What if a former employee downloads confidential information (customer lists, pricing information, etc.) from your computer system and uses it to lure your customers away? Among the laws at your disposal is the Computer Fraud and Abuse Act (“CFAA”). Although principally a criminal statute intended to combat computer hacking, the CFAA allows a civil lawsuit against someone who obtains information from another’s computer “without authorization.”
Let’s change the scenario slightly. What if a current employee downloads your sensitive business information to his personal computer, resigns, goes to work for your arch-competitor, and then uses that information to pirate your business? Do not count on the CFAA to provide a remedy for that blatant misappropriation. In WEC Carolina Energy Solutions, LLC v. Miller, the federal appeals court with jurisdiction over Maryland, Virginia and other mid-Atlantic states narrowly construed the CFAA in a way that does not always reach even egregious misappropriation by current employees.
In this case, Miller worked for WEC as a project director and resigned to go to work for a competitor, Arc Energy. Before he quit, Miller allegedly downloaded to his personal computer WEC’s confidential information, which he used to make a presentation to a potential customer after he quit. That customer selected Arc Energy over WEC. WEC sued Miller under the CFAA for misappropriating the confidential information from its computer system. WEC established that it had a policy prohibiting employees from misusing confidential information or downloading it to a personal computer. WEC, however, did not restrict Miller’s authorization to access its confidential information.
The court ruled that the CFAA was designed to target unauthorized “access” to computer information, not unauthorized “use” of that information. As a result, the court decided that the CFAA only applies when an individual “accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.” The CFAA did not apply to Miller’s actions because WEC had given him authorization to access the information he took – the fact that he misused that information in violation of WEC’s policies did not implicate the CFAA.
Although the court candidly noted that its decision “will likely disappoint employers hoping for a means to reign in rogue employees,” the CFAA door is not completely shut to combat hacking by current employees. Depending on the content of your policies, the decision leaves room for an argument that the CFAA applies if a current employee downloads your information for the benefit of a third party.
In this regard, in addition to standard “use and access” restrictions, computer policies should specifically emphasize that employees have no authorization to access company data on behalf of outsiders. That way, if a miscreant employee who has broad computer access shares your confidential information with a third party, there may be an argument that he has exceeded the scope of his authorized access under the CFAA. The entity on whose behalf the employee obtained the information might also be on the hook under an agency theory. Because the court relied on WEC’s internal policies to define the contours of what constitutes “authorized” access to its computer data, employers should review and tighten their computer use and access policies. Even if the CFAA does not apply to a particular employee’s computer hacking, however, there are common law causes of action potentially available to provide relief. Under those causes of action as well, your computer use and access policies will play a central role.