The Electronic Wake Employees Leave Behind

Posted by on May 21, 2013 in Data Security, Employment and Labor

Employer sues ex-employee for not updating his LinkedIn profile

Jefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you?  One company’s response was to sue.  In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer.  Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud.  JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee.  A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile.  At most, JAVS alleged that the profile tricked others.  Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging.  Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization.  Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1.  Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2.  Specify who owns Internet accounts handled by the ex-employee for the organization’s benefit and the information stored in the accounts.  This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data.  As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3.  Restrict the access that former employees, as well as current employees whose departure is imminent, have to the organization’s workstations, databases, and networks.  Limiting access helps to prevent theft of trade secrets and proprietary information.  Many CFAA lawsuits have been spawned by a failure to take this precaution.

4.  Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5.  Enable systems that allow erasure of the organization’s data from electronic devices the ex-employee used to remotely access the work network, such as smartphones, laptops, and tablet computers.

6.  Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.
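An added illustration of items 2 and 3 above (example code written for this page, not from the original post or any court record): reconcile an HR termination list against a directory export and an authentication log, and flag accounts still enabled after departure, shared credentials handled by a departed employee that were not rotated afterwards, and logins after the termination date.  The names, dates and record formats are constructed.

```python
from datetime import date, datetime

# Constructed sample inputs (hypothetical names and formats, not from the post).
# Directory export: account name, whether it is enabled, which employee handles
# it, and (for shared accounts) when its password was last rotated.
DIRECTORY = [
    {"user": "pat", "enabled": True, "owner": "pat"},
    {"user": "sales-shared", "enabled": True, "owner": "pat",
     "pw_rotated": "2013-01-10"},
    {"user": "chris", "enabled": True, "owner": "chris"},
    {"user": "robin", "enabled": False, "owner": "robin"},
]
# HR termination list: employee -> last day of employment.
TERMINATIONS = {"pat": "2013-03-01", "robin": "2013-02-15"}
# Authentication log lines: "<ISO timestamp> <account> <result>".
LOGINS = [
    "2013-02-28T09:12:00 pat ok",
    "2013-03-03T22:41:00 pat ok",
    "2013-03-04T08:00:00 chris ok",
    "2013-03-05T10:00:00 sales-shared ok",
]


def parse_login(line):
    """Split one log line into (timestamp, account, result)."""
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result


def audit_offboarding(directory, terminations, logins):
    """Return (finding, account) pairs that need deprovisioning follow-up."""
    term = {u: date.fromisoformat(d) for u, d in terminations.items()}
    findings = []
    for acct in directory:
        user, owner = acct["user"], acct.get("owner")
        # Item 3: a departed employee's own account must be disabled.
        if user in term and acct["enabled"]:
            findings.append(("still-enabled", user))
        # Item 2: a shared account the departed employee handled keeps
        # working for them unless its credentials were rotated afterwards.
        if owner in term and user != owner:
            rotated = acct.get("pw_rotated")
            if rotated is None or date.fromisoformat(rotated) < term[owner]:
                findings.append(("credential-not-rotated", user))
    # A successful login by a terminated employee after their last day is
    # exactly the lingering access the checklist is meant to prevent.
    for line in logins:
        ts, user, result = parse_login(line)
        if result == "ok" and user in term and ts.date() > term[user]:
            findings.append(("post-termination-login", user))
    return findings


if __name__ == "__main__":
    for kind, account in audit_offboarding(DIRECTORY, TERMINATIONS, LOGINS):
        print(f"{kind}: {account}")
```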

A Hack By Any Other Name

Posted by on May 8, 2013 in Data Security, Employment and Labor

The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D. Cal. Mar. 12, 2013)

Nosal is back.  This is the case that spawned a Ninth Circuit decision narrowing the reach of the CFAA to hacking activity.  The case returned to the trial court after the Ninth Circuit decision.  The trial court recently convicted the defendant (David Nosal) of violating the CFAA.  But before analyzing the decision, let’s take a brief look at the background.

Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm.  After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others.  In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems.  In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system.  Nosal used the stolen data to start his own executive search business.  Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”

An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use.  The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information.  The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.

Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further.  Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents technological barriers to access to a computer.  Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA.  The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not base CFAA liability on the manner in which access is restricted.  Moreover, password protection is a form of a technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.

Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee.  The court wasn’t enamored with this argument either.  Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system.  Clearly, an employer would not authorize an employee to allow another person to use his or her password.  Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law.  The court also rejected this argument.

Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.”  The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system.  Both situations qualify as “access” under the CFAA.

LegalTXT Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking could take various forms.  According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.


Another Court Interprets the CFAA Narrowly

Posted by on Feb 7, 2013 in Data Security, Employment and Labor

A New York federal judge rules that misuse of computer information gained through legal access does not violate the CFAA

Advanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)

Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act.  Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology.  AAT sued the ex-employees for, among other things, alleged violations of the CFAA.

An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them.  Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.”  Courts across the country are split on whether the CFAA is violated where a person legally accesses a computer but misuses the information obtained through such access, which is what the former AAT employees allegedly did.

After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of the issue, including those written by his colleagues in the same district, Judge Carter answered the question in the negative.  A CFAA violation occurs when one accesses a computer without permission.  Judge Carter gave three reasons for his conclusion.  First, the ordinary meaning of the word “authorization” refers to the absence of permission.  Second, the legislative history of the CFAA indicates that the Act is directed primarily at access instead of misuse.  Third, because a violation of the CFAA could lead to criminal liability, the statute should be read narrowly, and ambiguities should be resolved in favor of the defendant.  Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.

LegalTXTS Note: I’ve blogged on this issue quite a bit.  That indicates either increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute, or both.  Here are my previous posts on similar cases.

Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller

CFAA: Recent Cases

One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA

Don’t Just Because You Can


CFAA: Recent Cases

Posted by on Nov 19, 2012 in Data Security, Employment and Labor, Financial Services

A round-up of recent developments in CFAA litigation is in order.  In the last three months, a series of cases have provided answers to important questions about the requirements for bringing a claim under the Computer Fraud and Abuse Act (CFAA).  The recent cases address three general questions:

1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

2. What computers are subject to the protections of the CFAA?

3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?

What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.”  Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases.  The recent cases are no exception.  The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.

Downloading Information From a Publicly Accessible Website

Downloading information from a website that any member of the public could access via a hyperlink posted on another site does not constitute access “without authorization,” according to CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012).  The case involved two competing businesses that offered online access to college catalogs.  One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegeSource’s digital archive of the school’s course catalogs.  The link could be inserted into the school’s homepage.  If a person browsing the school’s homepage clicked on the link, he or she would be sent to CollegeSource’s website without being told that he or she was leaving the school’s web domain.  Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.

The defendant (AcademyOne) maintained an online course description database.  To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet.  AcademyOne’s contractor obtained over 700 catalogs through CataLink.

The court was not persuaded by CollegeSource’s argument that AcademyOne accessed the CataLink service “without authorization” given that CataLink is available to anyone with an Internet connection.  The court also did not accept CollegeSource’s argument that AcademyOne exceeded its authorization to use CataLink because it violated the terms of use governing the CollegeSource website.  The terms of use were not binding on AcademyOne because the link to CataLink material appeared on the webpage of a school, and clicking on the link did not trigger a notice that the user was leaving the school website and being forwarded to the CataLink page.

Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information

Asking others to get you information that you’re not entitled to have will get you in trouble.  In Synthes, Inc. v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company.  Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.

Hacking Into an Employee’s Email Account

This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA.  The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account.  The wrongfulness of the act was undisputed.  The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).

What constitutes a “protected computer”?

Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which has two definitions.  A “protected computer” could be a computer used exclusively by a financial institution or the U.S. government, or if not exclusively, then for a use affected by the conduct that violated the CFAA.  A “protected computer” could also be a computer “which is used in or affecting interstate or foreign commerce or communication ….”  18 U.S.C. § 1030.

In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce.  If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.

What “losses” count toward meeting the standing requirement?

A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA.  18 U.S.C. § 1030(g).  One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000.  § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.

The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.”  To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that has been misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in the CFAA violation.  Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation.  So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued.  The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the victim’s confidential information that the hacker obtained and distributed.  The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.

As to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act.  Losses stemming from multiple CFAA violations could be added together to meet the $5,000 threshold.


Narrow Loss

Posted by on Jul 10, 2012 in Data Security

A civil CFAA claim for damages requires damage to computers, systems, or data

Schatzki v. Weiser Capital Mgmt, LLC, 2012 WL 2568973 (S.D.N.Y. July 3, 2012)

As I said in a previous post, we are seeing more activity dealing with the Computer Fraud and Abuse Act (CFAA).  The CFAA is both a criminal and civil statute.  The CFAA imposes criminal penalties on someone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” or “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.”  A civil claim is available if, in addition to establishing the elements of a criminal violation, the plaintiff can show “damage or loss” as a result of the violation.  The damage or loss must be at least $5,000.00.

Schatzki is the latest case to read the terms “damage” and “loss” narrowly.  The defendants in the case allegedly obtained information from plaintiff’s computer systems without authorization and trafficked in computer passwords.  This access enabled the defendants to obtain valuable private and confidential information about the plaintiff’s clients, the plaintiffs said.  As a result, the plaintiffs had to hire consultants and incur legal fees.

The court said that the plaintiffs did not show the required “damage” or “loss,” and here’s why.  The plaintiffs failed to allege that the defendants’ access to the computer system damaged the data accessed or the system itself, or that the costs to recover the system/data exceeded $5,000.  The court also would not allow the plaintiffs to base their CFAA claim on other kinds of damages like lost profits, invasion of privacy, trespass to personal property, or misappropriation of confidential data.

LegalTXT Lesson: Quantify your damages if you are bringing a civil claim under the CFAA.  Also, remember that the CFAA is more in the nature of an anti-hacking statute than an anti-misappropriation statute.  Attempts to seek damages under the CFAA on a theory that someone gained access to electronic information and used it for improper purposes might not go very far.
