Small Business: Computer Fraud and Abuse Act
April 5, 2010
By Philip I. Frankel, Small-Biz Focus, March/April 2010
The current economic climate has forced many companies to reduce their workforces, leaving behind some disgruntled former employees. This has made the safety of business information an increasingly prominent issue for companies. Fortunately, the Computer Fraud and Abuse Act ("CFAA") holds employees liable for accessing a company's computer system without authorization in order to obtain information for seeking a competitive advantage.
Liability attaches to anyone who: (1) knowingly and with the intent to defraud; (2) accesses a protected computer system; (3) without or in excess of authorization; and thereby (4) furthers the intended fraud and obtains any valuable information; causing (5) a one-year loss of at least $5,000. Under the CFAA, employers can seek compensatory damages and equitable relief. Employers must bring a CFAA action within two years from the date of the violation or the date that actual damage is discovered. Additionally, a CFAA violation may constitute a criminal act under state and federal laws.
The most elusive element of a CFAA claim is proof that a party accessed a computer system without authorization. The courts are split on what constitutes "authorization." One line of cases interprets the CFAA narrowly as only reaching conduct by an employee who did not have permission and hacked into a company's computer system. These courts hold that the CFAA does not apply to the misuse of information obtained with permission. For example, in LVRC Holdings, LLC v. Brekka, a marketing employee did not violate the CFAA by sending emails containing company financial and marketing information to his personal computer, because he was authorized to access the computer he used.
Conversely, other courts view the scope of the CFAA as expansive, and hold an employee liable if he or she obtained proprietary information from an employer's computer and used that information to gain a competitive advantage, regardless of permission status. This is further bolstered by the fact that such use of company information violates the employee's contractual or fiduciary duties. In EF Cultural Travel BV v. Explorica, Inc., the court upheld a CFAA claim against employees who collected pricing information from a server in order to undersell their former employer.
Thus, it is critical for employers to take steps to avoid computer security breaches and the misuse of valuable business information on their computer systems. As a matter of policy, all employers should:
- Review current computer policies, or develop them if none exist. Define what constitutes an acceptable use of business information.
- Consider prohibiting employees from transmitting all or certain business information to personal devices.
- Review computer security protections. Develop a system for identifying unauthorized access to business information.
- Require employees to sign confidentiality agreements requiring that they protect certain business information.
- Monitor and, where possible, limit employees' access to sensitive business information.
- Revise termination notices and exit letters to rescind previous authorization for computer access. Manage password accounts to insure that former employees are prohibited from accessing the system immediately upon termination or resignation.