Follow Us on

Computer Fraud and Abuse Act Does Not Extend to Employees Taking Company Data


|

By Patricia Porter Kryder

Executives of search and placement agencies formed a new company in order to purchase the assets of another search and placement agency. Under the terms of an asset purchase agreement, the newly formed company purchased everything from goodwill, customer lists, post-closing accounts receivable, personal property as well as the selling company’s lease.  As part of the deal, the chief executive of the selling company was required to continue her participation in the business. She agreed to help the new company build its executive search business, and she agreed not to compete with the new company and to make reasonable efforts to induce clients to work with the new company.

The owners of the new company became suspicious when the chief executive failed to sign a single new account and engaged in efforts to verify she had not booked any revenue.  During these efforts, the owners discovered the chief executive had left her personal email account open on a company computer. Upon searching this personal email account, the owners found an array of emails allegedly showing the chief executive: (1) had been in contact with present and former clients; (2) had received fees from at least one client pursuant to an invoice marked with her initials; (3) had referred clients to a competitor, rather than retaining them for the new company; and (4) had discussed fee-sharing arrangements with competitors. In essence, these emails showed the chief executive was working with her competitors to steal business opportunities belonging to the new company, and to divert them to her competing enterprise.

The owners of the new company sued the chief executive under the CFAA, claiming she violated the statute by misappropriating the new company’s proprietary information, including client lists, which information they obtained either by (1) copying it to the chief executive’s personal laptop and sharing it with her competitors; (2) lifting it from the new company’s computers using a flash drive; and/or (3) obtaining it remotely via spyware for the purpose of using the information to advance their competing business.

The court considered whether the CFAA could apply to claims of misappropriation of computer data through taking by an employee.  In particular, the court analyzed whether such activity results in either a “loss” or “damage,” which is required to support a claim under the CFAA.  The court analyzed the definition of “loss” under the CFAA and found the statute is not intended to guard against misuse of proprietary information. The court reasoned “loss” is defined rather narrowly and is intended to compensate a company for either damage assessment, data recovery, or damages due to an interruption in service resulting from the alleged conduct. Courts have not extended this definition to include lost profits or other business damages typically associated with trade secret theft.

The court in this case joined several other district courts in determining simple theft of trade secrets or confidential information from a company’s computer or server is not sufficient to support a claim under the CFAA.  Often companies will seek to use the CFAA as a means to file a claim against a former employee in federal rather than state court when there is no other basis for a federal court’s jurisdiction.  More and more courts are rejecting this attempt to forum shop and requiring employers to pursue their former employees in state court under state theories of recover, such as violation of a statute protecting against the misappropriation of trade secrets and breach of an employee’s duty of loyalty.


 

Add comment


Security code
Refresh