X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
It is a paradox of business technology that the more important it becomes to an organization, the harder it is to control. Most modern businesses of any substantial size have a computing architecture that includes, at the very least, a central server or servers for storing important company (and/or client) documents. These systems are usually password protected and often include various other levels of security that may be effective in protecting the company’s confidential data from prying eyes. Of course, if the prying eyes are inside the company, all of that security is essentially useless. When employees decide to leave a company, either to work for a competitor or to start their own competing business, they may decide to take sensitive corporate documents with them. Not so long ago, that meant printing out or photocopying the materials and removing them physically. Now, employees may attach “flash drives” (small, portable storage devices with solid state memory) or portable hard drives to remove enormous amounts of material. They may also use outside e-mail or file-transfer services to transfer files before they leave. Misappropriation of sensitive documents by departing employees is not uncommon, and it is fertile ground for litigation. Depending on the specific facts, there are several potential causes of action. If the employees are subject to contractual non-disclosure agreements that cover the misappropriated materials, there may be grounds for injunctive relief or damages for breach of those agreements. Even in the absence of contractual non-disclosure obligations, willful misappropriation and misuse of confidential company materials can be the basis for claims of breach of fiduciary duty, misappropriation of trade secrets, unfair competition and other related tort claims. Unfortunately, this kind of litigation is not particularly efficient, largely because these inquiries are highly complex and fact-specific: They can turn on the precise nature of the documents taken, the steps the company took to protect them, the uses the employees made of them and the trust the company placed in those employees, to name just a few factors. In addition, state law may sharply limit the scope of trade secret protection and may even prevent the enforcement of some kinds of non-disclosure agreements if they are deemed overbroad. One way for employers to avoid that uncertainty and keep their documents out of the hands of competitors is to assert statutory claims arising not from the use of the documents, but from the unauthorized access to the computer system itself. Although there is a federal statute providing civil penalties and injunctive relief for unauthorized computer access (the Computer Fraud and Abuse Act) there is not a specific analogous New York state statute. There is, however, an analogous New Jersey statute, and recently a New York court considered its extraterritorial application in New York cases. In its length and well-reasoned opinion in A&G Research Inc. v. GC Metrics Inc., 1 a state court found that the New Jersey unauthorized access statute could be applied in a misappropriation case brought in New York, thus adding an additional layer of protection for some employers against faithless employees. The most frequently invoked statute in “faithless employee” misappropriation cases is the Computer Fraud and Abuse Act (CFAA), 2 a federal statute that generally prohibits accessing a computer and obtaining information “without authorization” or “exceeding authorized access” to do so. The statute covers a broad range of conduct, focused primarily on outside attackers (traditional hacking), but §1030(a)(2)(C) provides for penalties against anyone who “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication.” A “protected computer” is defined as one used by the U.S. government or a financial institution, or any computer “which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” In other words, CFAA applies to essentially any computer connected to the Internet. CFAA grants a number of benefits: it places the litigation in a federal forum, offers the possibility of injunctive relief and can provide protection for documents that might fall outside the increasingly limited definition of trade-secret or confidential material under state law. But CFAA claims against faithless employees are not a slam-dunk. In fact, there is currently a split among the federal courts as to whether CFAA should apply to these kinds of claims at all. A few courts have taken the position that the protections of CFAA are limited to outside attackers and that the statute, which includes criminal sanctions, must be read narrowly to include only that kind of conduct. 3 Under that view, a user who has a valid password (such as a present employee) cannot violate the statute no matter what he does with that password, even if he uses it to steal documents, because his “access” is not, in and of itself, “unauthorized.” Even if an employee has already decided to leave the company and has become a “faithless servant,” he cannot violate CFAA, under this narrow view, until he has left the company and his password has been revoked. This narrow view is largely an outlier, though it has been adopted by some courts. If nothing else, it runs into problems with the statutory language, which provides penalties not only for unauthorized access, but also for “exceed[ing] authorized access.” If the only access control is a password, and the user has a password, the statute must still contemplate some conduct that “exceeds” the authorized access granted by that password – and misappropriation of sensitive documents for the use of a competitor would seem to fit that definition. More fundamentally, an employee’s “authority” to access the system can be thought of as similar to the authority of an agent to act on behalf of a principal, which terminates (to the extent it benefits the agent) the moment the agent becomes adverse to the principal, regardless of whether or not the principal is aware of the change. On that view, the employee’s authority to access the system does not turn on whether or not he has a password; it turns on whether he remains a faithful employee. Leading Case This is the argument advanced by the U.S. Court of Appeals for the Seventh Circuit in the leading case arguing for broader application of CFAA, International Airport Centers v. Citrin. 4 In that case, Judge Richard A. Posner held that an employee who had decided to quit his company, but had not yet resigned, violated CFAA when he accessed a computer system to which he had a valid password for the invalid purpose of destroying data. This broader interpretation has been followed by the majority of federal courts, including at least one New York court. In Calyon v. Mizuho Securities USA Inc., a group of employees left an investment bank to go to work at a competitor, but before doing so they logged in to their computers to copy various materials to take with them. The bank sued under CFAA and the defendants moved to dismiss on the theory that only outsiders were subject to the act. The court rejected the theory, noting that “the plain language of the [CFAA] seems to contemplate that, whatever else, ‘without [authorization]‘ and ‘exceeds authorized access’ would include an employee who is accessing documents on a computer system which that employee had to know was in contravention of the wishes and interests of his employer.” 5 New York therefore appears to permit a CFAA claim against faithless employees, provided the other requirements of the statute are met. There are, however, a few limitations to claims under the federal statute. First, damages may be limited, in some situations, to the actual harm arising out of the unauthorized access. Typically, the “harm” includes the costs of investigating the break-in, replacing lost resources or securing or repairing any damage to the system, but it may be difficult, in some cases, to recover the indirect or consequential business damages arising out of the former employees’ use of the misappropriated documents under CFAA. Second, company document servers may be some of the few computers that might not meet the requirements of interstate availability found in the statutory definition of “protected computer.” If the company does not make the servers available remotely – that is, outside of the office – they may not be sufficiently connected to meet the requirements of the federal statute. If either of these is a concern, CFAA may not be an appropriate avenue. New Jersey Statute Although New York has various criminal statutes governing unauthorized access to computer systems, they do not provide private rights of action. New Jersey’s Computer Related Offenses Act, however, does. The statute prohibits, among other things, purposeful or knowing, and unauthorized: altering, obtaining, damaging, taking or destruction of any data, database, computer program, computer software or computer equipment; or accessing or attempt to access any computer, computer system or computer network. 6 Employers in New Jersey have successfully used the statute in civil suits against departing employees who misappropriated sensitive documents from the corporate computer system while still employed, regardless of whether those documents would otherwise have constituted protectable trade secrets. In Fairway Dodge LLC v. Decker Dodge Inc., 7 for example, a group of employees left a Dodge dealership to work for a nearby competitor. Before leaving, however, two of the employees used their otherwise valid access to download various documents from the company computers for use by the competitor. The court upheld the lower court’s finding of liability under the statute as to the two defendants who had actually done the downloading (though not against two others who may only have been aware of the conduct). Specifically, the court upheld the Appellate Division’s holding that an employee’s downloading of computerized data which he were not authorized to take is sufficient to establish liability under the statute, even if the data would not otherwise be protected as proprietary or confidential information. The broad reach of the statute thus makes it a very effective tool for New Jersey employers. New York Application Recently, the reach of the New Jersey statute was tested in a New York court for the first time. In A&G Research Inc. v. GC Metrics Inc., 8 a group of employees left a market research firm to form their own, competing business, taking with them over 5,000 company documents – one of the employees had simply hooked a hard drive up to her computer and copied the entire contents of the company’s server. The company sued, asserting a variety of claims, including claims under the New Jersey Computer Related Offenses Act. Defendants moved for summary judgment and presented a number of arguments against the statute’s applicability. The court rejected defendant’s arguments and held that, although issues of fact precluded entry of summary judgment for plaintiffs, the New Jersey statute could nonetheless be applicable in New York. Defendants’ arguments included almost every possible objection to the statutes’ application in New York. This case involved only New York parties, though plaintiff’s headquarters were in New Jersey and the conduct took place there. The court found that was sufficient to trigger the New Jersey statute. Defendants argued that, under a conflict of laws analysis, New York law should govern the action, but the Court noted that New York law was not substantively in conflict with the New Jersey statute and that, even if there were a conflict, New Jersey would have the greater interest in enforcement because the conduct took place there. Defendants also argued that the statutory language, which provides that an injured party “may sue the actor therefor in Superior Court,” limited the venue for actions under the statute to New Jersey Superior Court. The court rejected that argument as well, noting that the word “may” does not confer exclusive jurisdiction and citing New York and Supreme Court case law to the effect that any attempt by a state to create exclusive jurisdiction in its own courts for a substantive statutory rights would not be binding on the New York courts. Finally, Defendants argued that many of the documents at issue were actually client work files that belonged to the clients, or publicly available information that the plaintiff had released to the public in marketing surveys. Defendants therefore argued that the plaintiff lacked standing to bring their claims. The court found, however, that the fact that some of the documents might belong to other parties did not rob the plaintiff of standing to sue under the statute for the removal of documents (at least some of which it owned) from a computer system it concededly did own. Having rejected all of the defendants’ arguments as to both standing and extraterritorial application of the statute, the court found that the plaintiff’s statutory claims (along with claims based on New Jersey’s more general theft statute) could go forward. Growth of Statutory Claims There is no question that the use of computer intrusion statutes by employers in civil suits against faithless employees is a growing trend. New York currently lacks a civil statute, and the federal statute presents certain issues, particularly in proving damages, but the New Jersey statute is far broader. The major gap in traditional state tort actions occurs when employee’s conduct is plainly improper, but the state’s trade secret or confidential information jurisprudence (or the employee’s ability to cover his tracks) makes it difficult to fit that conduct into existing tort models. To the extent the New Jersey statute is adopted as a model elsewhere, it should provide additional protection to employers in those situations. Stephen M. Kramarsky , a member of Dewey Pegno & Kramarsky, focuses on complex intellectual property litigation. Endnotes: 1. No. 05870/2007, 19 Misc.3d 1136(A), 2008 WL 2150110 (N.Y. Sup. May 21, 2008). 2. 18 U.S.C. §1030. 3. See Diamond Power Int’l Inc. v. Davidson, Civil Action Nos. 1:04-CV-0091, 1:04-CV-1708 (RWS-CCH), 2007 WL 2904119 (N.D. Ga. Oct. 1, 2007) (collecting cases on both sides of the issue and recognizing that the narrow view is an outlier). 4. 440 F.3d 418, 420-21 (7th Cir. 2006). 5. No. 07 Civ. 2241(RO), 2007 WL 2618658, at *1 (S.D.N.Y. Sept. 5, 2007). 6. N.J. Rev. Stat. §2A: 38A-1 et seq. 7. 924 A.2d 517 (N.J. 2007). 8. No. 05870/2007, 19 Misc.3d 1136(A), 2008 WL 2150110 (N.Y. Sup. May 21, 2008).

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.