What if a former employee downloads confidential information
(customer lists, pricing information, etc.) from your computer
system and uses it to lure your customers away? Among the
laws at your disposal is the Computer Fraud and Abuse Act
("CFAA"). Although principally a criminal statute
intended to combat computer hacking, the CFAA allows a civil
lawsuit against someone who obtains information from another's
computer "without authorization."
Let's change the scenario slightly. What if a
current employee downloads your sensitive
business information to his personal computer, resigns, goes to
work for your arch-competitor, and then uses that information to
pirate your business? Do not count on the CFAA to provide a
remedy for that blatant misappropriation. In WEC Carolina Energy Solutions, LLC v.
Miller, the federal appeals court with jurisdiction over
Maryland, Virginia and other mid-Atlantic states narrowly construed
the CFAA in a way that does not always reach even egregious
misappropriation by current employees.
In this case, Miller worked for WEC as a project director and
resigned to go to work for a competitor, Arc Energy. Before
he quit, Miller allegedly downloaded to his personal computer
WEC's confidential information, which he used to make a
presentation to a potential customer after he quit. That
customer selected Arc Energy over WEC. WEC sued Miller under
the CFAA for misappropriating the confidential information from its
computer system. WEC established that it had a policy
prohibiting employees from misusing confidential information or
downloading it to a personal computer. WEC, however, did not
restrict Miller's authorization to access its confidential
information.
The court ruled that the CFAA was designed to target unauthorized
"access" to computer information, not unauthorized
"use" of that information. As a result, the court
decided that the CFAA only applies when an individual
"accesses a computer without permission or obtains or alters
information on a computer beyond that which he is authorized to
access." The CFAA did not apply to Miller's actions
because WEC had given him authorization to access the information
he took – the fact that he misused that information in
violation of WEC's policies did not implicate the
CFAA.
Although the court candidly noted that its decision "will
likely disappoint employers hoping for a means to reign in rogue
employees," the CFAA door is not completely shut to combat
hacking by current employees. Depending on the content of
your policies, the decision leaves room for an argument that the
CFAA applies if a current employee with unrestricted computer
access downloads your information for the benefit of a third
party.
In this regard, in addition to standard "use and access"
restrictions, computer policies should specifically emphasize that
employees have no authorization to access
company data on behalf of outsiders. That way, if a miscreant
employee who has broad computer access shares your confidential
information with a third party, there may be an argument that he
has exceeded the scope of his authorized access under the
CFAA. The entity on whose behalf the employee obtained the
information might also be on the hook for unauthorized
access under an agency theory. Because the court relied
on WEC's internal policies to define the contours of what
constitutes "authorized" access to its computer data,
employers should review and tighten their computer use and access
policies. Even if the CFAA does not apply to a particular
employee's computer hacking, however, there are common law
causes of action potentially available to provide relief.
Under those causes of action as well, your computer use and access
policies will play a central role.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.