Employers Increasingly Use the Computer Fraud and Abuse Act against Disloyal Employees

Companies have a new weapon against employees who leave to join the competition and, on their way out, access information from their former employer’s computer system without authorization. Companies are increasingly turning to the Computer Fraud and Abuse Act (“CFAA”). Amendments have greatly expanded this 1994 law and recent court decisions, especially the Seventh Circuit’s March 6 decision in International Airports Centers v. Citrin, make CFAA an attractive weapon against disloyal employees. Damages and injunctive relief are available and, more important, a federal cause of action that does not require that confidentiality, trade secret, and/or noncompete agreements be in place.
by John Canoni

3/16/2006

Open PDF: Employers Increasingly Use the Computer Fraud and Abuse Act against Disloyal Employees

Employers are increasingly taking advantage of new civil remedies available under the Computer Fraud and Abuse Act (“CFAA”).[1] This federal law particularly applies when an employee accepts a job at another company but continues working at the current job and continues to access her/his current employer’s computer system. Both the departing employee and the new employer can be sued under CFAA if, either separately or together, they seek to gain a competitive advantage through unauthorized use of information from the current employer’s computer system.

When CFAA was passed in 1994, it covered mainly classified information on government computers. Successive amendments have greatly expanded its scope. Civil remedies were added in 1994 and, in 1996, Congress (1) extended CFAA to any “protected computer” (i.e., any computer used in interstate or foreign commerce) and (2) removed the “unauthorized access” requirement, thereby covering company insiders in addition to outside hackers.

The courts have cooperated by giving the amended CFAA a broad interpretation. In Shurgard Storage Centers Inc. v. Safeguard Self-Storage Inc.,[2] former Shurgard employees—while still on its payroll—used its computers to send trade secrets and proprietary information to Safeguard, the new employer they had already agreed to join. CFAA covers intentional access to a computer without authorization and obtaining information from a computer by exceeding authorized access. The former employees argued that they retained their existing authority to access Shurgard’s computer system as long as they remained its employees and, therefore, had not acted without authority or in excess of their authority. The court swiftly dismissed this argument, noting the employees’ authority to access Shurgard’s computer system evaporated when they began acting as agents for Safeguard.

CFAA covers abuse of a computer system and the data on that system. A recent decision by the Seventh Circuit reveals the act will prohibit, in Judge Richard Posner’s words, “attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments).” In that case, an employee of International Airports Centers (“IAC”) decided to go into business for himself and, before leaving IAC, savagely attacked IAC’s computer files. He first deleted all data on the laptop computer IAC provided him; not only data belonging to IAC but also data that would have revealed his improper conduct. He then installed a secure-erasure software program, making it impossible for IAC to recover any of the deleted information.

District Judge Wayne Andersen held the employee’s conduct was not covered by CFAA because simply erasing files was not a “transmission” under that act.[3] The Seventh Circuit unanimously reversed.[4] The court held Citrin’s authorization to access IAC’s computer system and information ended when he resolved to destroy the files that would have incriminated him and other files that were IAC’s property. Those actions violated the duty of loyalty that agency law imposes on any employee. In addition, Citrin had transmitted a program to the IAC computer intended to cause damage to that system by preventing IAC from replacing files belonging to it that he deleted.

Other cases have sustained CFAA causes of action by employees who accessed a current employer’s computer system and sent confidential information to a new employer before officially leaving the current employment.[5] In Charles Schwab & Co. v. Carter, the departing employee believed he had the right to e-mail confidential information to his new employer because Schwab was closing the division where he worked.

CFAA covers more than the losses directly caused by the employee’s unauthorized access to the employer’s computer system. It also covers damage assessments and security update and restoration or replacement costs, as well as any revenue lost or costs incurred or other damages resulting from any impairment or interruption of service. Damages must be more than $5,000 in any one-year period. That modest minimum should easily be reached when hiring a consultant to determine if the employer’s website is secure or compromised.[6]

CFAA offers employers many advantages. First and foremost, employers can bring their actions in federal court because CFAA bestows federal question jurisdiction. CFAA claims avoid possible restrictive state noncompete or unfair competition laws. California employers can use CFAA despite that state’s general prohibition on covenants not to compete. Second, CFAA’s focus is not on the type of information or data stolen but on abuse of a computer system to obtain that information or data. Employers can bring CFAA claims without proving the information wrongfully accessed was a trade secret, constituted confidential or proprietary information, or breached an employment contract, confidentiality agreement, or noncompete agreement. Employers can bring CFAA actions even if they do not have any confidentiality, noncompete, or trade secret agreements with the disloyal employee.

CFAA actions, of course, can be two-way streets. As with noncompete and similar agreements, the employer who brings a CFAA claim one day can have one brought against it the very next day. New employers should still take action to avoid potential CFAA claims, particularly by addressing conduct by the employee while he/she is still working for the old employer but after agreeing to join the new employer. They should remind a new employee not to take information from a former employer, to return all computer-generated data before starting the new job, and to bring only such data along if the former employer has given its permission to do so.

CFAA is also a criminal statute. That has not stopped courts from expansively construing its key elements. The law should continue to apply broadly as future disgruntled employees conceive more imaginative computer-abuse strategies.

Employers should consider using the federal Computer Fraud and Abuse Act in appropriate situations. Damages and injunctive relief are available. Key information for CFAA suits can be obtained by the former employer’s own forensic computer experts. CFAA is no longer a limited statute. Expansive court interpretations have converted it into an attractive weapon against wrongful conduct by disloyal employees.

  1. 18 USC Sec. 1030.
    [Back to reference]
  2. 119 F. Supp. 2d 1121 (W.D. Wash., 2000).
    [Back to reference]
  3. International Airports Centers L.L.C. v. Citrin, 2005 U.S. Dist. LEXIS 3905 (N.D. Ill., 2005).
    [Back to reference]
  4. 2006 U.S. App. LEXIS 5772 (7th Cir., March 8, 2006).
    [Back to reference]
  5. HUB Group, Inc. v. Clancy, 2006 U.S. Dist. LEXIS 2635 (E.D. Pa., January 26, 2006); Charles Schwab & Co. v. Carter, 2005 U.S. Dist. LEXIS 21348 (N.D. Ill., 2005).
    [Back to reference]
  6. See, e.g., EF Cultural Travel v. Explorica Inc., 274 F. 3d 377, (1st Cir. 2001).
    [Back to reference]

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

To subscribe to one of our alerts or newsletters, please e-mail Yolanda Jones at yljones@nixonpeabody.com.

 Printable (PDF) Version

Follow us on Twitter!

Services

Labor & Employment
ERISA Litigation
BostonChicagoLos AngelesLondonNew YorkParis
RochesterSan FranciscoShanghaiSilicon ValleyWashingtonAlbany
BuffaloLong IslandManchesterPalm Beach GardensProvidence

Disclaimer | Nixon Peabody International | © 2010 Nixon Peabody LLP
This website contains attorney advertising. Prior results do not guarantee a similar outcome.