Following the recent Fourth Circuit opinion in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012), the issue of whether the Computer Fraud and Abuse Act (CFAA) applies to the actions of employees (as opposed to hackers) may end up at the Supreme Court. The Act provides both civil and criminal liability for a person who “exceeds authorized access” to obtain information. This is a significant issue because the possible criminal sanctions available under the CFAA could be a powerful option available to employers seeking to protect their confidential information from being stolen by disloyal employees and used by competitors.
In WEC Carolina Energy Solutions LLC v. Miller, an employee downloaded a significant amount of proprietary information from his employer’s network before resigning to join a competitor. In deciding whether the employee violated the CFAA, the U.S. Court of Appeals for the Fourth Circuit (MD, VA, WV, NC and SC) sided with the Ninth Circuit (AK, AZ, CA, HI, ID, MT, NV, OR and WA) in construing the provisions of CFAA narrowly, holding that an employee’s taking of information in violation of company policy did not violate the CFAA because the employee’s job gave him access to the information. In taking that narrow view, the Court declined to follow the Seventh Circuit (IL, IN, WI), which previously held that an employee loses his authority by using the computer contrary to the employer’s interests. The Seventh Circuit view is in line with the opinions of the First, Third, Fifth and Eleventh Circuits, which take the position that authority to access data for one purpose does not confer authority to access data for other purposes.
While the Courts grapple with this split in authority, employers must continue to be vigilant in protecting confidential information and trade secrets with strong policies and available technology tools. Employers should consider using tools that limit access to systems, monitoring electronic communications to detect when sensitive information is sent unencrypted or to an unauthorized recipient, and “watermarking” highly sensitive documents that need to be closely controlled. Employers must also have clear policies regarding acceptable use of corporate technology (to include computers, telephones and mobile devices) and privacy training that begins in the hiring process and repeats annually. Additionally, employers must secure, with appropriate confidentiality and other contract language, these protections from others – such as independent contractors, vendors, and their employees – that have access to confidential information. Finally, employers should monitor the departure of any employee, whether voluntary or involuntary, very closely to protect against theft of confidential information. In this area, employers must consider the application of both employment and privacy laws to ensure protection of the employer’s interests while not stepping on an employee’s rights.