In today’s business environment, companies live and die by the information and data you possess. Your company’s confidential information is probably housed on a network that is accessible by some, or all, of your employees. Are you doing enough to protect your company’s data from computer fraud leaving with an employee and winding up with a competitor?
The Computer Fraud and Abuse Act (CFAA)
The CFAA is a federal law that makes it illegal to “intentionally access a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). Although commonly used to prosecute criminal hackers, the CFA is valuable to employers for the following reasons: 1) the CFAA captures a broader range of conduct than does a traditional trade secrets claim (it doesn’t require a showing that the accessed information rises to the level of a trade secret); 2) the CFAA is one of the few independent causes of action an employer can use to pursue a federal cause of action relating to such theft; and 3) the CFAA allows criminal enforcement, compensatory damages, and injunctive relief.
In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the Ninth Circuit Court of Appeals (which has jurisdiction over California) took a narrow interpretation of when an employee “exceeds authorized access” to a company’s computer network. This makes it extremely important for companies in California to restrict access to information beyond a written computer use policy.
In that case, a former employee of an executive search firm allegedly convinced former colleagues to download and send him source lists, names and contact information from a confidential database on the company’s computer. The employees were authorized to access the database but the company had a policy that prohibited disclosing confidential information. The Ninth Circuit narrowly interpreted the CFAA to punish violations of restrictions on “access” to information rather than improper “use” of the information. Based on that interpretation of the statute, the Court held that there was no violation of the CFAA by the colleagues who were authorized to access the information even though they used that information in nefarious ways.
How Can You Protect Your Information?
- Have employees sign Confidentiality Agreements and create clear written policies regarding access to, use, and copying of company information.
- Implement strong technical access restrictions and use of privileged identity management software (PIMS) to limit access to your company’s sensitive information.
Contact me at (949) 529-0007 if you need assistance reviewing your policies and technical restrictions to information. Learn more about how to protect your business in 2016.
Please read our disclaimer.