INFOTECH AND THE LAW
Computer Fraud Law Extends to Employees
By Jonathan Cain
Suppose a trusted employee leaves the company. She has had access to proprietary source code, programming techniques and plans for product improvements. The employee has not had access to marketing plans.
Before leaving, she takes a memo outlining product improvements, accesses a restricted server directory that keeps versions of source code and inserts a few lines to disable the code after three months, and e-mails an electronic copy of her confidential company programmer's manual to her personal e-mail box.
Each of these actions concern unauthorized access to the confidential information of her employer, but not all are legally actionable under most state laws.
For example, accessing and editing the source code server might not be actionable under state laws unless her employment contract forbid such access. Merely sending herself a copy of the programmer's manual to which she has authorized access is permissible; problems do not arise unless she shares it with a third party. Stealing the marketing plan would be actionable.
But a federal court late last month ruled that the Computer Fraud and Abuse Act creates federal causes of action, enforceable in federal courts, for accessing the source code and e-mailing the manual. This is a significant change in the law governing employee use of proprietary company information and, if adopted by other federal courts, creates additional risks for departing employees.
The act was intended to give federal law enforcement officers a tool to charge sophisticated criminals who defraud banks and credit card companies, nuclear spies and 15-year-olds who hack into supposedly secure Defense Department computers. It addresses a unique class of problems that only arise through the use of computers; federal prosecutors have used it successfully in all of the examples given above.
The act makes it a federal crime to access a nonpublic computer of the federal government, to access and obtain information from computers of financial institutions, credit card and consumer credit companies, to transmit codes or commands that intentionally cause damage to a "protected computer," to access a protected computer without authorization and cause damage, or to "obtain anything of value" from a protected computer without authorization. A protected computer is one "which is used in interstate or foreign commerce or communication."
In addition to the criminal penalties, the act contains a provision that entitles private parties to bring civil claims for money damages and injunctive relief.
These private right-of-action provisions did not attract much attention until the recent federal court decision. The case involved employees of the plaintiff who used their employer's computers to e-mail trade secrets to the defendant.
The defendant tried to have the case dismissed on two grounds: that the employees had rights to access the employer's data, and that the fraud and abuse act was only intended to protect the information of government and the other specified businesses.
The court refused. First, the court said that the right of employees to access employer information for the use of the employer does not extend to a right to access that information for other purposes, including to deliver the information to others without further authorization.
Next, the court read the definition of a protected computer and concluded that the statute is written to protect any computer that is used in interstate or foreign commerce or communication.
Finally, the court ruled any wrongdoing using the protected computer that results in a damage above the nominal statutory minimum of $5,000 in any 1-year period is covered by the act. The plaintiff does not have to prove traditional elements of fraud.
In our opening example, the computer is used for interstate communication via e-mail, so it is a protected computer under the act. The employee's access to the restricted directory is unauthorized and intentional, and so is her unauthorized insertion of the disabling code. The result of her action will cause more than $5,000 of damage over the next year in lost time, service to customers and loss of customer good will.
Her termination ends her authorization to use the programming manual, and her action in e-mailing the manual would also be illegal under the act. She has just become a federal felon.
Federal prosecutors probably would take no interest the case, but her employer has civil claims that he can now bring in federal court for injunctive relief and money damages.Jonathan Cain is with the law firm Mintz Levin Cohn Ferris Glovsky & Popeo PC in Reston, Va. The opinions expressed in this article are his. He can be reached by e-mail at firstname.lastname@example.org.