Employees' Misappropriation of Electronic Data: Federal and Kansas Computer Tampering Acts

• Citation: Vol. 80 No. 5 Pg. 16
• Pages: 16
• Publication year: 2011

Employees' Misappropriation of Electronic Data: Federal and Kansas Computer Tampering Acts NO. 80 J. Kan. Bar Assn 5, 16 (2011) Kansas Bar Journal May, 2011

I. Introduction

Virtually every business in America uses computers. Many companies provide their employees with laptop computers or personal digital assistants (PDAs) to facilitate their ability to access and utilize company data. Moreover, numerous companies allow their employees to access their computer systems and data remotely through Citrix, virtual private networks, or otherwise. Businesses are thus understandably concerned about safeguarding against the unauthorized access or misappropriation of their company's data or systems. A recent national survey revealed that 59 percent of employees who quit, were laid off, or were terminated admitted to stealing data.^[1] Most of those departing employees stole their employers' data directly from their employers' computers or networks.^[2]

Concern about improper access, alteration, copying, or downloading of computer data by departing employees is particularly heightened when an employee accepts employment with a competitor or starts a competing business. In such a situation, the former employer may request that its information services department or a third-party computer forensics expert examine the hard drive of the departing employee's computer to determine if any computer data has been improperly accessed or taken from the employer's computer system. If it appears that there has been improper access, federal computer tampering statutes may provide businesses with civil remedies. The primary purpose of this article is to discuss those statutes, the remedies they provide, and other possible causes of action for the improper access or misappropriation of electronic data. In addition, this article will discuss Kansas criminal computer tampering statutes and offer some suggestions for protecting electronic data.

II. Civil Actions Under the Federal Computer Fraud and Abuse Act

Although originally only a criminal statute, the Computer Fraud and Abuse Act (CFAA) now provides for both criminal and civil remedies.^[3] The CFAA allows persons who suffer damage or loss by reason of computer fraud to file civil lawsuits seeking compensatory damages, injunctive relief, and other equitable relief.^[4] The CFAA requires that any civil action for a violation must be brought within two years of the date of the act complained of or the date of the discovery of the damage.^[5] Importantly, the CFAA provides a basis for federal question jurisdiction, allowing a plaintiff to bring its claims in federal court.

A. Conduct prohibited by the CFAA

Among other things, the CFAA prohibits the following conduct:

(1) Intentionally accessing a computer without authorization or exceeding authorized access and thereby obtaining information from any protected computer;^[6]

(2) Knowingly, and with the intent to defraud, accessing a protected computer without authorization, or exceeding authorized access, thereby furthering the intended fraud and obtaining anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period;^[7] or

(3) Knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization, to a protected computer.^[8]

A "protected computer" under the CFAA is any computer "which is used in interstate or foreign commerce or communication."^[9] With the widespread use of email and the Internet, this encompasses virtually all computers.

B. Establishing a civil action under the CFAA

The CFAA provides a civil action to "any person who suffers damage or loss" as a result of conduct prohibited by the CFAA.^[10] Although the statute uses the conjunction "or," courts disagree as to whether damage or loss alone is sufficient to state a civil claim under the CFAA or whether both are required.^[11] Although the legislative history indicates that both are required, some courts have found otherwise.^[12] A federal court decision in Kansas has adopted the less-strenuous damage or loss formulation.^[13] However, the safest practice is to allege both damage and loss when pleading a claim for violation of the CFAA.

The "damage" and/or "loss" resulting from the defendant's conduct must also include one of the following elements in order for a civil action to exist under the CFAA:^[14]

• Loss to one or more persons during any one-year period aggregating at least $5,000 in value;^[15]

• The modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals;^[16]

• Physical injury to any person;^[17]

• A threat to public health or safety;^[18] or

• Damage affecting a computer system used by or for an entity of the United States government in furtherance of the administration of justice, national defense, or national security.^[19]

The first element — loss during one year aggregating at least $5,000 — is the element most likely to be present in a civil action for damages under the CFAA. The damages recoverable for a violation involving only the first element are limited to economic damages, which "precludes damages for death, personal injury, mental distress, and the like."^[20]

C. Unauthorized access or access exceeding authorization

As noted in subsection A above, violations of the CFAA generally require that the defendant access the plaintiff's computers either "without authorization" or that the defendant "exceeds authorized access."^[21] The CFAA does not define the term "without authorization." The term "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."^[22]

1. Employee's access (and subsequent misuse) of employer data

Federal courts disagree about whether an employee accesses a computer either "without authorization" or "exceeds authorized access" by accessing the employer's computer data that he or she is otherwise permitted to access during employment and subsequently using that information to benefit a com-petitor.^[23] Some courts hold that an employee loses the right to access the employer's computer "when he obtains information from his employer's computer for a wrongful purpose, such as the disclosure of confidential information to a competitor," and focus on the defendant's intent or use of the information.^[24] Those courts generally reason that any access after that point is "without authorization" or in excess of authorized access under the statute, even if the employee is still employed in a position that would otherwise allow him to access the computer, because authorization terminates by operation of law when the employee violates the duty of loyalty to the em-ployer.^[25] Other federal district courts have determined that what an employee does, or intends to do, with information accessed by a computer is irrelevant under the statute, so long as the employee remained within the employee's authorized access when the employee obtained the information. Those courts generally reason that the CFAA is meant to regulate whether access was authorized, not whether the use (or misuse) of the information accessed was authorized.^[26]

The U.S. Court of Appeals for the Seventh Circuit, in International Airport Centers LLC v. Citrin, concluded that an employee acted "without authorization" when, while still employed by the company, but after deciding that he was going to quit and pursue interests adverse to the company, he accessed the companys computer to destroy files.^[27] The Citrin court noted that the difference between "exceeded authorized access" and "without authorization" is "paper thin."^[28] The court reasoned that the employee's breach of the duty of loyalty terminated his authority to access his employer's computer, regardless of the fact that he was still employed at the time he accessed the computer. Thus, accessing the computer for an improper purpose was without authorization.^[29]

Under somewhat similar circumstances, the U.S. District Court for the District of Connecticut, in Modis Inc. v. Bardel-li, used different reasoning than the Citrin court to conclude that a plaintiff properly pleaded that the defendant, a former employee of plaintiff, "exceeded her authorization."^[30] The employer claimed that its former employee had obtained and used information from the employer's database for the benefit of the employee's new employer.^[31] The employee, in defense, claimed that as an employee she was authorized to access the database at issue.^[32] Unlike in Citrin, the employee had agreed in an employment agreement "to refrain from taking or reproducing or allowing to be taken or reproduced any [of plaintiff's] Property except in furtherance of [plaintiff's] business."^[33]The court held that the employer sufficiently pleaded that the employee exceeded her authorized access when she used her access for the purpose of misappropriating the employer's confidential information, because under the agreement her access was limited to "access "˜in furtherance of [plaintiff's] business.'"^[34]

Contrary to the results in Citrin and Bardelli, some federal courts have reached entirely different conclusions in cases with similar facts, holding that the CFAA is not implicated by the misuse or misappropriation of information that an employee was permitted to access during his or her employment. For example, in LVRC Holdings LLC v. Brekka, the Ninth Circuit rejected Citrin and held that an employee remained authorized to access a computer under the CFAA even when he accessed the company computer to further his own personal interests...