Although the CFAA is a criminal law statute, private individuals and companies may bring suit under the provision of the statute that creates a right of action for private persons injured by such crimes.
|
|
|
|
|
 |
Computer Security:
Employer Fails In Attempt
To Use Federal Law Against
Data-Stealing Employee
By Christopher W. Olmsted
Most of the articles in our Legal Update report on cases involving employees suing employers, but sometimes the roles are reversed. LVRC Holdings, LLC (LVRC) was an employer that went on the offensive against two former employees. In a case titled LVRC Holdings v. Brekka, the employer filed a lawsuit in federal district court against its former employee, Christopher Brekka.
LVRC discovered that Mr. Brekka, a former employee had emailed himself critical company data while he was an employee. Additionally the company had evidence that after his employment terminated, someone had logged into a company data system using the former employee’s password. Apparently this former employee went to work for a competitor and LVRC was concerned that the data would be used to gain inappropriate advantage.
In the lawsuit LVRC alleged that Mr. Brekka violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, by accessing LVRC’s computer “without authorization,” both while Brekka was employed at LVRC and after he left the company.
The CFAA was enacted in 1984 to enhance the government’s ability to prosecute computer crimes. The act was originally designed to target hackers who accessed computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possessed the capacity to “access and control high technology processes vital to our everyday lives . . .”
The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.
Criminal penalties can be imposed on any person who “intentionally accesses a computer without authorization or exceeds authorized access” and obtains information.
Although the CFAA is a criminal law statute, private individuals and companies may bring suit under the provision of the statute that creates a right of action for private persons injured by such crimes.
The key to establishing liability is showing that the individual accessed the computer without authorization. Unfortunately for LVRC, it could not make that showing.
The district court granted summary judgment in favor of the employee, and the appellate court affirmed the decision, ending the case.
The problem was that Mr. Brekka was authorized to use LVRC’s computers while he was employed at LVRC. Mr. Brekka was employed by LVRC at the time he emailed documents to himself and his wife, and there was no evidence that Brekka had agreed to keep the emailed documents confidential or to return or destroy those documents upon the conclusion of his employment. The company had permitted Brekka to work from remote locations with access to the company computer system. Therefore, he did not access a computer “without authorization” in violation of the CFAA.
The fact that the employee may have used the computer in a manner contrary to the expectations of his employer did not matter to the court given that the employee had authorization to use the system.
Second, the district court held that LVRC had not proven that Mr. Brekka logged into the LVRC website after leaving LVRC’s employ. Although someone had logged in using his password, evidence suggested that other employees had access to his password and it could not be ruled out that someone else had logged in.
Comments
Although other court decisions have interpreted the CFAA more favorably for employers, this case illustrates that the CFAA is a poor tool to use to pursue employees who have improperly accessed the employer’s computer systems. If the employee has permission to use a company computer (e.g. it is part of his job) then even if he exceeds his authority and accesses restricted data, he has not violated the CFAA.
On the other hand, an employee with no authorization to use a system may be found in violation of the law.
The case seems to suggest that a former employee could be held liable under the CFAA for accessing the company computer system post-termination. The catch is that the employer must have sufficient evidence to prove that the former employee, and not someone else, was the culprit.
Certainly an employer may have other legal claims, such as theft of trade secrets, breach of confidentiality agreements or nondisclosure agreements, and the like.
It is helpful to promulgate companies policies specifying proper and improper computer use. Care should be taken to define who may access what data, and what may or may not be done with the data.
Incidentally, this case illustrates the need to promptly cancel all passwords and remote access upon termination. Had LVRC done so, neither Mr. Brekka, or any other person could have accessed the data using the old password.
Related Article:
Employee Privacy Update: Review Of Employee Text Messages Deemed Invasion Of Privacy.
Download entire October 2009 Legal Update in PDF format.
This article is intended as a brief overview of the law and are not intended to substitute as legal advice. Any questions or concerns regarding any statute or case law should be addressed to a licensed attorney. Copyright © 2009 by Barker Olmsted & Barnier, APLC. San Diego, California. All rights reserved.
|
Copyright © 2007 Barker Olmsted & Barnier.
All Rights Reserved. Powered by Infinitude.net Disclaimer.
Privacy Notice. 