Stealing Confidential Information, Quirky Question # 78
Quirky Question # 78:
I am the HR Director at our company. I just learned that one of our most valuable employees has resigned and taken a position with a competitor. I requested our IT Department to make an evaluation of his computer. They reported to me that before he left, he emailed customer and rate information to himself and his new employer. We consider that information to be highly sensitive, potentially providing our ex-employee the chance to divert a significant portion of our business to his new employer.
Most of our employees have non-competition agreements but, as it turns out, the employee who just quit never signed one. I also doubt that we could claim the data he took is trade secret. Unfortunately, we have not taken reasonable steps to protect the confidentiality of this information. Are we out of luck?
As you recognize, your company’s position would be enhanced either if: a) your employee had executed an agreement containing post-employment restrictive covenants such as a non-compete or non-disclosure obligation, or b) your company had taken appropriate steps to protect the confidentiality of the data so that you could seek protection pursuant to the Uniform Trade Secrets Act. Despite the unavailability of potential contract or statutory claims based on these legal theories, however, you are not out of luck.
When data has been stolen, a company also has the option under the Computer Fraud and Abuse Act (“CFAA”) to file a lawsuit in federal court for injunctive relief and damages. Title 18, U.S.C. § 1030. The injunction can direct the employee and his new employer to return the stolen data and prevent the employee and his new employer from contacting the customers who are the subject of the stolen data. In other words, you may be able to obtain the same relief as if your employee had a valid restrictive covenant requiring him not to conduct business with your customers.
Primarily a criminal statute, the CFAA provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” § 1030(g). Because it is a federal statute, you can file in federal court. (State causes of action for theft of trade secrets and breach of a restrictive covenant cannot be filed in federal court unless there is diversity of citizenship or there are other federal claims.)
The CFAA was enacted in 1984 as a criminal statute to criminalize the theft of national security and banking data. In 1992 it was amended to include the ability for an individual injured by a violation of the statute to bring a civil action, much like the Racketeer Influenced and Corrupt Organizations (“RICO”) statute, Title 18, U.S.C. § 1961, et seq. The CFAA has since been amended a number of times to keep up with new technologies and the ubiquity of computers in society. The CFAA was last amended in 2001 in the U.S. Patriot Act to include computers located outside the United States if they communicate with the United States or are involved in commerce with the United States.
The CFAA outlaws the entire panoply of computer crime including stealing computer data. There is no need to show that the data is trade secret protected, copyrighted, confidential or proprietary. Rather, one of the key elements necessary to prove a CFAA civil action, as explained in more detail below, is to show that the employee accessed the company computer without authorization or exceeded the authorization he had been granted.
As a jurisdictional prerequisite to filing a civil CFAA action, the plaintiff company must allege and ultimately prove $5,000 in loss. “Loss” is defined by the CFAA as
“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
The “federal courts have sustained actions based on allegations of costs to investigate and take remedial steps in response to a defendant’s misappropriation of data.” Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 320 (D. Conn. Jan. 22, 2008). Such costs must of course relate to the computer. In Nexans Wires, SA, 319 F. Supp. 2d 468 (S.D.N.Y. 2004), aff’d, 166 Fed. Appx. 559, 562-63 (2d Cir. 2006), for example, the court held that $8,000 spent by two corporate executives to fly to Manhattan from Germany to examine the computer intrusion and discuss the breach at the French restaurant Le Cirque did not qualify for the $5,000 loss because the expense was not sufficiently related to the company computer.
The CFAA encompasses what it defines as a “protected computer.” The CFAA’s definition of protected computer, however, covers every conceivable type of computer. § 1030(e)(1). As the defendant rightly claimed in United States v. Mitra, 405 F. 3d 492, 495 (8th Cir. 2005), “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.”
Four of the seven causes of action under this statute require proof that the person who accessed the computer did so “without authorization or exceeding authorization.” Title 18, U.S.C. §§ 1030(a)(2), (a)(4), (a)(5)(A)(ii), and (a)(5)(A)(iii). The courts have acknowledged that the difference between unauthorized access and exceeding authorized access is “paper thin.” Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (2006). For example, in the employee/employer context an employee is authorized to access the company computers to perform work for the company but exceeds that authorization when the computer is accessed to steal data for a competitor. Lack of authorization, as interpreted by the courts, can be established in four separate ways.
First, lack of authorization can be shown when an employee violates his agency relationship with his employer by accessing the employer’s computer for a purpose that is contrary to the interests of the employer. It is the breach of the “duty of loyalty” that terminates “the agency relationship” and with it the “authority to access” the computer. Citrin, 440 F.3d at 420-21. In Citrin, the defendant employee Citrin used an erasure program to destroy data on his employer’s computer immediately prior to his resignation from the company to join a competitor. Thus, the court found that Citrin’s authorization to access the computer terminated when he “resolved to destroy files that incriminated himself and other files that were also the property of his employer.” Citrin, 440 F.3d at 420.
The agency theory upon which authorization is based is not universally accepted by the lower courts. There are at least five reported federal district court decisions that have refused to adopt the agency standard as a predicate to an employee’s authorization to use an employer’s computers. These district courts take the simplistic view that if the employee was authorized to use the employer’s computer, he was authorized to use it for all purposes. Thus, even if the employee accessed the computer to steal the employer’s data, the employee did not violate the CFAA because the employee, as part of his duties, was authorized to access the computer.
For that reason, these courts ruled that the intent of the employee in accessing the computer was irrelevant to the question of authorization and that “the phrase ‘without authorization’ generally only reaches conduct by outsiders who do not have permission to access the plaintiff’s computer in the first place.” Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 964-65 (D. Ariz. 2008); Diamond Power Intern., Inc. v. Davidson, Nos. 1:04-CV-0091-RWS-CCH and 1:04-CV-1708-RWS-CCH, 2007 WL 2904119, at *13 (N.D. Ga. Oct. 1, 2007); Brett Senior & Assocs., P.C. v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *2-4 (E.D. Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2006 WL 2683058, at *5 (M.D. Fla. Aug. 1, 2006); Int’l Ass’n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 495 (D. Md. 2005).
None of the Circuit courts, however, has adopted this view of authorization, and this issue has not yet reached the Supreme Court. For example, the 11th Circuit in United States v. Salum, 257 Fed. Appx. 225, 230 (11th Cir. 2007) upheld a criminal conviction for a violation of the CFAA where the defendant employee was authorized to access the computer but did so for an improper purpose. In that case the court affirmed the criminal CFAA conviction of a police officer with the Montgomery Police Department, who had provided information from the FBI’s National Crime Information Center database to a private investigator. Although the defendant police officer “had authority to access the NCIC database” [just like any employee has the authority to access his company’s computers], the Court held that there was sufficient evidence to convict on the element of lack of authorization because the defendant knew the information he accessed was to be used “for an improper purpose.” The court did not cite either the Diamond Power case or Lockheed Martin, the two district court cases from the 11th Circuit which dismissed CFAA civil cases finding that the defendants’ motive in accessing the computers had no bearing on whether the access was authorized. Nonetheless, Salum effectively overruled these two lower court cases.
Second, the limits of authorization to access a computer can be set by agreement. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001) the court upheld a preliminary injunction entered by the district court based on a violation of the CFAA because the defendants, all former employees of the plaintiff, had accessed and downloaded pricing data on EF Cultural’s website by violating their confidentiality agreements with EF Cultural. In that case the former employees used EF Cultural’s confidential information concerning its public website to create an automatic robot to download from the website all 154,293 prices for high school tours in a two-day period.
Third, lack of authorization can be established by a violation of company rules and policies. The CFAA is a unique statute in the sense that it allows companies to set the rules that form the predicate for a violation of the statute. In EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003), the court recognized that the “CFAA . . . is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, a company “can easily spell out explicitly what is forbidden.” Id. at 63. Doe v. Dartmouth-Hitchcock Medical Center, 2001 WL 873063, at *2 (D.N.H. 2001) provides a clear example of the critical nature of promulgating workplace rules for accessing data. In that case, the court interpreted “unauthorized access” based on the hospital’s Graduate Medical Training Manual, which contained “policies governing the confidentiality of patient records, which generally prohibit interns and Fellows, like . . . [the Defendant] from accessing patient records absent a ‘professional need to know.’” Based on these policies, the court found that the defendant, who was a resident in psychiatry at the Dartmouth hospital, “was granted only limited access to Dartmouth’s computerized patient records” and this limitation was imposed “for the very purpose of protecting patient confidentiality.” Id. at *5.
A patient whose records had been allegedly viewed by a hospital intern for reasons unrelated to treatment sued the hospital and the intern for violations of the CFAA. The court dismissed the CFAA claim against the hospital, finding that it had been victimized by its “own policies.” Id. at *5. For that reason it would be inconsistent with the purpose of the CFAA “to protect computer systems . . . from unauthorized access and concomitant damage – to find the hospital was vicariously liable for the actions of the resident.” Id.
Fourth, the courts have found that access is without authorization when it exceeds the expected norms of intended use of the computer. In United States v. Phillips, 477 F.3d 215 (5th Cir. 2007) a student at the University of Texas was provided access to a secured school network through a password consisting of his Social Security number. The student, however, used what is known as a “‘brute-force attack program’ which automatically transmitted to the website as many as six Social Security numbers per second, at least some of which would correspond to those of authorized . . . users.” Id. at 218. This program allowed Phillips “[o]ver a fourteen-month period” to gain “access to a mother lode of data about more than 45,000 current and prospective students, donors, and alumni.” Id. The court upheld the student’s criminal conviction under the CFAA, finding that his access to the computer was not authorized because the “brute force attack” exceeded the expected norms of intended use of the computer.
In sum, the CFAA provides your company a legitimate basis on which to seek redress for the wrongful conduct of your former employee, given that he used your company’s computers to copy critical customer and rate information, and forwarded that data to both himself and his new employer. Other claims may be available to your company as well, such as a claim for breach of fiduciary duty, or a claim based on your state’s unfair competition laws. In the future, however, you can further enhance the protections for your company by ensuring that all appropriate employees execute the agreement containing your post-employment restrictive covenants. Similarly, as you recognize, it would be prudent for your company to take appropriate measures to ensure that your company’s confidential information is treated in a manner that ensures protection under the Uniform Trade Secrets Act.