CFAA Case Reminds Employers to Limit Employee Data Access

When Hardev Sidhu took a medical leave from his job at consulting giant Accenture in 2009, his employer continued his pay, benefits and access to its secure online network, which contained proprietary information.

Accenture did not know that Sidhu had fabricated the illness and started working for HCL, a direct competitor, two months into the leave. About a year later, Accenture discovered the deception and found that Sidhu had downloaded more than 900 documents during his leave.

To protect its electronically stored confidential information against such employee theft, Accenture had implemented employment policies covering confidentiality, security, workstation security, mobile devices and dual employment. It cited these policies in its federal lawsuit seeking restitution from Sidhu under the Computer Fraud and Abuse Act (CFAA), which provides both for criminal prosecution and private rights of action against any person who, "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value."

When the case of Accenture LLP v. Sidhu came before the Federal District Court for the Northern District of California in November 2010, the court dismissed it.

Federal district and circuit courts of appeal have taken varying stands on when and how employers can use the CFAA to prosecute departing employees who steal trade secrets.

Sidhu reminds companies they must go beyond policy statements to protect information stored in their computer systems.

"[The decision] crystallizes the importance of taking additional steps to limit employee access to trade secrets and confidential information on computer systems," says Brent Cossrow, a member of Fisher & Phillips' Employee Defection and Trade Secrets practice group.

Courts in Conflict

When Congress passed the CFAA in 1984, its primary goal was to enhance the government's ability to prosecute criminals who access computers to steal information or disrupt networks. However, the private right of action established under the CFAA can help businesses recoup losses in some cases of employee data theft, says Jackson Lewis Partner Joseph Lazzarotti.

But courts have reached different conclusions about what constitutes a valid case against an employee or former employee. Those differences center on what the statute means when it prohibits computer access by a person "without authorization" or who "exceeds authorized access."

The controversy grows out of the 9th Circuit's 2009 decision in LVRC Holdings LLC v. Brekka, in which the court held that employees are not acting "without authorization" when their employer has given them "permission to use" a company network.

Nick Akerman, a partner at Dorsey & Whitney, says the Sidhu decision shows the court, relying on Brekka, was interested only in its test of whether Accenture had at one point allowed Sidhu to use its computer system, and not whether the permission was limited or "whether the employee had obtained that permission through deception."

In another case taking a Brekka position, U.S. v. Aleynikov, the Federal District Court for the Southern District of New York in September 2010 dismissed claims against an employee and overturned his conviction under the CFAA for copying and removing high-frequency software trading codes from Goldman Sachs.

The court in Aleynikov held that "damage" under the statute is limited to a narrow congressional intent in passing the CFAA--prohibiting people from "hacking" into a computer system, not the subsequent use or misuse of information.

Akerman disagrees with this interpretation. "The notion that the CFAA is limited to outside hackers is a narrow view that has not been adopted by any of the circuit courts except the 9th Circuit in Brekka," he says.

But Cossrow says the perceived reluctance by some courts to enforce the CFAA in employer-brought cases could be because "it would federalize certain misappropriation-related claims against disloyal employees, which for the most part already give rise to state-law causes of action. These decisions are well-reasoned analyses that reflect a legitimate, robust debate within the federal judiciary."

Employer-Centric Cases

At the other end of the spectrum from Brekka are enforcement-friendly cases. In 2006, the 7th Circuit in Int'l Airport Centers LLC v. Citrin recognized that previously authorized use of a computer system may become unauthorized when an employee breaches his duty of loyalty to his employer and reversed the district court's dismissal of CFAA claims by the employer against a former employee.

Similarly, in December 2010 the 11th Circuit in United States v. Roberto Rodriguez upheld the conviction of a former Social Security Administration employee who used the agency's databases to obtain personal information concerning people he knew.

And in United States v. Batti, the 6th Circuit in January upheld an employee's conviction and restitution to his former company under the CFAA in a case in which the FBI determined the employee had accessed the computer system, stealing confidential data after he was fired.

Limiting Access

While experts agree it is important that law departments incorporate the 7th Circuit's Citrin duty of loyalty standard into company policy by clearly defining the purposes for which an employer's computer and other electronic communications systems may and may not be used, such policy alone is not always enough.

In Sidhu, the court declared that access is established not by policies, but by "the extent the employer makes the computer system available to the employee."

As a result, Lazzarotti recommends that employees have access only to data required to do their jobs, with clear policies defining the permitted level of access.

That requires a coordinated effort among IT, human resources, legal and business units that deal with sensitive data and customer information.

"The correct response to issues of data security is not, 'We have an IT department and it deals with security,'" Lazzarotti adds.

Cossrow suggests companies prepare a checklist for employee separations to ensure that remote access is terminated and that all data on flash drives and other mobile media is returned, and, in some instances, have a forensic expert review employee e-mail accounts.

Contributing Author

Michael Kozubek
