-
A former employee will violate the computer fraud and abuse act only by having unauthorized access to data, not by using data for an unauthorized purpose.
-
Former owners or employees that access computer systems after termination may be liable under the Computer Fraud and Abuse Act.
-
A federal claim based on the unauthorized use of data will likely no longer support a federal claim in a business divorce litigation.
So much impact from such a little word. The U.S. Supreme Court, resolving a split among the circuit courts, imposed significant limits on the reach of the Computer Fraud and Abuse Act (CFAA), severely restricting its usefulness as a tool to pursue unfaithful former employees and owners.
The significance of the decision– which as discussed below turned on the construction of the work “so” in the statute’s definitions – in business divorce cases is that it will limit the ability of litigants to employ the statute as redress for some types of conduct and deprive a plaintiff in some cases of access to federal courts. (For the linquists and grammarians, the parsing of “so” is in the opinion, here.)
Theft of Data by Departing Owner or Employee
It is not unusual that an individual leaving a business whether as employer or owner will access the computer system and extract data, usually in violation of some policy or limit on the permitted use of the data. The departing executive, for example, may copy information that will be of use in the future. This information may or may not involve trade secrets, but accessing the information without authorization or for an unauthorized purpose was sufficient to create a colorable claim under the CFAA.
The Supreme Court, however, has limited the reach of the act. It requires that the defendant access information without authorization, not that it be used in an unauthorized manner. The facts of the case demonstrate the distinction. If the information taken was a trade secret, there may still be recourse under the federal Defend Trade Secrets Act, but the mere fact of access is no unlikely to sustain a federal claim.
Unauthorized Use of Data is Not a Crime Under the CFAA
In the case before the Supreme Court, a police officer had been caught in a sting operation selling information that he obtained using his authorized access to a database from the terminal in his patrol care. The government argued that he had exceeded his authorized access by pulling the information for sale to a third party because access was permitted only for law enforcement purposes. The defendant police officer argued that the statute did not apply because he had used the access given to him, but for an unauthorized purposed.
The Supreme Court agreed with the defendant. The language in the statute that prohibits conduct that “exceeds authorized access” refers to access to a portion of the computer system to which the user was not authorized, e.g., files or other data that he or she should not have reached in the first instance. It did not reach access to data for a wrongful purpose.
Now consider the former executive who is given access to data for business purposes, but then misuse that access, for example by making a copy for use in a competing business. This is a relatively common allegation and until this decision may well have been sufficient to get the matter into federal court.
There are other issues with the CFAA as a means of redress in a business divorce litigation. Civil damage remedies do not include consequential damages in the nature of lost opportunities or disgorgement. However, the statute does permit injunctive relief and would extend to both the party that was primarily liable under the CFAA and to the recipient of the information.
Damages Under CFAA
There is a $5,000 jurisdictional threshold for a claim, which can include the costs of responding to the offense, damages assessments, costs to restore data and even the forensic inquiry necessary to determine who was responsible for an intrusion. Consequential damages in the form of lost revenue likely are available only in cases where there is an interruption in service or direct damage to the computer system.
Does the decision mean that there will be no applicability of the CFAA in the future. Not entirely, we have seen cases in which there was access to a computer after termination of an employee. A former employee encrypted a laptop computer before it was returned in another cases. There have been cases in which data became corrupted or unusable.
Those in control of a business that use best practice to prevent the loss of key business data – both trade secrets and other data – will have more tools at their disposal. A company that adopts file server security protocols that segregate access has a better opportunity to avail itself of the remedy for someone who gains unauthorized access to files. Likewise, the company that immediately terminates access to computers and servers in the event of a termination will have a stronger claim.
Many of the battles in a business divorce concern access to and use of information. Having good policies and procedures in place will invariably protect the enterprise from individual actors.
Contact us if you have questions on protection of data and information during a business divorce controversy.