Previously, I have posted about non-compete agreements and the duty of loyalty for employees. Many times, businesses do not have written contracts to protect confidential and proprietary information from not only competitors and vendors, but also their own employees. Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.
Another method for attorneys to seek to protect their clients’ confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA). The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets. The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage. There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.
Recently, Peter J. Toren wrote an excellent article in the New York Law Journal where he detailed methods in which the CFAA might be useful for attorneys to protect client trade secrets and other confidential information. Peter listed the six factors necessary for proof of damages. Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization. Peter further provides some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access.
Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA. Lee’s post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA. Similar to Peter’s article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.
In Connecticut federal courts, the reported cases under CFAA, largely have been unsuccessful for a variety of reasons, many of which Peter’s article details. Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2004)) , while another case was dismissed because the facts were insufficient for unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 2009)). However, in a recent case, in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, and the CFAA. (Genworth Financial Wealth Mngmt. Inc., v. McMullan).
The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network. Of course, there are a series of factors that must be met before liability can be established. Some of these factors may not apply and eliminate the CFAA as a method of recovery as we have seen in several reported cases. However, the CFAA should be considered and evaluated in any case involving unauthorized access of confidential information through a computer system as it provides an additional basis for potential recovery. Also, advanced planning with sound internal policies might provide a business with a better chance of success under the CFAA.
I will do a post soon on another statute, Connecticut’s Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.