You may be familiar with the Computer Fraud and Abuse Act (CFAA) – a federal law that was intended to target hackers seeking access to protected computers (i.e., governmental or financial services industry computers) in order to access confidential information or to distribute worms or viruses. Since its enactment, however, the CFAA has been repeatedly amended to add greater protection for privately maintained computers and a private right of action for civil remedies, and to adapt the statute to the Internet age. As it reads today, the CFAA provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”
Until recently, many employers (and many courts) interpreted the CFAA to permit the United States government to criminally prosecute violations of the CFAA, which has obvious advantages for employers seeking to protect their confidential information.
Recently, however, the federal Court of Appeals covering a number of western states (including California) issued a decision in the case of US v. Nosal, and held that the “exceeds authorized access” provision of the CFAA should be read narrowly so as to be “limited to violations of restrictions on access to information, and not restrictions on its use.” This ruling represents a split from three other federal appellate courts in other parts of the country, and some have gone so far as to suggest that this decision gives a license to employees to steal from company computers.
What Should You Do In The Wake Of Nosal?
Even if the Nosal decision is not a license to steal, it has exposed a weakness in the CFAA in terms of its application. In most parts of the country you may continue to attempt to use the CFAA to address employees who have misused their employer’s computer information. But employers in all jurisdictions should consider that there are other – and perhaps better – ways to protect confidential business information that do not depend on the CFAA or a possible future clarification by the U.S. Supreme Court.
First, carefully consider which of your employees should have access to which information. Perhaps your manufacturing employees do not need to have access to your sales information. In such a case, you are well advised to use the different technical means that are available to segregate different categories of information so that access is limited to those with a “need to know.”
Second, consider other physical safeguards that restrict access to computerized information under circumstances that are relevant to your security regime, such as requiring your employees to use high-security passwords or to change passwords often.
Third, use comprehensive confidentiality agreements with all of your employees who have access to sensitive business information.
Fourth, it is important to have detailed computer use policies. These policies should be specific, clearly written, and enforced regularly and consistently so that your employees would be deemed to have fair notice as to what types of conduct are prohibited. Policies should specify that employees’ authorization to access company information and systems ends upon termination and that it is a violation of policy to assist a former employee in accessing information. Train supervisors on how policies should be interpreted and applied. Require employees to sign confirmations that they have reviewed and agreed to these policies, and maintain these confirmations in employees’ personnel files. Make these computer use policies easily accessible to your employees and regularly remind them about these policies.
Fifth, give appropriate notice and regularly monitor your employees’ computer usage for unusual usage patterns and any usage that may be in violation of your computer usage policy.
Sixth, where applicable, use enforceable, properly tailored and specific restrictive covenants in order to provide additional protection against your information landing in the hands of competitors.
The CFAA can still be a valuable tool for employers faced with employee theft of sensitive business information, even with the attention the Nosal case is getting due to its somewhat controversial decision. But the CFAA remains only one arrow in your quiver, and the other arrows mentioned above are equally, if not more, important.
This post is a summary version of a post that appeared on Troutman Sanders LLP’s Information Intersection blog. You may also be interested in reviewing the Westlaw Journal of Computer and Internet article (beginning on page 7 of the pdf) discussing the Nosal decision.