Royal Truck & Trailer Sales v. Mike Kraft, 974 F.3d 756

Royal Truck & Trailer employed salespersons Mike Kraft and Kelly Matthews and issued devices and an employee handbook prohibiting unauthorized retention/disclosure and disabling GPS/software on company phones.
Shortly before abruptly resigning to join a competitor, Kraft and Matthews forwarded proprietary customer/pricing and payroll info from their Royal email accounts to personal email accounts.
Kraft reinstalled his laptop OS and Matthews factory-reset her company phone, making data unrecoverable; Royal recovered the devices and hired a forensic expert to assess and attempt data restoration.
Royal sued both employees in federal court under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and asserted related Michigan state-law claims.
The district court dismissed the CFAA claims (and then dismissed state-law claims without prejudice); Royal appealed.

Issue	Plaintiff's Argument	Defendant's Argument	Held
Whether sending company data from work devices to personal email constitutes "exceeding authorized access" under § 1030(a)(2)(C)	Misuse of information in violation of employer policy means employees exceeded authorized access	Employees were authorized to access the data via company accounts, so they did not exceed authorized access	Court: No. Because employees were authorized to access the files, their subsequent misuse did not "exceed authorized access" under the CFAA
Whether deleting/resetting device data constituted exceeding authorized access under the CFAA	Deletion of data from company devices was unauthorized and thus exceeded access	Even if deletion exceeded access, deletion is not the same as "obtaining" information required by § 1030(a)(2)(C)	Court: Dismissed CFAA theory based on deletion; complaint did not allege deletion "thereby obtain[ed] information" as required
Whether to retain supplemental state-law claims after federal claims dismissed	Royal sought to keep state claims in federal court	Defendants sought dismissal of state claims after federal claims gone	Court: District court properly dismissed state-law claims without prejudice under 28 U.S.C. § 1367(c)(3)

Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295 (6th Cir. 2011) (CFAA authorization focuses on threshold permission to access systems)
LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (authorization requires sanction or permission; misuse after access does not necessarily make access unauthorized)
United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (CFAA targets accessing data one is not authorized to access; narrow reading to avoid penalizing policy violations)
United States v. Valle, 807 F.3d 508 (2d Cir. 2015) (CFAA intended to address hacking/trespass into computer systems)
Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) (broader view that misuse can terminate authorization and trigger CFAA liability)
United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010) (employee obtaining company information for non-business purposes can exceed authorized access)
Van Buren v. United States, 940 F.3d 1192 (11th Cir. 2019) (case raising interpretation of "exceeds authorized access"; later granted certiorari to resolve circuit split)