The Electronic Wake Employees Leave Behind

Posted by on May 21, 2013 in Data Security, Employment and Labor

Employer sues ex-employee for not updating his LinkedIn profile – Jefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you?  One company’s response was to sue.  In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer.  Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud.  JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee.  A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile.  At most, JAVS alleged that the profile tricked others.  Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging.  Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization.  Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1.  Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2.  Specify who owns Internet accounts handled by the ex-employee for the organization’s  benefit and the information stored in the accounts.  This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data.  As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3.  Restrict the access that former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization.  Limiting access helps to prevent theft of trade secrets and proprietary information.  Many CFAA lawsuits have been spawned by a failure to take this precaution.

4.  Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5.  Enable systems that allow erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.

6.  Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.

A Hack By Any Other Name

Posted by on May 8, 2013 in Data Security, Employment and Labor

The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D. Cal. Mar. 12, 2013)

Nosal is back.  This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity.  The case returned to the trial court after the Ninth Circuit decision.  The trial court recently convicted the defendant (David Nosal) of violating the CFAA.  But before analyzing the decision, let’s take a brief look at the background.

Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm.  After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others.  In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems.  In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system.  Nosal used the stolen data to start his own executive search business.  Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”

An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use.  The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information.  The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.

Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further.  Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer.  Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA.  The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted.  Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.

Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee.  The court wasn’t enamored with this argument either.  Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system.  Clearly, an employer would not authorize an employee to allow another person to use his or her password.  Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law.  The court also rejected this argument.

Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.”   The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system.  Both situations qualify as “access” under the CFAA.

LegalTXTS Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms.  According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.


Nevada Court Applies CDA Immunity To a Slew of State Tort Claims

Posted by on Feb 21, 2013 in First Amendment, Litigation

Court Finds That State Law Claims Against Online Forum Operator For Misappropriation, Theft, and Tortious Interference Hinge on “Publisher” or “Speaker” Status–Stevo Design, Inc. v. SBR Marketing Ltd., 2013 WL 308996 (D. Nev. Jan. 25, 2013)

A Nevada federal court held that Communications Decency Act (CDA) immunity barred state tort claims asserted in a lawsuit involving the dissemination of sports betting information.  The court’s holding was based on a liberal interpretation of what it means to be a “publisher” or “speaker” under section 230 of the CDA.

Stevo Design, Inc. (Stevo) sells licenses for access to its sports betting reports.  SBR operates a website with a discussion forum where users may post messages relating to sports betting and handicapping and send messages to other users.  SBR encourages activity on its website by awarding loyalty points to users for doing different things on the website, including posting original content.  The loyalty points may be redeemed for credits at offshore gambling websites.  Stevo claimed that SBR and its users published Stevo’s protected works on the SBR website without obtaining a license.

In addition to bringing claims for copyright and trademark infringement, Stevo asserted a slew of state-law claims against SBR.  SBR asked the court to dismiss these state-law claims.  The court first determined if SBR qualified for CDA immunity.  The key question was whether SBR had a hand in developing the online content at issue.  If so, then SBR does not enjoy CDA immunity.

Relying on Fair Housing Council of San Fernando Valley v., 521 F.3d 1157 (9th Cir. 2008), the court concluded that SBR did not “develop” the offending online content.  SBR encouraged its users to post original content.  It did not specifically encourage its users to publish information illegally on the website.  The fact that SBR users could freely contribute loyalty points to each other further evidenced the minimal role that SBR played in monitoring the content of forum posts.  That SBR “sporadically” tried to eliminate infringing content did not persuade the court that SBR was a developer of unlawful content—the CDA allows interactive computer services to perform some editing of user-generated content without becoming liable for all unlawful messages they do not edit or delete.

Having determined that SBR qualified for CDA immunity, the court next considered the impact of immunity on the state-law claims.  CDA immunity effectively precludes the operator of the interactive computer service from being considered the “publisher or speaker” of user-generated content.  As a result, only claims requiring the defendant to be the “publisher or speaker” are barred by CDA immunity.  Applying the meaning of “publisher or speaker” status liberally, the court concluded that CDA immunity barred each of the state-law claims:

Misappropriation of trade secrets: Misappropriation involves either “acquisition” or “disclosure” of a trade secret.  The court easily found that “disclosure” of trade secrets through user posts on the SBR website requires publishing or “speaking.”  The court found “acquisition” to be a closer question, but the only kind of acquisition alleged in the complaint involved user posts on the SBR website, so the CDA barred that kind of misappropriation as well.

Misappropriation of licensable commercial property:  The court is not sure such a claim exists under Florida common law, but assuming it is a form of misappropriation, the plaintiff must have suffered competitive injury due to the defendant’s taking of information.  Stevo alleged that SBR injured it by giving away its copyrighted information for free.  The only way SBR could have done that was by disclosing the information, i.e., it acted as a publisher or speaker.

Contributory misappropriation of licensable commercial property:  This claim merely required that SBR induced others to speak or publish.  The court refused to allow circumvention of the CDA by alleging that the defendant induced publication or speech instead of itself doing the publishing or speaking.  Since SBR did not tell users what kind of information to include in their posts or encourage infringing content, it enjoyed immunity from this claim.

Civil theft:  Common law theft is defined as obtaining or using the property of another with intent to appropriate the property to his or her unauthorized use.  The only plausible way SBR procured or used Stevo’s property was through publication.  This claim is barred.

Tortious interference with contractual relations:  This claim requires interference with a business relationship.  The only interference that could be inferred from the complaint involved SBR’s publication of Stevo’s works.  As this claim depended on SBR’s status as the publisher, it is barred.


Another Court Interprets the CFAA Narrowly

Posted by on Feb 7, 2013 in Data Security, Employment and Labor

A New York federal judge rules that misuse of computer information gained through legal access does not violate the CFAA – Advanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)

Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act.  Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology.  AAT sued the ex-employees for, among other things, alleged violations of the CFAA.

An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them.  Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.”  Courts across the country are split on whether the CFAA is violated where a person legally accesses a computer but misuses the information obtained with such access, as the former AAT employees allegedly did.

After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of the issue, including those written by his colleagues in the same district, Judge Carter answered the question in the negative.  A CFAA violation occurs when one accesses a computer without permission.  Judge Carter gave three reasons for his conclusion.  First, the ordinary meaning of the word “authorization” refers to the absence of permission.  Second, the legislative history of the CFAA indicates that the Act is directed primarily at access instead of misuse.  Third, because a violation of the CFAA could lead to criminal liability, the statute should be read narrowly, and ambiguities should be resolved in favor of the defendant.  Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.

LegalTXTS Note: I’ve blogged on this issue quite a bit.  That indicates increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute–or both.  Here are my previous posts on similar cases.

Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller

CFAA: Recent Cases

One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA

Don’t Just Because You Can


One Is Not Like The Other: Access vs. Use Restrictions Under the CFAA

Posted by on Jul 6, 2012 in Data Security, Employment and Labor

Courts continue to read the CFAA narrowly to limit criminal liability – Wentworth-Douglass Hospital v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), and Dana Ltd. v. American Axle & Mfg Holdings, Inc., 2012 WL 2524008 (W.D. Mich. June 29, 2012)

Suppose a terminated employee logs in to her work account one last time (just to copy and delete her personal files, she promises), which the company allows her to do, but she ends up copying files containing the company’s trade secrets and taking them to her new job at a competing company. Employers dealing with this kind of scenario increasingly seem to be turning to the Computer Fraud and Abuse Act (CFAA) for relief (see the post on a recent case just last week).  Under the CFAA, “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is exposed to both criminal penalties and civil liability.  18 U.S.C. § 1030(a)(2)(C).  Since the CFAA is a criminal statute, a growing number of courts have been reluctant to read the CFAA too broadly.  These courts limit the kind of conduct that would qualify as “access[ing] a computer without authorization” and “exceed[ing] authorized access.”  Case in point is the Ninth Circuit’s en banc decision in United States v. Nosal issued in April of this year.  And last week, two trial courts issued decisions continuing that trend.

In Dana Limited, employees of the plaintiff copied company files and took them with them to their new jobs with a competing company.  Wentworth-Douglass Hospital similarly involved a scenario where ex-employees of a hospital copied data from the hospital’s computers onto portable storage devices.  In both cases, the courts decided there was no criminal liability under the CFAA because there was no evidence that the former employees were unauthorized to access the computer systems in the way that they did.  How they used the information they obtained might have violated company policy, but the act of access itself was not unauthorized.

Wentworth-Douglass Hospital is noteworthy also because it involved an additional scenario that the court did find to be a violation of the CFAA — another ex-employee of the hospital used his wife’s password to access the hospital’s computers.  Although the hospital had issued him his own password, apparently his wife’s account provided access to certain data to which he was not given access.  The court granted judgment as a matter of law on the CFAA claim based on those facts.

Two technical comments in the decisions are worth noting.  The court in Dana Limited addressed the argument that the ex-employees accessed computer files in an unauthorized manner because they deleted files while logged on, which the company argued amounted to unauthorized “altering” of information.  (Note: the CFAA defines “exceeds authorized access” as using unauthorized access to a computer “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”)  The court rejected the argument because there was no proof that the ex-employees deleted original files.  The company had backups of the deleted files and was able to function without difficulty despite the deletions.  Whether any “altering” occurred was speculative.

The second comment of interest concerns the employer’s argument in Wentworth-Douglass Hospital that a company policy stating that employees “are to access only information necessary for completing job responsibilities and to ensure the integrity of the information in their work areas” limited access and use.  The court was unpersuaded by this argument, reasoning that an employer cannot convert a use policy into an access restriction simply by calling it one.  In the court’s view, an access restriction limits the degree of access an employee has to certain systems and data, while a use restriction limits the varying uses to which such systems and information, once accessed, can legitimately be put.  As an example, the court said that a policy prohibiting employees from accessing company data for the purpose of copying it to an external storage device is not an access restriction because its true purpose is to forbid employees from putting company information to personal use.  In other words, the policy does not bar the employee from accessing the information; it just says he cannot copy it on to a personal device, presumably for uses unrelated to his job.

LegalTXTS Lesson: This recent line of cases provides two quick takeaways for employers.  First, be intentional in phrasing internal policies relating to use of company computers and other forms of digital technology.  Know the difference between an access restriction and a use restriction and be sure the wording of the policy clearly spells out the type of restriction intended.   Second, a CFAA claim may not be the best avenue for getting relief.  Other claims could be more suitable, such as breach of an employment contract, violation of a trade secrets act (if your state adopts one), and unfair competition.
