When Employees Take Home More Than Office Supplies:

Employer Remedies Under the Federal Computer Fraud and Abuse Act

I. Introduction to the CFAA

            The Computer Fraud and Abuse Act (“CFAA”) was initially passed in 1984 in order to protect classified information on government computers from hackers.  The specific language prohibited unauthorized access of computer information.  An amendment to the statute in 1994 added civil remedies to what was previously a statute that was solely criminal in nature.  Then, in what has become key to employers in today’s context, in 1996 Congress extended the CFAA from government computers to any computer used in interstate or foreign commerce, essentially any computer connected to the internet.  Congress also removed the “unauthorized access” requirement, thereby allowing prosecution of company insiders as well as hackers.
The CFAA now applies when an employee accepts a job at another company, but continues working at the current job and continues to access the current employer’s computer system. Both the departing employee and the new employer can be sued under CFAA if, either separately or together, they seek to gain a competitive advantage through unauthorized use of information from the current employer’s computer system.
If brought within two years of discovery, any employer or person that suffers damage or loss due to a violation of the CFAA may obtain compensatory damages and injunctive or other equitable relief.  There are two elements that must be proved in order to establish a violation of the CFAA:  (1) intentional access of a protected computer without authorization or which exceeds authorized access; and (2) the access must cause damages of at least $5,000.00. CFAA covers more than the losses directly caused by the employee’s unauthorized access to the employer’s computer system. It also covers damage assessments, security update and restoration or replacement costs, and any revenue lost or costs incurred or other damages resulting from any impairment or interruption of service.  An employee that takes trade secrets, client information, or other key data from a computer at their current employer to their new employer may be prosecuted under this Act.

II. Key Cases for Employers Under the CFAA

One of the key CFAA cases for employers is Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000). Shurgard was an industry leader in self-storage. It attributed its growth to its having developed "a sophisticated system of creating market plans, identifying appropriate development sites, and evaluating whether a site will provide a high return on an investment." Shurgard claimed to have expended "significant resources in creating its marketing teams for each potential market."
Safeguard began operating as a direct competitor of Shurgard in 1997. In late 1999, Safeguard began courting Eric Leland, a Regional Development Manager at Shurgard. While still employed by Shurgard and without its knowledge or permission, Leland, who still had full access to Shurgard's confidential business and expansion plans, as well as other trade secrets, began emailing proprietary information and trade secrets to Safeguard. In October 1999, Leland was hired by Safeguard, where he continued to provide his new employer with confidential and proprietary information belonging to his former employer. In addition, Safeguard lured away other Shurgard key employees with intimate knowledge of Shurgard's business models and practices.
Shurgard sued, claiming that Safeguard had embarked on a systematic scheme to raid its key employees in order to steal its trade secrets. Safeguard moved to dismiss Shurgard's CFAA claims on several grounds. Safeguard first challenged Shurgard's claim on the basis that all Shurgard employees accused of transferring confidential information to Safeguard had full access to that information, and therefore, Shurgard could not claim that they acted without authorization or that they exceeded their authorized access to Shurgard's computers. The court rejected that argument, holding that the disloyal employees' authority to access Shurgard's computers ended when they began acting as agents of Safeguard.
Safeguard further argued that the CFAA only applied to "outsiders," not employees. The court held that, since the CFAA prohibits "whoever intentionally accesses," it was unambiguously applicable to the employees’ conduct at issue.
A review of the plain language of the CFAA, its amendments, and its legislative history, led the court to conclude that the statute was "intended to punish those who illegally use computers for commercial advantage [and] was intended to encompass actions such as those allegedly undertaken by [Safeguard]."
While there has yet to be a major Wisconsin decision on the CFAA, the 7th Circuit of Federal Courts, of which Wisconsin is a part, decided a seminal CFAA case, International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).  In this case, a real estate business, IAC, issued its employee, Citrin, a company laptop computer to record prospect data collected as part of his employment.  Eventually, Citrin decided to quit his job and go into business for himself.
However, prior to returning the laptop to IAC, Citrin loaded a secure-erasure program, designed to permanently erase all electronic files on the computer by “writing over” deleted materials.  Citrin’s actions also deleted data that would have potentially revealed evidence of improper competitive conduct engaged in by him prior to his resignation.
The 7th Circuit Court of Appeals found in favor of IAC, noting that Citrin violated the part of CFAA that prohibits the unauthorized accessing of computers. Specifically, having already decided to quit his job in violation of his employment contract and resolved to destroy data that incriminated himself and destroy other company files, the 7th Circuit found that Citrin breached his duty of loyalty as an employee. As such, Citrin effectively terminated his agency relationship with his employer and, with it, his authority to access and delete information on his company laptop, even if such actions occurred prior to his final resignation date.

III.  Advice to Hiring Employers

New employers should take action to avoid potential CFAA claims, particularly by addressing conduct by the employee while they are still working for the old employer but after agreeing to join the new employer. They should remind a new employee not to take information from a former employer, to return all computer-generated data before starting the new job, and to bring only such data along if the former employer has given its permission to do so.  Further, the new employer should have new employees sign certifications stating the same.  Lastly, given a split of authority regarding the application of the CFAA, employers are advised to draft clauses into their confidentiality and non-compete agreements with employees that clearly define what access is authorized and what is unauthorized, and the precise time when authorized access becomes unauthorized. Such a clause may be very persuasive in a civil case under the CFAA later.

IV. Summary

CFAA offers employers many advantages. First and foremost, CFAA claims avoid the restrictive Wisconsin non-compete laws under Wis. Stat. §103.465. Second, the CFAA’s focus is not on the type of information or data stolen but on abuse of a computer system to obtain that information or data. Employers can bring CFAA claims without proving the information wrongfully accessed was a trade secret, constituted confidential or proprietary information, or breached an employment contract, confidentiality agreement, or non-compete agreement. Employers can bring CFAA actions even if they do not have any confidentiality, non-compete, or trade secret agreements with the disloyal employee.
Employers should consider using the CFAA in appropriate situations. Damages and injunctive relief are available. Key information for these type of CFAA suits are generally already in the hands of the employer or can be easily obtained by the employer’s own computer expert. CFAA is no longer the limited statute it was in 1984. Expansive court interpretations have converted it into an attractive weapon against wrongful conduct by disloyal employees.

If you are an employer looking for more information and guidance regarding the CFAA please contact Gerbers Law.