Articles

4416 East West Highway
Fourth Floor
Bethesda, MD 20814-4568
Phone: (301)986-9600
Fax: (301)986-1301
Toll Free: (888)986-9600
E-mail: sgro@sgrolaw.com

Use CFAA To Protect Computer Data

You Can Sue Competitors for Unauthorized Access

A key employee -- let’s call him Ralph -- e-mails copies of correspondence and reports from his office computer to a competitor who has promised to hire him. You hadn’t copyrighted the documents or treated them as trade secrets -- nonetheless they give your competitor a commercial advantage. Can you sue Ralph or your competitor for disclosure of -- or unauthorized access to -- those files?

Because the data lacked copyright or trade secret protection, you probably couldn’t sue Ralph for violating intellectual-property law. But what about the federal Computer Fraud & Abuse Act (CFAA) that bars obtaining information by unauthorized computer access? The act’s original version wouldn’t have helped you, because you authorized Ralph to access your company files.

But two recent court decisions based on CFAA amendments have broadened the definition of “unauthorized” to cover disloyal employees’ acts and competitors’ spying. Here’s a summary of the CFAA’s broadened protections -- and how you can prove violations in court.

Criminal and Civil Actions

Congress enacted the CFAA in 1984 to protect data on government and some financial institutions’ computers. The act makes it a crime to “knowingly access a computer without authorization” to fraudulently obtain information or to maliciously damage computer files. And disclosing a secret password is a misdemeanor.

Congress amended the act in 1994 and 1996 to:

• Cover all computers involved in interstate commerce, in both public and private organizations. Courts generally consider that any business computer used to communicate or conduct business over the Internet is engaged in interstate commerce.
• Allow companies injured by computer fraud and abuse to sue under the CFAA for damages or injunctive relief.

Breach of Loyalty

In Shurgard Storage Centers v. Safeguard Self-Storage, the court broadened the definition of “without authorization” to include employees who act against their current employers’ interests. Some storage-facility employees with authorized access to computer information accepted jobs with a direct competitor. Before leaving, they e-mailed trade secrets and other proprietary information to the competitor. The facility sued the competitor, alleging CFAA violations. The court held that the employees’ authorized access to the facility’s computers ended when they “acquired adverse interests” and “committed a serious breach of loyalty” by acting on their new employer’s behalf.

Unauthorized Purpose

In Register.com v. Verio Inc., a federal court extended the CFAA’s protections to a computer database that was in the public domain -- not treated as a trade secret. The case involved an accredited registrar of Internet domain names that also sold related services to registrants. It provided online access to its list of registrants (including contact information) and their domain names, as required by law.

A competitor used an electronic robot to download registration data from the registrar’s Web site, and then contacted registrants to sell them the same kinds of services. The data weren’t trade secrets, so the registrar couldn’t sue the competitor in state court claiming intellectual-property violations.

The court rejected the competitor’s argument that the CFAA didn’t bar using robotic software to download public-domain information or bar any particular end use of computer data. The court found that the competitor used unauthorized means to gain access to the database and used the data for an unauthorized purpose. The court enjoined the competitor from using its robot to continue mining the registrar’s customer database and held that:

• The use terms posted on the registrar’s Web site didn’t authorize the use of a robot to access the database, and
• The competitor’s access would be unauthorized anyway because it knew, before entering the Web site, that it would later use obtained data “for an unauthorized purpose.”

Take Precautions

As more CFAA lawsuits are filed, courts are expected to further clarify and extend its protections. But you’ll still need to take traditional precautions, such as:

• Instituting noncompete agreements and confidentiality policies,
• Classifying trade secrets as such, and
• Using passwords and other security measures.

If you have questions about how to protect your computer files against abuse by disloyal employees or predatory competitors, please call us.

How To Maximize CFAA Protection

To win a lawsuit under the Computer Fraud & Abuse Act, you must prove that your employee or competitor gained unauthorized access to a computer you owned. You can take steps now to reduce the chances of unauthorized access and ensure that you’ll have proof if you need it. Here’s how:

• Set up your computer system or network to record outsiders’ entry dates and times, as well as the nature of any outsider-downloaded data. Ask your attorney how long to keep these records.
• Make sure your system also records e-mails containing critical information sent by employees to third parties.
• Closely monitor departing employees’ e-mail use, passwords and storage media they can use to transfer vital information to competitors.
• Install a built-in warning system on your Web site to alert you to incursions by robots designed to mine company databases.
• Provide a clear terms-of-use statement on your Web site, specifying unauthorized access methods and data uses.

Before monitoring voicemail and computer communications, adopt a monitoring policy, distribute it to employees and have them sign an acknowledgement form. Otherwise, you risk civil and criminal penalties for violating the Electronic Communications Privacy Act, federal wiretapping laws, employees’ privacy or even possibly the National Labor Relations Act.