May 16, 2012

Decision may limit claims of employee computer fraud

By: Kimberly Atkins

Staff writer

A recent 9th Circuit decision has cast doubt on a tool that is increasingly being used by employers to go after employees who use confidential information from company computer systems.

The Computer Fraud and Abuse Act provides for criminal and civil penalties against an employee who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

But the 9th Circuit case makes it tougher for employers to use the Act, and creates a circuit split that could send the issue to the U.S. Supreme Court to decide.

More recourse

In recent years employers have ramped up their use of CFAA claims, often in conjunction with more traditional breach of contract claims.

The value of a claim under the Act is that injunctive relief is available, which allows employers to stop former workers from using improperly-accessed information for their own benefit and to the detriment of the employer, said Amy K. Jensen, partner in the San Francisco office of Hinshaw & Culbertson.

“That may give the employer some recourse” where a contract claim may not, Jensen noted.

The Act has other advantages. It establishes federal jurisdiction, and provides for damages beyond what could be recovered in a traditional breach-of-contract action.

The statute allows the recovery of “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

What that means, said Brian P. Bialas, an associate in the Boston office of Foley Hoag, is that “if your computer system is down for a period of time because you have this breach and you have to investigate it, the costs of that are recoverable under the CFAA.”

In addition, in cases where the government brings criminal CFAA claims, a conviction can later be used as evidence in civil actions by an employer.

Hackers only

In U.S. v. Nosal, the government indicted a man for allegedly using his log-in credentials to download source lists, names and contact information from a confidential database on his employer’s computer to use to start his own business. The employee had been authorized to access the database, but his employer had a policy that forbade disclosing confidential information.

An en banc panel ruled that the Act was meant to address computer hacking, or unauthorized access to computer data.

But in cases like this one, where an employee has “unrestricted physical access to a computer, but is limited in the use to which he can put the information,” the statute does not apply, the court concluded.

To hold otherwise “would expand [the law’s] scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer,” the court said. “This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”

The decision stands in stark contrast to other federal courts’ interpretation of the statute. Back in 2001, for example, the 1st Circuit ruled in EF Cultural Travel BV v. Explorica that CFAA claims can be brought against former employees who violate the terms of a confidentiality agreement.

The 5th, 8th, and 11th Circuits have ruled similarly, allowing CFAA claims in cases where employers claim contractual breaches of confidentiality or computer use agreements.

For attorneys practicing in the 9th Circuit, or with clients who have West Coast offices, the Nosal ruling is a profound change.

The decision means that an “airtight electronic communications policy” isn’t enough, said Jensen. She noted that not only was such a policy in place in the Nosal case, but workers were also reminded of the policy via a pop-up message whenever they access the company’s computer system.

“We have to help our clients understand that an airtight policy is not going to mean [the courts] will come down on your side,” said Jensen, although such are still important in order to preserve contract and tort-based remedies.

Bialas said he has seen an increased number of employees citing Nosal as persuasive authority.

Despite the reputation of the 9th Circuit is being liberal-leaning, the Nosal opinion was authored by noted conservative Judge Alex Kozinski.

“He’s a well-respected jurist among the circuits,” Bialas said.

Since the heart of the circuit split involves different interpretations of the meaning of “exceeds authorized access” under the statute, the issue may need to be resolved in Washington.

“Congress or the Supreme Court will have to step in and clear up that ambiguity if some exists,” Jensen said.

Questions or comments can be directed to the writer at: