The Computer Fraud and Abuse Act and Former Employees

The CFAA prohibits an individual from:

• Intentionally accessing a computer without authorization or in excess of authorized access and obtaining information from a protected computer. 18 U.S.C. ' 1030(a)(2)(C);
• Knowingly, and with intent to defraud, accessing a protected computer without authorization or in excess of authorized access and by means of such conduct obtaining anything of value. 18 U.S.C. ' 1030(a)(4);
• Knowingly causing the transmission of a program, information, code or command and as a result intentionally causing damage without authorization to a protected computer. 18 U.S.C. ' 1030(a)(5)(A); and
• Intentionally accessing a protected computer without authorization and as a result of such conduct causing damage and loss or recklessly causing damage. 18 U.S.C. ' 1030(a)(5)(B) and (C).

Each of these prohibitions requires some form of unauthorized access of a computer, or access that exceeds authorization.

With varying degrees of success, employers have used the CFAA to go after employees who access, take, and/or destroy electronically stored company information before departing to form their own business or join a competitor.

Courts are split over whether an employee who, while employed, has obtained electronically stored information from his employer has accessed the computer without authorization. Some courts have determined that an employee who accesses the information with an improper purpose acts without authorization. These courts rely on International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), and reason that an employee who has decided to leave and is obtaining the information to compete has breached his duty of loyalty and, therefore, terminated the agency relationship and any authorization (by virtue of his employment) to use the computer. In Citrin, the employer argued that its former employee violated the CFAA when he permanently deleted, through an erasure software program, incriminating documents and company information from his company computer after he decided to quit and start a competing business. The court determined that although the employee had authority to access the computer as an employee, when he destroyed the files, he breached his duty of loyalty and terminated the agency relationship. The agency relationship was the basis for the employee's authority to access the company computer.

Other courts have refused to apply the CFAA (which was intended to apply to hackers) when the employer has authorized the individual to use the computer and access the information. These courts focus on whether access to the computer was authorized, not whether the use of the information was authorized. Condux Int'l v. Haugum, 2008 WL 5244818, *8 (D. Minn. 2008). According to the court in Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 966 (D. Ariz. 2008), “the CFAA was intended to prohibit electronic trespassing, not the subsequent use or misuse of information.” These courts hold that an employee accesses a computer “without authorization” only when initial access is not permitted. According to these courts, an employee exceeds authorization where, although initial access is permitted, the employee accesses certain information that is not permitted.

Regardless of whether the employee violated the statute by merely accessing electronic information, most courts are in agreement that an employee violates the statute when he or she intentionally scrubs or erases information from an employer's computer without authorization.

A Civic Action for Damage or Loss

The CFAA is primarily a criminal statute, but it also provides for a civil action to recover for damages or loss caused, if the loss exceeds $5,000 in value. 18 U.S.C. ' 1030(g). Damage is defined, somewhat narrowly, as impairment to the integrity or availability of data, a program, a system or information. 18 U.S.C. ' 1030(e)(8). Courts are split on whether unauthorized copying, downloading or e-mailing confidential information amounts to damage to a protected computer. Some courts require some “diminution in the completeness or usability of data or information on a computer system.” Resdev LLC v. Lot Builders Assn, 2005 WL 1924743, at * 5 n. 3 (M.D. Fla. 2005). These courts require deletion or damage to files; the mere copying and e-mailing of files is not enough. See Garelli Wong & Assoc. v. Nichols, 551 F. Supp. 2d 704, 710-11 (N.D. Ill. 2008).

“Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. ' 1030(e)(11). Courts, again, are split on their interpretation of this definition. Some have interpreted it broadly to include loss of business and business goodwill. See Contract Associates Office Interiors, Inc. v. Ruitel, 2008 WL 3286798, *3 (E.D. Calif. 2008). Others have concluded that all forms of loss are limited by the last clause and must be “incurred because of interruption of service.” See American Family Mutual Insurance Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008).

One principle that is fairly accepted is that recoverable loss under the CFAA can include the cost of any forensic investigation undertaken by the employer to determine and/or correct any damage. In Teksystems, Inc. v. Modis, Inc., 2008 WL 5155720, *5 (N.D. Ill. 2008), the employer alleged a cause of action against an employee who downloaded the company's confidential information after accepting a position with a competitor but before notifying the employer. The employer's loss was the cost of the computer forensic investigation into his conduct.

Although in some jurisdictions damages or loss under the CFAA may be easier to prove than under more traditional theories of recovery, injunctive relief may be more limited. In addition to damages, the statute provides for injunctive or other equitable relief. However, under the CFAA, the wrong is the unauthorized access. Injunctive relief, therefore, may be limited to circumstances involving the potential for on-going access or damage to the employer's computers. In most cases, the employee has left the employer's employment and no longer has access to the employer's computers, making injunctive relief unlikely.

Proactive Efforts to Utilize the CFAA

Whether an employer may utilize the CFAA depends in large part on the jurisdiction where it is located and the type of conduct engaged in by the employee.

Although some courts have recognized a cause of action based on gathering and disseminating confidential electronic data, courts are more likely to enforce the CFAA where deletion or damage to the computer files and or system itself has occurred. This may include the departing employee's deletion of his own files on the employer's system in an effort to hide whatever actions he took prior to leaving the employer.

Employers remain wise to limit access, electronically or otherwise, to confidential information. Employees to whom they provide access should sign confidentiality and/or non-compete agreements to protect the information.

Employers should provide by policy and/or agreement that its authorization to the employee to access the company's computers and electronic files terminates upon the employee's decision to quit employment or act contrary to the employer's interests regardless of whether that decision has been communicated to the employer. Such language and notice to the employee may help an employer argue later that an employee's access of the computer to download or e-mail confidential information exceeded the employer's authorization. Employers also should make employees aware that CFAA is a criminal statute that may apply if the employee acts beyond the employer's authorization with respect to electronic information.

Finally, access to company computer systems and networks should be cut off upon an employee's termination. When the termination is involuntary, access should be restricted, if at all possible, before the employee learns of the termination. If the termination is voluntary, access should be restricted, as soon as the employer learns of the resignation even if the employee intends to stay during a two-week, or other, notice period. The employer should also preserve the employee's computer so that a forensic analysis and/or audit of the departing employee's electronic files can be conducted, if necessary.

Conclusion

CFAA is being used with more and more frequency by employers whose employees have taken or deleted electronic information. While certainly not a solution to all of the problems created by the electronic accessibility of important company information, some employers have been successful in utilizing the CFAA to help prevent and correct the unauthorized removal of electronic information.

Patricia Anderson Pryor, a member of this newsletter's Board of Editors, is a partner in the Labor and Employment Department at Taft, Stettinius & Hollister LLP. Ms. Pryor represents and advises employers in all forms of litigation, and dispute resolution, including mediation and arbitration, and in managing all aspects of the employment relationship. She is a frequent speaker at legal seminars and to employers and professional groups and has been featured on the radio broadcast, Employment Straight Talk.

Laptops, thumb drives, data sticks, e-mails, and USB ports make it easy for employees to walk out of a company with valuable information, customer lists, and trade secrets. An employer's remedies are often limited. Is there a confidentiality agreement or non-compete agreement that limits the employee's ability to use the information? If so, will the court enforce it and can the employer prove the employee's use of the information? Has there been a breach of fiduciary duty or a breach of the employee's duty of loyalty? Are trade secrets involved?

Under traditional causes of action, employers often struggle to prove actionable harm. In order to obtain damages, an employer may need to establish that the employee has used the information that he or she has copied or downloaded and that such use has caused harm. In recent years, employers have attempted to use the Computer Fraud and Abuse Act (“CFAA”) to seek damages from departing employees who take company information or electronic assets with them.

CFAA's Prohibitions

The CFAA prohibits an individual from:

• Intentionally accessing a computer without authorization or in excess of authorized access and obtaining information from a protected computer. 18 U.S.C. ' 1030(a)(2)(C);
• Knowingly, and with intent to defraud, accessing a protected computer without authorization or in excess of authorized access and by means of such conduct obtaining anything of value. 18 U.S.C. ' 1030(a)(4);
• Knowingly causing the transmission of a program, information, code or command and as a result intentionally causing damage without authorization to a protected computer. 18 U.S.C. ' 1030(a)(5)(A); and
• Intentionally accessing a protected computer without authorization and as a result of such conduct causing damage and loss or recklessly causing damage. 18 U.S.C. ' 1030(a)(5)(B) and (C).

Each of these prohibitions requires some form of unauthorized access of a computer, or access that exceeds authorization.

With varying degrees of success, employers have used the CFAA to go after employees who access, take, and/or destroy electronically stored company information before departing to form their own business or join a competitor.

Courts are split over whether an employee who, while employed, has obtained electronically stored information from his employer has accessed the computer without authorization. Some courts have determined that an employee who accesses the information with an improper purpose acts without authorization. These courts rely on International Airport Centers LLC v. Citrin , 440 F.3d 418 (7th Cir. 2006), and reason that an employee who has decided to leave and is obtaining the information to compete has breached his duty of loyalty and, therefore, terminated the agency relationship and any authorization (by virtue of his employment) to use the computer. In Citrin, the employer argued that its former employee violated the CFAA when he permanently deleted, through an erasure software program, incriminating documents and company information from his company computer after he decided to quit and start a competing business. The court determined that although the employee had authority to access the computer as an employee, when he destroyed the files, he breached his duty of loyalty and terminated the agency relationship. The agency relationship was the basis for the employee's authority to access the company computer.

Other courts have refused to apply the CFAA (which was intended to apply to hackers) when the employer has authorized the individual to use the computer and access the information. These courts focus on whether access to the computer was authorized, not whether the use of the information was authorized. Condux Int'l v. Haugum, 2008 WL 5244818, *8 (D. Minn. 2008). According to the court in Shamrock Foods Co. v. Gast , 535 F. Supp. 2d 962, 966 (D. Ariz. 2008), “the CFAA was intended to prohibit electronic trespassing, not the subsequent use or misuse of information.” These courts hold that an employee accesses a computer “without authorization” only when initial access is not permitted. According to these courts, an employee exceeds authorization where, although initial access is permitted, the employee accesses certain information that is not permitted.

Regardless of whether the employee violated the statute by merely accessing electronic information, most courts are in agreement that an employee violates the statute when he or she intentionally scrubs or erases information from an employer's computer without authorization.

A Civic Action for Damage or Loss

The CFAA is primarily a criminal statute, but it also provides for a civil action to recover for damages or loss caused, if the loss exceeds $5,000 in value. 18 U.S.C. ' 1030(g). Damage is defined, somewhat narrowly, as impairment to the integrity or availability of data, a program, a system or information. 18 U.S.C. ' 1030(e)(8). Courts are split on whether unauthorized copying, downloading or e-mailing confidential information amounts to damage to a protected computer. Some courts require some “diminution in the completeness or usability of data or information on a computer system.” Resdev LLC v. Lot Builders Assn, 2005 WL 1924743, at * 5 n. 3 (M.D. Fla. 2005). These courts require deletion or damage to files; the mere copying and e-mailing of files is not enough. See Garelli Wong & Assoc. v. Nichols , 551 F. Supp. 2d 704, 710-11 (N.D. Ill. 2008).

“Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. ' 1030(e)(11). Courts, again, are split on their interpretation of this definition. Some have interpreted it broadly to include loss of business and business goodwill. See Contract Associates Office Interiors, Inc. v. Ruitel, 2008 WL 3286798, *3 (E.D. Calif. 2008). Others have concluded that all forms of loss are limited by the last clause and must be “incurred because of interruption of service.” See American Family Mutual Insurance Co. v. Rickman , 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008).

One principle that is fairly accepted is that recoverable loss under the CFAA can include the cost of any forensic investigation undertaken by the employer to determine and/or correct any damage. In Teksystems, Inc. v. Modis, Inc., 2008 WL 5155720, *5 (N.D. Ill. 2008), the employer alleged a cause of action against an employee who downloaded the company's confidential information after accepting a position with a competitor but before notifying the employer. The employer's loss was the cost of the computer forensic investigation into his conduct.

Although in some jurisdictions damages or loss under the CFAA may be easier to prove than under more traditional theories of recovery, injunctive relief may be more limited. In addition to damages, the statute provides for injunctive or other equitable relief. However, under the CFAA, the wrong is the unauthorized access. Injunctive relief, therefore, may be limited to circumstances involving the potential for on-going access or damage to the employer's computers. In most cases, the employee has left the employer's employment and no longer has access to the employer's computers, making injunctive relief unlikely.

Proactive Efforts to Utilize the CFAA

Whether an employer may utilize the CFAA depends in large part on the jurisdiction where it is located and the type of conduct engaged in by the employee.

Although some courts have recognized a cause of action based on gathering and disseminating confidential electronic data, courts are more likely to enforce the CFAA where deletion or damage to the computer files and or system itself has occurred. This may include the departing employee's deletion of his own files on the employer's system in an effort to hide whatever actions he took prior to leaving the employer.

Employers remain wise to limit access, electronically or otherwise, to confidential information. Employees to whom they provide access should sign confidentiality and/or non-compete agreements to protect the information.

Employers should provide by policy and/or agreement that its authorization to the employee to access the company's computers and electronic files terminates upon the employee's decision to quit employment or act contrary to the employer's interests regardless of whether that decision has been communicated to the employer. Such language and notice to the employee may help an employer argue later that an employee's access of the computer to download or e-mail confidential information exceeded the employer's authorization. Employers also should make employees aware that CFAA is a criminal statute that may apply if the employee acts beyond the employer's authorization with respect to electronic information.

Finally, access to company computer systems and networks should be cut off upon an employee's termination. When the termination is involuntary, access should be restricted, if at all possible, before the employee learns of the termination. If the termination is voluntary, access should be restricted, as soon as the employer learns of the resignation even if the employee intends to stay during a two-week, or other, notice period. The employer should also preserve the employee's computer so that a forensic analysis and/or audit of the departing employee's electronic files can be conducted, if necessary.

Conclusion

CFAA is being used with more and more frequency by employers whose employees have taken or deleted electronic information. While certainly not a solution to all of the problems created by the electronic accessibility of important company information, some employers have been successful in utilizing the CFAA to help prevent and correct the unauthorized removal of electronic information.

Patricia Anderson Pryor, a member of this newsletter's Board of Editors, is a partner in the Labor and Employment Department at Taft, Stettinius & Hollister LLP. Ms. Pryor represents and advises employers in all forms of litigation, and dispute resolution, including mediation and arbitration, and in managing all aspects of the employment relationship. She is a frequent speaker at legal seminars and to employers and professional groups and has been featured on the radio broadcast, Employment Straight Talk.