Computer Fraud and Abuse Act is a
Powerful Tool
If an employee leaves your company to join the
competition, you may have recourse to stop the
former employee from accessing your computer
system to take client lists and / or trade
secrets. Companies are increasingly turning to
the Computer Fraud and Abuse Act (“CFAA”). While
amendments have greatly expanded this 1994 law,
recent court decisions make the CFAA an
attractive weapon against disloyal employees.
Damages and injunctive relief are available and,
more importantly,
according to Nixon Peabody LLP, a federal
cause of action that does not require that
confidentiality, trade secret, and / or
noncompete agreements be in place. The law’s
power was expanded even further in 1996 when the
“unauthorized access” requirement was removed,
thereby covering company insiders in addition to
outside hackers.
The CFAA provides for recovery in the event of
“loss” or “damage,”
according to the Metropolitan Corporate Council.
“Loss” is defined as “any reasonable cost to any
victim, including the cost of responding to an
offense, conducting a damage assessment, and
restoring the data, program, system, or
information to its condition prior to the
offense, and any revenue lost, cost incurred, or
other consequential damages incurred because of
interruption of service.” “Damage” is “any
impairment to the integrity or availability of
data, a system, or information.”
The damages and injunctive relief, they point
out, “Supply another arrow in the quiver of an
employer faced with a disloyal employee.”
The CFAA can also be used against employees who
leave and delete all the files from their
computer, according to the Iowa Employment
Law Letter as it was in International
Airports Centers v. Citrin. This case
centered on Jacob Citrin, a worker at
International Airports Centers (IAC), who wasn't
a happy camper. He eventually decided that he
could make more money on his own. “He quit IAC
to go into business for himself, violating his
employment contract (bad idea). Before he turned
in the company laptop, he purged all of the
detailed business data he had been collecting
for IAC (worse idea), deleted other data in the
computer (worst idea), and trashed data that
would have revealed his improper conduct before
he decided to quit (at least that probably
seemed like a good idea at the time).”
Unfortunately for him, pushing the delete key
does not delete all the information on the
computer, and Nixon Peabody LLP claims that the
subsequent ruling against him in March gives the
CFAA the teeth it needs to be a deterrent for
employees who become disloyal to their employer.
The CFAA is so powerful that it has been used as
a threat to prevent mobility of employees to
competitors, according to The Computer &
Internet Lawyer.
But be careful, it says, because “the
comparative ease with which the CFAA can be used
by companies seeking to reign in departing
employees is a double-edged sword. In a world in
which information is transmitted instantaneously
and employees can change jobs almost as quickly,
every company that has a serious interest in
protecting its competitive computer information
is equally at risk of being accused of stealing
someone else's. Liability under the CFAA is not
limited to cases of intentional theft or
industrial espionage. Every time a departing
employee ‘accesses’ information from a current
employer's computers after accepting employment
at a new firm or downloads materials from
company computers and forgets to return them
before starting a new job, both the former
employee and the new employer face a risk of
exposure to the CFAA's criminal and civil
penalties.”
Some notable cases that CFAA has been used in
include:
-
Charles Schwab & Co., Inc. v. Brian D.
Carter, Acorn Advisory Management, L.L.C.,
et al. (2005)
According to Phillips Ziner LLP, in this
case the court held that a principal can be held
vicariously liable under the CFAA for its
agent's accessing without authorization
another's computer system in violation of the
CFAA at the principal's direction. The Court
denied the motion of defendant Acorn which
sought to dismiss claims advanced by plaintiff
Charles Schwab & Co. Inc. to hold Acorn liable
under the CFAA for the acts of defendant Brian
Carter. Carter, a former employee of Schwab, had
allegedly downloaded without authorization
confidential information and trade secrets from
Schwab's computer system at the behest of Acorn,
by whom he was subsequently employed.
-
Shurgard Storage Centers Inc. v. Safeguard
Self-Storage Inc. (2000)
According to Nixon Peabody LLP, “former Shurgard
employees — while still on its payroll — used
its computers to send trade secrets and
proprietary information to Safeguard, the new
employer they had already agreed to join. CFAA
covers intentional access to a computer without
authorization and obtaining information from a
computer by exceeding authorized access. The
former employees argued that they retained their
existing authority to access Shurgard’s computer
system as long as they remained its employees
and, therefore, had not acted without authority
or in excess of their authority. The court
swiftly dismissed this argument, noting the
employees’ authority to access Shurgard’s
computer system evaporated when they began
acting as agents for Safeguard.”
Southeast Tech Wire suggests making sure
that your company policy addresses this issue:
“That policy may be part of an employee manual
or may even be based on the computer itself. In
some cases, a written agreement may be best. In
any event, companies should have such a policy
in place in order to protect themselves from the
possibility of unfair competition from defecting
employees. A one-size-fits-all computer usage
policy, however, is not likely the best. When
determining which forms of protection work best,
business should consult with lawyers who know
their companies, their industries, and
understand the nuances of the CFAA and other
critical issues surrounding trade secrets.”
While Iowa Employment Law Letter
suggests: “First, you would be wise to educate
your workforce about the potential impact of the
Computer Fraud and Abuse Act. Prosecution may
await any employee who impairs or damages your
company computer system. You might think it's
common sense that those actions are a ‘no-no.’
Nevertheless, you can protect your business
better by being up-front about the applicability
of federal and state laws that protect your
computer assets. Let your workforce know that
you'll pursue any employee who attempts to
impair your computer data or system. Also remind
your employees of their fiduciary duty of
loyalty to your company. The duty of loyalty is
rarely mentioned inside or outside the
workplace. Still, many state courts have
recognized an employee's obligation to act in
his employer's best interests at all times. Of
course, that duty means taking no actions that
damage or otherwise harm the company's
business…By periodically reminding them of their
duty of loyalty, you can better insulate
yourself against the type of sabotage that could
cause a severe business interruption.”
“Communication is key,” states Michael
Maciekowich, National Director for Astron
Solutions. “Many employees have likely not
heard of the CFAA. However, ignorance of the
law is no excuse. Combine information on the
CFAA with ethics, policy, or other general
training provided to all employees.” While it
may seem that additional training creates a
current additional burden for HR, ensuring
everyone knows of the law – and its
ramifications – may save your organization time
and money down the road from lawsuits prevented.