Sixty percent of employees leaving a firm take proprietary confidential data with them
A data breach caused by a hacker, or by a negligent employee losing a laptop or a data chip, is what most often makes the news. Such a security breach, if it involves “Personal Information” as defined in G.L. c. 93H, §1, requires a report to the Massachusetts Attorney General, notice to the clients whose information was stolen or lost, and payment of the costs those clients incur.
What almost never makes the news is the more common and possibly more damaging data breach resulting from an employee accessing and copying a company’s confidential business information.
A 2009 survey conducted by the Ponemon Institute, a data protection research group, found that employers can expect 60% of all departing employees to download and take the company’s data with them without authorization. The survey found that the confidential data taken usually consisted of email lists, competitive business information, customer lists, employee records, and company financial information. “Employers . . . are increasingly taking advantage of the [Computer Fraud and Abuse Act’s] civil remedies to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.” P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005).
A 2013 follow-up study by the same Institute found that the ubiquity of employees bringing their own devices (laptops, jump drives, etc.) into the workplace exacerbated the problem of insiders purloining customer data and trade secrets before leaving a company’s employ. Oftentimes the greatest risk in these situations came from the employees or independent contractors who the company allowed access to critical applications and data.
Bringing unauthorized access of the firm’s computer under the Federal “Computer Fraud and Abuse Act”
Of course, any business should first invest heavily in preventing the unauthorized pilfering of its confidential business data and, in the insurance agency business, its expirations. However, if such protections fail and a company loses its proprietary data through fraud by unauthorized persons accessing the company’s computers, there is a federal remedy. The Computer Fraud and Abuse Act (the “Computer Fraud and Abuse Act” or “Act”), Title 18 U.S.C. § 1030(a)(4), may offer such a wronged organization legal remedies and rights beyond existing common law rights and remedies.
The violation of the Act can result in the perpetrator suffering both civil and criminal penalties. A civil suit under the Act can be filed in either state or federal court to recover both damages and injunctive relief.
To prevail under the Act, a victimized company has to allege that (most commonly) a former employee or other person:
- has accessed a protected computer;
- has done so without authorization or by exceeding such authorization as was granted;
- has done so knowingly and with intent to defraud; and
- as a result has furthered the intended fraud and obtained anything of value.
For purposes of the Computer Fraud and Abuse Act, a “protected computer” is any computer “which is used in or affecting interstate or foreign commerce or communication.” Since Federal courts hold that the Internet is a channel of interstate commerce, effectively any computing device from a smartphone to a mainframe is within the scope of the Computer Fraud and Abuse Act.
The only caveat is that the loss to the company must exceed $5,000. However, for calculating this threshold amount and damages, the Act states that “loss” includes “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
These elements of loss or damage, therefore, allow recovery of the all-important and often very expensive costs of the computer forensic investigations needed to establish the scope and nature of the data accessed and downloaded illegally.
Unauthorized access or granted access exceeded
The phrase “without authorization” is not defined in the Computer Fraud and Abuse Act. However, the term to “exceed authorized access” is defined and means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
While there are differing court decisions, the majority view applicable in the Massachusetts federal courts is that an employee’s computer authorization is terminated the moment that an employee acts contrary to his employer’s interest. Typically, in the employment context this occurs when employees breach their fiduciary duty to act in their employers’ interests by downloading and converting their present employers’ confidential information for their own benefit or the benefit of their next employer.
Make sure you have in place confidentiality or user agreements for your firm’s computers
The broad scope of the Computer Fraud and Abuse Act in the civil context and the use of its criminal penalties have prompted calls for the Supreme Court to interpret and limit the Act. So far the Supreme Court has declined to review the Act.
Likewise, Congress has been pressed to amend the Act since the Aaron Swartz prosecution here in Boston.
Mr. Swartz downloaded journal articles wholesale from an MIT network with the intent to make them freely available to the public as a political statement. The U.S. Attorney charged (or overcharged, some would say) Mr. Swartz with two counts of wire fraud and eleven counts of violating the Computer Fraud and Abuse Act. Mr. Swartz, facing a maximum sentence of 35 years in jail and despondent over this potentially severe punishment for actions he took out of his belief in free access to Internet information, hanged himself.
Following Mr. Swartz’s suicide, the Justice Department has indicated that it supports amending the Act.
Notwithstanding these events and the possible amendment of the Act, the First Circuit Court of Appeals, the court that establishes the law for the Federal courts in Massachusetts (as well as Maine, New Hampshire, Rhode Island, Vermont, and Puerto Rico), has ruled that the Computer Fraud and Abuse Act can apply to a former employee who accesses data in violation of a confidentiality agreement. This decision is consistent with similar decisions in three other Federal Courts of Appeal that have applied the Computer Fraud and Abuse Act when an employee breaches a confidentiality or computer use agreement.
Therefore, until either the Supreme Court changes the First Circuit’s decision or Congress amends the Act, all businesses should consider documenting their computer use and data confidentiality protocols. Documentation by way of a formal data or computer use policy or by way of signed confidentiality agreements will give companies the basis for using the Act to protect their proprietary and confidential business data.
As one Federal Appeals Court stated: “Employers . . . are increasingly taking advantage of the [Computer Fraud and Abuse Act’s] civil remedies to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.”
The reason companies are using the Act is that it provides new rights and remedies that a company can prove more easily, simply by showing evidence of an employee’s or other person’s unauthorized access to its confidential computer-stored data. Additionally, the basis for the Act’s remedies rests upon the confidentiality and computer use agreements that a company should have in force in the ordinary course of its business anyway.