Twas the night before Christmas, when all through the company;
A disgruntled employee kept saying “please jump with me.”
She was trying to line up a grand, mass departure;
Of which she was certain no one could outsmart her.

Her files had been copied, her clients all contacted;
She’d consulted a lawyer ‘bout things she had contracted.
He said that her covenants were quite overbroad;
Of this she was certain, they’d all be deemed flawed.

She proceeded to upload the secrets she’d learned;
On to flash drives, and emails and discs she had burned.
With not one regret, she reamed out her boss;
Quite sure she’d not erred, it would soon be his loss.

With eyes all upon her, out the door she receded;
Two colleagues joined with her, at least that's what she tweeted.
The office was stunned, and management surprised;
No one had foreseen that they’d soon be downsized.

“Let’s call up the lawyers. What options have we?
We’ll file a lawsuit, and then she will see!
Without our permission, our computers she hacked!
This must run afoul of the Computer Fraud & Abuse Act.”

“We must stop her now, her acts are illicit.
Without an injunction, our clients she’ll solicit.
And don’t forget the others who joined her, you see;
Together they formed a civil conspiracy.”

“Hold your horses," say the lawyers, "don’t get carried away.
Let’s pull out their contracts and see what they say.
But where are they kept? We’ve got piles and piles.
For sure they’ll be found in personnel files.”

“Let’s draft the complaint, and seek an injunction.
The defendants, you see, acted without compunction.”
The Court set a hearing, the plaintiff went first.
“Your Honor, it’s horrible, obscene and the worst!!”

“She’s taken our staff, our trade secrets, purloined;
She must be shut down, she must be enjoined!
In her contract she promised, she swore, she agreed.
The protections we seek are all guaranteed.”

“She may not solicit. It’s in simple prose.
She may not take secrets, or use or disclose.
But even without the help of contract;
Her conduct defies the trade secrets act.”

The lawyer sat down, feeling smart, feeling pleased;
The defense will be begging, they’ll get down on their knees.
So the court turned to the left where defense counsel sat;
And asked, “My dear sir, what do you say to that?”

“Your Honor, you see, they’ve got it all wrong.
Just hear me out, this won't take too long.
The data at issue are far from trade secrets.
You’ll find it in public, in brochures and on leaflets.”

“The contract is void, it lacks consideration.
And the covenants purport to cover the nation.
My clients, they acted at all times with great reason.
In contrast, the plaintiffs use contracts adhesion.”

Defense counsel sat, while the court thought about it;
Parsing through the arguments each party had spouted.
And finally the court was ready to rule;
To give its decision at this time of Yule.

“First let me address the non-compete clause;
Please wait ‘til I’m finished; please hold your applause.
The non-compete is too onerous, it’s unreasonable;
But I find that the covenants are quite severable.”

“Defendants have breached the clause nondisclosure;
Confidential information – indecent exposure.
And let’s not forget the non-solicitation;
That covenant is of reasonable duration.”

“So I’m going to issue a restraining order;
Please take this down, my dear court reporter;
A bond shall be posted at ten thousand dollars;

I say this to both parties and their legal scholars:

Explore resolution. Think how not to fight.
Merry Christmas to all, and to all a good night.”

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed

Lost Employee Productivity and Attorneys' Fees Also Count Toward "Loss" Required to Meet $5,000 Jurisdictional Requirement

An increasing number of courts have weighed in recently on whether the Computer Fraud & Abuse Act (“CFAA”) applies in the context of a faithless employee.  Despite this onslaught of decisions, there are still relatively few cases that delve into the details of what qualifies as a “loss” under the statute.  The definition matters because without a “loss” of $5,000 or more, employers (or anyone else) cannot bring a civil claim under the CFAA. 

In Animators At Law, Inc. v. Capital Legal Solutions, LLC, the U.S. District Court for the Eastern District of Virginia recently took on this issue and offered its view on whether an actual payment of money is required to establish a “loss.”  The Court also addressed whether bartered services, lost employee time, and attorneys’ fees may qualify.  The result is a decision that will make it easier to assert such claims if it is followed by other courts.  (A copy of the court’s decision is available in pdf format below.)

In Animators, an employer sued two former employees who allegedly took a laptop computer with them when they resigned.  The former employer, Animators At Law (“Animators”), hired a computer forensic firm to analyze the laptop computer after it was returned.  The overall investigation was spearheaded by Animators’ president and its outside counsel.

Animators sued the former employees and their new employer in federal court asserting a claim under the CFAA.  Animators sought to satisfy the $5,000 jurisdictional threshold in three ways.  First, it noted that the services performed by its computer forensic firm were valued at nearly $20,000.  Second, it argued that its president normally charges $300 per hour for his time as a consultant, and he spent in excess of 72 hours overseeing the investigation.  Third, Animators stated that its lawyer chimed in with an hourly rate of $445 for an additional $14,000. 

The defendants argued that Animators’ alleged “losses” did not qualify as the type of “loss” required by the CFAA.  First, with respect to the computer forensic fees, the defendants pointed out that Animators did not actually pay these fees.  Instead, in accordance with a “longstanding, ongoing business relationship,” Animators obtained the services of its computer forensic firm “in trade for other services” to be performed by Animators in the future.  The Court sided with Animators noting that “the CFAA does not require losses to be paid for in cash.”  According to the Court, “it would be passing strange for [the computer forensic firm] to spend more than sixty hours of time analyzing Animators’ data … without any expectation of compensation in some form….Thus, a jury could reasonably conclude that the costs of [the computer forensic firm’s] service were internalized by Animators and thus qualify as CFAA losses.”

Second, the defendants challenged Animators’ “loss” by arguing that the time spent by its president investigating the alleged violations should not count.  Relying on prior precedent, the Court noted that “‘many hours of valuable time away from day-to-day responsibilities” are contemplated within the CFAA’s definition of ‘loss.’” 

Finally, the defendants argued that the all of the fees incurred by Animators, including its attorney, were unreasonable.  On this point, the defendants made the most progress, but still were unable to persuade the Court.  Although the Court agreed that the CFAA “requires a plaintiff to prove that the losses in issue were reasonable,” it found that the amount of money that should be spent on an investigation is often easy to criticize in hindsight.  In the Court’s words:

[A]n investigation is often required to determine the cause and scope of a computer intrusion, and the financial impact of even a relatively narrow intrusion can be extensive.  In this case, had Animators’ confidential information about clients been compromised, Animators might well have had to address the security breach on a client-by-client basis, potentially adversely affecting Animators’ business activities….A jury…may reasonably conclude that, in light of this risk, Animators acted reasonably….In the end, Animators’ investigation may disclose that no files were compromised….  Yet, hindsight must not guide such an analysis of whether such actions were reasonably necessary in response to a CFAA violation; instead, as with any reasonableness inquiry, the analysis should focus on whether reasonable prudence was exercised in light of the risks and circumstances presented.

The Court summed up its decision by stating: “[P]erpetrators of unauthorized access should foresee that their actions may result in significant investigations and costs far exceeding the actual damage to the system.”

If other courts fall in line with this opinion from the Eastern District of Virginia, it will be easier for aggrieved parties to assert civil CFAA claims.  Between lost employee productivity and attorneys’ fees, the $5,000 jurisdictional threshold is likely to be established quite easily.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

Animators at Law v Capital Legal Solutions.pdf (685.45 kb)

The difference between having a trade secret and not can come down to the steps that a company takes to protect its secrets.  The Uniform Trade Secrets Act, a version of which has been adopted in 46 states, provides that information qualifies for trade secret protection only if the owner takes steps that are reasonable under the circumstances to protect its secrecy.  Employers commonly take the obvious steps to protect their trade secrets – for example, requiring employees to sign confidentiality agreements or restrictive covenants, implementing electronic controls; and let’s not forget sending demand letters and threatening litigation.  These steps are obvious and therefore widely observed.  But what about proactive monitoring?  If you have a trade secret, you ought to keep an eye and ear out to make sure it’s not being used or disclosed.  But, be careful; doing so is not without its risks.

With recent (and not so recent) advances in technology, employers have substantial means at their disposal to monitor their employees’ conduct and communications.  Available options range from reviewing employees’ email communications and computer usage to monitoring telephone discussions.  In general, these tactics are lawful unless specifically prohibited by statute or the employee has a reasonable expectation of privacy under the circumstances. 

Surveillance of Employee Email

The Electronic Communications Privacy Act, 18 U.S.C. § 2510 (“ECPA”) was originally enacted to address the interception of wire, oral and electronic communications.  The statute was specifically amended to cover email communications. Under the ECPA, electronic communications may be intercepted with the consent of one party to the communication, or under certain conditions, by a service provider if necessary incident to the provision of the service or to protect the provider’s rights and property.  Some courts have held that a “service provider” includes an employer who provides email access to its employees.  The “service provider” exception becomes even stronger if the employer is monitoring emails once they are in storage (as opposed to during transmission) because such communications are subject to Title II of the ECPA, known as the Stored Communications Act (“SCA”). 

Despite these employer friendly exceptions under the ECPA/SCA, employers can make life easier for themselves by obtaining the express written acknowledgment and consent of employees.  To this end, employers should provide employees with clear and simply written policies noting the employer’s right to monitor all employee communications that involve the use of employer-provided technology.  It is a good idea to require employees to sign a written statement that they have been advised of the employer’s right to monitor communications.  Employers might even consider providing employees with electronic notification of these rights that requires employees to manually acknowledge receipt of the employer’s policy and understanding of its content through the clicking of certain boxes on screen.  Posting open and conspicuous notices throughout the work area will likewise serve to establish that employees lacked a reasonable expectation of privacy in their electronic communications.  (While you are at it, a well written policy may make the difference between having and not having a claim under the Computer Fraud & Abuse Act.)

Monitoring Use of Computers

Employers often provide employees with computers to use for work purposes that are capable of accessing workplace computer networks via direct and/or remote internet access.  Employees commonly can access the internet from workplace computers enabling them to receive and transmit information related to the employer’s business.  Employers should reserve, and just as importantly, employers should exercise, the right to monitor employees’ activities on these networks and via the internet.  The need to do so is heightened when there is cause to believe an employee has engaged in misconduct.  As with email communications, it is prudent to unambiguously advise employees that their activities are subject to monitoring, and to require their express acknowledgment.

Surveillance of Telephone Communications

Interception of telephone communications is yet another way to monitor the use and potential misuse of your trade secrets, but it is here that the ECPA has great potential to apply.   The ECPA generally prohibits interception of telephone calls, but a number of notable exceptions leave employers well positioned to monitor such calls.  The most notable includes interception with prior consent.  Consequently, if an employer intends to monitor telephone calls, the strongest form of consent is express consent.  Consequently, the best practice requires that employees should be informed and their consent obtained in writing.  This will leave little room to doubt whether employees had a reasonable expectation of privacy in their communications.  As noted below, some state laws require consent of all parties to the communication.  For this reason, we have all heard at one time or another the prerecorded message that “this call may be recorded for quality assurance purposes.”  In the absence of express written consent, other exceptions may apply.  Consult your counsel for details.

A Final Thought

As noted at the beginning of this article, employers are generally free to monitor their employees unless specifically prohibited by statute.  Federal statutes such as the National Labor Relations Act (NLRA) and the Labor Management Relations Act (LMRA) impose significant restrictions on employers’ abilities to monitor the union organizing activities of employees.  In addition, the ECPA does not preempt more stringent state laws, and accordingly, many states offer greater protection.  For example, California, Delaware, Florida, Massachusetts, and Pennsylvania are a handful of the many states that require “two-party consent” before an employer can intercept or record a telephone call in real time.  Similarly, Delaware and Connecticut have enacted statutes that address email monitoring.  Consequently, employers operating in multiple states or communicating with third parties from other states are wise to consider state law.

The bottom line?  If you have a trade secret, proactive monitoring of employees to protect your trade secret rights is worthwhile, but not without risks.  Consult your counsel and come up with a plan that balances your need to police use and disclosure of your trade secret, on the one hand, with the statutory rights and reasonable privacy expectations of your employees, on the other hand. 

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

Time and time again, this blog has outlined the ongoing debate in the courts over whether the federal Computer Fraud & Abuse Act (“CFAA”) applies in the context of departing employees.  Namely, federal courts differ over whether the CFAA applies when an employee is accused of misappropriating his or her employer’s confidential information or trade secrets by means of the employer’s computer, to which the employee had authorized access as a result of his or her employment.  A recent opinion by the United States Court of Appeals for the Eleventh Circuit may be seen by some as adding to debate.  

In United States v. Roberto Rodriguez, the 11th Circuit took on the question of whether an employee “exceeds authorized access” under the CFAA by accessing information on a computer in a manner contrary to an employer’s policies.  Rodriguez is a former employee of the Social Security Administration (“SSA”).  The SSA established a policy that prohibits employees from obtaining information from its databases without a business reason.  The SSA notified employees of this policy through training sessions, notices published in the office, and banners that appear on computer screens daily.  Employees were also required to sign forms annually acknowledging the policy.

In apparent disregard of this policy, Rodriguez was accused of repeatedly using SSA databases to obtain personal information concerning people he knew, including women in whom he had romantic interests.  On one occasion, Rodriguez sent flowers on Valentine’s Day to a woman he had met that had not given him her address.  He later arrived at her doorstep uninvited.  Some time later, he called to wish her a happy “half-birthday” even though she had not shared her birthday with him.  He also accessed SSA databases to obtain information concerning several other women he met and to obtain information concerning their family members. 

Rodriguez was charged and later convicted of criminally violating the CFAA by “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any department or agency of the United States.”  18 U.S.C. § 1030(a)(2)(B).  Although this case involves a criminal indictment and prosecution, it is instructive in civil cases because the 11th Circuit’s decision revolves around an element commonly at issue in civil claims; namely, what it means to access a computer in excess of one’s authority.

Rodriguez argued that he did not violate the CFAA because he accessed only databases that he was authorized to access as an employee of the SSA.  The 11th Circuit found “his argument ignores both the law and the record.”  The Court explained:

“The Act defines the phrase ‘exceeds authorized access’ as ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.’  The policy of the [Social Security] Administration is that use of databases to obtain personal information is authorized only when done for business reasons.  Rodriguez conceded at trial that his access of the victims’ personal information was not in furtherance of his duties as a TeleServices representative and that ‘he did access things that were unauthorized.’  In light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.’”

In its decision, the 11th Circuit stated that its opinion was not at odds with the Ninth Circuit’s decision in LVRC Holdings v. Brekka because Brekka could be distinguished: “Brekka is distinguishable because the Administration told Rodriguez that he was not authorized to obtain personal information for nonbusiness reasons.”  Although this is an accurate observation, a California court recently cited Brekka in support of its decision rejecting an employer’s CFAA claim even though the employer argued that the employee accessed information in a manner contrary to company policy.  See prior post Computer Fraud & Abuse Act: Court Rejects Argument That Employer's Corporate Policies Can Make Employee Access "Unauthorized" Under the CFAA.

After the 11th Circuit’s opinion in Rodriguez, one thing remains clear:  employers and employees will continue to interpret and apply the CFAA differently.  A copy of the 11th Circuit's decision in U.S. v. Rodriguez is available in pdf format below.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or subscribe to this blog's RSS feed.

US v. Rodriguez.pdf (88.81 kb)

1. Texas Supreme Court Decision: Can Money Serve as Consideration for a Non-Compete?

In April of 2010, the Texas Supreme Court agreed to review an appellate court decision that will require the Court to answer the following question: Can money serve as consideration for a non-compete?  In Marsh USA v. Cook, a high level employee received stock options in exchange for a signing a non-compete.  After the employee left, the employer attempted to enforce his restrictive covenants and failed.  Why?  In simple terms, Texas has a statute governing non-compete agreements.  The statute says restrictive covenants must be ancillary to an otherwise enforceable agreement at the time the agreement is made, and the otherwise enforceable agreement must give rise to the need for protection.  What does that mean?  It seems a lot of courts and lawyers in Texas have been asking the same question.  For example, suppose an employer promises to provide an employee with confidential customer information, but requires the employee to agree not to solicit clients.  Various Texas cases find this to satisfy statutory requirements.  The employer has made “an otherwise enforceable agreement” – an agreement in which it obligates itself to provide the employee with confidential information – and at the time the agreement is made, the employee executes a restrictive covenant that is ancillary to the "otherwise enforceable agreement" which gives rise to the need for protection.  In Marsh USA, the employee argued that providing stock options did not give rise to a need for a restrictive covenant.  In response, Marsh argued that such a holding is hostile to economic development and that employers should be able to protect goodwill that exists in the form of customers relationships.  The Texas Supreme Court accepted the case in early April 2010.  Perhaps a decision will be issued in 2011.

2. California Clarity on Trade Secrets Exception  

In 2008, the California Supreme Court addressed the ‘narrow restraint’ exception to enforcement of non-competes in California.  Specifically, in Edwards v. Arthur Andersen LLP, the California Supreme Court rejected the argument that California’s statutory proscription on non-competes only applies to restraints that totally prohibit an employee from engaging in his or her profession.  Prior to Edwards, some courts held that a restrictive covenant was permitted if it contained a mere limitation on an employee’s ability to compete.  The Court expressly stopped short of addressing the validity of what it termed the “so-called trade secret exception” in which California courts permit contractual restrictions that are “necessary to protect an employers’ trade secrets.”  Look for California appellate courts to address this ongoing issue in 2011.

3. Computer Fraud & Abuse Act: A Split Among the Circuits

In recent years, there has been an ongoing debate within the judiciary over whether the federal Computer Fraud & Abuse Act applies in the context of a faithless employee. Namely, some federal courts question whether the CFAA applies to a faithless employee’s misappropriation of his or her employer’s confidential information or trade secrets by means of the employer’s computer, to which the employee had authorized access as a result of his or her employment.  On this legal issue, there is a continuum of interpretations of the CFAA within the federal judiciary.  Some district and appellate courts hold that the CFAA gives employers a federal cause of action against their disloyal departing employees, in what has been perceived as a pro-employer interpretation.  On the other end of this continuum are what would appear to be employee-favorable opinions holding that the CFAA does not create such a right in employers.  As the federal circuits line up on each side of this issue, it is reasonable to assume the issue will be pressed on appeal at some point.  2011 seems as good of a time as any to do so.

4. Non-Compete Legislation to Resurface in Massachusetts 

Much was written about the non-compete bill working its way through the Massachusetts legislature in 2010.  In March of 2010, the bill was favorably reported out of committee and, on May 25, 2010, it was submitted to the Judiciary Committee for its consideration. Later in the year, it was attached to an economic development bill, and then removed.  Look for the bill to be reintroduced in 2011.

5. Social Media Issues Gain Traction 

In a sobering reminder that online social media is changing the way many companies do business in unforeseen ways, a federal court shot down an employer's trade secret claim in 2010 based largely upon the availability of information via the internet.  In Sasqua Group, Inc. v. Courtney, a magistrate judge for the United States District Court for the Eastern District of New York held that although an employer's customer list may have been a trade secret years ago, "the exponential proliferation of information made available through full-blown use of the Internet [presents] a different story."  The district court subsequently adopted and approved the magistrate's lengthy and detailed opinion.  Others have debated the extent to which non-solicitation agreements and other restrictive covenants apply to conduct undertaken by employees through online social media, such as post-employment communications with clients through sites such as LinkedIn.  As online social media spreads in popularity and usage, look for more and more courts (and commentators) to address this interesting issue.

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or subscribe to this blog's RSS feed.
 

No sooner than we posted last week’s blog regarding the dismissal of the United States’ Computer Fraud and Abuse Act (“CFAA”) claims against Sergey Aleynikov in the Goldman Sachs’ high-frequency trading code criminal prosecution, a California federal district court issued a similar noteworthy opinion dismissing CFAA claims against an employee who was accused by his former employer of using the employer’s computer systems to misappropriate trade secrets and confidential information.  Accenture, LLP v. Sidhu,  No. C10-2977-TEH (N.D. Cal., Nov. 9, 2010).  A pdf copy of the Court's opinion is available below.

As readers of this blog know well by now, the CFAA provides a federal, private right of action against any person who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value… .”  18 U.S.C. § 1030(a)(4). 

There is a division within the federal judiciary over whether the CFAA applies to a faithless employee’s misappropriation of his or her employer’s confidential information or trade secrets by means of the employer’s computer, to which the employee had authorized access as a result of his or her employment.  On this legal issue, there is a continuum of interpretations of the CFAA within the federal judiciary.  Some district and appellate courts hold that the CFAA gives employers a federal cause of action against their disloyal departing employees, in what has been perceived as a pro-employer interpretation.  On the other end of this continuum are what would appear to be employee-centric opinions holding that the CFAA does not create such a right in employers.  (Some bloggers, such as our respected colleague, Marc Dobin of Jupiter, Florida openly advocate for the employee centric view.)

Along the continuum of decisions, the Sidhu opinion is more employee-centric, and several aspects of the court’s analysis support this perception.  Sidhu was an employee of Accenture.  Accenture alleges that during an extended medical leave, Sidhu started working for HCL, Accenture's direct competitor.  However, Accenture contends that for the duration of Sidhu's medical leave, Accenture made available to Sidhu its secure online network containing confidential and proprietary information.  According to Accenture, Sidhu downloaded more than 900 documents from Accenture’s proprietary computer KX system while on medical leave and, notably, after he began working for HCL.  Accenture had two company-wide corporate policies that were relevant to its CFAA claims: first, a policy that prohibited employees from transmitting work documents to their personal computers and, second, a policy that prohibited dual-employment.  As is often true in these types of cases, the ultimate facts are likely to be hotly contested.

After Accenture filed suit, Sidhu filed a motion to dismiss, and  the court dismissed Accenture’s CFAA claims.  The court’s analysis was grounded in LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), where an appellate court held that “an employer gives an employee ‘authorization’ to access a company computer when the employer gives the employee permission to use it.”  Brekka, 581 F.3d at 1133.  Under the CFAA, the phrase “exceeds authorized access … means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  18 U.S.C. § 1030(e)(6).  This statutory definition “implies that an employee can violate employer-placed limits on accessing information stored on the computer and still have authorization to access that computer,” the Brekka court observed.  Brekka, 581 F.3d at 1135.  As the court reasoned, an individual only “exceeds authorized access” if he has permission to access a portion of the computer system but uses that access to “obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter.” 

In holding that Sidhu was given access to Accenture’s computers by Accenture, the court rejected Accenture’s arguments that it limited Sidhu’s access through its corporate policies.  First, Accenture argued that it implemented policies that prohibited its employees from transferring documents from work computers to personal computers. Sidhu, at * 9-10.  “[A]ccess is not established by employers’ policies, but by the extent the employer makes the computer system available to the employee,” the court concluded.  Id. at *10. 

Also rejected by the court was a variant of the agency theory of the CFAA’s access provision.  Under this theory, an employee is an agent of his or her employer.  Such agents are authorized to access their employers’ computer systems as long as the agents are loyal.  However, as soon as the employee undertakes a disloyal act – such as misappropriating trade secrets or confidential information in order to compete against the employer – the agency is terminated.  Under this theory, the disloyal employee would be unauthorizedly accessing his or her employer’s computer systems.

The variant of the agency theory argued by Accenture emphasized its policy that prohibited dual employment.  During Sidhu’s medical leave, Accenture argued, Sidhu lied to Accenture’s human resources and began working for Accenture’s competitor.  Given these allegations, and under the agency theory, Sidhu’s access to Accenture’s computer system was unauthorized, according to Accenture.  This argument was rejected by the court as an attempt to “incorporat[e] corporate policy into the substance of the CFAA,” the court held.  Id. at *11.  “Whether Sidhu was deceptive, and whether he would have been fired pursuant to Accenture’s Dual Employment Policy had Accenture learned of his deception, are irrelevant.’  Id. at * 12.

These explicit rejections of an employer’s attempt to restrict access to its computers through corporate policies crystallizes the importance of taking concrete steps in order to limit employee access to trade secrets and confidential information residing on an employer’s computer systems.  Under the reasoning employed in Sidhu, simply saying that an employee may not access information under certain circumstances may not be enough.

Brent Cossrow is a member of Fisher & Phillips' Employee Defection & Trade Secrets Practice Group.  Mr. Cossrow's practice focuses on e-discovery and other electronically stored information issues.  As always, please feel free to share your thoughts and questions in the comment space below.

Accenture v. Sidhu.pdf (81.92 kb)

A few days ago, this blog reported on two recent noncompete cases in which former employers have asserted RICO claims against departing employees.  (Click here to see that post.)  Previously, we have also commented on Computer Fraud & Abuse Act claims in similar contexts.  It is the rare case, however, that involves claims under both statutes by employers against a departing employee.  A few days ago, U.S. District Judge Colleen McMahon dismissed a CFAA claim in just such a case, and she hinted that a dismissal of the RICO claim could soon follow.  Shortly thereafter, the plaintiff voluntarily dismissed the action reserving its right to pursue its claims in arbitration or state court.

The suit began in May, 2010, when legal recruiting firm Major, Lindsey & Africa filed a complaint against a former Managing Director, Sharon Mahn.  Until recently, it was difficult to piece together the allegations because the complaint was sealed by the court, but the recent decision granting Mahn’s motion to dismiss the CFAA claim sheds some light on MLA’s claims. 

According to the court, MLA alleged that Mahn disclosed confidential information, which she obtained from MLA’s computers, to a few of its competitors.  This was purportedly done in violation of the confidentiality provisions in Mahn’s employment agreement, but MLA filed in federal court basing jurisdiction in part on the CFAA.  Simply stated, the CFAA makes it unlawful for a person to access a protected computer “without authorization” or “in excess of one’s authorization” to obtain something of value or to impair the integrity of data.  Some courts hold that an employee acts “without authorization” or “exceeds authorization” if an employee is accessing information for purposes contrary to his or her employment.  Other courts note that the statute’s legislative history suggests Congress enacted the statute simply to address computer hacking, and not to provide employers with a remedy against faithless employees.  Judge McMahon agreed with the latter school of thought, but noted that a conclusion to the contrary is not “implausible.”

Dismissing the CFAA claim, Judge McMahon noted that continuing federal jurisdiction was dependent upon the survival of MLA’s RICO claim.  In this respect, her comments took on a more colorful tone.  “This Court has ample experience with the assertion of bogus RICO claims for the purpose of (1) obtaining federal jurisdiction over an action that belongs in the state courts, and/or (2) extracting a coercive settlement due to the in terrorem nature of labeling someone a racketeer.”  She continued, “I frankly have no interest in retaining a case in which it appears that federal charges have been trumped up in order to avoid litigating what are essentially state and common law claims in [state] court.”  Against this backdrop, Judge McMahon stated that she would not permit discovery to proceed until MLA supplemented its “thermonuclear” allegations with a RICO case statement and Mahn (along with the other defendants) has an opportunity to file a motion to dismiss.  Whether the RICO claims would have survived will never be known.  In the face of this ruling, MLA dismissed its federal court claims. 

For a copy of the order dismissing MLA’s CFAA claim, click on the pdf file below.

Order Granting Motion to Dismiss CFAA Claim.pdf (130.14 kb)

Since the addition of civil remedies in 1994, the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), has evolved into a potentially powerful claim in the departing employee context.  In addition to the often-included claims for breach of restrictive covenant, misappropriation of trade secrets and/or unfair competition, CFAA claims are being alleged against more and more employees who transfer employment to a competitive firm.  The likelihood of success on CFAA claims against departing employees, however, varies by jurisdiction.  Recently, numerous courts have debated, and issued divergent rulings, on the enforceability of CFAA claims against departing employees.

The debate surrounding the application of CFAA claims against departing employees often focuses on the statute’s “without authorization” or “in excess of one’s authorization” requirement.  In 2000, the United States District Court for the Western District of Washington issued a ruling holding that an employee’s “authorization” to access his or her employer’s computer systems ends when the employee begins to act as another employer’s agent.  See Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 199 F. Supp. 2d 1121 (W.D. Wash. 2000) (“the authority of an agent terminates if, without knowledge of the principal, he acquired adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal”).  Subsequent to the Shurgard opinion, two distinct schools of thought on the CFAA’s “authorization” requirement have emerged.  The majority of courts considering the issue, including the First and Seventh Circuit Courts of Appeal, have followed the Shurgard Court’s analysis, holding that an employee exceeds the scope of his or her authorized access to an employer’s computer systems by acting for a purpose against the employer’s best interests, acting for a competitive purpose and/or acting as someone else’s agent – even if such action takes place when the employee is still employed and technically has “authorization” to utilize the company’s computer systems.  See EF Cultural Travel BV, EF v. Explorica, Inc., 274 F.3d 577 (1^st Cir. 2001); International Airport Centers, LLC v. Citrin, 440 F. 3d 418 (7^th Cir. 2006).  Numerous district courts have accepted this legal theory, concluding that if an employee breaches his or her duty of loyalty to an employer, the employee’s authorization to access the employer’s computer systems terminates and subsequent access may gives rise to a CFAA violation.  See, e.g., Caylon v. Mizuho Securities USA, Inc., No. 07-Civ. 2241, 2007 U.S. Dist. LEXIS (S.D.N.Y. Sept. 5, 2007) (“the plain language of the [CFAA] seems to contemplate that, whatever else, ‘without access’ and ‘exceed authorized access’ would include an employee who is accessing documents on a computer system which that employee had to know was in contravention of the wishes and interests of his employer”); Hub Group, Inc. v. Clancy, No. 05-2046, 2006 WL 208684 (E.D. Pa. Jan. 25, 2006) (finding the employee exceeded the scope of his authorization into his employer’s electronic database of customer information by taking the employer’s information for use at a competitive company).

The diverging school of thought on the CFAA’s “authorization” requirement believes that the statute was enacted to protect against the unauthorized access (i.e. procurement or alteration) of computerized information – not to protect against any subsequent use or misuse of information.  The Ninth Circuit Court of Appeals, in analyzing the CFAA’s “authorization” requirement, has held that if an employee accesses his or her employer’s computer systems during employment and, therefore, with the employer’s authorization, subsequent disloyal treatment of the information accessed does not give rise to a CFAA violation.  See LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9^th Cir. 2009).  A recent decision from the United States District Court for the Western District of Pennsylvania, Consulting Professional Resources, Inc. v. Concise Technologies LLC, Civ. A. No. 09-1201, 2010 WL 1337723 (W.D. Pa., Mar. 9, 2010), follows the Brekka Court’s analysis, dismissing an employer's CFAA claim against a departing employee and stating: “[t]his court likewise declines to construe the CFAA by reliance upon agency principles where the defendant's intent governs whether the access was without authorization or exceeded authorized access.” 

It does not appear that this debate regarding the CFAA’s “authorization” requirement will be resolved any time soon.  As recently as May 27, 2010, a Motion to Dismiss was filed in the United States District Court for the Southern District of New York based, in part, on an argument that the reach of the CFAA does not extend to instances where the employee was authorized to access the information he later transferred and utilized to the detriment of his former employer.  See Aon Risk Services Northeast Inc. v. Kornblau et al., Case No. 10-cv-2244(RMB)(JCF) (Document 31).  If the Aon Court accepts the former employer’s arguments regarding the CFAA’s authorization requirement, the decision would represent another rejection of the enforcement-friendly agency theory of departing employee violations of the CFAA that was the basis of the opinions Shurgard, EF Cultural Travel and Citrin.  Stayed tuned to further blog updates regarding the Aon Court’s decision and further debate among the district courts regarding the CFAA’s “authorization” requirement.

            The Computer Fraud & Abuse Act, 18 U.S.C. § 1030 (“CFAA”), since its amendment in 1994 to include civil provisions, has become a potentially powerful tool that employers can use against departing employees and their new employers.  The civil provisions of the CFAA create a private right of action against those who wrongfully access, or exceed their authorized access, to a protected computer (as defined by the CFAA to includes computers used in interstate or foreign commerce or communication), thereby causing the requisite damage or loss. 

Applicable Provisions of the CFAA

The CFAA includes seven distinct offenses, set forth in section 1030(a)(1) through (a)(7).  The sections most relevant to a potential claim by an employer related to departing employee misconduct or unfair competition are set forth at: 18 U.S.C. 1030(a)(2)(C) (unlawful to intentionally access a protected computer without authorization or in excess of one’s authorization and thereby obtain information); 18 U.S.C. 1030(a)(4) (unlawful to knowingly, and with the intent to defraud, access a protected computer without authorization or in excess of one’s authorization, and by means of such conduct further the intended fraud and obtain anything of value); 18 U.S.C. 1030(a)(5)(A)(i) (unlawful to knowingly cause the transmission of information, and as a result of such conduct, intentionally cause damage without authorization); and 18 U.S.C. 1030(a)(5)(A)(ii)-(iii) (unlawful to intentionally access a protected computer without authorization, or in excess of one’s authorization, and as a result of such conduct, cause damage or recklessly cause damage).

In addition to fitting within one of the sections outlined above, an employer attempting to assert a claim under the CFAA must also consider Section 1030(g), which requires that the conduct complained of must involve a “loss to one or more persons during a 1-year period . . . aggregating at least $5,000 in value.”

Courts analyzing the CFAA requirements as outlined above have focused on two main hurdles facing employers who attempt to assert CFAA claims against departing employees: (1) establishing that the employee accessed the computer without authorization or in excess of the employee’s authorized access; and (2) establishing that the employer sustained a loss aggregating at least $5,000 in value.

“Authorization” Requirement

An employer’s best argument that a departed employee accessed its computer system without authorization or in excess of the employee’s authorized access is that the employee’s authorization ended the very moment that the employee began acting as a agent for someone else or began acting against the employer’s best interest.  Numerous courts have held that once an employee breaches his or her duty of loyalty to the employer, including by operating in competition with the employer, the employee’s authorization to access the employer’s computer systems terminates.  See, e.g., Hub Group, Inc. v. Clancy, No. 05-2046, 2006 WL 208684 (E.D. Pa. Jan. 25, 2006) (employee exceeds the scope of his authorization into his employer’s electronic database of customer information by taking the employer’s information for use at a competitive company).  It is important, however, for employers to know the current state of the law in the jurisdiction where they are seeking to assert a CFAA claim against a departing employee.  Recently, some courts have held that an employee does not act without authorization or in excess of his or her authorized access under the CFAA by accessing the employer’s computer systems during employment – even if the employee subsequently uses the accessed information to compete with the employer.  See LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9^th Cir. 2009) (holding that disloyal treatment of information accessed by an employee during employment does not give rise to a CFAA violation).

“Loss” Requirement

With regard to the “loss” requirement of the CFAA, it is clear that certain expenses – including amounts expended in responding to an unauthorized access or “re-securing” the computer system, salaries paid to individuals for time spent fixing computer problems, and costs associated with hiring consultants to evaluate the integrity of the computer system – may be counted in reaching the $5,000 “loss” threshold.  Courts differ, however, on whether employers can count a loss of business or loss of clients toward meeting the $5,000 “loss” threshold.  Again, employers need to review the state of the law in the jurisdiction where they plan to allege a CFAA violation against a departed employee in order to evaluate their ability to prove the requisite loss under the statute.

Potential Benefits of CFAA Claims

If an employer is able to meet the CFAA’s requirements and successfully assert a claim against a departed employee, there are certain benefits to asserting a claim under the Act.  For example, because the CFAA is a federal statute, it provides a basis for federal jurisdiction and thereby expands the choice of forums presented to a potential plaintiff.   In addition, the CFAA does not require a showing that the information accessed by the employee is confidential or proprietary in nature.  Thus, an employer may be entitled to injunctive relief under the CFAA even where a claim for misappropriation of trade secrets may fail based on the alleged confidential status of the information at issue.

In sum, in addition to the often-included claims for breach of restrictive covenant, misappropriation of trade secrets and/or unfair competition in the departing employee context, employers should also consider whether they have a claim under the CFAA.  Although the CFAA is a complicated statute, an employer who is able to evaluate and properly state a claim under the CFAA benefits by adding a powerful tool to its arsenal against defecting employees.

You are the Assistant General Counsel for Employment with a national company and just learned that the Branch Manager and the entire sales team from your Kansas City branch office have jumped ship and joined your largest competitor.  The Branch Manager attended all of your strategic planning meetings in late 2009, which led to the roll-out of your company’s 2010 marketing plan.  The sales reps control four of the company’s ten biggest accounts, and already you have heard that they are calling your customers.  Your Regional Vice President’s first reaction:  "let’s go after them."  But HR reminds you that all these employees were from the company that you acquired a few years back – the one that didn’t have any of its employees sign non-competes.  So now you are asked, “what can we do when we don’t have a contract?” 

Well … you are not necessarily out of luck.  Here are some of the key claims to consider:

Misappropriation of trade secrets.  For sales employees, the key question is whether your customer list can qualify as a trade secret.  It may qualify if it is a “retail” list of individuals.  Their names may be in the phone book, but of course the phone book doesn't have any cross reference that identifies names might be your customers.  But if your customer base is “institutional” -- well-known companies that obviously would need your product, such as if you sell windshield glass auto manufacturers – your list is easy to figure out and probably isn’t secret enough to qualify.  Compare, for example, Merrill Lynch v. Zimmerman, 1996 WL 707107 (D. Kan. 1996) (retail stockbrokerage customer list is a trade secret) with Reed, Roberts Assocs. v. Strauman, 353 N.E.2d 590 (N.Y. 1976) (customer list not a trade secret; plaintiff’s consulting business advised companies on unemployment compensation and workers compensation issues).  Even if your customer list is not a secret by itself, additional data about customers, such as sales history, preferences, and the like, may qualify, if you can prove it meets the common law or statutory standards.  See, e.g., Zoecon Corp. v. American Stockman Tag Co., 713 F.2d 1174 (5^th Cir. 1983) (in this case, trade secret customer information included “type and color” of items purchased, “date of purchase,” “amount purchased,” as well as names and addresses of otherwise obvious purchasers of livestock ear tags).

The Branch Manager has knowledge of marketing and business information.  You may be able to argue that the information he learned during your strategic planning qualifies as a trade secret.  See, e.g., PepsiCo, Inc. v. Redmond, 54 F.3d 1262 (7^th Cir. 1995).  The question is whether it has been kept secret, or is it now obvious because you rolled out the plan?

What kind of relief can you get on a trade secrets claim?  Listed from easiest to obtain, to hardest, you may be able to get:  (1) non-disclosure – an order prohibiting the employees from disclosing information; (2) return of information – requiring them to return it; (3) non-use -- an order prohibiting the competitive use of the information; (4) non-solicit – prohibiting them from soliciting trade secret customers; and (5) non-compete – prohibiting them from working for your competitor.  The non-compete order relies on a theory of "inevitable disclosure" of the trade secrets.  Such relief is hard to get, and in some states is completely unavailable.  Where available, it usually requires evidence that the employee cannot be trusted, and that lesser relief is inadequate. 

Breach of duty of loyalty:  This focuses on pre-resignation conduct.  Before they resigned, did they:  (a) solicit customers; (b) recruit employees; or (c) divert business opportunities?  Soliciting customers and putting a business opportunity in the “back pocket” to pursue at their new place are both out of bounds.  Some discussions with employees may be okay, but in certain jurisdictions managers may not solicit underlings to follow them to their new company.  This sometimes boils down to a question of whether communication about the new jobs constituted "solicitation" or something less. 

Unfair competition / raiding:  Unfair competition or “raiding” tends to be an “I know it when I see it” type of claim.  This vagueness is both an asset and impediment.  The claim is elastic enough to use it in unusual situations, but its vagueness also makes it difficult to assess its chances of success.  In most instances, you'll have to prove “malice”:  an intent by the hiring firm to harm your business, rather than just an intent to help their own business by adding talent. 

Computer Fraud & Abuse Act, 18 U.S.C. § 1030:  Under the CFAA, you must prove (a) the employees either fraudulently or "intentionally" accessed your computers; (b) they did so without authorization or exceeding the scope of their authorized access; and (c) that they caused damage.  Did they go into your computer and take information, such as customer lists or business data?  If so, you may have a claim, although the decisions are far from unanimous in applying the CFAA to departing employee cases (including differing interpretations of what constitutes "damage").  Advantages of a CFAA claim:  (a) no need to prove the information was secret; and (b) no need to prove “malice.”  See, e.g., Shurgard Storage Centers, Inc. v. Safeguard Self-Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000).  But see Condux Int'l Inc. v. Hangum, 2008 US Dist. LEXIS 100949 (D. Minn 2008).  There also are special provisions in the Act that apply in a medical or financial business context.  For further discussion, see Heather Steele's blog entry: "Establishing the 'Without Authorization' Element under the Computer Fraud & Abuse Act".  

Civil conspiracy:  This is an option for multiple employee departures.  Generally, co-conspirators may be held liable for all violations of each conspirator, but there must be an underlying and independelty actionable improper act by one of the conspirators.  This works well with tort claims such as trade secrets or duty of loyalty, and may apply with statutory claims such as the CFAA.  In certain states, it may even work where some employees have contracts and others don’t – you may be able to bind them all to the contracts if they all are conspiring to violate.  See, e.g., Catercorp, Inc. v. Catering Concepts, Inc., 431 S.E.2d 277, 282 (Va. 1993).  Other states don't recognize claims for conspiracy to breach a contract.     

So, there may be some things you can do, even without a contract.  To enhance your position, consider taking these steps now:

• Get contracts:  sign employees up if you acquire a company that did not use them.  Consider whether you should roll out contracts if your company is not using them yet. 
• Protect your information:  to help establish trade secret status you can use non-disclosure agreements; build computer system firewalls; remind employees of confidentiality (in manuals, log-in screens, memos, bulletin board postings); and limit access to files, lead lists, and other sensitive data. 
• Monitor computer activity:  make sure you can determine -- quickly -- if someone accessed or removed information via computer prior to their departure.