Almost daily, we hear about cyber attacks on big businesses and government agencies. But the attacks are not isolated to the big entities. Your business’s most valuable trade secret information more than likely resides in an electronic database that is vulnerable. Yet probably the greatest threat to that database may come from within: your own employees.
It is easy to move electronic files, and in a fluid economy in which your employee may have an opportunity to jump ahead by joining a competitor, the temptation to take data for use in future employment may be particularly strong. Historically, many employers have relied on employment contracts to protect confidential information and trade secrets. Unfortunately, too frequently, these contracts are drafted so broadly with respect to the sections aimed at protecting confidential information that those provisions are of limited value at best.
The good news for employers (at least those who can bring suit in federal courts in the Seventh Circuit) is that they have another, and arguably more powerful, weapon against theft of trade secrets and other confidential information. It is the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (2004) (“CFAA”).
Making a CFAA claim
The CFAA essentially punishes anyone who accesses a computer without authorization to take various unlawful actions, such as stealing or deleting information stored on the computer. Although the CFAA was originally enacted to punish remote computer hackers, it is increasingly being used by employers as a way to pursue departing employees — and their new employers — who steal or delete information before departing or access it after they leave.
To state a claim under the CFAA, the plaintiff-employer must show that the departing employee accessed a “protected computer” (i.e., one that was used to access the Internet) without authorization and took, deleted or performed some other action with respect to information stored on that computer. The Seventh Circuit has held that access is unauthorized for the purposes of the CFAA if the employee acts contrary to the employer’s interest.
For example, employers have brought suits under the CFAA against departing employees who stole information from employer computers to use in a competing business or who deleted incriminating information from employer computers before departing. Remedies available to the plaintiff-employer include injunctive relief and monetary damages, as stated in 18 U.S.C. § 1030(g).
There are several benefits of bringing a claim under the CFAA in addition to or instead of traditional contract and trade secret theories of recovery. First, the plaintiff-employer does not need to establish that the stolen information constitutes a “trade secret” under applicable state law to prevail under the CFAA. The misappropriated or deleted information may be confidential to an employer and not be protectable as a “trade secret” under state law, and yet the employer can still prevail under CFAA. For example, under Illinois law, client lists and customer contact information typically do not amount to trade secrets because the information can be discovered from sources outside the company.
To prevail under CFAA, the employer does not need to rely on a non-disclosure agreement to establish a claim. Employee restrictive covenants, including non-disclosure agreements, may pose challenges to enforcement, especially when the consideration for such agreements is supported exclusively by at-will employment. But the duration of a departing employee’s employment is irrelevant to CFAA claims.
Technological advances have made stealing electronically stored information easier. Fluid employee mobility has increased the frequency of theft and deletion of information by departing employees. Forewarned is forearmed, and employers may be able to combat theft or damage inflicted by employees on their way out by reminding employees of the consequences of conduct that would violate CFAA.
Employers need to take measures to cut off access to their databases and to preserve evidence for a reasonable period of time. In other words, do not rush to pass on the departing employee’s laptop or desktop computer — you may corrupt evidence of the departing employee’s theft or misconduct. Employers should be aware of all of their legal remedies, including the CFAA, when faced with a departing employee who steals confidential information.