|
The
Computer Fraud and Abuse Act (CFAA) was passed by the U.S. Congress in
1986 to apply criminal penalties for damage or destruction of data on
government computer systems caused by outside “hackers” and others with
“unauthorized access” to those systems. Amendments since its initial
passage have greatly increased the CFAA’s scope and penalties. The CFAA
now applies to any “protected computer” (defined to include any computer
used in foreign or interstate commerce) so computer systems used by most
businesses are protected by the law. In addition, the “unauthorized
access” requirement was expanded so the CFAA also applies to a company’s
employees, consultants and other “insiders” who “exceed authorized
access” to damage or destroy computer data. Most importantly, civil
enforcement powers were added so companies can use the CFAA to sue
insiders or outsiders who damage or destroy the company’s computer
system or its data if the company’s damages exceed $5,000 in any
one-year period (including costs to restore or replace data and update
computer security as well as lost revenue and losses from interruption
of service).
Simply
pressing a “delete” or “erase” key on a company’s computer does not
trigger enforcement under the CFAA. The CFAA makes it unlawful to
“knowingly cause the transmission of a program” to intentionally damage
a company’s computer or its data. However,
courts have afforded companies protection under the amended CFAA by
giving it a broad interpretation.
For
example, federal court opinions have applied the CFAA to theft of a
company’s confidential information or trade secrets in computer data
format when it is “transmitted” to an outside party by an insider who
does not have authorized access to the company’s computer system. These
court opinions have sustained claims under the CFAA against employees
who accessed a current employer’s computer system and “transmitted”
confidential information to a new employer via e-mail before
officially leaving their employment with the current employer. The
employees argued they had authorized access to the current employer’s
computer system as long as they remained employees, but the courts held
the employees lost or exceeded their authorized access when they began
acting as agents for a new employer.
A recent
decision from the Seventh Circuit U.S. Court of Appeals shows how the
CFAA can apply to a departing employee who destroys data on the
company’s computer system without trying to take the data with him or
send it to his new employer, even if the data does not qualify as a
trade secret or confidential information. In International Airport
Centers, L.L.C. vs. Citrin, the employee was going into business
for himself and, before leaving the company’s employment, deleted all
data on the laptop computer the employer provided for his use. The
data he deleted included valuable information about the employer’s
current and prospective business deals as well as data showing the
employee engaged in wrongful conduct while working for the company.
After deleting the data, the employee installed and ran a
“secure-erasure” software program on the laptop that made it impossible
for the employer to recover any of the deleted data.
The
lower court in Citrin held the employee’s conduct was not covered
by the CFAA because simply deleting or erasing files was not a
“transmission” covered by the law. The Court of Appeals reversed the
lower court and held the employee lost or exceeded his authorized access
to the company’s computer when he engaged in wrongful conduct and
decided to destroy files that belonged to the employer or exposed his
wrongful conduct. The Court of Appeals also held the employee
“transmitted” a program intended to damage the employer’s computer or
its data, within the meaning of the CFAA, when he installed and ran the
secure-erasure software program on the laptop to prevent the employer
from recovering data that belonged to it.
The
Citrin decision and other court opinions applying the CFAA offer
valuable advantages and lessons for employers wanting to guard against
wrongful conduct by departing employees. If violations occur, employers
can bring CFAA actions against disloyal employees even if there is no
confidentiality or non-compete agreement with the employee, and
available remedies include both damages and injunctive relief. To avoid
violations, employers may want to educate employees on the CFAA and the
consequences of violating it, and establish policies prohibiting the
downloading or installation of any software or hardware with the
intention or ability to damage the company’s computer system or its
data.
For
questions about this Employer Alert or assistance with policies
concerning use of a company’s computer system or other matters involving
departing employees, please contact
Louis Meyer at
lmeyer@poynerspruill.com or 919.783.2810 or
Susie Gibbons at 919.783.2813 or
sgibbons@poynerspruill.com. |
