Effective October 1, 2015, Florida’s Computer Abuse and Data Recovery Act (Sections 608.801-668.805, Florida Statutes) (CADRA) provides a new remedy to employers and other businesses that suffer harm or loss due to unauthorized access to their computers or to information stored on their computers.
CADRA provides a civil cause of action for businesses actually harmed by an individual who knowingly, and with intent to cause harm, obtains information from a covered computer without authorization. In addition to monetary remedies and injunctive relief, CADRA allows a successful employer or business to recover attorney’s fees.
While criminal hacking and data breaches by third parties can occur and are the subject of extensive publicity, CADRA was passed to help businesses and employers respond to “inside jobs,” that is, unauthorized access to data by employees.
How it Works
Protection under CADRA requires that the business’s computer be a “protected computer” and that access have been effectuated by someone who is not an “authorized user.” This means that a business cannot seek protection for its data if the business does not take reasonable measures on its own to protect the data.
The law comes into play only if the information taken from a “protected computer” is taken “without authorization.” While it is unclear whether an employee who has the authority to access certain data at the time the data is accessed violates CADRA if they exceed their authority, it is clear that any authorized access terminates upon cessation of employment. Moreover, the owner of the information can expressly revoke an otherwise-authorized person’s access if the employee goes outside the scope of authority.
In litigation with employees, employers often discover that current or former employees retain information from the employer’s computer systems. For example, employees may email files and other company documents to their personal email addresses. In addition, employees can print sensitive or even routine documents from company computers and bring them home.
CADRA and its remedies and attorney’s fees provisions provide an opportunity for forward-thinking employers to gain leverage against their employees by counterclaiming against any employee who improperly takes employer data with them upon termination and fails to return such company data. An effective CADRA claim allows an employer to recover or offset the fees it expends seeking relief for a CADRA violation.
However, coverage under CADRA is not automatic. Employers first must put reasonable measures in place (“technological access barriers”) to restrict access to company computer data. Companies also should have clear policies spelling out what constitutes authorized access, what conduct is deemed improper and unauthorized access, and when the right to access is revoked.
Similarly, employers should monitor carefully any violation of their data access policies and make it clear that employees will be disciplined for any violations. Finally, companies should address violations in a consistent manner, and train human resources and IT personnel to spot possible violations and know how to respond when a violation occurs.
Employers should consider reviewing and revising their handbooks and policies and implementing an effective data access policy and appropriate technological access barriers. Please contact a Jackson Lewis attorney if you have any questions.