Trading Secrets : Trade Secrets Lawyers & Attorneys : Seyfarth Shaw Law Firm : Computer Fraud, Confidentiality Agreements, Corporate Espionage

Amy E. Bivins recently published another article in the Daily Labor Report addressing the effects of the Ninth Circuit's Brekka decision, which we have posted about previously.  Ms. Bivins quotes Seyfarth attorney Carolyn Sieve on the issue.  Carolyn reminded employers that they "should not rely solely on a potential CFAA claim to protect their proprietary information."  Indeed, employers will need to consider what access to computer systems is "authorized." 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

The BNA publication, Electronic Commerce & Law Report, recently quoted our own Carolyn Sieve, discussing the Brekka decision.  The Electronic Commerce & Law Report article, "Brekka Case Shows Need for Comprehensive Strategy to Shield Data from Insider Misuse," discussed how the Ninth Circuit recently joined a trend disfavoring Computer Fraud and Abuse Act (CFAA) claims brought by companies against disloyal employees. In LVRC Holdings LLC v. Brekka, the court resolved disagreement among federal district courts within the circuit about how the CFAA’s "authorization" standard applies to cases involving data theft by disloyal employees.

According to the article, the court explained that employers may be able to pursue claims under the CFAA, but only if employees violate clearly defined limits on access to company networks in the course of stealing proprietary information. Carolyn commented that the message from Brekka is that employers should not rely solely on potential CFAA claims to protect their proprietary information. She also noted, "The Brekka decision places more responsibility on the employer’s shoulders to provide notice to employees as to what is ‘authorized access.’" Carolyn recommended that employers determine what information they want to protect, implement security protocols to safeguard that information, and combine those efforts with systemic employee education regarding confidential and data use policies.

 A full copy of the article is available here.  It is reproduced with permission from Electronic Commerce & Law Report, 14 ECLR 1381 (Sept. 20, 2009). Copyright 2009 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In a recent decision, the federal Ninth Circuit Court of Appeals joined a growing number of federal courts that have limited the use of the Computer Fraud and Abuse Act ("CFAA") in suits brought against former employees accused of taking data from a company’s computer system before leaving the company.

In LVRC Holdings LLC v. Brekka, Case No. 07-17116, 2009 WL 2928952 (9^th Cir. September 15, 2009), the Court held that an employer could not maintain its claim under the CFAA, 18 U.S.C. § 1030, against a former employee accused of e-mailing company property to his personal e-mail account because the employer could not establish that the former employee accessed its computer system “without authorization” or “in excess of authorization,” causing a loss. The employee argued that he was authorized to access the computer system in connection with his job duties, and was, therefore, authorized to access the computer system. 

In its opinion in Brekka, the Ninth Circuit explicitly rejected the Seventh Circuit Court of Appeals’ reasoning in International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (Judge Posner, presiding), in which the Seventh Circuit held that a defendant employee’s authorization to access his employer’s computer files terminated when he violated his duty of loyalty to his employer.

Concluding that “[n]o language in the CFAA supports [plaintiff’s] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest,” the Ninth Circuit switched the focus of inquiry from the former employee’s motive to an objective standard: What actions did the employer take to define what was authorized access and what was not? “If the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.” 

In Brekka, plaintiff allowed its employee to e-mail company documents to his personal computer in the course of his duties. In addition, plaintiff promulgated no employee guidelines to prohibit employees from e-mailing company documents to personal computers. These were facts fatal to its CFAA claim and may provide a basis to distinguish subsequent cases where employers attempt to assert CFAA claims against former employees accused of e-mailing company information to their personal accounts, provided that they have clear policies prohibiting such activities.

The Brekka Court held “that a person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” 

The Brekka decision is a wake-up call to employers to take measures to define for their employees the type of computer activity that is permissible (and impermissible) so that the employers can, to the extent allowable, avail themselves of a CFAA claim.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

In Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC, 600 F. Supp. 2d 1045 (E.D. Mo. 2009), the United States District Court for the Eastern District of Missouri dismissed an employer’s claim that two former employees violated the Computer Fraud & Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq., by deleting information from and refusing to return their company laptops after resigning. Lasco brought claims against former sales representatives Ronald Hall and Charles Shaw, as well as their new company, Hall and Shaw Sales, Marketing & Consulting. Included in the action were claims under the CFAA and the Stored Wire and Electronic Communications Act (“SECA”), 18 U.S.C. § 2701, et seq., as well as a number of claims under Missouri law. 

Lasco alleged that Shaw “deleted confidential and trade secret information from Lasco’s computer” and “unlawfully copied or otherwise downloaded Lasco’s Trade Secret Information for his own personal use and for the use of HSSMC.” Lasco further alleged that Hall refused to return his Lasco laptop and that Lasco anticipated that a forensic examination of Hall’s laptop would reveal that he also deleted information from the laptop.

Hall and Shaw moved to dismiss the SECA and CFAA claims. The District Court found that federal courts have found that the general purpose of these two statutes “was to create a cause of action against computer hackers (e.g., electronic trespassers),” rather than rogue employees. Accordingly, because Lasco alleged that Hall and Shaw had unrestricted access to Lasco’s information on its computers, the District Court dismissed the claims under the CFAA and SECA because Lasco had not alleged that Hall and Shaw accessed Lasco’s information without authorization.

The District Court did find that Lasco had alleged sufficiently that it had suffered damage and loss by virtue of Hall and Shaw deleting information and forcing Lasco to take remedial measures. The District Court also found that Lasco had alleged interruption of service by asserting that Hall and Shaw had delayed before returning their computers. However, because Lasco could not show that Hall and Shaw were unauthorized users, its claim under the CFAA was dismissed, leaving Lasco to pursue state law claims.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

BY JASON STIEHL

            In recent years, courts in the Northern District of Illinois have made clear that without actual harm to data, a plaintiff cannot claim “damage” under the Consumer Fraud and Abuse Act, 18 U.S.C. 1030 et seq. (“CFAA”). See, e.g., Garelli Wong & Assoc. v. Nichols, 551 F. Supp. 2d 704, 704 (N.D. Ill. 2008) (holding there was no “damage” because the defendant’s “unauthorized acts of copying and e-mailing [Plaintiff’s] computer files did not impair the integrity or availability of the information in the Database and did not cause any interruption of service.”) To circumvent this strict reading of the CFAA, companies have used the term “loss” in the statute, arguing that a company suffered a “loss” by undertaking efforts to investigate and assess what “damage” may have been caused.   18 U.S.C. 1030 (e)(11) (defining “loss” to include “conducting a damage assessment.”).  A recent case calls into question whether such allegations will continue to suffice.

            In Kluber Skahan & Associates, Inc. v. Cordogan, Clark & Assoc., Inc., the court addressed whether allegations of a “loss” suffered within two years were sufficient to toll the limitation period under the CFAA, which requires a case to be brought within two years of discovery of any “damage.” In answering in the negative, Judge Zagel further shortened the reach of the CFAA. In Kluber, the court defined the elements of CFAA as requiring proof of: (1) damage or loss, (2) as a result of (3) a violation of some other provision of section 1030, and (4) conduct involving one of the facts set forth in section 1030 (c)(4)(A)(i). Kluber Skahan & Associates, Inc. v. Cordogan, Clark & Assoc., Inc., No. 08-cv-1529, 2009 WL 466812, * 6 (N.D. Ill. Feb. 25, 2009). The court undertook an analysis of the definitions of “loss” and “damage” under Section 1030, finding that the words were not only different in definition, but different in concept. Specifically, the court stated “whereas ‘damage’ contemplates harms to data and information, ‘loss’ refers to monetary harms.” Id. at * 7. The court went one step further, announcing that “Section 1030(g) does not require damage for a CFAA claim to arise.” Id. at *8 n. 14.   It is ironic that with such an emphasis on the distinction between these harms, the court would later take effort to amalgamate them.

            Ultimately, the court refused to toll the limitations period, holding that Congress explicitly chose to provide a two-year limitation for injury-discovery regardless of whether a “loss” had occurred. Id. at * 8 (“It was well within Congress’ power to include a separate two-year limitation of the discovery of loss. The text of the CFAA reflects that Congress declined to do so, and so will I.”). It supported its decision by emphasizing that the purpose of the statute is primarily criminal and that the statute was not meant to “cover the disloyal employee who walks off with confidential information.” Id (citing Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008)). Thus, it concluded that “[l]osses are monetary harms attenuated from the underlying concern of the Act: damage to data.” Id. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Although the trial court's analysis was not extensive, it clearly found that allegations in a complaint that an employee used a computer program to delete information from a laptop and knowingly deleted information without authorization sufficiently states a Computer Fraud and Abuse Act claim so as to survive a motion to dismiss for failure to state a claim.

In Alliance International Inc. v. Todd, Civ. Action No. 5:08-CV-214-BR (E.D.N.C. July 22, 2008), the parties contested whether the former employees (now defendants) could be held liable for deleting information from company computers.  Defendants argued, ultimately unsuccessfully, that plaintiff could not bring a cause of action under CFAA Subsection (a)(5)(A)(i) against two of the individual defendants because Alliance did not plead that those individuals downloaded a file erasure program.   Subsection (a)(5)(A)(i) provides a cause of action against someone who

knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer . . .

18 U.S.C. § 1030(a)(5)(A)(i). 

Defendants argued that "[a]n employee's act of knowingly deleting files by hitting the 'delete' key could not plausibly give rise to criminal and civil liability under the CFAA."  (Defs.' Mem. of Law in Support of Mot. to Dismiss at 24 (filed May 29, 2008) (emphasis added).   Not taking the bait to argue whether hitting the delete key constitutes a "command," Alliance merely contended that it met its pleading obligation under the CFAA by alleging that the defendants permanently deleted/destroyed information from Alliance computers. 

The Court side-stepped both parties' arguments, however, and found that the specific allegations in Alliance's complaint, to wit that the defendants

(1) "deleted, removed and destroyed information, documents and/or data contained on . . . protected computers" and

(2) "knowingly caused the transmission of a program, information, code or command, including but not limited to, Net Eraser Trial, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer"  (citing paragraphs 62 & 63 of the complaint),

were sufficient to state a CFAA claim.  Although clearly tailored to the facts at hand, the court's decision could be persuasive authority for a plaintiff to withstand a Rule 12(b)(6) motion targeting similar allegations.

 Not long after the Court's ruling, on August 12, 2008, Alliance filed a stipulation of dismissal of the case, with prejudice, signaling a likely settlement with the defendants following the Court's ruling in Alliance's favor.  The court's opinion, nonetheless, as well as the parties' briefing, is a ready resource for case citations on the issue of deletion as well as "authorization" under the CFAA, as the parties and the court cite to numerous federal cases on these issues.

• Email This
• Print
• Comments
• Trackbacks
• Share Link