Protecting Your Digital Information Using the Federal Computer Fraud and Abuse Act
Legal protection for sensitive computer files has been strengthened by a new decision from the Ninth Circuit Federal Court of Appeals. [1]
Imagine this scenario: Your computer programmer remotely downloaded sensitive files before dawn. On arriving at the office, the programmer resigned without notice. The Navy awarded you a desirable contract because those sensitive files provided you with a unique capability. Now you find out that the programmer will be consulting for a competitor who wants to take the place of your company when the contract is up for renewal. What can you do? What could you have done to discourage or prevent this?
Trade Secret Law Protections
There are many deterrents and remedies available under trade secret law. A trade secret owner can seek money damages and can often seek an injunction to prevent use of the trade secret by others. Requirements for making out a case can include showing that the material taken was in fact confidential, that it provided some business advantage, and that the owner took all proper steps to protect the information. Requirements are simpler if a company can seek recovery based on the elements of an employee’s unauthorized taking or damaging of sensitive data after gaining authorized entry into the computer. Federal law provides for recovery based on these elements.
The Computer Fraud and Abuse Act
One of the most effective tools in dealing with the risk described above is the Computer Fraud and Abuse Act [2] (CFAA). The CFAA permits civil suits for access to a computer followed by an unauthorized damaging action. The CFAA is also a criminal statute that defines a number of different computer crimes.
Even if a valid password is used to gain access to a computer, taking damaging action in excess of a user’s authorization is forbidden. Unauthorized actions include obtaining information “fraudulently” or damaging a computer or computer data. Taking data for the employee’s own purposes and to the detriment of the computer owner is “fraudulent.”
Until this year there had been some doubt as to whether a violation could be made out if a user entered a computer with a valid password. This year, the Ninth Circuit Court of Appeals, which covers California and a number of other states, interpreted the CFAA to put this doubt to rest. A password provides authorization for a user to enter a computer. However, it does not allow a user to do anything he or she wishes once access has been gained. An employee “exceeds authorized access” by violating the employer’s rules governing conduct after gaining access to the computer by, e.g., stealing or damaging files.
Setting the Limits of Authorization
Authorization must be defined. Otherwise, it cannot be exceeded.
To be protected, an employer must have published a computer access policy, e.g., in the employee manual, which defines conditions for entry into a computer and which limits actions that may be taken once conditions for entry have been met. Employees must be aware of the policy.
An employer can provide copies to employees, and have employees acknowledge in writing that they have received and understand the policy. Some employees may feel like they are being treated like suspicious characters. However, a policy need not create an adverse relationship. The policy can be presented as a tool for working with employees as trusted team members who are being provided with clear computer use standards. The rules protect the company’s business and the employees’ jobs.
The policy should be tailored to the company’s business. Some companies will need to allow remote access by many employees and perhaps by many customers. Other companies may need to have servers with very rigorous controls. One example of a computer use standard is, “Employees are not authorized to download any Company data onto any computer or memory media not owned by the company.”
Clear limits on authorization make the boundaries of authorized access easier to understand.
Many cases of unauthorized access have been detected. Ignoring this issue could be costly. However, the cost of working with counsel to set up an internal system for establishing protection under the CFAA is small, especially compared to the value of programs and data which may form the entire basis for a company’s revenue. It is up to an employer to take appropriate steps to ensure protection under the CFAA.
1. United States v. Nosal, 642 F.3d 781 (9th Cir. 2011)
2. 18 U.S.C. § 1030