The federal Computer Fraud and Abuse Act (“Act”), 18 U.S.C. § 1030, gives employers a helpful tool to use against former employees who wrongfully use information from the employer’s computer system to assist competitors in competing unfairly. As the Third Circuit recently noted “[e]mployers . . . are increasingly taking advantage of the [Act’s] civil remedies to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.”
The Act makes it unlawful for anyone to access a “protected computer” “without authorization” or in excess of authorized access and thereby obtain, alter or damage information or data. 18 U.S.C. §1030(a)(2)(c). The Act also makes it unlawful to knowingly, and with intent to defraud, access a “protected computer” without authorization or in excess of authorization and thereby further the fraud and obtain anything of value. 18 U.S.C. § 1030 (a)(4). The Act defines a “protected computer” as any computer “used in interstate or foreign commerce or communication.” 18 U.S.C. §1030(e)(2)(B). Because virtually all corporate computer systems and laptops are connected to the internet, virtually any misuse of a corporate computer system will involve a “protected computer.”
Since 1994, the Act has provided for a private federal cause of action in favor of any person who suffers “damages” or “loss” as a result of a violation of the Act, entitling them to “maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). To bring a civil claim under the Act, the plaintiff must show damage or loss related to the computer in excess of $5,000. 18 U.S.C. § 1030(a)(5)(B)(1). Employers have successfully used the Act to obtain injunctions against both former employees who have violated the Act and the competitors who hire them.
This article surveys recent federal case law construing the Act. The Seventh Circuit has issued a very recent decision making it easier under the Act for employers to sue employees who used existing corporate authorization to steal data by holding that such employees are acting “without authorization” for purposes of the Act. Courts have been stricter in construing what constitutes “damages” or “loss” within the meaning of the Act. Courts in the Second Circuit, in particular, have foreclosed use of the Act as a vehicle for recovery of loss of goodwill or business caused by a former employee’s unfair competition based on misuse of computer data. Nonetheless, no other circuit has as of yet foreclosed a plaintiff from seeking damages for lost profits or goodwill under the Act, and it remains an effective tool to obtain injunctive relief from a federal court.
A. Courts Liberally Interpret When an Employee Acts “Without Authorization” or “With Intent to Defraud.”
1. “Without Authorization” means contrary to the employer’s interests.
In order to state a claim under the Act the employer must prove that the employee acted “without authorization,” in excess of authorization or with “intent to defraud.” Clearly, a former employee who uses knowledge of a former employer’s computer system post termination to obtain non-public information from that system on behalf of a new employer is acting without authorization or in excess of authorization. More commonly, however, an employer discovers only after an employee resigns that shortly before the resignation the employee downloaded or copied information he or she was authorized to access. Can such action really be deemed to be “without authorization” or to “exceed authorized access?”
The Act defines “exceeds authorized access” as:
to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
One might plausibly argue that use of existing corporate authorization to obtain (as opposed to destroy or alter) data to which the employee is otherwise entitled to access is not “unauthorized” and hence not subject to the Act.
Several federal courts have rejected such literalistic application of the term “unauthorized” or in excess of authorization. In Shugard Storage Centers, Inc. v. SafeGuard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), the district court relied on common law principles to find that an employee who abused corporate authorization to copy data for purposes of competing unfairly was acting “without authorization” for purposes of the Act. Under the common law an employee who acts adversely to the interests of the employer, without the employer’s knowledge, or who is otherwise guilty of a serious breach of loyalty has effectively terminated the agency relationship and lost whatever authorization he or she might otherwise have enjoyed. This expansive interpretation of “without authorization” arguably renders all pre-termination computer misuse hostile to the employer’s interests “unauthorized” within the meaning of the Act.
Very recently, the United States Court of Appeals for the Seventh Circuit, in an opinion authored by Judge Posner, endorsed the Shugard court’s theory of “without authorization.” In Citrin, an employee of a real estate company decided to compete against his former employer. Before returning his laptop he completely wiped it clean, using a data erasure program. As a consequence, all the information on the computer, including information on real estate acquisition opportunities and data which would have revealed improper conduct engaged in by the employee prior to leaving, was irretrievably lost. 440 F.3d at 419. The Seventh Circuit ruled that the employee acted “without authorization,” even though he was technically authorized to access his laptop at the time of the misuse:
“For his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files . . . in violation of the duty of loyalty that agency law imposes on an employee.”
Other courts have simply concluded that acts contrary to the employer’s stated policies are per se unauthorized. It appears courts will employ a common sense approach and conclude that access for improper reasons is in fact “without authorization” regardless of whether the access was achieved using pre-existing authorization.
2. “Intent to Defraud” requires only use of dishonest means.
The Shugard court also expansively construed the section of the Act prohibiting “knowing[ly] and with intent to defraud” accessing a protected computer. In Shugard, the employer alleged that while still employed, the former employee sent e-mails containing its confidential information to a competitor, whom the employee went to work for shortly thereafter. The Shugard court ruled these allegations were sufficient to state a claim of accessing a protected computer “with intent to defraud.” The Shugard court rejected the argument that it was necessary to allege the common law elements of fraud (i.e., misrepresentation or omission, justifiable reliance, etc.). Instead, all that was necessary was that the plaintiff allege the defendant “participated in dishonest methods of obtaining information,” which it had done. Another court has adopted the Shugard interpretation of “intent to defraud.” Such an interpretation makes it easier to plead and prove a claim of intent to defraud. These decisions evidence a penchant towards liberal construction of the Act in favor of employers harmed by a broad variety of computer misconduct.
B. Courts Permit Assertion of Claims Under the Act Against Competitors Who Hire Employees Who Have Engaged in Computer Misuse.
Because the Act provides sanctions against those who unlawfully access the computer, a question arises as to whether a competitor who hires a former employee who has stolen information from the employer’s computer can also be subject to liability under the Act. An early decision from a federal court in New Hampshire indicated that the Act could only be applied against the individuals who actually engage in the computer misconduct, and not their employers. In that case, however, a physician of a hospital accessed a patient’s records without authorization, but in so doing, acted directly contrary to the employer hospital’s policies and thereby victimized the hospital. Subsequent decisions have allowed claims to be asserted against competitors who hire employees who have engaged in misconduct under a theory of vicarious liability, where the employer pleads an agency relationship between the former employee and the competitor at the time of the computer misuse. The trend clearly permits assertion of claims against both former employees who engage in computer misconduct and the competitors who hire them.
C. Courts are More Restrictive in Interpreting “Damages” and “Loss”.
Courts have been more restrictive in evaluating whether particular financial outlays qualify as “damages” or “loss” sufficient to meet the Act’s $5,000 threshold. The Act defines “damages” as “any impairment to the integrity or availability of data, a program, a system, or information, that . . . causes loss aggregating at least $5,000 in value during any one year period.” 18 U.S.C. §1030(e)(8). “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).
Courts have interpreted “damages” and “loss” to include virtually all reasonable out-of-pocket expenses and costs incurred by the employer in responding to the employee’s misconduct, other than attorneys’ fees, so long as the expenses and costs can in some fashion be directly tied to the computer or computer system at issue. Examples include: (1) the costs of diagnostic measures taken by the employer after it learns of the potential misuse, including expenses for fees paid to consultants; and (2) costs of subsequent prophylactic measures the employer takes to prevent future infiltration of its system. Courts have, however, refused to credit towards the $5,000 threshold any expenses not directly related to the computer system at issue. Courts are divided on whether claims for lost profits or goodwill are damages recoverable under the Act. Courts in the Second Circuit interpret the Act narrowly in terms of compensable losses. Other courts are more liberal. To the extent an employer has incurred damages from an employee’s computer misuse which are not recoverable under the Act, these can usually be recovered under standard common law remedies such as trade secret misappropriation and/or breach of fiduciary duty.
In order to meet the $5,000 jurisdictional threshold, employers are well-advised to keep meticulous records of the time computer technicians and consultants spend investigating misconduct, as well as the cost of any fixes to upgrade system security once potential misconduct has been identified. Assuming that an employer can demonstrate that it has or will have to expend at least $5,000 to investigate and remedy the damage to its computer system caused by a former employee, the Act provides both a federal forum and the right to injunctive relief against former employees and the companies who hire them. While use of the Act as a vehicle for recovery of economic damages caused by former employees is less certain, frequently injunctive relief is more critical than damages. To the extent a former employee has caused significant damages, those usually can be recovered under traditional common law or statutory principles of trade secret law, tortious interference with contract, breach of fiduciary duty and unfair competition against employees who engage in computer misuse. Alleging a violation of the Act will enable the employer to litigate its claims against the former employee in federal court, which may be a more desirable forum under appropriate circumstances.
P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, 428 F.3d 504, 510 (3d Cir. 2005), quoting Pacific Aerospace & Electronics, Inc. v. Taylor, 295 F.Supp.2d 1188, 1196 (E.D. Wash. 2003).
See, e.g., Charles Schwab & Co., Inc. v. Carter, 2005 WL 2639815 at *8 (N.D. Ill. Sept. 27, 2005) (downloading files from employer’s system involved interstate commerce because plaintiff maintained interstate computer network).
See, e.g., E.F. Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001) (affirming injunction against new employer and former employees who had used their knowledge of former employer’s website to gain information from the employer’s computer system which was not otherwise available to the public); Keg Technologies v. Laimer, 436 F. Supp. 2d 1364, 1380-81 (N.D. Ga. 2006) (enjoining new employer and its employees from further accessing former employer’s computer and ordering all computer files obtained from the former employer destroyed); Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 937 (9th Cir. 2004) (affirming injunction enjoining competitor and former employees from copying or storing plaintiff’s trade secrets, selling plaintiff’s customer lists or contacting plaintiff’s customers or assisting anyone else in doing such things); Hub Intern. Insur. Services v. Kilzer, 2006 WL 2619360 (N.D. Cal. Sept. 12, 2006) (enjoining former sales representative who printed out customer prospect files and deleted them from employer’s computer from soliciting the customer prospects, using or disclosing the prospect information and requiring him to maintain any commissions received from the prospects).
EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 579-81 (1st Cir. 2001) (former employee who instructed computer consultant to design an automated “scraper” program that would query former employer’s website on behalf of new employer violated Act since employee’s decision to use scraper relied on his knowledge of former employer’s website and business practices.)
See, e.g., Allied North America Insur. Brokerage Corp. v. Woodruff Sawyer, 2005 WL 2354119 at *4 (N.D. Calif. Sept. 26, 2005) (finding employee did not act without authorization where he had unfettered access to all system data; mere fact that employee had never transmitted files to home computer before or accessed the same volume of documents as he did in the weeks before his resignation was insufficient to raise a fact issue on whether the employee exceeded his authority in downloading files for home use).
See Restatement (Second) of Agency § 112 (1958) (“Unless otherwise agreed, the authority of an agent terminates if, without knowledge of the principal, he acquires adverse interests or he is otherwise guilty of a serious breach of loyalty to the principal.”).
International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).
Id. at 420.
See, e.g., Intern. Security Management Group, Inc. v. Sawyer, 2006 WL 1638537 at *21 (M.D. Tenn. June 6, 2006) (“There is no dispute that Sawyer exceeded his authority when he emailed to [competitor] documents that [employer] considers proprietary and trade secret.”); George S. May Intern. v. Hostetler, 2004 WL 197395 at *3 (N.D. Ill. May 28, 2004) (“While Hostetler may very well be correct that he was entitled to access the information when employed by GSMIC, it is no stretch of the imagination to conclude that his authorization did not extend to removing copyrighted material from the computer system for his personal benefit or that of a competitor.”).
Id. at 1125-26.
George S. May Intern. v. Hostetler, 2004 WL 197395 at *4 (N.D. Ill. May 28, 2004) (following Shugard and holding that intent to defraud merely requires participation in dishonest methods to obtain plaintiff’s secret information).
Doe v. Dartmouth-Hitchcock Medical Center, 2001 WL 873063 at * 5 (D.N.H. July 19 2001) (“Expanding the private cause of action created by Congress to include one for vicarious liability against persons who did not act with criminal intent and cannot be said to have violated the statute . . . would be entirely inconsistent with the plain language of the statute.”).
Charles Schwab & Co. v. Carter, 2005 WL 2369815 at *5 (N.D. Ill. Sept. 27, 2005) (distinguishing Dartmouth-Hitchcock and holding that the statute permits assertion of vicarious liability against competitors who affirmatively encourage the former employee to access the former employer’s computer system without authorization); Shugard, 119 F.Supp.2d at 1124-25 1124-26 (refusing to dismiss claim under Act asserted against competitor only based on allegation that it hired former employees of plaintiff who had unlawfully accessed data while employed by the plaintiff); George S. May Intern. v. Hostetler, 2004 WL 197395 (N.D. Ill. May 28, 2004) (refusing to dismiss claim against new employer where it was “reasonable to infer that Hostetler was acting as an agent of [new employer] at the time the claimed acts occurred”); Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 937 (9th Cir. 2004) (affirming broad injunction enjoining competitor and former employees pursuant to Act).
EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584-85 (1st Cir. 2001) ($20,000 fee to consultant to determine whether website was compromised satisfied $5,000 threshold).
Shugard Storage Centers, Inc v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1127 (W.D. Wash. 2000) (expenses incurred in modifying computers to preclude further unauthorized data transfer qualified as “loss”).
See, e.g., Nexan Wires, S.A. v. Sark-USA, Inc., 319 F. Supp. 2d 468, 472-75 (S.D. N.Y. 2004) ($8,000 in business expenses consisting of travel expenses for two corporate officers to conduct damage assessment, including a meal at Le Cirque restaurant did not qualify as loss since there was no computer technician or consultant involved and no evidence that preventative measures were added to system as a result of meetings); In re Pharmatract, Inc. Privacy Litig., 200 F. Supp. 2d 4, 15 (D. Mass. 2002) (dismissing claim under Act because plaintiff’s claim they suffered loss from invasion of privacy and loss of contract over dissemination of private information did not qualify as “loss”); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 252 n.12 (S.D. N.Y. 2000) (lost business or goodwill would not constitute loss absent impairment or unavailability of data or systems.).
See Register.com v. Verio, Inc., 126 F.Supp. 2d 238, 252 n.12 (S.D. N.Y. 2000) (lost business or goodwill could not constitute loss absent the impairment or unavailability of data or systems); Nexan Wires, S.A. v. Sark-USA, Inc., 166 Fed. Appx. 559 (2d Cir. 2006) (district court correctly recognized that lost revenue is only recoverable if connected to an “interruption in service.”); Civic Center Motors, Ltd. v. Mason Street Import Cars, Ltd., 387 F. Supp. 378, 382 (S.D. N.Y. 2005) (claims for lost profits and loss of competitive edge are not the kind of losses that are the result of computer impairment or computer damage and hence were not compensable losses).
See, e.g., C.H. Robinson World Wide, Inc. v. Command Transp., LLC, 2005 WL 3077998 at *3 (N.D. Ill. Nov. 16, 2005) (loss of competitive advantage could constitute “loss” within meaning of the Act); Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004) (affirming $150,000 verdict on claim under Act noting that “loss of business” and business goodwill were economic damages recoverable under the Act).