Electronic theft by employees is increasing at an alarming rate. Three recent decisions now provide important new guidance to employers when attempting to deter theft through limiting authorized use, surveillance, and contract clausesprotecting intellectual property.
One impact of the recession is that U.S. businesses are reporting increased employee theft. In a study conducted by the Security Executive Council quoted in a recent issue of the Harvard Business Review (HBR July–August 2009, p. 105), during the past year 44% of the companies polled reported increases in property theft, 43% reported increases in fraud, and 19% reported increases in intellectual property theft.
The following is a summary of three recent cases that provide guidance to employers on steps they can, and cannot, take to deter employee theft in the electronic age.
Summary of recent case developments
1.When is employee computer access “unauthorized” and therefore actionable under the Computer Fraud and Abuse Act?
Enacted as a tool for the government to target computer hackers who disrupt computer functionality and steal information from computers, the Computer Fraud and Abuse Act (“CFAA”) also provides for civil private rights of action for damages. The CFAA can provide a remedy if former or current employees steal information from company computers. However, in LVRC Holdings LLC v. Brekka, 2009 U.S. App. LEXIS 20439 (9th Cir. 2009) the court recently held that an employee who e-mails his employer’s confidential documents to his home for alleged wrongful purposes is not necessarily liable for damages to his employer under the CFAA. In doing so, the Ninth Circuit has taken a position contrary to a 2006 Seventh Circuit decision.
The CFAA can be a particularly useful tool for companies seeking to protect company information that may not rise to the level of “trade secrets” protected under state law. The CFAA prohibits the misuse or intrusion into company information that is not necessarily confidential. Companies seeking to protect such information can sometimes be limited by state trade secret laws, and rely on the CFAA to bring actions against acts of theft that may be just as damaging as the theft of legally recognizable trade secrets. The CFAA also allows companies to invoke federal court jurisdiction for their claims where such jurisdiction may be more advantageous than state court jurisdiction.
In LVRC Holdings, the plaintiff employer (“LVRC”) filed an action against its former employee, Christopher Brekka (“Brekka”), for allegedly violating the Computer Fraud and Abuse Act (CFAA) by accessing LVRC’s computer “without authorization” both during his employment and after he left the company. LVRC operated a residential treatment center for addicted persons in Nevada. Part of Brekka’s job was to conduct internet marketing programs and help with e-mail, website, and related services. Brekka also operated a consulting business that obtained and provided referrals for addiction rehabilitation services. LVRC assigned Brekka a computer at his office. Brekka commuted between his home in Florida and Nevada.
A year after his employment with LVRC commenced, Brekka and LVRC entered into negotiations regarding Brekka’s purchase of an ownership interest in LVRC. During the period of those negotiations Brekka e-mailed company documents to himself and his wife, including financial statement for LVRC, LVRC’s marketing budget, a list of past and current patients, and other information relating to LVRC. Those negotiations eventually broke down, and Brekka subsequently ceased working for LVRC. Brekka left his work computer at LVRC and did not delete his e-mails from his computer. After Brekka left LVRC, another employee discovered that someone was still accessing LVRC ’s website using Brekka’s administrative login and password. LVRC concluded that it was Brekka who had used Brekka’s LVRC password. During the course of its investigation into that situation, LVRC discovered that Brekka had sent some important company information to himself and his wife while employed with LVRC.
LVRC filed suit in federal court claiming, among other things, that Brekka violated provisions of the CFAA when he e-mailed documents to his and his wife’s personal computer while employed with LVRC and continued to access the website after his employment ceased. However, the district court granted summary judgment in favor of Brekka, and the Ninth Circuit affirmed. Regarding LVRC’s claim that Brekka had accessed LVRC’s computer after his employment was terminated, the Ninth Circuit determined that there was simply not enough evidence to create a triable issue of fact as to whether Brekka was the employee who logged in to the company’s website. Regarding LVRC’s claim that Brekka violated the CFAA when he e-mailed documents to himself during his employment, the Ninth Circuit held that Brekka’s conduct did not violate the CFAA because the sections of the CFAA under which the claims were brought require proof that the alleged wrongdoer was “not authorized” to access the computer. The court found that Brekka was in fact “authorized” to access to LVRC’s computer at the time he sent LVRC’s data to his home computer, and on that basis affirmed the district court’s opinion.
In finding that LVRC had failed to prove that Brekka was not authorized to access the company computer during his employment, the Ninth Circuit declined to follow the decision of the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), that an employee loses authorization for purposes of the CFAA when he acts “contrary to the employer’s interest.” The Seventh Circuit cited common law agency principles to find that an employee breached his duty of loyalty to his employer when he destroyed computer files in violation of company policy. That breach resulted in a termination of the agency relationship with his employer, and his authority to use the computer was rescinded by the breach. In rejecting the Seventh Circuit’s argument, the Ninth Circuit concluded that nothing in the common usage of the term “authorization” supports a finding that authorization is automatically revoked when an employee exceeds the scope of the authorization given. The Ninth Circuit did not appear to consider that exceeding the scope of authorization would logically put the employee in an unauthorized position. Instead the Ninth Circuit held that the employee “remains authorized to use the computer even if the employee violates those limitations.” It further found that “[i]t is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’” The court opined that employers must affirmatively rescind permission in order to destroy previously given authority.
The Ninth Circuit noted that LVRC did not promulgate employee guidelines or execute a written employment agreement prohibiting employees from e-mailing documents to personal computers. Although it is unclear whether this would have been a decisive factor in the court’s opinion to disallow LVRC’s claims under the sections 1030(a)(2) and 1030(a)(4) of the CFAA, it certainly appears that such guidelines and/or agreement would be persuasive evidence on the subject of authorization.
Following LVRC, at least in the Ninth Circuit, employers should implement a thorough computer and business systems policy that clarifies the limits of employees’ authorized access. With such policies in place, employers can better protect their proprietary information and potentially obtain compensatory damages, injunctive relief, and other equitable relief when employees violate those policies.
It is critical to note that the LVRC Holdings decision only impacts claims under sections 1030(a)(2) and 1030(a)(4) of the CFAA, which include the requirement that the plaintiff prove that the computer access was “without authorization.” As to those sections, the court specifically suggests that companies can overcome the legal hurdle encountered by LVRC by creating policies and procedures that expressly delineate the scope of “authorized” company access. Regarding post- employment use of company computers by a former employee, it is important to note that the Ninth Circuit opined that had there been enough evidence, there would be “no dispute” that Brekka acted without authorization.
2.Has the California Supreme Court expanded an employer’s ability to videotape its employees?
California, like a number of other states, specifically prohibits surveillance in certain private areas such as restrooms, locker rooms, or changing rooms. See Cal. Lab. Code § 435; N.Y. Gen. Bus. Law § 395-b; Conn. Gen Stat. § 31-48(b). While some states permit such surveillance with proper notice, California prohibits the practice outright. Id. On the other end of the spectrum, an employer may legally videotape its employees in public or semi-public employment settings without violating their right to privacy. See Sanders v. American Broadcasting Co., 20 Cal. 4th 907, 923 (1999).
The California Supreme Court has recently issued a new, perhaps surprising, decision in Hernandez v. Hillsides, 47 Cal. 4th 272 (2009), on this subject.
In Hernandez, the defendant employer operated a private nonprofit residential facility for neglected and abused children, including the victims of sexual abuse. The defendant learned that an unknown individual repeatedly used a computer in an office shared by two employees to view pornographic websites after hours. In an attempt to discover the unknown person, the employer installed a hidden camera in the office without notifying the two employees. The employer only operated the camera during a limited timeframe (once a week for three weeks), never recorded the employees, and only operated the camera after working hours in an attempt to discover the unknown person. When the employees discovered the camera, they sued claiming the employer violated their right to privacy.
The trial court granted the employer’s motion for summary judgment, but the Court of Appeals reversed, finding triable issues as to whether 1) the employer intruded into a protected zone of privacy and 2) whether that intrusion was so unjustified and offensive as to constitute a privacy violation. The Supreme Court reversed and held that the trial court properly granted the motion for summary judgment. The court agreed with the Court of Appeals that there was an issue of fact as to whether the employees had a reasonable expectation of privacy. The court concluded that the employees had a reasonable expectation that their employer would not, without their prior consent, install video equipment in their office capable of monitoring and recording their personal and work related activities behind closed doors. The plaintiffs could only survive summary judgment, however, if an issue of fact also existed as to whether the intrusion was highly offensive to a reasonable person and sufficiently serious and unwarranted as to constitute an “egregious breach of social norms.”
The court noted that the employer had a strong justification to implement surveillance to protect the children residing on the premises and protect the company from legal liability. The court emphasized that the surveillance was very limited in timing and scope, prompted by legitimate business concerns, and the employees were never actually recorded. Thus, the court concluded that the invasion was not highly offensive as a matter of law and did not constitute an egregious violation of prevailing social norms.
Hernandez certainly lends some support for the use of video surveillance to deter or investigate theft, but a great deal of caution is in order here. This case only dealt with an employer’s decision to videotape employee’s workstations during non-working hours and in a limited way. The purported businesses need to protect children was also a strong factor in the outcome of the case, as was the fact that employees themselves were not videotaped. The court also seems to warn employees about engaging in the very conduct the court held did not violate the right to privacy as a matter of law: “Nothing we say here is meant to encourage such surveillance measures, particularly in the absence of adequate notice to persons within camera range that their actions may be viewed and taped.” In sum, advice of counsel should be sought before engaging in any video surveillance.
3.California’s “pro-competition” laws and intellectual property
For many years, the California legislature and judiciary have promoted employee mobility in the commercial sector by outlawing the use of covenants not to compete. A recent ruling from the United States District Court for the Northern District of California applies these “pro- competition” principles in a case involving an attempt to protect intellectual property. See Applied Materials, Inc. v. Advanced Micro-Fabrication Equipment (Shanghai) Co., No. 2007-5248 (N.D. Cal. 2009).
In Applied Materials, the corporate defendant hired the plaintiff’s former employees after they left their employment with the plaintiff. The plaintiff filed suit alleging misappropriation of trade secrets and related claims. The defendants brought a counterclaim alleging the employment agreements between the plaintiff and its former employees included an assignment clause that constituted an unenforceable non-compete agreement. The assignment clause gave the plaintiff ownership rights to all inventions the former employees described in patent applications or disclosed to third-parties for a period of one year after the conclusion of their employment with the plaintiff. The defendant moved for summary judgment on its counterclaim.
The District Court determined the assignment clause was overly broad in both subject matter and temporal scope. As to subject matter, the clause covered inventions that were based not on the company’s confidential information, but on independent research and development. As to temporal scope, the clause covered inventions even if they were conceived after the employment relationship ended. Therefore, the court held the assignment clause was invalid as a matter of law.
This ruling may well be appealed, but in the meanwhile, it provides guidance on how to structure employment agreements to protect an employer’s intellectual property even under California’s “pro-competition” laws. A clause requiring former employees to assign intellectual property to the employer will need to be narrowly tailored in time and scope.