Employers now have another option for punishing employees for unauthorized taking of employer information. Employers can sue employees under the Computer Fraud and Abuse Act (CFAA) 18 U.S.C. § 1030 for unauthorized access of information on the employer’s computers, which does not require proof of actual trade secret misappropriation. However, the employer may risk a defamation claim when discussing such unauthorized access claims outside of the company.
On November 22, 2006, in Fiber Systems International, Inc. v. Roehrs, 470 F.3d 1150 (5th Cir. 2006), the Fifth Circuit Court of Appeals ruled that an employer can bring a civil action against an employee under the CFAA, § 1030(a)(4), which prohibits knowing and unauthorized access of a protected computer with intent to defraud, if the conduct furthers the intended fraud and if the violator obtains anything of value.
The lawsuit arose from the struggle for control of Fiber Systems International, Inc. (FSI). The ownership dispute ended with Michael Roehrs buying out the minority owners’ stake in the company, becoming executive chairman, and terminating employment of his brother, Daniel Roehrs, and the other defendants, who were officers and directors of FSI. In 2004, FSI sued the former employees, alleging that defendants violated the CFAA when leaving the company, taking with them confidential and proprietary information from FSI’s computers. Defendants filed a defamation counterclaim alleging FSI falsely called them thieves from FSI’s computers. While the jury found that three of the defendants violated § 1030(a)(4) of the CFAA, entitling FSI to $36,000 in damages, the district court entered a takenothing judgment, holding that § 1030 does not create a civil cause of action for § (a)(4) violations. In addition, the jury awarded the defendants damages for the defamation action.
In FSI’s appeal, the Fifth Circuit overturned the district court’s take-nothing judgment, holding that § 1030(g) of the CFAA permits civil actions by any person suffering damage or loss under § 1030 as a whole, including under § 1030(a)(4). The jury found that FSI suffered a loss of $36,000, which far exceeded the $5,000 loss requirement for bringing such a claim.
The court further found that the district court’s dismissal of FSI’s claim for an injunction was proper because the CFAA allows injunctions only against ongoing and future unauthorized access. FSI could not be threatened by future harm from defendants’ trade secret theft since the jury found that no trade secrets actually were stolen. Regarding the defamation claim, FSI argued that the jury’s finding of a § 1030 violation was equivalent to a finding that defendants were thieves, so FSI’s statement that defendants were thieves was true and thus nondefamatory. However, the court explained that unauthorized access that results in obtaining something of value under § 1030, of which defendants were found guilty, does not require that the valuable thing obtained be a trade secret or even something stolen. The value obtained might be, e.g., temporary use and possession of hardware.
Thus, while employers can sue employees for obtaining information under the CFAA withtout having to provide trade secret theft, employers still must be cautious not to refer to former employees as “thieves” in so doing.