“Gone in a Flash: What Your Employees May Be Storing on that iPod and Its Relationship to the Computer Fraud And Abuse Act”
Modern electronics have torn down the walls of the traditional corporate workplace. Employees work at home, on trains, and on park benches. Most believe that the ability of workers to free themselves from their desks has made business more efficient and more humane. The catch is that the technology spurring this revolution is the same technology that sometimes is used to misappropriate sensitive and valuable corporate information – in short, the corporate crown jewels. Ironically, the more companies rely on the efficiencies of e-business, the more they expose their vital information – not only to nefarious outsiders, but to insiders looking to profit from information that can be used in a competitive manner. Unlike the benefits of the electronic workplace, which are clear, the potential downside of a company’s information technology initiatives is not so straightforward or well understood.
The electronic expansion of the office – implementing technology that provides employees with easy, remote access to information – can create the potential for theft and misuse of that information. Although passwords and other electronic means can limit unauthorized access, an employee who has not yet advised his employer of his plan to leave the company may be tempted to take advantage of his position as an insider. The ease with which information can be transferred to personal email accounts and/or portable storage devices, such as flash drives, enables the quick transfer of confidential documents that can include information about clients, potential clients, and co-workers. That seemingly innocent employee leaving the office listening to his iPod may have stored thousands of documents containing sensitive information on that device. Alternatively, an employee can use his computer access to delete, alter, or hide valuable information as “revenge” before leaving the company.
More and more, these nightmare scenarios are becoming reality. In fact, according to a recent Government report, in 2007 alone, the Department of Justice filed 217 intellectual property and computer crime cases, which represented a 7% increase over cases reported in the prior year, and a 33% increase over cases reported in 2005. As technology proliferates, and it becomes easier for employees and outsiders alike to copy and transfer sensitive information, a premium is placed on efforts to both deter such events and to be prepared when such events do occur.
The Computer Fraud & Abuse Act (commonly referred to as the “CFAA”) has increasingly become a valuable tool in the arsenal of law enforcement, as well as victimized companies, in addressing computerized employee theft of information. The CFAA provides civil remedies for unauthorized access to protected computer systems. However, courts applying the CFAA to employee cases have begun to raise legal issues centered around whether the employee was “authorized” to access the employer’s computer systems at the time the alleged theft occurred. For the courts, the question is whether a CFAA claim can be maintained against an employee who took or destroyed electronic information at a time when they had authorization to access that information.
This Stroock Special Bulletin reviews recent case law bearing on the issue of employee authorization in the context of the CFAA and concludes with several proposals to help strengthen an employer’s chances of succeeding with a civil action under the CFAA.