In recent months, the courts have been putting new teeth into the Computer Fraud and Abuse Act. And with a little attention to detail, a company can make this law’s provisions a major arrow in the company’s quiver of competitive advantage protections.
The act provides civil and criminal penalties when an employee “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” There have been several recent criminal prosecutions under the act that have withstood appeals, and the act has been used successfully in civil proceedings as well. Take, for example, the recent Ninth U.S. Circuit Court of Appeals case of United States vs. Nosal, which reversed the dismissal of several counts of a criminal indictment and remanded for trial of allegations that Nosal, a former Korn/Ferry executive, enlisted other Korn/Ferry employees to obtain and transfer to Nosal trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. This case, however, makes clear that if a company wants to make use of the act, it should implement a computer use policy that will put its employees on notice that there are clear and conspicuous restrictions on the employees’ access both to the system in general and to certain databases. The policy should clearly delineate authorized from unauthorized use, including the information’s return upon termination of employment, and make clear to the employees that unauthorized use may result in civil and/or criminal prosecutions.