The Ninth Circuit’s decision is certainly inconsistent with the Seventh Circuit’s analysis, to the extent the Seventh Circuit based liability under the CFAA on an agency theory where the servant (the employee) unilaterally aquireed an interest inconsistent with his principle (his employer) the serverant (the employee) lost his right (authorization) to access his employer’s (the principle’s) protected computer. The operative language cited in Citrin (following the Restatement (Second) of Agency §§ 112, 387 (1958): “Unless otherwise agreed, the authority of the agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”

Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the CFAA regardless of his motivation. The opinion most likely would have been different under a slightly different factual scenario. First, if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment then the employee would have exceeded his level of authorization regardless of whether his interests were aligned or not aligned with his former employer. In LVRC Holding the employee was authorized to use the company computer and to access the information, he did not violate the statute, under the 9th Circuit’s decision the former employee’s motivation is irrelevant.

I believe the conclusion reached by the 9th circuit and 7th circuit can be rationally reconciled based on the factual differences between the two cases. The Court in Citrin properly reasoned that congress intended that the CFAA should apply to disgruntled employees in certain situations but the 9th circuit’s decision provides a better basis for defining culpability under the CFAA. Courts do not want to engage in mind-games to assess the employee’s intention (or motivation) in order reach a conclusion regarding whether an employee’s conduct violated or did not violate the CFAA

The CFAA was intended to reach:

Attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii)attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii).

However, the CFAA cannot become a catchall basis for finding criminal and/or civil liability in the absence of other relevant legal authority.

          

9th Circuit Decision in LVRC Holdings Rejects 7th Circuit’s Holding in Citrin Based on a Motivation Theory of Liability Under the Computer Fraud and Abuse Act originally appeared on Law Blog 2.0 on September 18, 2009.

Employee Theft

With unemployment reaching 10% employers are  more at risk then ever from former employees who are let go, regardless of the reason attempt to take punitive action against their former employer.  Recent cases highlight actions by former employees which put their former employer at risk through the spoliation of relevant data and/or theft of company trade secrets.   Spoliation occurs when a party is aware of pending litigation, or should reasonably be able to anticipate pending litigation, and the party fails to suspend the destruction of documents that may be relevant to anticipated litigation; the party is also required suspend routine document purging (or passive) destruction of data by systems.  Accordingly, in anticipation of potential legal issues resulting with from the termination of an employee’s, an employer should specifically define the scope (or absence thereof) of the employee’s right/expectation of privacy when using work owned information systems or computers in a policy or employee handbook. Nat’l Econ. Research Assocs., Inc. v. Evans, 2006 WL 2440008 (Mass. Super. Ct. Aug. 3, 2006)(relating to privilege of attorney-client communication of employee with his/her attorney), see also Sprenger v. The Rector and Board of Visitors of Virginia Tech, 2008 U.S. Dist. LEXIS 47115 (W.D. Va. June 17, 2008)(relating to spousal privilege).  Second, the employer should remind the departing employee of the former employee’s duty not to steal company trade secrets and/or other confidential material regardless of the reason.  Finally, employer should inform the former employee that he/she should not delete and/or destroy relevant data if he/she anticipates bringing legal action.

Spoliation

The Eastern District Court of Virginia, in Rambus a 2004 a case arising out of an intellectual property dispute, stated the relevant principle: “even if a party’s intentional destruction of documents was not in bad faith, it would be guilty of spoliation if it reasonably anticipated litigation when it did so.”  In this case, as a result of the Defendant failure to stop both active and passive deletion of data, the Court granted the Defendant’s motion and ordered the Plaintiff to produce documents relating to its document retention.  See Rambus, Inc. v. Infineon Technologies AG, 222 F.R.D. 280 (E.D. Va. 2004); see also In re Intel Corp. Microprocessor Antitrust Litig., 2008 WL 2310288 (D. Del. June 4, 2008)(Intel did not turn off the 35 day auto-delete function on its employee e-mail system.  Intel claimed this was unnecessary because it instructed employees to hold important documents and because key employees (“custodians”) were moved to a different server that automatically stored the emails.  Intel discovered a lapse in the plan and hired outside counsel to interview the custodians and correct the problem.  The Court ordered the production of the attorney’s notes from the interviews).

Theft by Terminated Employees

Terminated employees often bring legal action against their former employer (or the former employer, on discovering theft of trade secrets and other confidential information files, brings suit against the former employee and his/her new employer).  In anticipation of this action, an employee may take home his company owned laptop and delete and/or destroy company data or attempt to hold hostage company confidential information under the auspices that said information relates to the former employee’s discrimination action against their former employer.  Alternatively, the former employee may seek to leverage trade secrets taken from their former employer to get a new position with the former employer’s key competitor.  Many employees fail to appreciate the gravity of these actions.

Often former employees (and the new employers) fail to take appropriate steps to preserve data even when they not only anticipate bringing a subsequent legal action but actually hire an attorney and file a complaint against their former employer.  In one recent case, a former employee accused of stealing company trade secrets was sued by his former employer.  In  Beard Research, Inc. v. Kates, 2009 WL 1515625 (Del. Ch. May 29, 2009) the Defendant former employee had purchased a computer for work purposes, and subsequent to the commencement of legal action deleted data from his drive, and then later had the drive replaced with a new drive when the old drive failed by his new employer (also a Defendant in the case).  The old drive subject to the ligation hold was disposed of by the Defendant’s new employer’s technical support group (who happened to be also handling the e-discovery aspects of the case).  Just prior to turning over the drive the former employee also defragmented the hard drive (after deleting potentially relevant evidence).  The Defendant failed to notify the Plaintiffs’ of his actions which resulted in the loss of key data.  The Plaintiffs’ claimed that defendants interfered with business relationships and misappropriated trade secrets, plaintiffs sought sanctions for the destruction of information which belonged to a former employee of plaintiff (a defendant in the case).

The Court found that “drawing an adverse inference is appropriate when an actor is under a duty to preserve evidence and takes part in the destruction of evidence while being consciously aware of the risk that he or she will cause or allow evidence to be spoliated by action or inaction and that the risk would be deemed substantial and unjustified by a reasonable person,” the court determined that an adverse inference was appropriate in this case for deletion of the data and the replacement/loss of the original drive.  The Court also found that Defendants responsible for the loss of evidence resulting from Defendant’s failure to “take reasonable steps to ensure that [Defendant] preserved his laptop computer…”

Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (18 USC 1030) provides an alternative cause of action whereby an employer may effectively counter the bad acts of a former employee who takes advantage of his/her former privledges either to delete data and/or duplicate trade secrets for their own purposes. Generally 18 USC 1030 provides that whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (a) information contained in a financial record of a financial institution [or] (b) information from any protected computer if the conduct involved an interstate or foreign communication then (c) a plaintiff may maintain a civil action against the violator, if the plaintiff suffers damage or loss by reason of a violation of this section in excess of 5000 dollars. The distinction between authorized access to an information system and when an action becomes unauthorized and/or the employee exceeds his/or her authorization has been clarified over the last couple of years In a series of cases, former employers were able to sustain actions under the Computer Fraud and Abuse Act. See Charles Schwab & Co., Inc. v. Carter, Not Reported in F.Supp.2d, 2005 WL 2369815 (N.D.Ill., September 27, 2005); HUB Group, Inc. v. Clancy, 2006 U.S. Dist. LEXIS 2635 (E.D. Pa., January 26, 2006)(Integrity of Plaintiff’s database damaged by Defendants actions actionable under 18 USC 1030). The clasical application of this law in the employment context is where an employee accepts a jobs with a competitor but the employee uses his/her position to collect company secrets to deliver to the employee’s new employer. However a recent case has extended the application of 18 USC 1030 to employees who refuse to return work computers following termination of employment and the former employee deleted information from said laptop. See Lasco Foods Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, — F.Supp.2d , 2009 WL 151687 (E.D.Mo., 2009).

Key issues to keep in mind are (1) maintaining control over key pieces of evidence, (2) ensuring a proper chain of custody form accounting for each individual who has touched a piece of evidence, (3) be proactive in reminding opposing counsel of his/her duties and obligations and (4) do not be afraid to use the Computer Fraud and Abuse Act to mitigate damage done by former employers unauthorized use of your company’s information system.

          

Former Emloyees Misuse of Company Owned Computers: E-Discovery Issues and Claims Under 18 USC 1030 originally appeared on Law Blog 2.0 on July 6, 2009.