In LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the employee emailed to himself competitively sensitive data so he could use it to compete against his current employer. Disagreeing with Citrin, the 9th Circuit refused to hold that an employee’s authorization to access the company computer is based on the law of agency. Instead, the court held that the Computer Fraud and Abuse Act did not apply to the theft because an employee cannot act “without authorization” when his employer gave him “permission to use” the company computer. Id. at 1133.
In International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006), the court held that an employee was liable under the Computer Fraud and Abuse Act and that the employee’s “authorization to access the [company] laptop terminated, when, . . . [the employee] resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.”
What Is Required and How to Comply
Contributed by: Melissa J. Krasnow, Dorsey & Whitney LLP
The Massachusetts Office of Consumer Affairs and Business Regulation (“MOCABR”) recently issued the final version of the Massachusetts privacy regulation (Regulation). This article provides a summary of this Regulation, which applies to each person or entity that owns or licenses personal information about a Massachusetts resident (Covered Entity). “Owns or licenses” means receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. “Personal information” means a Massachusetts resident’s first and last name, or first initial and last name, in combination with a (i) Social Security Number; (ii) driver’s license or state-issued identification card number; or (iii) financial account number. According to the MOCABR, this Regulation is not preempted if a Covered Entity complies with the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act requirements. Consequently, this Regulation could apply to any type of business.
A Covered Entity must be in full compliance with this Regulation on or before March 1, 2010, including developing, implementing and maintaining a comprehensive, written information security program applicable to records containing personal information (Program).
This Regulation establishes minimum standards for safeguarding personal information in paper and electronic records. The Program must be written in one or more readily accessible parts and contain administrative, technical and physical safeguards consistent with the safeguards for protection of personal information and information of a similar character in any state or federal regulations by which the Covered Entity may be regulated.
The safeguards must be appropriate to (i) the size, scope and type of business of the Covered Entity; (ii) the amount of resources available to the Covered Entity; (iii) the amount of stored data and (iv) the need for security and confidentiality of both consumer and employee information.
The Regulation requires a Covered Entity to take the following action:
1. Designate one or more employees to maintain the Program;
2. Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality or integrity of any electronic, paper or other records containing personal information, and evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting these risks (e.g., ongoing temporary, contract and regular employee training, employee compliance with policies and procedures and means for detecting and preventing security system failures);
3. Develop security policies for employees relating to the storage, access and transport of records containing personal information outside of business premises;
4. Impose disciplinary measures for violations of the Program;
5. Prevent terminated employees from accessing records containing personal information;
6. Take reasonable steps to select and retain third-party service providers (i.e., any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a Covered Entity) that are capable of maintaining appropriate security measures to protect such personal information consistent with this Regulation and any applicable federal regulations;
7. Require third-party service providers by contract to implement and maintain appropriate security measures for personal information (though a contract a Covered Entity has entered into no later than March 1, 2010 with a third-party service provider satisfies this provision even if the contract does not include a requirement that the third-party service provider maintain such appropriate safeguards, until March 1, 2012);
8. Implement reasonable restrictions on physical access to records containing personal information and store the records and data in locked facilities, storage areas or containers;
9. Regularly monitor to ensure that the Program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information and upgrade information safeguards as necessary to limit risks;
10. Review the scope of the security measures at least annually or when there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;
11. Document responsive actions taken when a data security breach incident occurs and conduct a mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to the protection of personal information; and
12. Establish and maintain a security system covering the Covered Entity’s computers and any wireless system, which, at a minimum and to the extent technically feasible (i.e., if there are reasonable means through technology to accomplish a required result):
a.) secures user authentication protocols, including (i) control of user IDs and other identifiers; (ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies (e.g., biometrics or token devices); (iii) control of data security passwords to ensure that these passwords are kept in a location or format that does not compromise the security of the data they protect; (iv) restricting access to active users and active user accounts only and (v) blocking access to user identification after multiple unsuccessful attempts to gain access or limiting access for the particular system;
b.) has secure access control measures that (i) restrict access to records and files containing personal information to those who need personal information to perform their job duties and (ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
c.) encrypts (i.e., transforms data into a form in which meaning cannot be assigned without the use of a confidential process or key) all transmitted records and files containing personal information that will travel across public networks, and encrypts all data to be transmitted wirelessly;
d.) has reasonable monitoring of systems for unauthorized use of or access to personal information;
e.) encrypts all personal information stored on laptops or other portable devices;
f.) includes reasonably up-to-date firewall protection and operating system security patches for files containing personal information on a system that is connected to the Internet, reasonably designed to maintain the integrity of the personal information;
g.) has reasonably up-to-date versions of system security agent software, which includes malware protection and reasonably up-to-date patches and virus definitions or a version of this software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis; and
h.) educates and trains employees on the proper use of the computer security system and the importance of personal information security.
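Several of the safeguards in items 5, 12(a) and 12(b) (terminated employees disabled, active accounts only, lockout after repeated failures, unique identifiers, no vendor default passwords) can be checked mechanically against an account inventory. The following Python script is an added illustration, not part of the article or the Regulation; the account records, the vendor-default password list and the lockout and dormancy thresholds are constructed assumptions.

```python
"""Audit a user-account inventory against the safeguards in items 5, 12(a)
and 12(b) above.  Added illustration; the records, the vendor-default
password list and the thresholds are constructed assumptions."""
import hashlib
from datetime import date, timedelta

# Constructed: passwords a vendor might ship with; item 12(b)(ii) forbids them.
VENDOR_DEFAULTS = {"admin", "password", "changeme", "welcome1"}
AUDIT_DATE = date(2010, 3, 1)  # constructed: the compliance deadline


def pw_hash(password):
    """Unsalted SHA-256, used only so the sample inventory holds no plaintext;
    a real credential store would be salted and verified per account."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed inventory, one record per login, as an HR/IT export might look.
ACCOUNTS = [
    {"user": "jsmith", "employed": True, "enabled": True, "failed": 1,
     "last_login": date(2010, 2, 20), "password_hash": pw_hash("Tr0ub4dor&3")},
    {"user": "tlee", "employed": False, "enabled": True, "failed": 0,
     "last_login": date(2009, 11, 15), "password_hash": pw_hash("x9!Lq2#v")},
    {"user": "svc_backup", "employed": True, "enabled": True, "failed": 0,
     "last_login": date(2010, 2, 27), "password_hash": pw_hash("admin")},
    {"user": "mgarcia", "employed": True, "enabled": True, "failed": 7,
     "last_login": date(2009, 10, 1), "password_hash": pw_hash("P@ss-w0rd-77")},
]


def record_failed_login(account, lockout_threshold=5):
    """Item 12(a)(v): count a failed attempt and disable the login once the
    (assumed) threshold is reached.  Returns True if the account is now locked."""
    account["failed"] += 1
    if account["failed"] >= lockout_threshold:
        account["enabled"] = False
    return not account["enabled"]


def audit_accounts(accounts, today=AUDIT_DATE, lockout_threshold=5, dormant_days=90):
    """Return (user, item, finding) tuples for every control the inventory fails."""
    default_hashes = {pw_hash(p) for p in VENDOR_DEFAULTS}
    findings, seen = [], set()
    for a in accounts:
        if a["user"] in seen:  # item 12(b)(ii): one identifier per person
            findings.append((a["user"], "12(b)(ii)", "identifier not unique"))
        seen.add(a["user"])
        if not a["employed"] and a["enabled"]:  # item 5
            findings.append((a["user"], "5", "terminated employee still enabled"))
        if a["enabled"] and today - a["last_login"] > timedelta(days=dormant_days):
            findings.append((a["user"], "12(a)(iv)", "dormant account still enabled"))
        if a["enabled"] and a["failed"] >= lockout_threshold:
            findings.append((a["user"], "12(a)(v)", "lockout threshold not enforced"))
        if a["password_hash"] in default_hashes:
            findings.append((a["user"], "12(b)(ii)", "vendor default password in use"))
    return findings


if __name__ == "__main__":
    for user, item, msg in audit_accounts(ACCOUNTS):
        print(f"{user:12} item {item:10} {msg}")
```

Each finding cites the item of the Regulation summary it fails, so the output doubles as the documentation of the review that item 10 calls for.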
The statute under which this Regulation was issued provides for enforcement by the Massachusetts Attorney General.
Companies that are developing or have developed comprehensive, written information security programs need to revisit what they have done thus far to make sure it complies with the Regulation, and whether it is subject to the Nevada encryption law. Under the Nevada encryption law, a company (except for a telecommunications provider) doing business in Nevada that deals with personal information must comply with specific encryption requirements if it does not accept a payment card (a credit card or similar card) in connection with a sale of goods or services. This law also requires that a company that does accept payment cards in connection with a sale of goods or services comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is an industry security standard developed by the PCI Security Standards Council (including American Express, Discover, JCB, MasterCard and Visa) for the protection of customer account data. The compliance deadline for the Nevada encryption law is January 1, 2010.
Other companies immediately need to determine whether they are covered by the Regulation. Their compliance efforts should begin now if they determine that they are covered. Finally, companies that determine that they are not covered typically prepare a written summary of their determination.
THE PRACTICE: Commentary and advice on developments in the law
Three recent court decisions make it important for companies to begin the new year with a thorough review of their computer-use policies with a focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the scope of the employee’s permissible access to the company computers. This article will discuss these three decisions and their implications for creating effective corporate computer policies that protect the company against the theft of its data.
Two of these recent decisions—Quon v. Arch Wireless Operating Co. Inc., 529 F.3d 892 (9th Cir. 2008), cert. granted, 2009 WL 1146443 (2009), and Stengart v. Loving Care Agency Inc., 408 N.J. Super. 54 (N.J. App. Div. 2009)—affect a company’s ability to gather evidence from its own computers. Both cases found company computer policies insufficient to defeat the employee’s expectation of privacy in using the company computers for personal reasons. Whether an employee has an expectation of privacy on the company computers can become a critical issue when it is suspected that an employee may have stolen corporate data.
In Quon, the U.S. Court of Appeals for the 9th Circuit held that a review of text messages on pagers provided to municipal police officers violated the Fourth Amendment as an unreasonable search. Although the city had no express policy “directed to text messaging by use of the pagers,” it did have a general “Computer Usage, Internet and E-Mail Policy” applicable to all employees that limited the “use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computer” to city business.
The policy warned that “[t]he use of these tools for personal benefit is a significant violation of” city policy, that “[a]ccess to all sites on the Internet is recorded and will be periodically reviewed by the City,” that the city “reserves the right to monitor…all network activity, including email and Internet use,” and that “[u]sers should have no expectation of privacy or confidentiality when using these resources.” The policy also warned against using “these systems…for personal or confidential communications” because the information produced on the system “is considered City property.” This policy was acknowledged in writing by each city employee, and it was announced orally that this policy applied to pagers.
The 9th Circuit affirmed the district court’s finding that Jeff Quon had a reasonable expectation of privacy with respect to the text messages because the policy did not reflect the “operational reality” at the police department where the staff were told that the department “would not audit their pagers so long as they agreed to pay for any overages” that exceeded a “25,000 character limit.” Id. Consistent with that informal policy, Quon had exceeded that limit “ ‘three or four times’ and had paid for the overages every time without anyone reviewing the text of the messages,” demonstrating that the police department “followed its ‘informal policy’ and that Quon reasonably relied on it.”
In Stengart, the issue of the computer policies arose in the context of the attorney-client privilege. Marina Stengart used her employer’s laptop computer to communicate with her attorney about an anticipated lawsuit against her employer “through her personal, web-based, password-protected Yahoo email account.” After Stengart filed a discrimination suit, her then-ex-employer found numerous e-mails on the company computer between Stengart and her attorney. The employer’s computer policy was nearly identical to the policy addressed in Quon with one significant exception. Unlike the written policy in Quon, which limited use of the computers to the employer’s business, the policy in Stengart provided that “[o]ccasional personal use is permitted.”
The court found two specific “ambiguities” with the computer policy that “cast doubt over the legitimacy of the company’s attempt to seize and retain personal e-mails sent through the company’s computer via the employee’s personal email account.” First, the “policy neither defines nor suggests what is meant by ‘the company’s media systems and services,’ nor do those words alone convey a clear and unambiguous understanding about their scope.” Second, the court found that one could reasonably conclude “that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Given these ambiguities, Stengart could have assumed her e-mails with her attorney would be confidential.
The third decision relates to a company’s ability to use evidence found on its own computers to bring a viable court action against the disloyal employee under the federal Computer Fraud and Abuse Act (CFAA) to retrieve the stolen data and prevent its dissemination in the marketplace. The CFAA, the federal computer crime statute, provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the CFAA. 18 U.S.C. 1030(g). A critical element in proving most CFAA claims is that the violator accessed the computer “without authorization” or “exceeding authorized access.”
THE ISSUE OF PERMISSIBLE ACCESS
That case, LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), has made it more important than ever for corporate computer policies to address what is not permissible access to the company computer system. Until Brekka, no other circuit court had disagreed with the 7th Circuit’s holding in Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates. Brekka refused to apply the CFAA to a theft of employer data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer.
Although this division in the circuit courts will ultimately have to be resolved by the U.S. Supreme Court, from an employer’s standpoint it is important to emphasize that the agency relationship with the employee is not the only way to prove that an employee’s access to the company computer was unauthorized or exceeded authorization. Employers can proactively establish the predicate for unauthorized access by promulgating the rules of access through company policies. The “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden” through a compliance code or an employee handbook or through employee agreements. See Cont’l Group Inc. v. KW Property Mgmt., 622 F. Supp. 2d 1357 (S.D. Fla. 2009); EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).
In designing corporate computer policies and employee agreements, it is important not to lose sight of the well-established operating principle that company computers are company property, and, as such, the company can “attach whatever conditions to their use it wanted to,” even if these conditions are not “reasonable.” Muick v. Glenarye Electronics, 280 F.3d 741, 743 (7th Cir. 2002). Nonetheless, in light of Quon, Stengart and Brekka, a company should review its computer policies to ensure that they do the following:
- Clearly define the computer systems covered by the policy; expressly encompass whatever technology is used, such as text messaging or instant messaging; and address not only the servers but removable media such as thumb drives and disks.
- Make clear that all data created in furtherance of any personal use belongs to the company—including use of the company systems to access personal Web-based e-mail accounts—and may be monitored by the company and will not be confidential.
- Reflect operational reality and are audited at least annually to confirm that they still do.
- Spell out precisely the scope of an employee’s permissible authorization to the company computers, particularly what they are not permitted to do, e.g., access the company computers to retrieve company data for a competitor.
The time to get this right is now before the company finds itself the victim of a data theft.
Technology poses a special risk to companies whose businesses depend on such valuable competitive data. With just a couple of mouse clicks or through the use of a thumb drive that can be slipped into a pocket, an employee can easily remove from the workplace what amounts to multiple file cabinets worth of documents. Last year, for example, I represented a client where the data at issue was worth more than $1 billion in business to the company. The employees in that case removed the data from the company by simply downloading it to several compact disks and e-mailing it to their home e-mail addresses. I also represented a company in a case involving the theft of data relating to government contracts worth hundreds of millions of dollars where the stolen data was used to divert the business to a major competitor. The data in that case was removed on floppy disks. In addition to traditional lawsuits that can last a year or two through discovery and trial, a major part of my practice is filing emergency court actions for injunctive relief—temporary restraining orders and preliminary injunctions—to seek the immediate return of competitively sensitive data that is stolen from a company. In those cases, the client suddenly discovers that a trusted employee has taken valuable data to a competitor. In response, I go into action marshalling the evidence, drafting the necessary court papers, and within a day or two find myself appearing before a judge asking for the immediate return of the data. These actions are important to my clients who cannot afford to have their competitive positions in the marketplace undermined by a competitor using their key information.
Time to review corporate computer policies
The National Law Journal
February 1, 2010