Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
It is a common scenario that hopefully has not happened to you (yet). Your employees leave and start a competing business. You soon learn that one or more of them accessed your computer system in the days prior to departure, and they forwarded your proprietary information to their personal email accounts.
Setting aside other avenues of recourse, have they violated the federal government’s Computer Fraud and Abuse Act (CFAA)? According to United States v. Nosal [pdf], the answer depends on whether you have a policy by which you defined the permitted access to your computers and computer systems.
Nosal is welcome news for employers with operations in the states governed by the Ninth Circuit (including California, Oregon, Nevada, Washington, Alaska, Hawaii, Idaho, Montana). The Ninth Circuit previously held in LVRC Holdings LLC v. Brekka that an employer without a policy prohibiting the employee from emailing company documents to his personal email account had no claim under the CFAA against a former employee who did just that. To employers it may seem self-evident that taking company documents is theft, but the court took a different view and dismissed the claim. It ruled that without a policy defining an employee’s authorized access, the employee “had no way to know whether – or when – his access would have become unauthorized.”
In Nosal, the employer had recourse under the CFAA because it had in place a policy with “clear and conspicuous restrictions on the employees’ access both to the system in general and to the [ ] database in particular.” To claim violation of the CFAA, employers must define the access that is being authorized: “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that.”
The message for employers is clear: Take steps to verify that your employees – and especially those in sensitive positions with access to proprietary information – are aware of policies that clearly and appropriately restrict their access to your computers, computer systems and databases. Taking this step is critical to any claim for violation of the CFAA should the unfortunate scenario described above happen to you