Computer Fraud and Abuse Act

In what appears to be a first under the Defend Trade Secrets Act (“DTSA”), a United States District Judge has thrown out claims against an alleged trade secret thief on the basis of the DTSA’s immunity for confidential disclosures to attorneys in the course of investigating a suspected violation of the law. Christian v. Lannett Co., Inc., No. 16-cv-00963-CDJ, 2018 WL 1532849 (E.D. Pa. Mar. 29, 2018).

Certain Trade Secret Disclosures to Attorneys or the Government Are Protected

The DTSA exempts from both criminal and civil liability any trade secret disclosure made in confidence to a federal, state, or local official or to an attorney if the disclosure is made “solely for the purpose of reporting or investigating a suspected violation of law.” 18 U.S.C. § 1833(b)(1). Continue Reading Defend Trade Secrets Act First: Claim Tossed Based on Whistleblower Immunity

A recent decision from the Eastern District of Pennsylvania reinforces the importance of the timing of purported misconduct in alleged violations of the Computer Fraud and Abuse Act (CFAA) and Defend Trade Secrets Act (DTSA). In Teva Pharmaceutical USA, Inc. v. Sandhu, et al., 2018 WL 617991 (Jan. 30, 2018), Judge Savage found that a defendant former executive could not be liable under the CFAA for conduct that occurred while she had authorized access to computers from which she misappropriated trade secrets. Id. at *1. However, the court also found that CFAA claims could be brought against the recipients of those trade secrets under an “indirect access” theory, and that DTSA claims could be brought on the basis of activity that began before the enactment of the DTSA but continued to occur after its passage. Continue Reading Federal Court Dismisses CFAA Claims Against Former Executive, Allows CFAA and DTSA Claims Against Competitor in Pharmaceuticals Trade Secret Dispute

Continuing our annual tradition, we present the top developments/headlines for 2017/2018 in trade secret, computer fraud, and non-compete law.

1. Notable Defend Trade Secrets Act Developments

Just two years after its enactment, the Defend Trade Secrets Act (“DTSA”) continues to be one of the most significant and closely followed developments in trade secret law. The statute provides for a federal civil cause of action for trade secret theft, protections for whistleblowers, and new remedies (e.g., ex parte seizure of property), that were not previously available under state trade secret laws. Continue Reading Top Developments/Headlines in Trade Secret, Computer Fraud, and Non-Compete Law in 2017/2018

On Tuesday, October 10, 2017, the United States Supreme Court denied certiorari in Nosal v. United States, 16-1344. Nosal asked the Court to determine whether a person violates the Computer Fraud and Abuse Act’s prohibition of accessing a computer “without authorization” when using someone else’s credentials (with that other user’s permission) after the owner of the computer expressly revoked the first person’s own access rights. In denying certiorari, the Court effectively killed the petitioner’s legal challenge to his conviction in a long-running case that we have extensively covered here, here, here, here, here, here, and here (among other places). The denial of certiorari leaves further development of the scope of the CFAA in the hands of the lower courts. Continue Reading Supreme Court Refuses to Hear Password-Sharing Case, Leaving Scope of Criminal Liability Under Computer Fraud and Abuse Act Unclear

shutterstock_361749602The Computer Fraud and Abuse Act (“CFAA”) gives rise to an actionable claim if someone “knowingly access[es] a computer without authorization or exceed[s] authorized access.” 18 U.S.C. § 1030(a)(1). The term “exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). In recent years, plaintiffs have attempted to argue that someone “exceeds authorized access” under the CFAA when they access work related information on their employer issued computer for non-work related reasons. In Georgia, courts appear to be divided on whether such an allegation gives rise to a valid CFAA claim.

For example, in United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010), the Eleventh Circuit adopted a broad view of the definition “exceeds authorized access,” holding that when an employer has a policy limiting an employee’s computer access to that done for business purposes, an employee who accesses that information for non-business purposes exceeds authorized access. In Rodriguez, the defendant worked for the Social Security Administration, which had a policy that the use of its databases to obtain personal information was authorized only when done for business reasons. 628 F.3d at 1263. The defendant conceded that his access of personal information at issue was not done in furtherance of his duties as a teleservice representative. Id. As such, the court ruled that the defendant had exceeding his authorized access under the CFAA.

The following year, the Northern District of Georgia applied Rodriguez’s broad interpretation of “exceeding authorized access,” holding that an employee’s e-mailing of confidential employer information to herself without a business purpose exceeded any authorized computer access and, therefore, violated the CFAA. See Amedisys Holding, LLC v. Interim Healthcare of Atlanta, Inc., 793 F.Supp.2d 1302, 1315 (N.D. Ga. 2011) (“[T]here is no question that [an employee] exceeded any authority she had when she sent [documents] to herself after accepting a position at [another company] for use in competing with [the plaintiff].”)

Since Rodriguez and Amedisys, however, several district courts in the Eleventh Circuit, including in at least one in Georgia, have applied a more narrow definition of “exceeds authorized access,” concluding that if a defendant has full administrative access to a computer, a claim for unauthorized access cannot be stated under the CFAA. See, e.g., Power Equip. Maint., Inc. v. AIRCO Power Servs., Inc., 953 F.Supp.2d 1290, 1297 (S.D. Ga. 2013); Enhanced Recovery Co. LLC v. Frady, No. 3:13-cv-1262-J-34JBT, at *26 n.7 (M.D. Fla. Mar. 31, 2015).

The Power Equip. decision is particularly instructive on the issue, explaining that:

the CFAA focuses on an individual’s unauthorized access of information rather than how a defendant used the accessed data. More specifically, the proper inquiry is whether an employer had, at the time, both authorized the employee to access a computer and authorized that employee to access specific information on that computer. 953 F.Supp.2d 1290, 1295 (S.D. Ga. 2013) (emphasis in original).

The court further held that the CFAA

does not confer upon employers the ability to sue their employees in federal court for violations of company policy regarding computer usage… [It] does not speak to employees who properly accessed information, but subsequently used it to the detriment of their employers: either one has been granted access or has not. Employers cannot use the CFAA to grant access to information and then sue an employee who uses that information in a manner undesired by the employer.

Id., at 1296 (emphasis added). Other courts in the Eleventh Circuit have held the same. See Trademotion, LLC v. Marketcliq, Inc., 857 F.Supp.2d 1285, 1291 (M.D. Fla. 2012) (concluding that plaintiff failed to state a claim under CFAA because plaintiff admitted that defendant had “full administrative access” to plaintiff’s computer system).

Takeaway

When deciding whether to assert a cause of action under the CFAA based on “exceeding authorized access,” the safest course of action in Georgia is to only do so when the facts demonstrate that the individual in question did not have permission to access the information in question. If the individual was given access to the information in question, but you believe accessed that they accessed that information for a non-work related purpose, consider relying on alternative theories of liability, such as conversation, breach of contract, or misappropriation.

OverviewWe are pleased to announce the webinar “The Intersection of Trade Secrets Violations and the Criminal Law” is now available as a webinar recording.

In Seyfarth’s eighth installment in the 2016 Trade Secrets Webinar Series, attorneys Andrew Boutros, Katherine Perrelli and Michael Wexler focused on criminal liability for trade secret misappropriation. Trade secret misappropriation is increasingly garnering the attention of federal law enforcement authorities. This reality creates different dynamics and risks depending on whether the company at issue is being accused of wrongdoing or is the victim of such conduct.

As a conclusion to this well-received webinar, we compiled a summary of three takeaways that were discussed during the webinar:

  • The theft of trade secrets is not only a civil violation — it is also a criminal act subject to serious fines and imprisonment.  In an ever-increasing technological age where a company’s crown jewels can be downloaded onto a thumb drive, victims and corporate violators must be mindful of the growing role that law enforcement plays in this active area.  And, in doing so, working with experienced counsel is critical to interfacing with law enforcement (especially depending on which side of the “v.” you are on), while still maintaining control of the civil litigation.
  • With the advent of the Defend Trade Secrets Act, intellectual capital owners have a powerful new tool to both protect assets with as well potentially defend against.  As such, processes must be in place to carefully screen new employees as well as provide vigilance over exiting employees so that one can guard against theft and be prepared to address purported theft brought to ones doorstep with a new hire.  Finally, it is important to review and update agreements with the latest in suggested and required language to maximize protections which is best accomplished through annual reviews of local and federal statutes with one’s counsel.
  • “Protect your own home” by putting tools in place before a trade secret misappropriation occurs. This includes taking a look at your employment agreements to make sure they are updated to comply with the Defend Trade Secrets Act (DTSA) and that they have been signed. In addition, make sure you have agreements in place with third parties (e.g., clients, vendors, contractors, suppliers) to protect your proprietary information. Finally, secure your network and facilities by distributing materials on a need-to-know basis: Don’t let your entire workforce have access.

Tank Connection, LLC v. HaightThe stakes are getting higher: Trade secret misappropriation is increasingly garnering the attention of federal law enforcement authorities. This reality creates different dynamics and risks depending on whether the company at issue is being accused of wrongdoing or is the victim of such conduct.

On Tuesday, October 4, at 12:00 p.m. Central, Seyfarth attorneys Katherine E. Perrelli, Andrew S. Boutros and Michael D. Wexler will present “The Intersection of Trade Secrets Violations and the Criminal Law,” the ninth installment in Seyfarth’s 2016 Trade Secrets Webinar series.

Our presenters will focus on criminal liability for trade secret misappropriation, covering:

  • Key statutes: Economic Espionage Act, Computer Fraud and Abuse Act, and Defend Trade Secrets Act of 2016
  • Key elements for criminal prosecution
  • Factors prosecutors consider when deciding whether and what to prosecute
  • How to work with federal prosecutors and their law enforcement partners: Making your case attractive to the “Feds”
  • Cutting-edge considerations: Civil RICO under the Defend Trade Secrets Act
  • Best practices to avoid misappropriation and what to do when you suspect misappropriation has occurred, including a discussion of forensic investigation options

Our panel consists of experienced attorneys with significant experience investigating and litigating trade secret issues, advising clients on trade secret protection, drafting confidentiality and restrictive covenant agreements, conducting trade secret audits, and handling federal criminal matters. This CLE is recommended for management, HR personnel and in-house counsel.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.

register

shutterstock_236620168On July 12, 2016, the Ninth Circuit filed its published opinion in Facebook, Inc. v. Power Ventures, Inc., et al., Case No. 13-17154 (“Power Ventures”).  Power Ventures is the latest in a series of decisions from the Ninth Circuit relating to the type of activities potentially giving rise to liability under the Computer Fraud and Abuse Act (18 U.S.C. §1030) (“CFAA”). Power Ventures has potentially important implications for the ways that businesses create, store, and monetize data through computers and web-based applications. Unlike the court’s Nosal line of decisions, Power Ventures is focused more on internet-based conduct that may violate the CFAA.

The underlying legal dispute between the parties began in 2008, when Facebook filed suit against Power Ventures, Inc. (“Power”) in the USDC for the Northern District of California. Power, which aggregated data from different social networking sites using, among other things, automated scripts (i.e., “scraping”), enabled people with various social media accounts to access all of their information in one place. Power used user-provided social media log-in information to import people’s information to a Power portal. In an effort to promote itself and attract users, Power then contacted via e-mail Facebook users’ friends, making it appear as if the e-mails came from Facebook.

Upon learning of Power’s activities, Facebook sent Power a cease and desist letter and used IP blocks in an attempt to prevent Power from obtaining Facebook data (IP blocking is a process by which a computer or network is directed to ignore all communications from a particular IP address). But Power continued to copy Facebook data and took measures to evade the IP blocks.

Although the Ninth Circuit analyzed whether Power’s conduct violated the federal CAN-SPAM Act (finding that it did not, and reversing District Court Judge Lucy Koh), the court’s analysis of the CFAA issues are most noteworthy. The court first walked through its United States v. Nosal CFAA decisions (from 2012 and July 5, 2016; see our coverage of these decisions here and here) to “distill two general rules” in analyzing the issue of authorized access under the CFAA:

(1) “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly” (noting that “once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability”); and

(2) “a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.”

Applying these rules, the court noted that Power users “arguably gave Power permission to use Facebook’s computers to disseminate messages” (further stating that “Power reasonably could have thought that consent from Facebook users to share the [Power promotion] was permission for Power to access Facebook’s computers”) (emphasis in original). Importantly, the court found that “[b]ecause Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers ‘without authorization’ within the meaning of the CFAA.”

The court declined, in a footnote, to “decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly” (citing to a law review article asserting that “websites are the cyber-equivalent of an open public square in the physical world”).
Instead, the court found that a cease and desist letter sent to Power by Facebook expressly rescinded the permission granted by Facebook users to Power and put Power on notice that it “was no longer authorized to access Facebook’s computers.” The letter informed Power that, in Facebook’s view, Power had violated Facebook’s Terms of Use and directed Power to cease using Facebook content or otherwise interacting with Facebook through automated scripts.

Power continued to access Facebook and took steps to evade the IP blocks that Facebook put in place. The court noted discovery from the trial court that appears to reflect a concerted effort by Power to wire around Facebook’s countermeasures and a likely awareness that Power’s conduct implicated the CFAA.

To explain its finding that the Facebook cease and desist letter had revoked Power’s permission to access Facebook, the court analogized the circumstances to a person who wanted to borrow a friend’s jewelry held in a bank safe deposit box. The court said that the borrower would need permission from the bank and the safe deposit box holder to access the box if the bank had determined that it did not want the borrower on its premises (in the court’s example, because the borrower brought a shotgun to the bank when entering to access the safe deposit box).

Although the court’s analogy might have helped it better understand the technology and information flow at issue in Power Ventures, it lacks the nuance that can swirl around alleged “scraping” scenarios where there are sometimes questions concerning whether “access” under the CFAA has occurred and whether there is a protectable or property interest in the data scraped (in the court’s analogy, the jewelry was the safe deposit box holder’s property, but what was the data equivalent in Power Ventures and, under different facts, what might be the bank’s property interest?).

The court then went on to distinguish Power from its Nosal decisions and, in doing so made some interesting observations (arguably in dictum) about the legal effect of Facebook’s Terms of Use. The court observed that “Facebook and Power had no direct relationship, and it does not appear that Power was subject to any contractual terms that it could have breached.” It is unclear whether, by making this statement, the court is saying that, by its conduct, Power and Facebook had not entered into a contract (e.g., the Facebook Terms of Use) or rather there simply were no terms within the Terms of Use that prohibited Power’s conduct.

Notably, Facebook does not appear to have pleaded a breach of contract claim in the trial court.

In any event, whether a website’s terms of use will apply to and bind a party that attempts to “scrape” data from the website is likely to be further litigated as the intersection of traditional contact formation principles meet the evolving standards under “browser-wrap” and “click-wrap” agreements.

This much is clear from Power Ventures: Those who use websites to conduct business would be well-served to (1) carefully consider the drafting and use of website terms of use; (2) diligently monitor their websites and associated computers/servers for any access, and the means of access, by anyone other than authorized users; and (3) where unauthorized access is detected, to act promptly to notify in writing those who have potentially made such access of the conduct alleged to be improper/unlawful and demand that such conduct cease.

Cyberspace and e-commerce law will continue to evolve rapidly, so banks best keep an eye out for those skilled in the programming arts along with shotgun-toting borrowers of jewelry.

shutterstock_414545476Not exactly. A divided Ninth Circuit panel recently affirmed the conviction of a former employee under the Computer Fraud and Abuse Act (“CFAA”), holding that “[u]nequivocal revocation of computer access closes both the front door and the back door” to protected computers, and that using a password shared by an authorized system user to circumvent the revocation of the former employee’s access is a crime. United States v. Nosal, (“Nosal II”) Nos. 14-10037, 14-10275 (9th Cir. July 5, 2016). The dissenting opinion raised concerns that the majority opinion would criminalize password-sharing in a wide variety of contexts where the password was shared by an authorized user but in violation of a service provider’s terms of service, such as for email or social networking.

An inside job

David Nosal was a recruiter employed by the executive search firm Korn/Ferry. To serve its clients and help place executives in response to talent searches, Korn/Ferry maintained a confidential, proprietary database containing detailed personal information about over one million executives. Nosal left Korn/Ferry and launched a competing firm with two other Korn/Ferry colleagues. Korn/Ferry revoked Nosal and his colleagues’ authorization to access its database. After Nosal and his colleagues left Korn/Ferry, Nosal’s colleagues accessed the database at his behest using the log-in credentials of Nosal’s former executive assistant, who remained employed at Korn/Ferry and who was authorized to access the database. They used the assistant’s valid credentials in order to run searches for candidates and thereby compete with Korn/Ferry. Nosal was convicted of violating the CFAA on a theory of accomplice liability based on his colleagues’ actions. He was ordered to pay a sizeable restitution award to Korn/Ferry.

What does “without authorization” mean, anyway?

The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” 18 U.S.C. § 1030(a)(4) (emphasis added). In a previous appeal in the Nosal case (“Nosal I”), the Ninth Circuit held that the “exceeds authorized access” prong makes criminal conduct out of “violations of [a company’s] use restrictions.” The Ninth Circuit’s decision in Nosal II, however, focused entirely on the “without authorization” prong of the CFAA.

The majority concluded that “without authorization” is unambiguous, and that the Ninth Circuit’s ruling in LVCR Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) applied to Nosal’s conduct: “[A] person uses a computer ‘without authorization’ under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” The court stated that refusing to apply the CFAA to circumstances where an authorized user shared log-in credentials with a person whose credentials had been revoked by the owner of a protected computer system would “remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.”

So is password-sharing now a crime?

Judge Reinhardt dissented from the majority’s opinion, expressing concerns that the ruling would criminalize “password sharing.” Judge Reinhardt warned that the majority opinion “threatens to criminalize all sorts of innocuous conduct” and does not provide “a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners” like email service providers or social networking sites. Judge Reinhardt asserted that, in order to avoid criminalizing such commonplace conduct, the “best reading of ‘without authorization’ in the CFAA is a narrow one: a person accesses an account ‘without authorization’ if he does so without having the permission of either the system owner or a legitimate account holder.” (Emphasis original.)

It will be left to future cases to ascertain the outer boundaries of the majority’s holding. It seems unlikely that the Ninth Circuit would uphold a CFAA conviction of a person who watched Netflix using a friend’s login credentials, but Judge Reinhart correctly points out that there is no inherently limiting language in the statute itself. So, future litigants may focus on the Nosal II majority’s discussion of “revocation of access” as a means to distinguish simple password sharing. It would be one thing for a person to use a friend’s Netflix account to watch movies; it would be another thing if the person had previously had a Netflix account revoked for downloading and selling pirated copyrighted works, then used a friend’s account to circumvent the “revocation of access” and continue such piracy. The problem is, the statute’s language does not make any distinctions based on “revocation of access.” It remains to be seen whether Nosal II provides a workable rule for applying the CFAA in future cases.

Practical Implications for Employers

Setting aside the great password-sharing debate, Nosal II makes clear that criminal sanctions can be imposed against former employees who improperly access their employer’s systems after their authorization to do so is revoked by the employer. Whether former employees use their old log-in credentials or use those of current employees who are themselves authorized to use the employer’s systems, Nosal II means that any such access is “without authorization” under the CFAA.

shutterstock_214450246An ex-employee’s former employer sued him for alleged violations of the Kansas Uniform Trade Secrets Act (KUTSA) and the federal Computer Fraud and Abuse Act (CFAA).  The first claim was based on the company’s hunch that he had misappropriated trade secrets and thereby breached his non-disclosure agreement.  Two forensic experts were paid $38,000 to examine the computers and flash drives he had used, looking for evidence that he had used or disclosed confidential information.  The second claim centered on his admission that, shortly before resigning from the company, he had read a top-secret file which was, but should not have been, accessible to employees.  He moved for summary judgment on both claims.  The court granted the motion, holding that (a) payments to the experts did not satisfy the KUTSA requirement of showing an “actual loss caused by misappropriation” (K.S.A. 60-3322(a)), and (b) he was authorized to access the company’s shared files and, therefore, he did not violate the CFAA. Tank Connection, LLC v. Haight, No. 6:13-cv-01392-JTM (D. Kan., Feb. 5, 2016) (Marten, C.J.).

Summary of the case.  Haight was International Sales Manager of Tank Connection, a  manufacturer of large storage tanks.  He signed a confidentiality agreement (but not a non-compete).   With the company’s consent, he downloaded confidential information onto the laptop and flash drives provided to him by the company.  However, he also downloaded company data onto his own flash drives.  Further, he reviewed — but did not copy — the company’s president’s confidential computer file.  Following his resignation, he returned the company’s laptop and what he asserted were all of its flash drives.  Further, he insisted that he had neither disclosed the company’s secrets to his new employer nor used the information, and that he had deleted all of Tank Connection’s data from his personal flash drives.  Concluding that Tank Connection had produced no evidence contrary to his disavowal of trade secret misappropriation, and that reading the shared file was not a violation of the CFAA, the court entered judgment for Haight.

Why the claim of trade secret misappropriation failed.

Tank Connection’s expert witnesses determined that, shortly before Haight’s resignation, he accessed the company’s server and transferred to the company’s laptop and flash drives, and to his own flash drives, a lot of confidential information.  The company contended that “harvesting” of that data circumstantially supported the claim that he had used proprietary information improperly and/or had disclosed it to his new employer.  However, Chief Judge Marten ruled that without any hard evidence of wrongdoing, and in the face of Haight’s unqualified denial of culpability, Tank Connection’s speculation of improper conduct was insufficient to create KUTSA liability.

Tank Connection alleged that its damages from Haight’s “misappropriation” aggregated $1,238,000: $1.2 million that the company had expended for creating, developing and updating the computer programs, plus $38,000 it had paid to the experts.  Chief Judge Marten rejected the $1.2 million claim because the company did not show any loss of data, damage to its computers or programs, unfair competition, or unjust enrichment.  Further, the statutory alternative of assessing “a reasonable royalty” was inapplicable due to the absence of proof that Haight disclosed or used confidential information.

Finally, the court held that payments to computer forensic experts retained by Tank Connection to investigate an alleged but unproved theft of trade secrets were not an “actual loss caused by misappropriation.”  The judge said that the question has not been decided by Kansas judges, and that Connecticut Appellate and Virginia Supreme Court rulings are in diametric opposition to each other.  Concluding that the payments were “not within the traditional realm of tort damages,” and that they were incurred merely in an attempt to ascertain if there had been a theft, the court held that they were not compensable losses under KUTSA.

Why the claim of a CFAA violation failed. 

A few days before Haight resigned, a co-worker brought to his attention a computerized folder containing highly sensitive information intended solely for the eyes of the company president and one administrator.  The company was unaware that incorrect security settings for the folder enabled employees such as Haight to access it.  He admitted that he had looked at it, which constituted a CFAA violation according to Tank Connection, but he insisted that he and other employees regularly viewed shared files in the course of their work and that he did not copy, disclose or use the folder’s contents.

Chief Judge Marten observed that the president’s folder was in a shared file, and there was no evidence that Tank Connection told its employees not to open the folder.  He said that, therefore, Haight clearly did not violate the statutory prohibition against accessing a computer “without authorization.”  The difficult question under the CFAA was whether Haight exceeded his authorized computer access.  The judge found persuasive U.S. v. Valle, 807 F.3d 508 (2nd Cir. 2015), which held that an employee’s authority to access a computer file is dispositive in determining that the CFAA has not been violated, regardless of the use to or purpose for which the file is accessed.  Thus, summary judgment was granted on the CFAA claim as well.

Takeaways.  Haight prevailed on the trade secrets misappropriation claim largely because he was authorized to use Tank Connection’s confidential data in the course of his employment, and the company had no evidence that he disclosed or used the data other than for company business.  In the absence of a smoking gun or an eye witness to wrongdoing (Tank Connection had neither), employers often have difficulty disproving an ex-employee’s denial of culpability.  Perhaps Tank Connection might have strengthened its case if it had examined Haight’s personal flash drives before he deleted all of the information on them.

The ruling declining reimbursement of Tank Connection’s expenses for computer forensic experts seems to have been driven by the company’s inability to prove that any misappropriation occurred.  A number of courts have held that amounts paid to such experts, for tasks associated with a pretrial investigation launched because of suspected trade secret theft, are recoverable damages.  However, in those cases typically, the experts concluded that the company’s suspicion was well-founded.  Tank Connection is unusual because reimbursement was sought in the face of a failure to prove any impropriety.  Under these circumstances, the expenses did not qualify as an “actual loss caused by misappropriation.”

Chief Judge Marten’s ruling regarding the scope of the CFAA is another in the litany of disputes pitting a narrow statutory interpretation against a broader one.  Compare such decisions as Valle cited by the court (holding that the Act only prohibits computer hacking by an outsider), with, e.g., Epic Systems Corp. v. Tata Consultancy Services Ltd., No. 14-cv-748 (W.D. Wis., Nov. 18, 2015) (opining that the CFAA also criminalizes “insider hacking,” that is, unauthorized use of data by someone authorized to access the computer).  The conflict in these decisions probably can only be resolved by Congress or the U.S. Supreme Court.