Employer sues ex-employee for not updating his LinkedIn profile

Jefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you?  One company’s response was to sue.  In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer.  Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud.  JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee.  A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile.  At most, JAVS alleged that the profile tricked others.  Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging.  Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization.  Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1.  Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2.  Specify who owns Internet accounts handled by the ex-employee for the organization’s benefit and the information stored in the accounts.  This includes social media accounts and cloud storage accounts (e.g., Dropbox, Google Drive, SkyDrive) to the extent they contain proprietary data.  As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3.  Restrict the access that former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization.  Limiting access helps to prevent theft of trade secrets and proprietary information.  Many CFAA lawsuits have been spawned by a failure to take this precaution.

4.  Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5.  Enable systems that allow erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.

6.  Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.

Cyberbullying. Employer social media password requests. Crowdfunding. Those were some of the hot tech topics that the Hawai‘i State Legislature grappled with this session.  (See my post on Internet related legislative proposals in the 2013 session).    The bills addressing those topics didn’t pass, however.  In fact, none of the bills listed in my chart of Internet Related Legislative Proposals survived.  The closest to passing, perhaps, were two bills prohibiting employer requests to employees to disclose their personal social media account information, but the bills got stuck in committee.

That’s not to say that the 2013 session was completely devoid of tech.  I’ve prepared a chart of all the bills related to electronic, digital, and information technology that the Hawai‘i State Legislature passed this session.  (Many thanks to the Legislative Reference Bureau for providing the summaries that are incorporated into the chart).  Governor Neil Abercrombie has already signed some of the bills into law.  Others are pending a decision from the Governor.  To summarize, the legislature this year addressed:

  • Adoption of the Uniform Electronic Legal Material Act
  • Portable electronics insurance
  • Clarification of relationship between Uniform Commercial Code Article 4A and Electronic Fund Transfer Act
  • Licensing requirements for telemedicine practitioners employed by the U.S. Department of Defense
  • Duties of the State Chief Information Officer
  • Electronic posting of reports of Department of Health inspection of state licensed care facilities
  • Availability of State open data
  • Approval of broadband related permits
  • Electronic prescriptions
  • Tax credits for film and digital media industry
  • Ban on use of mobile electronic devices while operating a motor vehicle

For summaries of all the bills that passed this session, read the full LRB report.  For even more information visit the Legislature’s website for the full text of bills, committee reports, and testimony.  I’ll update the chart after the Governor’s veto deadline has passed, so check back in a while.

 


The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D. Cal. Mar. 12, 2013)

Nosal is back.  This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity.  The case returned to the trial court after the Ninth Circuit decision.  The trial court recently convicted the defendant (David Nosal) of violating the CFAA.  But before analyzing the decision, let’s take a brief look at the background.

Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm.  After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others.  In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems.  In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system.  Nosal used the stolen data to start his own executive search business.  Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”

An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use.  The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information.  The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.

Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further.  Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer.  Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA.  The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted.  Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.

Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee.  The court wasn’t enamored with this argument either.  Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system.  Clearly, an employer would not authorize an employee to allow another person to use his or her password.  Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law.  The court also rejected this argument.

Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.”   The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system.  Both situations qualify as “access” under the CFAA.

LegalTXTS Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms.  According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.


Proof of actual damages is not necessary to recover the minimum $1,000 in statutory damages under the Stored Communications Act

Shefts v. Petrakis, 2013 WL 1087695 (C.D. Ill. Mar. 14, 2013)

A person who brings a successful Stored Communications Act (SCA) claim can recover at least $1,000 without having to prove actual damages.  In Shefts v. Petrakis, the plaintiff (Shefts) sued his former employer for violating the SCA by illegally accessing his various messaging accounts, including a Yahoo! email account.  (See my post on an earlier decision in this case regarding after-the-fact authorization of access to emails.)  Shefts did not seek actual damages, but instead, statutory damages under the SCA.  The SCA states that “[t]he court may assess as damages . . . the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.”  18 U.S.C. § 2707(c).  The defendants argued that Shefts could not recover statutory damages without proving actual damages.  Shefts countered that he may recover statutory damages as an alternative to actual damages.

The trial court agreed with Shefts.  Finding no Supreme Court precedent on point, the court looked at the plain language of the damages statute, legislative history, and other district court decisions.  The court found that the plain language of the statute entitled a successful plaintiff to obtain minimum recovery of $1,000 in statutory damages.  The legislative history also evidenced the intent of Congress to allow recovery of at least $1,000.  Also persuasive to the court were other district court decisions finding that the SCA does not require actual damages as a condition to recovery.  The court’s ruling meant that, assuming Shefts could establish liability under the SCA, his failure to seek actual damages would not preclude him from recovering statutory damages.

Sharing a link to unauthorized video capture of proprietary information is not a violation of Stored Communications Act

Castle Megastore Group, Inc. v. Wilson, 2013 WL 672895 (D. Ariz. Feb. 25, 2013)

In closing arguments to the jury at the O.J. Simpson murder trial, defense attorney Johnnie Cochran famously quipped, “If it doesn’t fit, you must acquit.”  Plaintiff’s attorneys looking to add a Stored Communications Act (SCA) claim to their complaint would do well to heed Cochran’s advice.  There has been a rash of cases dismissing ill-fitted SCA claims (see my recent posts here and here).  Castle Megastore Group, Inc. v. Wilson is the latest.

Castle Megastore Group, Inc. (CMG) sued its former employees for allegedly sharing confidential company information with other companies while they were still employed at CMG.  CMG claimed that Flynn, who was employed by CMG as its “Social Media Specialist,” violated the SCA by posting a video of a confidential CMG managers meeting on Vimeo, a third party website, and sending co-workers the link to the video and the password to his personal Vimeo account.

This scenario didn’t fit within the prohibitions of the SCA, the court said.  CMG argued that Vimeo was an “electronic communication service” within the meaning of the SCA, that the defendants knew the video contained confidential content before accessing it, and that Flynn lacked authority to give others access to the video.  The court agreed that Vimeo is an electronic communication service, but Vimeo is where Flynn shared the video, not where he obtained it.  CMG did not allege that Flynn obtained the video through unauthorized access to a CMG-owned electronic communication service.  Flynn was authorized to grant access to his personal Vimeo account.  Sharing a link and password to that account did not violate the SCA, the court ruled.

LegalTXTS Lesson:  Read the SCA carefully before making a claim under it.  Understand how the various concepts in the statute (like “access,” “without authorization,” “facility,” and “electronic communication service”) fit together.  Just because one or more of the concepts is present in a given situation doesn’t mean you have a viable SCA claim.