Employers are under constant attack in the employment law arena, often without much hope for going on the offensive. In Act I, a former employee draws the sword when he files a lawsuit. In Act II, the employer can do little but raise a shield. However, there may be some hope for employers that are sick of playing defense. Massachusetts courts have given lukewarm support to claims filed by employers against departing employees for violations of the Computer Fraud and Abuse Act (CFAA).
The CFAA penalizes classic computer “hacking” activities, but it also punishes employees who exceed their authorized computer access by taking confidential electronic files and data out the door when they leave their employment. A recent decision from a federal court in Massachusetts highlights the breadth of this federal law.
I’m leaving and taking the data with me
Thomas Pullen was the vice president of North American sales for Guest-Tek Interactive Entertainment. Guest-Tek provides IP-based services to the hospitality industry. As vice president, Pullen was involved in all aspects of Guest-Tek’s sales and marketing efforts and had access to confidential information and trade secrets stored on the company’s computer network.
Pullen resigned from Guest-Tek in 2009 to start his own competing business. According to Guest-Tek, before leaving, he copied thousands of its computer files onto his personal USB device to use in his new venture. Many of the files contained sensitive business-related information. Guest-Tek sued Pullen, alleging that he had violated the CFAA when he left with the sensitive data on his USB drive.
How does the CFAA fit in?
The CFAA was originally enacted in 1984 as a criminal statute meant to protect federal computers against hackers. Over time, a private right of action was added to the law, meaning individuals and entities could sue hackers for damages.
The CFAA prohibits a person from knowingly accessing a protected computer without authorization and with the intent to defraud. The law also punishes those who “exceed authorized access” with the same fraudulent intent. Damages for violations include compensation for losses resulting from the data breach (typically lost sales and harm to customer goodwill) along with costs associated with a forensic review of the employer’s computer system to determine what information was taken.
Former employer prevails
Pullen responded to Guest-Tek’s lawsuit by trying to get the CFAA claim dismissed. He argued that his data copying was lawful because he was “authorized” to access the computer network that housed the information. As the vice president of sales, he had unrestricted access to a bevy of sensitive data, including customer account information, pricing, internal financial information, marketing plans and strategies, business plans, and technical capabilities. He contended that he couldn’t be sued under the CFAA because he had permission to access those files, and he pointed to several courts that have followed this line of reasoning.
In response, Guest-Tek pointed out that those who “exceed authorized access” can also be liable under the CFAA. The employer argued that Pullen exceeded his access by copying the data in pursuit of an interest that was adverse to Guest-Tek — namely, starting his own competitive venture. Like Pullen, Guest-Tek cited several cases supporting its position.
The judge recognized that courts have treated the unauthorized access vs. exceeding authorized access dilemma in different ways. Although the trial court had no clear guidance on the issue from other courts in Massachusetts, it ultimately sided with the employer, noting that Congress has broadened the reach of the CFAA over the last few years. Older cases only address classic “hacking” activities, but a new wave of cases has expanded the scope of the CFAA to reach former employees who seek a competitive edge through wrongful use of information from their former employer’s computer system. The court denied Pullen’s motion to dismiss the claim and ruled that Guest-Tek’s lawsuit alleging violation of the CFAA could go forward.
A word of caution
Employers that consider responding to an employee’s wrongful termination lawsuit with a CFAA counterclaim need to be careful. Many employment-related statutes, including those regulating workplace discrimination and harassment, contain provisions that prohibit you from retaliating against employees after they file employment claims. Plaintiffs’ attorneys may consider your CFAA counterclaim to be nothing more than a retaliatory tactic and could countersue accordingly.
That game of back-and-forth is likely to end poorly for an employer that doesn’t have a good-faith basis for bringing a CFAA counterclaim. Be sure to investigate properly before drawing the CFAA sword against a former employee.
In today’s technology-based workplace, it isn’t uncommon for departing employees to deposit large stores of data onto devices the size of a small USB drive before their last day of work. The CFAA can provide a useful tool for employers that want to go on the offensive when the purloined data include confidential information and trade secrets, particularly when the departing employee wasn’t subject to a written confidentiality or noncompete agreement.
If you suspect a former employee has improperly taken data on his way out the door, be sure to perform a proper investigation before filing a lawsuit. Contact your labor and employment counsel if you need to discuss the proper steps for building an effective CFAA claim.