What if a former employee downloads confidential information (such as a donor or member database, fundraising strategies, new program and service plans, and the like) from your computer system and uses it to help your competitors or others? Among the laws at your disposal is the Computer Fraud and Abuse Act (“CFAA”). Although principally a criminal statute intended to combat computer hacking, the CFAA allows for a civil lawsuit against someone who obtains information from another’s computer “without authorization.”
Let’s change the scenario slightly. What if a current employee downloads your sensitive, confidential information to his personal computer, resigns, goes to work for your arch-competitor, and then uses that information to target your donors, members, or other supporters? Do not count on the CFAA to provide a remedy for that blatant misappropriation. In WEC Carolina Energy Solutions, LLC v. Miller, the federal appeals court with jurisdiction over Maryland, Virginia and other mid-Atlantic states narrowly construed the CFAA in a way that does not always reach even egregious misappropriation by current employees. While the case involved a for-profit company, it is equally applicable to nonprofit employers.
In this case, Miller worked for WEC as a project director and resigned to go to work for a competitor, Arc Energy. Before he quit, Miller allegedly downloaded to his personal computer WEC’s confidential information, which he used to make a presentation to a potential customer after he quit. That customer selected Arc Energy over WEC. WEC sued Miller under the CFAA for misappropriating the confidential information from its computer system. WEC established that it had a policy prohibiting employees from misusing confidential information or downloading it to a personal computer. WEC, however, did not restrict Miller’s authorization to access its confidential information.
The court ruled that the CFAA was designed to target unauthorized “access” to computer information, not unauthorized “use” of that information. As a result, the court decided that the CFAA only applies when an individual “accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.” The CFAA did not apply to Miller’s actions because WEC had given him authorization to access the information he took; the fact that he misused that information in violation of WEC’s policies did not implicate the CFAA.
Although the court candidly noted that its decision “will likely disappoint employers hoping for a means to reign [sic] in rogue employees,” the CFAA door is not completely shut to combat hacking by current employees. Depending on the content of your policies, the decision leaves room for an argument that the CFAA applies if a current employee with unrestricted computer access downloads your information for the benefit of a third party.
In this regard, in addition to standard “use and access” restrictions, computer policies should specifically emphasize that employees have no authorization to access your organization’s data on behalf of outsiders. That way, if a miscreant employee who has broad computer access shares your confidential information with a third party, there may be an argument that he has exceeded the scope of his authorized access under the CFAA. The entity on whose behalf the employee obtained the information also may be on the hook for unauthorized access under an agency theory. Because the court relied on WEC’s internal policies to define the contours of what constitutes “authorized” access to its computer data, nonprofit employers should review and tighten their computer use and access policies. Even if the CFAA does not apply to a particular employee’s computer hacking, there are common law causes of action (such as breach of fiduciary duty and tortious interference) potentially available to provide relief. Under those causes of action as well, your computer use and access policies will play a central role.