Courts Address When an Alleged Employee Hacking Is a Crime

Notwithstanding these two cases, employees have elsewhere found success in defeating CFAA accusations often by arguing that they did not access a database or other proprietary information without authorization because their login credentials had yet to be revoked.

As surveyed below, results have been mixed for employees accused of hacking into the databases of their own companies, competitors and potential business partners. This article discusses three recent cases in this area of law, including cases involving: whether theft of intangible property that is not trade secret protected can constitute the common law tort of conversion; if working to remedy an alleged security breach is an adequate showing of “loss” under the CFAA; and if allegations stemming from a software hack are sufficiently related to a separate non-disclosure agreement so as to invoke its forum selection clause.

Can an Alleged Hacker Be Liable for Converting Intangible Property?

Intangible property is broadly defined as “something of individual value that cannot be touched or held” and can include “any item of net worth that is not physical in nature. Such property includes trademarks, copyrights and even goodwill.

In late June of this year, the Supreme Court of Arkansas decided Integrated Direct Marketing v. May, — S.W. 3d —-, 2016 WL 3568569 (Ark. 2016), which presented a matter appearing to be of first impression as to whether intangible property, standing alone and not deemed a trade secret, could be converted in violation of the common-law tort. This court has defined conversion as “the exercise of dominion over property in violation of the rights of the owner or person entitled to possession.”

The plaintiff, which provided custom data solutions and advice on “data intelligence,” sued its former employee and his current employer for conversion after the former employee allegedly copied to his personal hard drive more than 300 files containing confidential and proprietary information. A federal district court granted summary judgment for the defendants on all of the plaintiff's resulting claims that alleged, inter alia, breach of contract, breach of fiduciary duty and violation of state statutory trade secret protections, except for a conversion claim under Arkansas law. It certified the question to the Supreme Court of Arkansas of whether intangible property, such as electronic data, standing alone and not constituting a trade secret, can be converted.

This court answered in the affirmative. Without “controlling precedent on this issue,” it cited favorably the Ninth Circuit's decision in Kremen v. Cohen, 337 F.3d 1024, 1034 (9th Cir. 2003), (http://bit.ly/2bwp0NU), which held that an Internet domain name could be intangible property that serves as a basis for conversion claim, and also observed that “it would be curious jurisprudence that turned on the existence of a paper document rather than an electronic one.” Id. The Arkansas court adopted the logic of the Ninth Circuit and concluded that there is “simply no reasonable basis for allowing a claim for conversion of paper documents but not for their electronically stored counterparts.”

Does 'Working Exclusively' on Remedying a Former Employee's Data Breach Constitute Loss?

In Custom Packaging Supply v. Phillips, 2016 WL 1532220 (C.D. Cal. April 15, 2016), the defendants included former employees of the plaintiff alleged to have downloaded proprietary designs and other confidential information to compile an “illegal library” and pass it on to their new employers.

The plaintiff's federal cause of action arose under the CFAA (separately, the court dismissed the state claims due to an absence of supplemental jurisdiction under 28 U.S.C. ' 1367(c)). A mandatory element of a justiciable CFAA civil claim is “damage or loss.” In the instant case, the plaintiff averred that it suffered sufficient “loss” because its employees worked to remedy the alleged data breach for roughly a week, “forcing other projects and customer needs to be ignored.” The court rejected this invocation of “lost business opportunities” as a sufficient loss, and since the plaintiff did not otherwise allege that its computer systems were damaged, the defendants' motions to dismiss were granted.

Interpreting a Forum Non Conveniens Defense in a Software Hacking Case

Like the other cases discussed in this article, In re Orange, 818 F.3d 956 (9th Cir. 2016) (http://bit.ly/2bM0xAl), involves litigation against the plaintiff's former employees and competitors for injuries arising from an alleged hack (including those redressable by the CFAA and analogous state-law claims). The parties began to negotiate the forming of a partnership, which included non-disclosure agreements (NDAs), that looked into building technology that would enable phone calls between users of social media without the need for telephone numbers.

The nascent relationship soon went downhill, and the plaintiff later sued in federal court in California alleging that the defendants had used “fictitious names” to hack into the plaintiff's application, and thereby obtain information about the plaintiff's platform.

The defendants, a French company and its employees, moved to dismiss on grounds of forum non conveniens on the theory that the forum selection clause in the NDA mandated that any litigation between the parties occur in France. After this defense failed in the trial court, the defendants sought a writ of mandamus to the Ninth Circuit that would compel dispute resolution in France. The writ was denied and the Ninth Circuit affirmed on the grounds that the CFAA and related claims that arose from allegations of defendants' hacking was not covered by the NDA, which pertained instead to discussions of the potential business relationship.

Richard Raysman is a Partner at Holland & Knight. Peter Brown is the principal at Peter Brown & Associates. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).