As January draws to a close, we figured it seemed like a good time to take stock of where things stand in the world of non-competes and trade secrtets.  So we've paused to look around the blogosphere to see what's been happening and what's on the horizon.

 • Much has been written about the ongoing battle between Aon Risk Services and Alliant Insurance Services stemming from an alleged raid, which has spawn lawsuits on both ends of the continent.  David Clark provides a good summary on Epstein Becker's blog while Kenneth Vanko weighs in on the thorny venue issues that arise when parties file preemptive strike actions.

• Maryland is contemplating passage of a statute that would preclude enforcement of a "non-competition covenant" if an employee applies for and is deemed eligible for unemployment benefits.  The problem is the statute, in its current form, does not define "non-competition covenant" and will motivate more employers to contest more unemployment claims.  Some legislators need to think first, and legislate second.

• The suicide of Aaron Swartz, a well-known coder, entrepreneur, and political activist, has resulted in increased scrutiny of the federal Computer Fraud and Abuse Act, renewing debate over whether the law should be amended to narrow its scope.  There is no greater resource of material on this subject than John Marsh's Trade Secret Litigator Blog. 

• Have you heard the clamor that confidentiality contracts may run afoul of the National Labor Relations Act?  Lauri Rasnick tackles a recent decision from an NLRB administrative law judge and offers some practical and useful advice here.

• Ever wonder whether non-compete and trade secret litigation is on the rise?  Russell Beck of Beck Reed Riden asked and answered the same question in his Trade Secret and Non-Compete Survey.

• Have you ever wondered what the difference is between a works-for-hire and inventions assignment clause in an assignment clause in an employment agreement?  Thought leader Janette Levey Frisch dissects this topic and offers helpful tips on her blog The Emplawyerologist. 

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips, and he received his mediation training from the Center for Dispute Settlement in Washington, D.C.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

As readers of this blog know, we have been following the diverse and seemingly irreconciliable decisions from federal courts regarding the scope of the federal Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030.  Last week, in WEC Carolina Energy Solutions LLC (“WEC”) v. Miller, the U.S. Court of Appeals for the Fourth Circuit weighed in on what continues to be one of the hottest debates within the federal judiciary in recent memory: whether the CFAA applies to disloyal employees who access their employer's workplace computers to misappropriate, copy or otherwise transfer corporate data.  

The facts in WEC v. Miller were similar to those in other recent CFAA cases.  According to the Fourth Circuit’s opinion, a copy of which is available below, WEC provided specialized welding and related services to the power generation sector. As the Fourth Circuit explained, Arc Energy Services, Inc. (“Arc”) was one of WEC’s competitors in South Carolina.  WEC provided “Miller with a laptop computer and cell phone, and authorized his access to the company’s intranet and computer servers.”  According to WEC’s complaint, "Miller had access to numerous confidential and trade secret documents stored on … computer servers, including pricing terms, pending projects[,] and the technical capabilities of WEC.”  WEC implemented employment policies that prohibited the use of such information without authorization or downloading it to a personal computer.  But as the appellate court noted, “[t]hese policies did not restrict Miller’s authorization to access the information.”  

In its Complaint, WEC alleged that before Miller resigned, he and his assistant at WEC downloaded and emailed WEC’s confidential information to personal email accounts and a personal computer.  WEC claimed that this information was used by Miller in a successful pitch to Arc after Miller’s resignation.  Miller moved to dismiss WEC’s CFAA claims, and in opposition WEC argued that Miller violated the CFAA and WEC’s employment policies by downloading WEC’s confidential information to a personal computer.  WEC also argued that Miller breached his fiduciary duty to WEC when he downloaded this information to his personal computer, thereby losing the authority to access it.  WEC Carolina Energy Solutions, LLC v. Miller, No. 0:10-cv-2775-CMC, 2011 WL 379458, at *5 (D.S.C., Feb. 3, 2011).  These arguments were rejected by the district court, which held that “WEC’s company policies regulated use of information not access to that information.  Thus, even if Miller and Kelley’s purpose in accessing the information was contrary to company policies regulating use, it would not establish a violation of company policies relevant to access and, consequently, would not support liability under the CFAA.”

This decision was affirmed by the appellate court.  Diving headfirst into the debate regarding the scope of the CFAA, the Fourth Circuit observed that in interpreting the CFAA, “two schools of thought exist.”  The first comes out of Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006), in which the court held that “when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it.”  The second school of thought, “articulated by the Ninth Circuit and followed by the district court here, interprets ‘without authorization’ and ‘exceeds authorized access’ literally and narrowly, limiting the terms’ application to situations where an individual accesses a computer or information on a computer without permission.”  

The appellate court rejected WEC’s arguments in favor of following the Citrin line of cases, and adopted what is perceived as the employee-centric view articulated in Brekka and Nosal.  As the appellate court held, “we adopt a narrow reading of the terms ‘without authorization’ and ‘exceeds authorized access’ and hold that they apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access.”  In a nod to the potential impact of its opinion, the appellate court noted its “conclusion here likely will disappoint employers hoping for a means to rein in rogue employees.”  “But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.”

Brent Cossrow is a partner in Fisher & Phillips' Employee Defection & Trade Secrets Practice Group.  Mr. Cossrow's practice focuses on e-discovery and other electronically stored information issues.  As always, please feel free to share your thoughts and questions in the comment space below.

WEC v Miller.pdf (65.78 kb)

Dispute Seems Destined for United States Supreme Court

“Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.”

And so begins the reasoning of the United States Court of Appeals for the Ninth Circuit on way to its conclusion that the CFAA does not apply to data theft by an employee who steals information he was permitted to access in the first place. 

The CFAA makes it unlawful to access a computer without authorization, or to exceed the scope of one’s authorization, for the purpose of obtaining or altering information in the computer that one is not entitled to obtain or alter. 

In US v. Nosal, the U.S. Court of Appeals for the Ninth Circuit acknowledged that the CFAA can be read either of two ways: First, it could refer to someone who's authorized to access only certain data or files but accesses unauthorized data or files.  This is colloquially known as ‘hacking.’

The Court offers an example.  “[A]ssume an employee is permitted to access only product information on the company's computer but accesses customer data: He would ‘exceed authorized access’ if he looks at the customer lists.”

But the Court noted that the statute also could be interpreted differently.  Namely, the language might refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. “For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.”

And so goes the dispute.  According to the government, employees violate the CFAA when they access information on their employer’s computer for an improper purpose.

A majority of the Ninth Circuit rejected the government’s view of the CFAA with a litany of colorful language and hypotheticals:

“The government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes....For example, it's not widely known that, up until very recently, Google forbade minors from using its services. Adopting the government's interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents and their parents and teachers into delinquency contributors.”

From the Ninth Circuit’s perspective, the danger is palpable.  “Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.”

“Under the government's proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist's policy, or describing yourself as ‘tall, dark and handsome,’ when you're actually short and homely, will earn you a handsome orange jumpsuit.”

In reaching its conclusion, the Ninth Circuit acknowledged that its decision was at odds with numerous “decisions of our sister circuits” reaching different conclusions; e.g., the 5th, 7th and 11th Circuits.  But it simply asked that its “sister circuits” reconsider based on the content of the 9th Circuit opinion.

But the split of opinion in federal court is not simply a split among the circuits.  Notably, there was a dissenting opinion filed concurrently with the 9th Circuit’s decision in Nosal.

The Dissent

The dissent blasted the theoretical illustrations contained in the majority opinion.  “This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts.”

The dissent continued: “In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men, and far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.”

Offering its own analogy, the dissent observed that a bank teller is entitled to access a bank's money for legitimate banking purposes, but he may not take the money for himself.

In short, the dissent concluded that “it does not advance the ball to consider, as the majority does, the parade of horribles that might occur under different subsections of the CFAA.”  That is why courts have the authority to consider constitutional challenges to the manner in which statues are applied.

“The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases, but to adjudicate live cases or controversies....We need to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals.”

And so goes the internally conflicted thinking of the United States Court of Appeals for the Ninth Circuit.  One has to wonder, if the justices of the Ninth Circuit cannot agree among themselves whether to agree or disagree with other federal circuits, how long will it be before the U.S. Supreme Court has to weigh in on the matter?

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

US_v_Nosal.pdf (103.39 kb)

The past year has produced noteworthy decisions from the Sixth, Ninth and Eleventh Circuit Courts of Appeals – and recent Congressional hearings – regarding the applicability of the Computer Fraud & Abuse Act (“CFAA”) to employers’ claims that disloyal employees accessed their employers’ computers in order to take trade secrets, source code, and other valuable electronically stored information.  The CFAA provides a federal, private right of action against any person who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value… .”  18 U.S.C. § 1030(a)(4). 
 
The recent decisions and congressional hearings are fueling one of the hotter debates within the judicial and legislative branches of the federal government: the extent to which Congress meant to “federalize” certain computer-related disputes between employers and their employees.  On this legal question, there is a continuum of interpretations of the CFAA.  Some interpret the CFAA as giving employers a federal cause of action against their disloyal departing employees, in what has been perceived as a pro-employer interpretation.  On the other end of this continuum are what would appear to be employee-centric opinions holding that the CFAA does not create such a right in employers. 

The next case to watch in this debate over the scope of the CFAA might be Metabyte, Inc. v. Nvidia Corp., et al.  According to the Complaint (available in .pdf format below), Metabyte is an information technology services company that produces software and provides product development, consulting and related information technology staffing services.  Metabyte claims that it produced an original 3D technology, which consists of executable source code and enables a three-dimensional display through specialized glasses used for viewing computer screens.  The primary application for this software and the glasses is for personal computer-based gaming, according to the Complaint.

Metabyte alleges that it developed its 3D software through the investment of millions of dollars and the efforts of its software developer-employees, and Metabyte has made the conduct of these software developers the epicenter of its Complaint.  According to Metabyte, these employees – now Nvidia’s co-defendants – left Metabyte and joined Nvidia, where they allegedly developed a 3D technology for Nvidia that is similar to Metabyte’s 3D technology.  But before Metabyte’s former software developers left, Metabyte contends, they improperly copied the source code for Metabyte’s 3D technology, then used this source code to create Nvidia’s competing 3D technology. 

At the moment, only Metabyte’s side of the story is public.  However, the allegations in the Complaint set the stage for another "employer versus allegedly faithless employee" showdown.  The disposition of these allegationswill turn, among other things, on the district court’s interpretation of the scope of the CFAA, the accuracy of the allegations against Metabyte’s former software developers, the timing and circumstances of the purported accessing of Metabyte’s computers, and the extent to which Metabyte took steps to restrict the access of its software developers.   
 
This blog will keep its eye on Metabyte, and any decisions regarding the CFAA that result from this case.

Brent Cossrow is a partner in the Employee Defection & Trade Secrets Practice Group of Fisher & Phillips.  Mr. Cossrow’s practice focuses on e-discovery and other electronically stored information issues.  As always, please feel free to share your thoughts and questions in the comment space below.

Complaint - Metabyte v Nvdia, et al..pdf (4.61 mb)

Twas the night before Christmas, when all through the company;
A disgruntled employee kept saying “please jump with me.”
She was trying to line up a grand, mass departure;
Of which she was certain no one could outsmart her.

Her files had been copied, her clients all contacted;
She’d consulted a lawyer ‘bout things she had contracted.
He said that her covenants were quite overbroad;
Of this she was certain, they’d all be deemed flawed.

She proceeded to upload the secrets she’d learned;
On to flash drives, and emails and discs she had burned.
With not one regret, she reamed out her boss;
Quite sure she’d not erred, it would soon be his loss.

With eyes all upon her, out the door she receded;
Two colleagues joined with her, at least that's what she tweeted.
The office was stunned, and management surprised;
No one had foreseen that they’d soon be downsized.

“Let’s call up the lawyers. What options have we?
We’ll file a lawsuit, and then she will see!
Without our permission, our computers she hacked!
This must run afoul of the Computer Fraud & Abuse Act.”

“We must stop her now, her acts are illicit.
Without an injunction, our clients she’ll solicit.
And don’t forget the others who joined her, you see;
Together they formed a civil conspiracy.”

“Hold your horses," say the lawyers, "don’t get carried away.
Let’s pull out their contracts and see what they say.
But where are they kept? We’ve got piles and piles.
For sure they’ll be found in personnel files.”

“Let’s draft the complaint, and seek an injunction.
The defendants, you see, acted without compunction.”
The Court set a hearing, the plaintiff went first.
“Your Honor, it’s horrible, obscene and the worst!!”

“She’s taken our staff, our trade secrets, purloined;
She must be shut down, she must be enjoined!
In her contract she promised, she swore, she agreed.
The protections we seek are all guaranteed.”

“She may not solicit. It’s in simple prose.
She may not take secrets, or use or disclose.
But even without the help of contract;
Her conduct defies the trade secrets act.”

The lawyer sat down, feeling smart, feeling pleased;
The defense will be begging, they’ll get down on their knees.
So the court turned to the left where defense counsel sat;
And asked, “My dear sir, what do you say to that?”

“Your Honor, you see, they’ve got it all wrong.
Just hear me out, this won't take too long.
The data at issue are far from trade secrets.
You’ll find it in public, in brochures and on leaflets.”

“The contract is void, it lacks consideration.
And the covenants purport to cover the nation.
My clients, they acted at all times with great reason.
In contrast, the plaintiffs use contracts adhesion.”

Defense counsel sat, while the court thought about it;
Parsing through the arguments each party had spouted.
And finally the court was ready to rule;
To give its decision at this time of Yule.

“First let me address the non-compete clause;
Please wait ‘til I’m finished; please hold your applause.
The non-compete is too onerous, it’s unreasonable;
But I find that the covenants are quite severable.”

“Defendants have breached the clause nondisclosure;
Confidential information – indecent exposure.
And let’s not forget the non-solicitation;
That covenant is of reasonable duration.”

“So I’m going to issue a restraining order;
Please take this down, my dear court reporter;
A bond shall be posted at ten thousand dollars;

I say this to both parties and their legal scholars:

Explore resolution. Think how not to fight.
Merry Christmas to all, and to all a good night.”

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed

Could it possibly be equally as unlawful to lie about your age as it is to download trade secrets from your employer's computer?  Some say that both may constitute a violation of the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and therefore the statute must be amended.

In recent years, the number of prosecutions under the CFAA has increased.   These cases have been watched closely by many employers because the CFAA is not just a criminal statute.  Rather, provided certain conditions are met, the civil provisions of the CFAA create a private right of action against those who wrongfully access, or exceed their authorized access, to a protected computer (as defined by the CFAA to include computers used in interstate or foreign commerce or communication).

There has been a split of opinions among federal courts about what it means to "exceed authorized access."  For instance, the Eleventh Circuit concluded not too long ago that an employee "exceeded authorized access" under the CFAA by accessing information on a computer in a manner contrary to an employer's written policies.  Rejecting this analysis, the U.S. district court for the Southern District of New York stated that it would be wrong to "expand the reach of the CFAA to any employee who accesses a company's computer system in a manner that is adverse to her employer's interests. This would convert an ordinary violation of the duty of loyalty or of a confidentiality agreement into a federal offense."

While the courts continue to differ in their view, the debate recently shifted to the halls of Congress.  In testimony before the House Committee on the Judiciary, GWU Law Professor, Orin Kerr, offered some extreme examples with the hope that it would spur Congress to narrow the definition of "authorized access."  Professor Kerr explained: "It is common for computers and computer services to be governed by Terms of Use or Terms of Service that are written extraordinarily broadly....The Terms of Use of the popular Internet dating site Match.com says that “You will not provide inaccurate, misleading or false information ...to any other Member....If a user writes in his profile that he goes to the gym every day – but in truth he goes only once a month – he has violated Match.com's Terms of Use.  Similarly, a man who claims to be 5 foot 10 inches tall, but is only 5 foot 9 inches tall, has violated the Terms.  So has a woman who claims to 32 years old but really is 33 years old."  (A copy of Professor Kerr's written testimony is available in pdf format below.)

Providing a different view was Richard W. Downing, Deputy Chief Computer Crime and Intellectual Property Section Criminal Division of the Department of Justice.  Downing noted, "Some have argued that the definition of “exceeds authorized access” in the CFAA should be restricted to disallow prosecutions based upon a violation of contractual agreements with an employer or service provider.  We appreciate this view, but we are concerned that that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution."  Downing continued, "Employers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose."  (A copy of Mr. Downing's written testimony is available in pdf format below.)

Whether the CFAA will be amended remains an open question.  For now, the courts will likely continue to grapple with the extent to which Congress originally intended the statute to apply to alleged faithless employees.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

Kerr Testimony.pdf (131.59 kb)

Downing Testimony.pdf (61.39 kb)

Lost Employee Productivity and Attorneys' Fees Also Count Toward "Loss" Required to Meet $5,000 Jurisdictional Requirement

An increasing number of courts have weighed in recently on whether the Computer Fraud & Abuse Act (“CFAA”) applies in the context of a faithless employee.  Despite this onslaught of decisions, there are still relatively few cases that delve into the details of what qualifies as a “loss” under the statute.  The definition matters because without a “loss” of $5,000 or more, employers (or anyone else) cannot bring a civil claim under the CFAA. 

In Animators At Law, Inc. v. Capital Legal Solutions, LLC, the U.S. District Court for the Eastern District of Virginia recently took on this issue and offered its view on whether an actual payment of money is required to establish a “loss.”  The Court also addressed whether bartered services, lost employee time, and attorneys’ fees may qualify.  The result is a decision that will make it easier to assert such claims if it is followed by other courts.  (A copy of the court’s decision is available in pdf format below.)

In Animators, an employer sued two former employees who allegedly took a laptop computer with them when they resigned.  The former employer, Animators At Law (“Animators”), hired a computer forensic firm to analyze the laptop computer after it was returned.  The overall investigation was spearheaded by Animators’ president and its outside counsel.

Animators sued the former employees and their new employer in federal court asserting a claim under the CFAA.  Animators sought to satisfy the $5,000 jurisdictional threshold in three ways.  First, it noted that the services performed by its computer forensic firm were valued at nearly $20,000.  Second, it argued that its president normally charges $300 per hour for his time as a consultant, and he spent in excess of 72 hours overseeing the investigation.  Third, Animators stated that its lawyer chimed in with an hourly rate of $445 for an additional $14,000. 

The defendants argued that Animators’ alleged “losses” did not qualify as the type of “loss” required by the CFAA.  First, with respect to the computer forensic fees, the defendants pointed out that Animators did not actually pay these fees.  Instead, in accordance with a “longstanding, ongoing business relationship,” Animators obtained the services of its computer forensic firm “in trade for other services” to be performed by Animators in the future.  The Court sided with Animators noting that “the CFAA does not require losses to be paid for in cash.”  According to the Court, “it would be passing strange for [the computer forensic firm] to spend more than sixty hours of time analyzing Animators’ data … without any expectation of compensation in some form….Thus, a jury could reasonably conclude that the costs of [the computer forensic firm’s] service were internalized by Animators and thus qualify as CFAA losses.”

Second, the defendants challenged Animators’ “loss” by arguing that the time spent by its president investigating the alleged violations should not count.  Relying on prior precedent, the Court noted that “‘many hours of valuable time away from day-to-day responsibilities” are contemplated within the CFAA’s definition of ‘loss.’” 

Finally, the defendants argued that the all of the fees incurred by Animators, including its attorney, were unreasonable.  On this point, the defendants made the most progress, but still were unable to persuade the Court.  Although the Court agreed that the CFAA “requires a plaintiff to prove that the losses in issue were reasonable,” it found that the amount of money that should be spent on an investigation is often easy to criticize in hindsight.  In the Court’s words:

[A]n investigation is often required to determine the cause and scope of a computer intrusion, and the financial impact of even a relatively narrow intrusion can be extensive.  In this case, had Animators’ confidential information about clients been compromised, Animators might well have had to address the security breach on a client-by-client basis, potentially adversely affecting Animators’ business activities….A jury…may reasonably conclude that, in light of this risk, Animators acted reasonably….In the end, Animators’ investigation may disclose that no files were compromised….  Yet, hindsight must not guide such an analysis of whether such actions were reasonably necessary in response to a CFAA violation; instead, as with any reasonableness inquiry, the analysis should focus on whether reasonable prudence was exercised in light of the risks and circumstances presented.

The Court summed up its decision by stating: “[P]erpetrators of unauthorized access should foresee that their actions may result in significant investigations and costs far exceeding the actual damage to the system.”

If other courts fall in line with this opinion from the Eastern District of Virginia, it will be easier for aggrieved parties to assert civil CFAA claims.  Between lost employee productivity and attorneys’ fees, the $5,000 jurisdictional threshold is likely to be established quite easily.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

Animators at Law v Capital Legal Solutions.pdf (685.45 kb)

The debate rages on concerning the scope and extent of the federal Computer Fraud & Abuse Act.  In simple terms, the CFAA makes it unlawful to access a protected computer without authorization (or in excess of one's authorization) and to damage the computer or obtain information that one is not entitled to obtain.  Originally a criminal statute, the CFAA also provides for a civil claim if certain conditions are met.  Courts have long debated whether the statute applies in the context of an alleged faithless employee who accesses an employer's information contained on a computer for an improper competitive purpose.  Regardless of the varied judicial opinions addressing this point, the United States District Court for the Middle District of Florida recently rejected as "dubious" a somewhat novel argument that an employee violated the CFAA by accessing Facebook and her personal email at work.  (A copy of the Court's opinion is available in pdf format below.)

In Wendi Lee v. PMSI, Inc., Lee sued her former employer, PMSI, for pregnancy discrimination.  PMSI counterclaimed under the CFAA stating that Lee engaged in "excessive internet usage" and "visit[ed] personal websites such as Facebook and monitor[ed] and [sent] personal email through her Verizon web mail account."  In its opinion dismissing the CFAA claim, the Court began by noting the CFAA is originally a criminal statute designed to target hackers who access computers to steal information.  The Court noted that some courts have permitted CFAA claims against employees who send an employer's trade secrets or proprietary information via email.  Lee citing Shurgard Storage Centers v. Safeguard Self Storage (W.D. Wash. 2000).  Notwithstanding these cases, the Court concluded that "[b]oth the letter and spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working."

The Court's conclusion was based on more than it's impression of the purpose underlying the CFAA.  The Court examined the statute and observed that a CFAA violation occurs if a defendent damages a computer or obtains information to which the employee is not entitled.  In this case, PMSI failed to allege that Lee somehow damaged its computers or accessed its information.  The Court also recognized that a civil claim under the CFAA only exists if the alleged wrongful conduct causes a loss to one or more persons during a one-year period aggregating at least $5,000 in value.  18 USC. 1030(c)(4)(A)(i)(l).  Despite PMSI's creative argument, the Court held that the "statute does not contemplate 'lost productivity' of an employee" as the type of loss required to sustain a CFAA claim.

No doubt, the debate over the scope and applicability of the CFAA will continue to unfold in courts across the country.  Employers will continue to use the CFAA as a tool to protect their confidential and trade secret information, and eventually, the Supreme Court or Congress will likely address the split of opinion.  Wherever the line may be drawn eventually, for now, at least, the line has not been so broadly drawn as to apply the statute to employees who spend too much time on the internet at work.  Employers who seek to address this problem should do so through appropriately tailored written policies and careful implementation.

As always, we welcome your thoughts and input in the comment section below.  Let us know your reaction to this Court's opinion.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed. 

Lee v. PMSI.pdf (29.40 kb)

More often than not when a management law firm informs its clients of recent case developments, the news is not good. This is an exception.

In a decision more in line with decisions from other circuits, the U.S. Court of Appeals for the 9th Circuit recently decided a Computer Fraud & Abuse Act ("CFAA") case which offers significant assistance to employers' efforts to protect their trade secrets and confidential information from theft or misuse by employees, so long as employers do it correctly. The case was entitled U.S. v. Nosal, and a copy of the decision is available in pdf format below.

David Nosal was a former employee of Korn/Ferry, an executive search firm. Nosal resigned his employment and convinced certain employees who were still employed by Korn/Ferry to provide him with information from the company's confidential Searcher database – considered by Korn/Ferry to be one of the most comprehensive databases of executive candidates in the world. Nosal was not authorized to access the Korn/Ferry database, and he did not do so. The currently employed individuals engaged by Nosal were authorized to access the Searcher database as part of their jobs, and they passed Searcher database information to Nosal.

An indictment followed, with the government claiming Nosal and his co-conspirators were criminally liable for violation of the CFAA which subjects to punishment under criminal statutes anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." Employers should take note of this case as well because the CFAA also provides civil remedies for violations of its provisions.  These civil remedies include damages and injunctive relief.

The defendants argued they could not possibly be guilty of a violation of  CFAA because the employer authorized them to access the Searcher database. They claimed the CFAA was designed to penalize hackers who illegally entered company computer systems without authorization and not individuals like themselves who were authorized to access the database, regardless of what use they made of the company's database information.

The court agreed with the government that the employees violated the statute because they: 1) accessed the database; 2) obtained information from the computer; and, 3) used it for a purpose that violates the employer's restrictions on the use of the information. The case turned on the employer's restrictions on the use of information stored in its Searcher database and the meaning of authorized access.

A Dramatic Change In Direction

This distinction is more significant in light of an earlier 9th Circuit holding in a case titled LVRC Holdings LLC v. Brekka. In that case, Christopher Brekka, while an employee of LVRC Holdings, sent a number of the employer's business documents to his private email account. At the time he sent the documents, he was also engaged in negotiations for the purchase of the company. The negotiations did not result in agreement, and he left the company. Later LVRC learned of Brekka's transfer of its documents and proceeded against him for violation of the CFAA.

In that case, the court found no violation because the employer had not notified Brekka of any restrictions on his access to the computer. The Brekka court held: "Therefore, as long as an employee has some permission to use the computer for some purpose, that employee accesses the computer with authorization even if the employee acts with a fraudulent intent."

The Significance Of The Difference In The Two Approaches

The primary lesson from these two decisions is that it is imperative that an employer precisely define the limits of an employee's access to its computer systems and databases. If an employee's improper computer access is ever to be found to be illegal, the employer must have first placed limitations on the employee's permission to use the computer and the employee must have violated or exceeded those limitations. As seen from the Brekka decision above, failure to set limits means you may have little protection, even against fraudulently inclined employees.

In a classic summation of the principle, the Nosal court held: "Therefore, as long as the employee has knowledge of the employer's limitations on that authorization [to use the company computers and access company databases] the employee exceeds authorized access [under the statute] when the employee violates those limitations. It is as simple as that."

Despite the Ninth Circuit's wording, it may not be quite that simple, but it is clearly imperative that employers carefully define the scope of the permission they grant their employees to access and to use their information. If nothing is said, employees who access the information, even for fraudulent purposes, may not be found to have violated the CFAA. But if employers have defined the limits of the permission granted to employees to use their computer systems and databases, employees who violate that permission may be successfully prosecuted.

It's also important to note that Korn/Ferry had taken a number of steps before this lawsuit to protect its Searcher database – such as controlling electronic access to the database and controlling physical access to computer servers that contained the database. Korn/Ferry employees had unique usernames and created passwords for use on the company's computer system, including for use in accessing the Searcher database. Korn/Ferry included a phrase emphasizing the proprietary and confidential nature of the data on every report generated from the Searcher database. The company also had policies and agreements that explained the proprietary nature of information made available to employees and restricted use and communication of all such information, except for legitimate Korn/Ferry business.

Protect Your Assets

The specific methods an individual employer uses to protect its confidential, proprietary and trade secret information will vary depending on the nature of the information and the nature of the business operation. This is a situation in which one size does not fit all. Employers may be wise to speak with their labor and employment counsel before the horse bearing the company's crucial information leaves the barn.

Courts regularly tell employers, generally after they have unsuccessfully attempted to get the court's help in retrieving important information, that it is not the court's job to protect their confidential and proprietary information. It is the employer's job to do that in the first instance by implementing carefully thought out safeguards to protect its own systems. If employers have to seek a court's intervention, they want to make the court's job as easy as possible by being able to demonstrate that they have first taken reasonable steps to safeguard the information they are now telling the court is so crucial to the future success of the company.

This is an area where the employer has the right and the ability to set the rules for employee access to its important and crucial information. The takeaway: employers should establish systems and rules which will permit them to protect their valuable information to the maximum extent possible. Here's a simple equation to put this in perspective:

No Rules = Possibile Inability to Take Action Against Employees Who Steal Information From Computers.

Rules = Enhanced Ability To Protect Company Against Employees Who Might Be Tempted to Steal Company Secrets.

US v. Nosal.pdf (92.31 kb)

Now Available at Your Convenience!!

The use of online social media such as LinkedIn is becoming increasingly prevalent, and as a consequence, employees are often very casual about what they say and do online. They frequently share information first, and think about the consequences later. Any business that does not have a solid contract, a sound social networking policy, or does not train its employees on the do's and don'ts of social networking may have a critical security gap in the protection of its trade secrets and its confidential information. Click here to join us for this free one hour webinar led by Mike Greco and Chris Stief from the Employee Defection and Trade Secrets Practice Group at Fisher & Phillips LLP as they explore steps employers can take to address this growing threat.   

Michael R. Greco and Christopher P. Stief are partners in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts by Mr. Greco, Mr. Stief or other members of the Practice Group, you may subscribe to this blog's RSS feed or follow Mr. Greco on Twitter on on LinkedIn or follow Mr. Stief on Twitter or LinkedIn.  As always, please feel free to share your thoughts or pose your questions in the comment field below.