South Carolina BAR Journal
SC Lawyer, November 2012, #1.
Courts Hack Away Claims Under the CFAA
By Daniel J. Ballou
I was at my desk recently when I received a call from a friend who worked as a sales manager for a local business. My friend, who I'll call Skip, had helped his employer start the company and had built up a substantial book of business, compiling valuable contacts and other sales information that was stored on the company's computer network. Over the years, he had occasionally e-mailed himself a copy of quarterly sales reports so he could monitor his commissions, and he had used this information, including names, contact information and sales histories, to verify with his employer how much he was owed on a number of lucrative accounts. He had become so successful in sales that he had recently been offered a job at a substantial raise by their biggest competitor, a regional firm anxious to enter the local market. Having decided to take the new job, Skip downloaded the most recent sales information to a USB drive and gave notice he was leaving.
Within a week of starting his new job, Skip had been sued by his former employer in federal court for violation of, among other things, the Computer Fraud and Abuse Act. Specifically, the employer alleged that he had acted "without authorization or in excess of his authorization" when he downloaded the sales information, and that he had done so in violation of the CFAA by breaching company policies prohibiting the disclosure of confidential information and trade secrets. I told him he should make an appointment because we needed to talk.
Skip was one of a growing number of employees who change jobs only to find themselves on the receiving end of a federal lawsuit under the CFAA. The combination of increasing transience among workers and the ease with which computerized data is stored, accessed and transmitted has created a target-rich environment for lawsuits against departing employees. In many cases, these suits are filed against nefarious pilferers bent on corporate espionage who are determined to take as much inside information with them as they can to unfairly benefit a competing business. In other cases, the CFAA has become a bludgeon wielded by aggressive U.S. Attorneys and irate employers to enforce the terms of private employment agreements in federal court.
Origins of the CFAA
You would be hard-pressed today to find a business that does not store most if not all of its most valuable information on a computer network of some kind, whether on a stand-alone desktop PC, a company server or even the ubiquitous "cloud." Whether the information consists of correspondence, e-mails, sales histories, pricing information, technical specifications or other information obtained and developed over the years, the data stored on a company computer is often the most valuable asset the business owns. Moreover, giving employees access to some or all of that information is often a practical necessity for the success of the business. The problem arises when someone who has been entrusted with access ends up using the information against the interests of the employer.
The CFAA was first and foremost a criminal statute enacted by Congress in 1986 as the Counterfeit Access Device and Computer Fraud and Abuse Act, as a response to the relatively new (at the time) crime of computer hacking. The Act was originally used to prosecute everything from garden-variety hackers to credit card thieves who had unlawfully accessed protected computers. In 1994, however, the Act was amended to add, among other things, a civil cause of action allowing the recovery of compensatory damages and injunctive relief. With this amendment in place, aggrieved employers could bring civil...