Two new developments this past year have made it easier for employers to sue employees in federal court for stealing data from company computers. The most recent is the U.S. Court of Appeals for the Ninth Circuit’s July decision in U.S. v. Nosal interpreting what it means to access a company computer “without authorization” under the Computer Fraud and Abuse Act (CFAA), the federal computer criminal statute. 18 U.S.C. 1030. The other development is the May amendment to the Economic Espionage Act (EEA), the federal criminal trade secrets act, permitting companies to file a federal civil action against individuals who steal the company’s competitively sensitive data. 18 U.S.C. 1831, et. seq.
Ransomware. It’s a data security buzzword that has caught on among civilians and businesses. And it’s real. It threatens system security and costs victims plenty. But what is ransomware? Why is it more of a threat than typical cyber viruses and infections? What do you do to keep yourself immune from ransomware? If affected, what are your options?
Companies should take three steps now to ensure use of the Defend Trade Secrets Act.
In May, President Barack Obama signed into law the Defend Trade Secrets Act that creates a federal civil cause of action for the misappropriation of trade secrets. This new law amends the Economic Espionage Act, which makes it a federal crime to steal and use trade secrets. Title 18 U.S.C. 1831, et. seq. For companies that depend on confidential information to provide them a competitive edge, there are several proactive steps they should take to ensure their use and the full benefits of this statute if their trade secrets are stolen.
Most significantly, the Defend Trade Secrets Act, unlike the state trade secrets laws, provides for an ex parte “order for the seizure of property necessary to prevent the propagation or dissemination of the trade secret,” upon a showing of “exceptional circumstance.” Traditional state court equitable remedies are limited to a temporary restraining order and a preliminary injunction. The law also makes the theft, possession and use of trade secrets a predicate act for the Racketeer Influenced and Corrupt Organizations Statue, which can form the basis of a civil RICO action for treble damages and attorney fees. (In the past, federal courts have been reluctant under most circumstances to find a RICO “pattern” for trade secrets theft as part of a scheme to defraud based on the mail and wire fraud statutes. See, e.g., Bro-Tech Corp. v. Thermax (E.D. Pa. 2009).
In December, a divided panel of the U.S. Court of Appeals for the Second Circuit in U.S. v. Valle interpreted the Computer Fraud and Abuse Act to exclude employees who access their employer’s computers. The upshot is that if you are an employee in the Second Circuit and steal data from your employer to commit identity theft or to provide it to a competitor, you cannot be prosecuted by the Department of Justice or sued by your employer under the CFAA.
A recent ruling shows that plaintiffs must act fast when using a federal criminal statute for a civil suit.
The U.S. Court of Appeals for the Second Circuit in August addressed the proper application of the statute of limitations to a civil action—in the context of allegations of malicious statements made on the Internet over a broken romance and sexual misconduct—brought under the federal computer crime statute, the Computer Fraud and Abuse Act (CFAA). The case was Sewell v. Bernardin.
The recent decision in Allied Portables v. Youmans from the U.S. District Court for the Middle District of Florida underscores the need for businesses to establish explicit, well-advertised written policies identifying the scope of permissible employee access to company computers. Absent such policies, employers may be precluded from using the civil remedy in the federal computer crime statute, the Computer Fraud and Abuse Act, to sue employees who steal or destroy data from a company computers.
Allied properly recognized that for a CFAA claim to succeed, the plaintiff employer must be able to show the critical element that the defendant employee accessed a company computer by exceeding the authorized access to the computer.
The fundamental shift for businesses in the past 15 years from paper documents to computer data has forced the courts to decide whether intangible electronic data should enjoy the same legal protections as physical property.
Because of this shift, it is important to review the judicial response to the electronic-data issue in the context of a federal criminal statute, the National Stolen Property Act (NSPA), and common law conversion.
The NSPA makes it a felony for one who “transports, transmits, or transfers in interstate or foreign commerce any goods, wares, merchandise … of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.” Conversion is the state civil cause of action for the theft of property.
Although headlines have focused on foreign cyberattacks, plenty are U.S.-based—and can be remedied. Over the past year the national press has repeatedly reported on the vulnerability of our intellectual property to nation-state hackers like China, which have reportedly accessed and stolen highly confidential data by entering computer systems through public websites. Lost in the headlines… Read More
In all jurisdictions the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, the federal computer crime statute, applies to former employees who steal data from the company computer, but in two federal circuits it does not apply when the theft occurs during employment. The difference in jurisdictions is significant to employers because the CFAA provides a civil remedy for damages and injunctive relief for a company that “suffers damage or loss” by reason of a violation of the CFAA. 18 U.S.C. 1030(g).
Last year the U.S. Court of Appeals for the Ninth Circuit in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), disagreed with certain of its sister circuits and narrowly interpret-ed what it means to access the company computer “without authorization,” effec-tively eliminating a company’s ability in that jurisdiction to use the CFAA against current employees. This column will review the conflicting interpretations of the CFAA that distinguishes between current and former employees and the strategies and options companies can employ to navigate this conflict.
Four separate circuit court rulings this year enhanced the ability of businesses to use Computer Fraud and Abuse Act. To print or view this article as a pdf go to: link By Nick Akerman Four recent decisions handed down by four different federal courts of appeals during the past year have, in combination, greatly… Read More