Much Shelist

The Computer Fraud and Abuse Act:
A New Tool for Protecting Information

Cutting-edge office technology—particularly computer technology—is the lifeblood of the 21st century business platform. The efficient management and flow of information is no longer a vague concept to which successful businesses pay mere lip service. Information is king, and burgeoning IT departments consume ever-increasing percentages of today’s operating budgets.

Technology’s rapid ascendance has transformed the manner in which businesses now compete, and as is so often the case with revolutionary change, the benefits realized are mitigated by unforeseen challenges. In the technology realm, perhaps the greatest challenge is managing information flow in a manner that ensures both accessibility and security. This is particularly important in the context of today’s fast-paced and fluid business world, where employee longevity and loyalty seem to be waning.

CFAA Emerges as a Potential New Tool

From the relative obscurity of the white-collar criminal world, where it was originally enacted to combat illegal computer hacking, the Computer Fraud and Abuse Act (CFAA) is increasingly being invoked by employers to prosecute former employees who surreptitiously co-opt confidential or proprietary information from a company’s computer system prior to leaving their employment. The June 2006 issue of the Litigation & Counseling Alert provided insight into the Illinois Trade Secrets Act, which can be a very useful tool in addressing departed employees who seek to compete with their former employer by using confidential information acquired during employment. However, a successful trade secret claim requires more than mere proof that the employee misappropriated information. A company must also show that the information in question provided an economic value by virtue of the fact that it is not otherwise available to the company’s competitors. In addition, the employer is required to prove that it took reasonable steps to protect the secrecy of the misappropriated information.

In marked contrast, the employer’s burden of proof under the CFAA is relatively simple. Among other things, proof of a CFAA claim does not depend upon the confidential nature or content of the misappropriated information, nor does it require the existence of internal controls to protect the information in question. In order to assert a CFAA claim, the employer need only establish two relatively simple jurisdictional requirements: 1) that the employee accessed a “protected computer,” and 2) that the employer suffered at least one of five statutorily prescribed harms.

As defined by the CFAA, a “protected computer” is any computer that is used in interstate or foreign commerce—in other words, any computer connected to the Internet or an interstate intranet, even if the employee’s use is strictly local in nature. As for proof of a requisite harm, the CFAA identifies five different types, of which the most easily established is a “loss” that amounts to at least $5,000 in value and accrues over a period of time of up to one year. As interpreted by relevant case authority, the “loss” required in order to make out a CFAA claim can comprise a number of different components, including costs incurred in responding to a suspected employee misappropriation, the cost of obtaining damage estimates, the cost of restoring data and any related loss of revenue.

Once the employer has satisfied those two jurisdictional requirements, there are seven types of misconduct that constitute a CFAA claim. In a typical employment-related misappropriation scenario, the most adaptable claim involves proof that an employee accessed a “protected computer” without authorization and obtained confidential information by dishonest means. Because an employee generally has authority to access the information that he or she is alleged to have wrongfully appropriated, the biggest challenge for the employer in establishing a CFAA claim is showing that the misappropriation occurred as a result of “unauthorized access.”

Looking Ahead

The good news for employers is that recent cases interpreting the CFAA in a civil context suggest a shift toward a more liberal interpretation of “unauthorized access.” As that trend evolves, the protections afforded to employers under the CFAA should expand.

As a federal statute, the CFAA’s protections are currently available only in federal court; however, for companies located in the greater Chicago area, there is little additional inconvenience or expense involved in litigating claims against former employees in the federal district court, as opposed to the state court. The attorneys in Much Shelist’s Litigation & Dispute Resolution practice group can help companies assess whether the CFAA can or should be invoked on their behalf in dealing with future employee misappropriation claims.


Provided as a service to our clients and friends.

The Litigation & Counseling Alert contains material of general interest and should not be construed as legal advice or a legal opinion on any specific facts or circumstances. Under professional rules, this alert may be regarded as advertising material.

© 2008 Much Shelist Denenberg Ament & Rubenstein, P.C. All rights reserved.