Think your data is safe? Think again.
August 8, 2012
Article courtesy of SBAM Approved Partner ASE
By Anthony Kaylin
Common problem: your employee leaves the company, then uses your company’s data in the new job. What recourse do you have?
In April 2010, Mike Miller resigned from his position as Project Director for WEC Carolina Energy Solutions, Inc. (WEC). Twenty days later, he made a presentation to a potential WEC customer on behalf of WEC’s competitor, Arc Energy Services, Inc. (Arc). The customer ultimately chose to do business with Arc. WEC contends that before resigning, Miller, acting at Arc’s direction, downloaded WEC’s proprietary information and used it in his presentation to Arc. WEC sued Miller, his assistant Emily Kelley, and Arc. WEC alleges that, among other things, Arc violated the Computer Fraud and Abuse Act (CFAA).
When Miller worked for WEC, the company provided him with a laptop computer and cell phone, and authorized his access to the company’s intranet and computer servers. Miller had access to numerous confidential and trade secret documents stored on WEC servers, including pricing terms, ending projects and the technical capabilities of WEC. To protect its confidential information and trade secrets, WEC had instituted policies that prohibited using the information without authorization or downloading it to a personal computer. However, these policies did not restrict Miller’s authorization to access the information.
At trial, the court dismissed the CFAA allegations. WEC appealed to the 4th Circuit Court of Appeals.
To prove a case under the CFAA, the ex-employer must show that the ex-employee (1) “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer”; or (2) “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value”; or (3) “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage[,] or . . . causes damage and loss.”
On appeal, the 4th Circuit upheld the trial court, adopting a narrow reading of the terms “without authorization” and “exceeds authorized access.” It held that these terms apply only when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access. The court then stated that WEC failed to allege that Miller and Kelley accessed a computer or information on a computer without authorization. The court then found that WEC’s complaint belied such a conclusion because the complaint stated that Miller “had access to WEC’s intranet and computer servers” and “to numerous confidential and trade secret documents stored on these computer servers, including pricing, terms, pending projects[,] and the technical capabilities of WEC.”
The court then found that that although Miller and Kelley may have misappropriated information, they did not access a computer without authorization or exceed their authorized access.
Currently, there are two interpretations of “without authorization” or “exceeds authorized access” making the rounds of the federal circuits. The 9th Circuit mirrors the 4th Circuit interpretation. The 9th Circuit holds that an employee’s misuse or misappropriation of an employer’s business information is not “without authorization” so long as the employer has given the employee permission to access such information. The 7th Circuit, by contrast, holds a broader interpretation of these terms. When an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it.
The 6th Circuit Court of Appeals, which covers Michigan, has not yet ruled on the meaning of these key terms yet. There is a case making the rounds in the Circuit, but there is no guarantee it will make it to the Appeals level. On the other hand, legal pundits knowledgeable in the 6th believe that the narrow interpretation will be followed.
Therefore, employers will need to ensure that their data accessing and termination policies are detailed and thorough as to the meanings of “authorization” and “exceeding authorization” when it comes to company data.
Have an IT or HR related question? SBAM’s member-only Ask an Expert service is available here.