Stealing Confidential Information, Quirky Question # 78
Quirky Question # 78:
I am the HR Director at our company. I just learned that one of our most valuable employees has resigned and taken a position with a competitor. I requested our IT Department to make an evaluation of his computer. They reported to me that before he left, he emailed to himself and his new employer customer and rate information. We consider that information to be highly sensitive, potentially providing our ex-employee the chance to divert a significant portion of our business to his new employer.
Most of our employees have non-competition agreements but, as it turns out, the employee who just quit never signed one. I also doubt that we could claim the data he took is trade secret. Unfortunately, we have not taken reasonable steps to protect the confidentiality of this information. Are we out of luck?
[Readers: The question below was posed to my partner, Nick Akerman, who works in Dorsey's New York office. Nick, an expert on the Computer Fraud and Abuse Act, provides the following analysis. If you would like to communicate with Nick, don't hesitate to contact him at 212.415.9217 or akerman.nick@dorsey.com. More information about Nick is available on our firm's Website; see http://www.dorsey.com/akerman_nick/. Regards, Roy]
Nick’s Analysis:
As you recognize, your company’s position would be enhanced either if: a) your employee had executed an agreement containing post-employment restrictive covenants such as a non-compete or non-disclosure obligation, or b) your company had taken appropriate steps to protect the confidentiality of the data so that you could seek protection pursuant to the Uniform Trade Secrets Act. Despite the unavailability of potential contract or statutory claims based on these legal theories, however, you are not out of luck.
When data has been stolen, a company also has the option under the Computer Fraud and Abuse Act (“CFAA”) to file a lawsuit in federal court for injunctive relief and damages. Title 18, U.S.C. § 1030. The injunction can direct the employee and his new employer to return the stolen data and prevent the employee and his new employer from contacting the customers who are the subject of the stolen data. In other words, you may be able to obtain the same relief as if your employee had a valid restrictive covenant requiring him not to conduct business with your customers.
Primarily a criminal statute, the CFAA provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” § 1030(g). Because it is a federal statute, you can file in federal court. (State causes of action for theft of trade secrets and breach of a restrictive covenant cannot be filed in federal court unless there is diversity of citizenship or there are other federal claims.)
The CFAA was enacted in 1984 as a criminal statute to criminalize the theft of national security and banking data. In 1992 it was amended to include the ability for an individual injured by a violation of the statute to bring a civil action, much like the Racketeer Influenced and Corrupt Organizations (“RICO”) statute, Title 18, U.S.C. § 1961, et seq. The CFAA has since been amended a number of times to keep up with new technologies and the ubiquity of computers in society. The CFAA was last amended in 2001 in the U. S. Patriot Act to include computers located outside the United States if they communicate with the United States or are involved in commerce with the United States.
The CFAA outlaws the entire panoply of computer crime including stealing computer data. There is no need to show that the data is trade secret protected, copyrighted, confidential or proprietary. Rather, one of the key elements necessary to prove a CFAA civil action, as explained in more detail below, is to show that the employee accessed the company computer without authorization or exceeded the authorization he had been granted.
As a jurisdictional prerequisite to filing a civil CFAA action, the plaintiff company must allege and ultimately prove $5,000 in loss. “Loss” is defined by the CFAA as
“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
The “federal courts have sustained actions based on allegations of costs to investigate and take remedial steps in response to a defendant’s misappropriation of data.” Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 320 (D. Conn. Jan. 22, 2008). Such costs must of course relate to the computer. In Nexans Wires, SA, 319 F. Supp. 2d 468 (S.D.N.Y. 2004), aff’d, 166 Fed. Appx. 559, 562-63 (2d Cir. 2006), for example, the court held that $8,000 spent by two corporate executives to fly to Manhattan from Germany to examine the computer intrusion and discuss the breach at the French restaurant Le Cirque did not qualify for the $5,000 loss because the expense was not sufficiently related to the company computer.
The CFAA encompasses what it defines as a “protected computer.” The CFAA’s definition of protected computer, however, covers every conceivable type of computer. § 1030(e)(1). As the defendant rightly claimed in United States v. Mitra, 405 F. 3d 492, 495 (8th Cir. 2005), “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.”
Four of the seven causes of action under this statute require proof that the person who accessed the computer did so “without authorization or exceeding authorization.” Title 18, U.S.C., §§ 1030(a)(2), (a)(4), 5(A)(ii), and 5(A)(iii). The courts have acknowledged that the difference between unauthorized access and exceeding authorized access is “paper thin.” Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (2006). For example, in the employee/employer context an employee is authorized to access the company computers to perform work for the company but exceeds that authorization when the computer is accessed to steal data for a competitor. Lack of authorization, as interpreted by the courts, can be established in four separate ways.
First, lack of authorization can be shown when an employee violates his agency relationship with his employer by accessing the employer’s computer for a purpose that is contrary to the interests of the employer. It is the breach of the “duty of loyalty” that terminates “the agency relationship” and “with it” the “authority to access” the computer. Citrin, 440 F.3d at 420-21. In Citrin, the defendant employee Citrin used an erasure program to destroy data on his employer’s computer immediately prior to his resignation from the company to join a competitor. Thus, the court found that Citrin’s authorization to access the computer terminated when he “resolved to destroy files that incriminated himself and other files that were also the property of his employer.” Citrin, 440 F.3d at 420.
The agency theory upon which authorization is based is not universally accepted by the lower courts. There are at least five reported federal district court decisions that have refused to adopt the agency standard as a predicate to an employee’s authorization to use an employer’s computers. These district courts take the simplistic view that if the employee was authorized to use the employer’s computer, he was authorized to use it for all purposes. Thus, even if the employee accessed the computer to steal the employer’s data, the employee did not violate the CFAA because the employee, as part of his duties, was authorized to access the computer.
For that reason, these courts ruled that the intent of the employee in accessing the computer was irrelevant to the question of authorization and that “the phrase ‘without authorization’ generally only reaches conduct by outsiders who do not have permission to access the plaintiff’s computer in the first place.” Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 964-65 (D. Ariz. 2008); Diamond Power Intern., Inc. v. Davidson, Nos. 1:04-CV-0091-RWS-CCH and 1:04-CV-1708-RWS-CCH, 2007 WL 2904119, at *13 (N.D. Ga. Oct. 1, 2007); Brett Senior & Assocs., P.C. v. Fitzgerald, No. 06-1412, 2007 WL 2043377, at *2-4 (E.D. Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, No 6:05-CV-1580-ORL-31, 2006 WL 2683058, at *5 (M.D. Fl. Aug. 1, 2006); Int’l Ass’n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 495 (D.Md. 2005).
None of the Circuit courts, however, have adopted this view of authorization, and this issue has not yet reached the Supreme Court. For example, the 11th Circuit in United States v. Salum, 257 Fed. Appx 225, 230 (11th Cir. 2007) upheld a criminal conviction for a violation of the CFAA, where the defendant employee was authorized to access the computer but did so for an improper purpose. In that case the court affirmed the criminal CFAA conviction of a police officer with the Montgomery Police Department, who had provided information from the FBI’s National Crime Information Center database to a private investigator. Although the defendant police officer “had authority to access the NCIC database” [just like any employee has the authority to access his company's computers], the Court held that there was sufficient evidence to convict on the element of lack of authorization because the defendant knew the information he accessed was to be used “for an improper purpose.” The court did not cite either the Diamond Power case or Lockheed Martin, the two district court cases from the 11th Circuit which dismissed CFAA civil cases finding that the defendants’ motive in accessing the computers had no bearing on whether the access was authorized. Nonetheless, Salum effectively overruled these two lower court cases.
Second, the limits of authorization to access a computer can be set by agreement. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001) the court upheld a preliminary injunction entered by the district court based on a violation of the CFAA because the defendants, all former employees of the plaintiff, had accessed and downloaded pricing data on EF Cultural’s website by violating their confidentiality agreements with EF Cultural. In that case the former employees used EF Cultural’s confidential information concerning its public website to create an automatic robot to download from the website all 154,293 prices for high school tours in a two-day period.
Third, lack of authorization can be established by a violation of company rules and policies. The CFAA is a unique statute in the sense that it allows companies to set the rules that form the predicate for a violation of the statute. In EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003), the court recognized that the “CFAA . . . is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, a company “can easily spell out explicitly what is forbidden.” Id. at 63. Doe v. Dartmouth-Hitchcock Medical Center, 2001 WL 873063 *2 (D.N.H. 2001) provides a clear example of the critical nature of promulgating workplace rules for accessing data. In that case, the court interpreted “unauthorized access” based on the hospital’s Graduate Medical Training Manual which contained “policies governing the confidentiality of patient records, which generally prohibit interns and Fellows, like . . . [the Defendant] from accessing patient records absent a ‘professional ‘need to know.’” Based on these policies, the court found that the defendant, who was a resident in psychiatry at the Dartmouth hospital, “was granted only limited access to Dartmouth’s computerized patient records” and this limitation was imposed “for the very purpose of protecting patient confidentiality.” Id. at *5.
A patient whose records had been allegedly viewed by a hospital intern for reasons unrelated to treatment sued the hospital and the intern for violations of the CFAA. The court dismissed the CFAA claim against the hospital finding that it had been victimized by its “own policies.” Id. at *5. For that reason it would be inconsistent with the purpose of the CFAA “to protect computer systems . . . from unauthorized access and concomitant damage – to find the hospital was vicariously liable for the actions of the resident.” Id.
Fourth, the courts have found that access is without authorization when it exceeds the expected norms of intended use of the computer. In United States v. Phillips, 477 F.3d 215 (5th Cir. 2007) a student at the University of Texas was provided access to a school secured network through a password consisting of his Social Security number. The student, however, used what is known as a “‘brute-force attack program’ which automatically transmitted to the website as many as six Social Security numbers per second, at least some of which would correspond to those of authorized . . . users.” Id. at 218. This program allowed Phillips “[o]ver a fourteen-month period” to gain “access to a mother lode of data about more than 45,000 current and prospective students, donors, and alumni.” Id. The court upheld the student’s criminal conviction under the CFAA, finding that his access to the computer was not authorized because the “brute force attack” exceeded the expected norms of intended use of the computer.
In sum, the CFAA provides your company a legitimate basis on which to seek redress for the wrongful conduct of your former employee, given that he used your company’s computers to copy critical customer and rate information, and forwarded that data to both himself and his new employer. Other claims may be available to your company as well, such as a claim for breach of fiduciary duty, or a claim based on your state’s unfair competition laws. In the future, however, you can further enhance the protections for your company by ensuring that all appropriate employees execute the agreement containing your post-employment restrictive covenants. Similarly, as you recognize, it would be prudent for your company to take appropriate measures to ensure that your company’s confidential information is treated in a manner that ensures protection under the Uniform Trade Secrets Act.
Executive Termination, Quirky Question # 1
We recently terminated one of our executives “without cause.” Under his employment contract, we are obligated to pay one year’s severance for terminations without cause. In contrast, we have no obligation to pay him anything if he is terminated “with cause.” Following his departure, we reviewed his computer hard drive. We discovered two areas of concern.
First, he had downloaded pornography onto his work computer, in violation of our clear policies regarding use of company computers and sexual harassment. Second, much to our surprise, we found on his computer a substantial number of confidential documents that he had taken from the company where he worked before joining our firm. This too violates our company policies – we strictly prohibit employees from introducing confidential, proprietary and trade secret information belonging to a former employer into our work place, whether in hard copy or electronic form.
Had we known these facts, we would have fired the executive for cause. Do we still have to pay him his one year severance pay?
In recent years, the after-acquired evidence doctrine has been applied in breach of contract cases – the type of case you would be confronting if you elected not to pay your former employee his severance compensation. For example, in a case directly relevant to your situation, the Supreme Court of Tennessee held that the after-acquired evidence doctrine applied in breach of contract cases. The court noted that a “majority of jurisdictions” allowed the use of after-acquired evidence as a complete bar to an employee’s recovery or to mitigate damages. The court stated that “those jurisdictions that have concluded that a complete bar to recovery is appropriate, generally reason that under well-established principles of contract law, the prior misconduct of the employee excuses the employer’s subsequent breach.” Teter vs. Republic Parking System, Inc., 181 S.W.3d 330 (Tenn. 2005). In the Teter case, like your situation, the company had discovered pornography on the former employee’s work computer. Importantly, the Supreme Court of Tennessee also found that because a breach of contract case did not implicate any particular public policies, the employer need only prove its contention that it would have fired the employee by the more typical civil liability “preponderance of the evidence” standard.
The situation you described adds another issue as well – the introduction of a different employer’s confidential and proprietary information into your workplace. This fact potentially provides you a separate justification for applying the “for cause” discharge standard.
The key question you will need to answer, both with respect to the pornography and the other employer’s confidential data, is whether your company would have fired the executive had it been aware that he had downloaded pornography, or brought confidential data belonging to another employer into your work environment, or both. If your firm can demonstrate that in the past, it has fired employees for downloading pornography, or for disregarding your policies regarding introducing another company’s proprietary or trade secret data into your workplace, your position will be enhanced significantly. Conversely, if your company has tolerated these kinds of actions by other employees in the past (especially if it has done so without imposing any discipline), your efforts to withhold the severance compensation based on your former employee’s wrongful conduct will be more difficult to justify.
******************************************************************************************
Thanks to the many individuals who have sent in a response to the first Quirky Question. As you will see, the consensus from the readers seems to be that the company should pay the executive his severance compensation and move on.
Response # 1: No, I don’t believe they are able to now use the issues that they have recently uncovered in order not to pay severance. That due diligence should have been done before the employee’s dismissal.
Response # 2: It seems to me that the executive has already been terminated, therefore you cannot go back to terminate for “cause” for something found AFTER his termination.
Response # 3: Really interesting question. The obvious place to start is the contract itself. (How’s that for a shocker?!) Does the contract define cause? Usually, the definition of cause includes “misconduct”. So far, so good. But some contracts also require the employer to give written notice of any misconduct and/or an opportunity for the Executive to cure the problem. In that situation, the Executive would have the better argument. The employer would have to rely on the argument that the misconduct was of a nature that could not be cured. That’s a little dicey. The more interesting scenario is where the definition does not give the Executive a right to cure the misconduct. Then, let the games begin! The Executive may argue that this “after-acquired evidence” does not alter the employer’s reason for the discharge. The employer has already gone on record as describing the separation as a termination without cause and, therefore, should be estopped from changing its tune. But the employer can use the “after-acquired” evidence principle to its advantage. By analogy, in discrimination cases, where after-acquired evidence of misconduct is found, courts allow damages to be cut off from the date the evidence is discovered, if it was of a nature that would have caused the termination. The employer bears the burden of proof that it would have terminated the Executive. To show this, the employer should marshal evidence that it in fact terminated others who violated this policy. But if other violators were only reprimanded or suspended, the argument is considerably weakened. That is a good reminder of why every termination decision is a precedent of sorts.
Response # 4: Had he sued for wrongful discharge, your liability would have been limited to the time you discovered the terminable event. However, this is not a wrongful discharge case. He was terminated, admittedly, without cause at the time of termination. As such, the contract prevails unless it has a provision providing for later discovered cause. There is little question but that if you terminate the severance payments the executive will bring an employment claim. Even if it were defensible, the cost of defense (and probable settlement) probably meets or exceeds the cost of severance. My recommendation is to put this behind you and learn valuable lessons including the need to better supervise executives. One thing you could do is notify the former employer about the confidential info. discovered by sending them a copy of everything you found with a cover letter explaining how you found it and assuring them that you have now destroyed all copies in your possession. They DO have a claim against him and perhaps they will pursue it. Lastly, subject to contractual commitments to the contrary, you are free to provide this information to prospective future employers under the limited privilege available to employers.
Response # 5: When the Company separated the executive they were not aware of the violation of their sexual harassment policy and their confidential information policy. Even though the Company probably has a policy that the computer is their property and they can view what is contained in it at anytime, the point is they hadn’t done so at the time the decision was made to ask him to leave without cause. It is problematic to change your mind later on based on after acquired evidence, especially when you could have found the information if you had looked. I say pay him his one year of severance and be glad you’re rid of him before you had a sexual harassment or Confidential Information lawsuit filed against him and the Company.
Response # 6: Response #3 (as well as some of the other responses) encompassed a lot of my thoughts. In counseling the remaining execs on this issue, I would sure raise the after-acquired evidence rationale/doctrine as a possible way to deny the severance, but I would also remind the executives that this could sure look like a bad faith, post-termination attempt to wiggle out of paying the $ (not to mention quite possibly constitute a breach of contract for which the company could be liable for not only the damages but also the exec’s attorney’s fees, costs, etc…) Of course, denying the severance $ based on the “porno” and “confidential” information of the prior e’er also raises the question of why the company didn’t do a search for these things while exec was employed — it looks (and would be portrayed by a plaintiff’s attorney) like the company was a-okay with him looking at the porno and using the confidential/proprietary info as long as he was with the company, but, now that he’s gone, the company is looking for any reason to deny the $. No doubt also that if the company wants to deny the $, it had better do some thorough due diligence before denying the $, in order to check the computers of its other higher-ups to see if similar materials are on their computers. It may be that the remaining execs become far less interested in denying the severance $ if they know that what is on their computers could be subject to discovery/scrutiny. As always, uniformity/consistency of enforcement of company policies and practices would also come into play. In the end, I bet most companies would pay the $ and be done with it, but may also revise future exec employment agreements to cover post-separation “bad acts” like this. 
A potential middle ground would be to confront the exiting exec with the “bad info” (possibly complete with actual images taken from his computer) and negotiate something less than 100% $; that way, if successful, some action has been taken, and a positive precedent set, but hopefully litigation and the associated dirty laundry airing would be avoided. Fun stuff.




