Member News

Reavis Parent Lehrer Partner Mark H. Moore on Federal Anti-Hacking Statutes in December Corporate Counsel

Previously published at corpcounsel.com see here

Four Things You Need to Know about Federal Anti-Hacking Statutes in Employment Disputes

Every time an employee logs onto a work computer, and every time an employer shows an interest in what that employee is up to, there is a possibility that the federal anti-hacking statutes, the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA), will come into play.
These statutes, designed to prevent unauthorized use or interference with electronic communications and data, have direct applications to the workplace. As several recent cases demonstrate, companies and employers both need to weigh their decisions about their electronic communications and their use of stored data to ensure that they do not run afoul of the law.

Here are some of the key upshots for in-house lawyers from these cases:

1. As a general proposition, the federal anti-hacking statutes do not prevent company monitoring of employee communications on company-owned systems.

Because the federal anti-hacking statutes are designed to protect only unauthorized usages of computer systems and data, they generally cannot shield an employee’s communications within company systems. Thus, in Williams v. Rosenblatt Securities. (S.D.N.Y. Oct. 7, 2015), the district court followed precedent in rejecting the SCA claims of a former investment strategist who alleged that he was terminated for whistleblowing to the U.S. Securities and Exchange Commission, and was then subjected to a post-termination search of his electronic communications on the firm network. The court, in rejecting the SCA claim, determined that the employee lacked any expectation of privacy in his electronic communications. The system was company-owned, and the firm was governed by the self-regulating Financial Industry Regulatory Authority Inc. (FINRA), which requires securities firms to review internal and external communications to ensure compliance with federal securities law.

Nor was the New York court alone. Last January, in Barbulescu v. Romania, (2016 Eur. Ct. H.R. 61), the European Court of Human Rights came to the same conclusion. It found that a Romanian employer, which had monitored an employee’s usage of a Yahoo Messenger account established for work purposes, did not violate Article Eight of the European Convention on Human Rights, which provides that “[e]veryone has the right to respect for his private and family life, his home and his correspondence.” The employee, knowing that the account had been established for the benefit of the employer, had no expectation of privacy.

On the other hand, employers still risk violating the federal anti-hacking statutes if they wrongfully access an employee’s privately stored communications. Thus, in Owen v. Cigna (N.D. Ill. May 25, 2016), a federal district court in Illinois held that a former employee could assert a claim under the SCA against a company that had allegedly gained access to her private email account following her departure and without her consent. Therefore, should an employee depart, even under suspicious circumstances, an employer should take care not to access that employee’s privately stored emails generated outside the company-owned network.

2. Employers continue to utilize federal anti-hacking statutes to pursue employees accused of obtaining trade secrets or other information from company systems. However, the courts have struggled with what usages of electronic systems are “authorized” within the meaning of the statutes.

Section 2701 of the SCA bars a current or former employee from intentionally obtaining stored electronic communications “without authorization” or by “exceeding authorization” to obtain the communications. Similarly, Section 1030 of the CFAA prevents an employee from intentionally accessing a computer “without authorization” or by exceeding “authorized access.”

There is currently a split in the federal appellate courts as to how to interpret this language, over the issue of whether an employee who accesses information in violation of company policy is in violation of the anti-hacking statutes. For example, late last year, the U.S. Court of Appeals for the Second Circuit, in the notorious case of United States v. Valle (2d Cir. 2015), invalidated the conviction of a police officer who appeared to be conspiring with other internet denizens to murder and devour various family members and others—though there seemed to be a great deal of evidence that there was never any actual intention to carry out any actual attacks. The officer had been convicted, among other crimes, of violating the CFAA by using the police force’s electronic database to investigate one of the proposed “victims.” The Second Circuit narrowly interpreted the CFAA by holding that the statue does not apply to an employee who was authorized to use the data but who then exceeds the scope of the intended use. In contrast, several other federal circuits—for example, the Seventh Circuit in International Airport Centers v. Citrin (2006)—have held that a defendant who accesses information for a purpose other than that for which access was originally authorized may be held liable.

There is one area of agreement across the federal circuits. The federal courts uniformly hold that a former employee who gains access to stored data without authorization violates the SCA and CFAA, as was recently held in Cloudpath Networks v. SecureW2 (D. Colo. Jan. 13, 2016). In that case, the employee—along with a confederate—was accused of downloading proprietary information and software code, and deleting and corrupting sales lead and customer information on behalf of a competing company, which the employee joined after leaving the first company. According to the complaint, after his departure the employee continued to use his access to the first company’s systems to assist his new employer. The federal district court in Colorado would not permit the company to pursue claims under the SCA or CFAA for the time that the defendant was still employed by the first company—but permitted claims for the post-employment period.

3. The Defend Trade Secrets Act will likely supplant the CFAA and SCA as a vehicle for employers who have claims against former employees for the improper use of trade secrets.

Over the past several years, the CFAA and SCA have become increasingly popular with employers wanting to assert federal claims against employees who had commandeered their trade secrets—especially in federal circuits where employees could be sued for exceeding their authorization in accessing company data. However, in May the Defend Trade Secrets Act (DTSA) became federal law, and this new statute provides a far more straightforward remedy for employers seeking to protect their trade secrets.

Prior to the passage of the DTSA, claims of misappropriation of trade secrets were a matter of state law, and could not be brought in federal court unless some independent basis for federal court jurisdiction existed (such as another federal claim or diversity of citizenship among the parties). With the passage of the DTSA, “misappropriation” and “trade secrets” are given uniform meaning in the federal courts and employers are entitled to bring their claims in federal court. The DTSA also provides strong remedies, including money damages, injunctive relief, seizure of property to protect trade secrets from disclosure, punitive damages and attorney fees.

A key advantage of the DTSA over the federal anti-hacking statute is that a party under the DTSA does not need to establish that the theft of a trade secret made use of a particular electronic device or methodology, as is required under both the SCA and CFAA.

4. Any suspicion of theft of trade secrets should be fully investigated—with an eye to the best statutory remedy.

In particular, an employer suspecting a former employee of accessing and transmitting data should do the following:

• The employee must be cut off from access to all computer business systems, including internet access and email. This will end any argument that the employee has continued and authorized access to the employer’s systems.

• The employer should conduct an immediate review of all email sent or received by the employee for the past several months. The company must retrieve any company-owned laptop computer or other such equipment used by the employee for a thorough review.

• The company should focus its review on any email sent to the employee’s home computer, family members or personal email account and on the transfer of any large blocks of data. If anything out of the ordinary is discovered, an outside computer forensic expert should be engaged to conduct a thorough analysis and to preserve evidence of any wrongdoing.

• The company should review the DTSA and the federal anti-hacking statutes (as well as any applicable state law remedies) to determine the scope of available relief.

Mark H. Moore is a partner of Reavis Parent Lehrer, and is a member of its litigation group. He frequently represents institutions and individuals in business and employment disputes where stored electronic communications play a key role. He also litigates cases involving theft of trade secrets and advises clients on policies and procedures for protecting their own.

Compliments of Reavis Parent Lehrer – a member of the EACCNY