Can Employers Sue Employees Under the CFFA?

Imagine the following hypothetical (one most employers would agree constitutes a “nightmare scenario”), with apologies to “Back to the Future”: Your company, McFly Industries, which develops, manufactures and sells hoverboards, just celebrated its fifth anniversary after having its most successful year ever. In the highly competitive hoverboard industry, you have managed to beat the competition and grab a larger slice of the hoverboard market, surpassing your fiercest competitor, Biff Incorporated. This development is largely due to your company's development of the Flux Capacitor, which has given McFly Industries' hoverboard superiority over its rivals' boards, and allows it to reach top-end speeds (once clocked at 88 miles per hour in an unofficial test).

However, your elation is short-lived. Late on a Friday afternoon, you receive nearly identical e-mails from your top engineer, Doc, who was responsible for development of the Flux Capacitor, and Marty, your crack Sales Director, informing you they are resigning effective immediately. Then, over the weekend, you learn through industry sources that they are going to work for Biff, and may have been planning to go work for Biff Incorporated for some time. Even worse, on Monday your lawyer, Strickland, informs you that neither Doc nor Marty signed a non-competition or non-solicitation agreement, meaning they are free to compete against you virtually unfettered. You do some digging, and sure enough Marty and Doc have been sending e-mails to their personal e-mail accounts, which you suspect contain confidential McFly Industries information ' including files related to the Flux Capacitor ' that they will use to compete against you at Biff Incorporated.

Distraught, you turn to Strickland, who shares with you the only good piece of information you have heard all day: you may be able to use a federal law called the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ' 1030, to protect the
sensitive data and information stored on company computers that you believe Doc and Marty may have taken.

The CFFA

The CFAA is a federal criminal statute that outlaws, among other things, the theft and destruction of data in computer systems. In addition to its criminal provisions, the CFAA permits a company to bring a civil action for damages and injunctive relief against an employee or other individual who, under certain circumstances, steals information from the company's computers. See 18 U.S.C. ' 1030(g) (“Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”). The CFAA subjects to criminal liability any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ' information from any protected computer.” 18 U.S.C. ' 1030(a)(2)(C). The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. ' 1030(e)(6).

Accordingly, whether an employer like McFly Industries can bring a CFAA claim against a former employee like Marty or Doc usually depends on whether the employee obtained the employer's information by accessing its computer system: 1) without authorization; or 2) by exceeding the employee's authorized access. This issue is one with which federal courts have struggled, and its resolution bears significantly on whether or not employers can use the CFAA as an effective tool against employees.

In the Courts

Generally speaking, courts have taken two approaches. Some courts have construed the CFAA narrowly in the context of civil liability, taking the employee-friendly view that as long as the employee's actions in accessing information in the employer's computer system are consistent with the authorization to access the information previously granted to the employee, the employee does not violate the statute. Other decisions, however, take a broader, more employer-friendly view that an employee accesses a computer “without authorization” or “exceeds authorized access” when the employee does so in breach of his or her duty of loyalty to the employer, without a business purpose and/or in violation of computer access and use restrictions imposed by the employer.

Although a number of courts have adhered to the narrower construction, several decisions issued by federal Courts of Appeal in the past few years suggest that the trend is moving toward the broader view, making the CFAA a truly viable option for employers aggrieved by employee data theft. This article focuses on this latter group of cases.

The Narrow View of Employee Liability Under the CFAA

As CFAA jurisprudence has evolved, many district courts around the country have been unwilling to impose liability on employees who steal information from computer systems to which their employers granted them access. Typically, these courts have reasoned that because the employee was authorized to access the computer system, information taken by the employee could not have been without authorization or exceeded the employee's authorized access. See, e.g., Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 U.S. Dist. LEXIS 50833 (E.D. Pa. July 13, 2007) (the phrase “without authorization” only reaches conduct by outsiders who do not have permission to access a computer in the first place because the CFAA targets “the unauthorized procurement or
alteration of information, not its misuse or misappropriation”); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) (dismissing an employer's CFAA claim against a former employee who acquired confidential information prior to resigning employment for a new position with a competitor, where employee was authorized to initially access the computer and was permitted to view the specific files he e-mailed to himself). For the most part, these courts believe the CFAA is intended to target “outside, third parties or other 'high-tech' criminals,” not the “rogue employee.” Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC, 600 F. Supp. 2d 1045, 1049 (E.D. Mo. 2009).

Recent Circuit Court Cases Suggest a Broader View

However, there has been an unmistakable trend in recent years at the Circuit Court of Appeal level suggesting that courts are willing to take a more expansive view of employee liability, particularly when employees “exceed authorized access” to employer computers. Although many of these decisions arise in the context of criminal convictions, the CFAA statutory provisions at issue are identical (or use identical language), and the decisions and their underlying rationale can be translated to civil actions. Furthermore, even within the context of a broader view of employee liability, the courts take different approaches that are instructive for employers contemplating a CFAA claim to combat a former employee's data theft.

Employee Agency As Authorization

The Seventh Circuit's decision in International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), is viewed as being at the vanguard of a broader approach to employee liability amongst federal courts of appeal. In Citrin, the defendant former employee permanently deleted company data from a company-provided laptop, as well as data that would have revealed that he engaged in improper conduct, before he resigned to go into business for himself in violation of his employment contract. Relying on the duty of loyalty the employee owed to his employer, Judge Richard A. Posner held that the employee had accessed a computer without authorization in violation of the CFAA, because “his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit [the employer] in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer.” Id. at 420. See also Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000) (holding that an employer could assert a CFAA claim based on its employee's e-mail transmission of the trade secrets and proprietary information to a competitor; because the employee was acting as an agent for the competitor, he had lost his authorization to access the computers and information).

Citrin takes perhaps the broadest view of employee liability, because it posits that an employee who is acting contrary to the interests of his or her employer when accessing the employer's computers is not “authorized” to do so, regardless of any employer policies or other safeguards.

Access Lacking a 'Business Purpose'

Two recent cases provide slightly narrower, yet still broad, approach to defining conduct that “exceeds authorized access” ' computer access that is without a business purpose.

In United States v. Tolliver, No. 10-3439, 2011 WL 4090472 (3d Cir. Sept. 15, 2011), the Third Circuit upheld the conviction of a bank employee for unauthorized access of a financial record under a different section of the CFAA, 18 U.S.C. ' 1030(a)(2), which in this case required proof that the employee “exceed[ed] authorized access” to a computer “and thereby obtain[ed] ' information contained in a financial record.” The convicted employee had accessed bank customers' accounts and provided information to others who carried out the fraudulent scheme. In upholding the conviction, the court held that there was sufficient evidence to establish that the employee exceeded her authorized access because she intentionally accessed the bank customers' accounts and “she did not have a business purpose to do so.”

Similarly, the Eleventh Circuit upheld the CFAA conviction of an employee of the Social Security Administration for exceeding his authorized access to his employer's computer system. United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010). The defendant had used his access to obtain personal contact information of ex-girlfriends and other women in whom he had a romantic interest, and used that information to send them flowers or show up unannounced at their homes. In holding that Rodriguez exceeded his authorized access, the court specifically noted that his employer told him “that he was not authorized to obtain personal information for non-business reasons.” Id. at 1263.

Employee Policies and Agreements Limiting Access

However, the direction in which case law is most likely to head is reflected in the growing recognition by courts that employers can define the boundaries of authorized access, and position themselves to take advantage of the CFAA should the unfortunate need arise, by promulgating policies and employee agreements that delineate clearly the scope of employees' authorization to access and use the employer's computer data.

For example, in United States v. John, 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit upheld the CFAA conviction of a bank employee who used the bank's computer system to access customer account information, and then passed the account information along to others who incurred fraudulent charges on
customer accounts. The court held that the defendant exceeded her authorized access to the information because, among other things, the purpose for which she accessed the information was contrary to the bank's employee policies, of which, the court noted, the employee was aware.

Nosal

Along the same lines, the most recent example of the growing trend toward a broader view of employee liability under the CFAA is the Ninth Circuit's opinion in United States v. Nosal, 642 F.3d 781 (9th Cir. 2011) (author's note: the court has granted an en banc rehearing of its decision). In Nosal, the court held that an employee “exceeds authorized access” under the CFAA when he or she “obtains information from the employer's computer and uses it for a purpose that violates the employer's restrictions on the use of the information.” Id. at 782.

Mr. Nosal was a former executive of an executive search firm who left to start a competing business, and who recruited three employees of the search firm to transfer to him confidential information through their user accounts in the search firm's computer system.

The court held that because the search firm had in place clear computer access and use restrictions, Nosal's violation of those restrictions (and that of his accomplices) constituted conduct that “exceeds authorized access” in violation of the CFAA. The court specifically held that “the only logical interpretation of 'exceeds authorized access' is that the employer has placed limitations on the employee's 'permission to use' the computer and the employee has violated ' or 'exceeded' ' those limitations.” Id. at 787 (emphasis in original).

Importantly, the Ninth Circuit's decision in Nosal clarified its earlier opinion in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which widely had been viewed by courts as standing for the proposition that just because employees are authorized to access their employers' computers, they cannot access these computers without authorization or exceed their authorized access, and an employer therefore cannot assert a CFAA claim against an employee who steals information from his or her employer's computers. The court in Nosal distinguished Brekka by noting a “substantial factual distinction” ' “[t]he employee in Brekka had unfettered access to the company computer” without a written agreement or published guidelines prohibiting transmission of company documents to personal computers. Id.

Lessons for Employers

So, what does this mean for employers looking to preserve for themselves a CFAA claim against an employee who steals the employer's electronically stored data? At a minimum, employers should develop and promulgate policies regarding employee access to and use of the employer's computer systems, employee access to the employer's computer systems, the employer's right to monitor employee computer access and usage, and imposing restrictions on employee usage of data in the employer's computer systems. Any such policy should:

• Specify the terms on which the company grants employee access to its computer systems, and gives examples of improper conduct that will be deemed to exceed that access.
• Make clear that all data on the company's computer system is company property, and is to be used by employees only in connection with the performance of their job duties.
• Define what drives, folders, files and other data on the computer system employees have access to ' and what they do not.
• Prohibit employee alteration, disabling or circumvention of computer or network security features.
• Prohibit using another employee's log-in or password information to access the company's computer system.
• Communicate the employer's right to monitor employee access to and use of its computer system.
• Consistently be enforced, as a failure to do so could undercut the argument that employees' authorized access, and the purposes for which employees can use the employer's data, truly was limited.
• Be distributed to employees. Importantly, employees should be required to acknowledge, in writing, their receipt of the policy.
• Employers should also consider requiring employees with access to confidential and proprietary information to sign agreements regarding their access to and use of the employer's computer systems in connection with the confidential and proprietary information, and the employer's right to obtain injunctive and other relief for violations of the agreement.

Now ' Back to the Future

As for McFly Industries, although it did not have agreements in place with Marty and Doc, fortunately Strickland had advised the company at its inception to develop and promulgate a computer access and use policy. Employees were required to acknowledge in writing that they had received the policy, which clearly communicated to employees the terms on which employees were granted access to computer data for certain purposes, and the company's expectations for and restrictions on employee use of that data. Armed with this policy, McFly Industries was able to file a meritorious CFAA claim against Marty and Doc, greatly limiting their ability to help Biff Incorporated unfairly compete against McFly.

Christopher D. Durham, a member of this newsletter's Board of Editors, practices in Duane Morris' Philadelphia office in the area of labor and employment law. He advises clients on issues relating to employer-employee and management-union relations.

Imagine the following hypothetical (one most employers would agree constitutes a “nightmare scenario”), with apologies to “Back to the Future”: Your company, McFly Industries, which develops, manufactures and sells hoverboards, just celebrated its fifth anniversary after having its most successful year ever. In the highly competitive hoverboard industry, you have managed to beat the competition and grab a larger slice of the hoverboard market, surpassing your fiercest competitor, Biff Incorporated. This development is largely due to your company's development of the Flux Capacitor, which has given McFly Industries' hoverboard superiority over its rivals' boards, and allows it to reach top-end speeds (once clocked at 88 miles per hour in an unofficial test).

However, your elation is short-lived. Late on a Friday afternoon, you receive nearly identical e-mails from your top engineer, Doc, who was responsible for development of the Flux Capacitor, and Marty, your crack Sales Director, informing you they are resigning effective immediately. Then, over the weekend, you learn through industry sources that they are going to work for Biff, and may have been planning to go work for Biff Incorporated for some time. Even worse, on Monday your lawyer, Strickland, informs you that neither Doc nor Marty signed a non-competition or non-solicitation agreement, meaning they are free to compete against you virtually unfettered. You do some digging, and sure enough Marty and Doc have been sending e-mails to their personal e-mail accounts, which you suspect contain confidential McFly Industries information ' including files related to the Flux Capacitor ' that they will use to compete against you at Biff Incorporated.

Distraught, you turn to Strickland, who shares with you the only good piece of information you have heard all day: you may be able to use a federal law called the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ' 1030, to protect the
sensitive data and information stored on company computers that you believe Doc and Marty may have taken.

The CFFA

The CFAA is a federal criminal statute that outlaws, among other things, the theft and destruction of data in computer systems. In addition to its criminal provisions, the CFAA permits a company to bring a civil action for damages and injunctive relief against an employee or other individual who, under certain circumstances, steals information from the company's computers. See 18 U.S.C. ' 1030(g) (“Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”). The CFAA subjects to criminal liability any person who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ' information from any protected computer.” 18 U.S.C. ' 1030(a)(2)(C). The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. ' 1030(e)(6).

Accordingly, whether an employer like McFly Industries can bring a CFAA claim against a former employee like Marty or Doc usually depends on whether the employee obtained the employer's information by accessing its computer system: 1) without authorization; or 2) by exceeding the employee's authorized access. This issue is one with which federal courts have struggled, and its resolution bears significantly on whether or not employers can use the CFAA as an effective tool against employees.

In the Courts

Generally speaking, courts have taken two approaches. Some courts have construed the CFAA narrowly in the context of civil liability, taking the employee-friendly view that as long as the employee's actions in accessing information in the employer's computer system are consistent with the authorization to access the information previously granted to the employee, the employee does not violate the statute. Other decisions, however, take a broader, more employer-friendly view that an employee accesses a computer “without authorization” or “exceeds authorized access” when the employee does so in breach of his or her duty of loyalty to the employer, without a business purpose and/or in violation of computer access and use restrictions imposed by the employer.

Although a number of courts have adhered to the narrower construction, several decisions issued by federal Courts of Appeal in the past few years suggest that the trend is moving toward the broader view, making the CFAA a truly viable option for employers aggrieved by employee data theft. This article focuses on this latter group of cases.

The Narrow View of Employee Liability Under the CFAA

As CFAA jurisprudence has evolved, many district courts around the country have been unwilling to impose liability on employees who steal information from computer systems to which their employers granted them access. Typically, these courts have reasoned that because the employee was authorized to access the computer system, information taken by the employee could not have been without authorization or exceeded the employee's authorized access. See, e.g., Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 U.S. Dist. LEXIS 50833 (E.D. Pa. July 13, 2007) (the phrase “without authorization” only reaches conduct by outsiders who do not have permission to access a computer in the first place because the CFAA targets “the unauthorized procurement or
alteration of information, not its misuse or misappropriation”); Shamrock Foods Co. v. Gast , 535 F. Supp. 2d 962 (D. Ariz. 2008) (dismissing an employer's CFAA claim against a former employee who acquired confidential information prior to resigning employment for a new position with a competitor, where employee was authorized to initially access the computer and was permitted to view the specific files he e-mailed to himself). For the most part, these courts believe the CFAA is intended to target “outside, third parties or other 'high-tech' criminals,” not the “rogue employee.” Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC , 600 F. Supp. 2d 1045, 1049 (E.D. Mo. 2009).

Recent Circuit Court Cases Suggest a Broader View

However, there has been an unmistakable trend in recent years at the Circuit Court of Appeal level suggesting that courts are willing to take a more expansive view of employee liability, particularly when employees “exceed authorized access” to employer computers. Although many of these decisions arise in the context of criminal convictions, the CFAA statutory provisions at issue are identical (or use identical language), and the decisions and their underlying rationale can be translated to civil actions. Furthermore, even within the context of a broader view of employee liability, the courts take different approaches that are instructive for employers contemplating a CFAA claim to combat a former employee's data theft.

Employee Agency As Authorization

The Seventh Circuit's decision in International Airport Centers, L.L.C. v. Citrin , 440 F.3d 418 (7th Cir. 2006), is viewed as being at the vanguard of a broader approach to employee liability amongst federal courts of appeal. In Citrin, the defendant former employee permanently deleted company data from a company-provided laptop, as well as data that would have revealed that he engaged in improper conduct, before he resigned to go into business for himself in violation of his employment contract. Relying on the duty of loyalty the employee owed to his employer, Judge Richard A. Posner held that the employee had accessed a computer without authorization in violation of the CFAA, because “his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit [the employer] in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer.” Id. at 420. See also Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc. , 119 F. Supp. 2d 1121 (W.D. Wash. 2000) (holding that an employer could assert a CFAA claim based on its employee's e-mail transmission of the trade secrets and proprietary information to a competitor; because the employee was acting as an agent for the competitor, he had lost his authorization to access the computers and information).

Citrin takes perhaps the broadest view of employee liability, because it posits that an employee who is acting contrary to the interests of his or her employer when accessing the employer's computers is not “authorized” to do so, regardless of any employer policies or other safeguards.

Access Lacking a 'Business Purpose'

Two recent cases provide slightly narrower, yet still broad, approach to defining conduct that “exceeds authorized access” ' computer access that is without a business purpose.

In United States v. Tolliver, No. 10-3439, 2011 WL 4090472 (3d Cir. Sept. 15, 2011), the Third Circuit upheld the conviction of a bank employee for unauthorized access of a financial record under a different section of the CFAA, 18 U.S.C. ' 1030(a)(2), which in this case required proof that the employee “exceed[ed] authorized access” to a computer “and thereby obtain[ed] ' information contained in a financial record.” The convicted employee had accessed bank customers' accounts and provided information to others who carried out the fraudulent scheme. In upholding the conviction, the court held that there was sufficient evidence to establish that the employee exceeded her authorized access because she intentionally accessed the bank customers' accounts and “she did not have a business purpose to do so.”

Similarly, the Eleventh Circuit upheld the CFAA conviction of an employee of the Social Security Administration for exceeding his authorized access to his employer's computer system. United States v. Rodriguez , 628 F.3d 1258, 1263 (11th Cir. 2010). The defendant had used his access to obtain personal contact information of ex-girlfriends and other women in whom he had a romantic interest, and used that information to send them flowers or show up unannounced at their homes. In holding that Rodriguez exceeded his authorized access, the court specifically noted that his employer told him “that he was not authorized to obtain personal information for non-business reasons.” Id. at 1263.

Employee Policies and Agreements Limiting Access

However, the direction in which case law is most likely to head is reflected in the growing recognition by courts that employers can define the boundaries of authorized access, and position themselves to take advantage of the CFAA should the unfortunate need arise, by promulgating policies and employee agreements that delineate clearly the scope of employees' authorization to access and use the employer's computer data.

For example, in United States v. John , 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit upheld the CFAA conviction of a bank employee who used the bank's computer system to access customer account information, and then passed the account information along to others who incurred fraudulent charges on
customer accounts. The court held that the defendant exceeded her authorized access to the information because, among other things, the purpose for which she accessed the information was contrary to the bank's employee policies, of which, the court noted, the employee was aware.

Nosal

Along the same lines, the most recent example of the growing trend toward a broader view of employee liability under the CFAA is the Ninth Circuit's opinion in United States v. Nosal , 642 F.3d 781 (9th Cir. 2011) (author's note: the court has granted an en banc rehearing of its decision). In Nosal, the court held that an employee “exceeds authorized access” under the CFAA when he or she “obtains information from the employer's computer and uses it for a purpose that violates the employer's restrictions on the use of the information.” Id. at 782.

Mr. Nosal was a former executive of an executive search firm who left to start a competing business, and who recruited three employees of the search firm to transfer to him confidential information through their user accounts in the search firm's computer system.

The court held that because the search firm had in place clear computer access and use restrictions, Nosal's violation of those restrictions (and that of his accomplices) constituted conduct that “exceeds authorized access” in violation of the CFAA. The court specifically held that “the only logical interpretation of 'exceeds authorized access' is that the employer has placed limitations on the employee's 'permission to use' the computer and the employee has violated ' or 'exceeded' ' those limitations.” Id. at 787 (emphasis in original).

Importantly, the Ninth Circuit's decision in Nosal clarified its earlier opinion in LVRC Holdings LLC v. Brekka , 581 F.3d 1127 (9th Cir. 2009), which widely had been viewed by courts as standing for the proposition that just because employees are authorized to access their employers' computers, they cannot access these computers without authorization or exceed their authorized access, and an employer therefore cannot assert a CFAA claim against an employee who steals information from his or her employer's computers. The court in Nosal distinguished Brekka by noting a “substantial factual distinction” ' “[t]he employee in Brekka had unfettered access to the company computer” without a written agreement or published guidelines prohibiting transmission of company documents to personal computers. Id.

Lessons for Employers

So, what does this mean for employers looking to preserve for themselves a CFAA claim against an employee who steals the employer's electronically stored data? At a minimum, employers should develop and promulgate policies regarding employee access to and use of the employer's computer systems, employee access to the employer's computer systems, the employer's right to monitor employee computer access and usage, and imposing restrictions on employee usage of data in the employer's computer systems. Any such policy should:

• Specify the terms on which the company grants employee access to its computer systems, and gives examples of improper conduct that will be deemed to exceed that access.
• Make clear that all data on the company's computer system is company property, and is to be used by employees only in connection with the performance of their job duties.
• Define what drives, folders, files and other data on the computer system employees have access to ' and what they do not.
• Prohibit employee alteration, disabling or circumvention of computer or network security features.
• Prohibit using another employee's log-in or password information to access the company's computer system.
• Communicate the employer's right to monitor employee access to and use of its computer system.
• Consistently be enforced, as a failure to do so could undercut the argument that employees' authorized access, and the purposes for which employees can use the employer's data, truly was limited.
• Be distributed to employees. Importantly, employees should be required to acknowledge, in writing, their receipt of the policy.
• Employers should also consider requiring employees with access to confidential and proprietary information to sign agreements regarding their access to and use of the employer's computer systems in connection with the confidential and proprietary information, and the employer's right to obtain injunctive and other relief for violations of the agreement.

Now ' Back to the Future

As for McFly Industries, although it did not have agreements in place with Marty and Doc, fortunately Strickland had advised the company at its inception to develop and promulgate a computer access and use policy. Employees were required to acknowledge in writing that they had received the policy, which clearly communicated to employees the terms on which employees were granted access to computer data for certain purposes, and the company's expectations for and restrictions on employee use of that data. Armed with this policy, McFly Industries was able to file a meritorious CFAA claim against Marty and Doc, greatly limiting their ability to help Biff Incorporated unfairly compete against McFly.

Christopher D. Durham, a member of this newsletter's Board of Editors, practices in Duane Morris' Philadelphia office in the area of labor and employment law. He advises clients on issues relating to employer-employee and management-union relations.