Targeting "Excessive" Social Media Use as Violation of Computer Fraud & Abuse Act Misses the Mark

A Computer Fraud and Abuse Act (CFAA) claim against a former employee based on "excessive Internet usage," including visiting Facebook, was recently dismissed by a Federal District Court in Florida.

Specifically, in Lee v. PMSI, Inc., the former employer claimed that Wendi Lee engaged in "excessive Internet usage," visited "personal websites such as Facebook," and sent and reviewed her "personal web mail account." PMSI filed the CFAA claim after Ms. Lee sued for pregnancy discrimination.

Before shooting down PMSI's CFAA claim, the Court set the stage by noting:

The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives ...." Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the Internet instead of working.

Against this backdrop, the Court quickly picked apart PMSI's claim:

  • First, a critical element for a CFAA claim involves "unauthorized access." PMSI, however, expressly admitted that it knew of Ms. Lee's excessive computer/Internet usage while she was employed and never terminated her authorization to use her work computer. 
  • Second and building upon the preceding point, PMSI made no reference to any express computer policy that Ms. Lee violated. Instead, the employer compared Ms. Lee's computer usage to two other employees in her department and argued that this discrepancy transformed acceptable Internet usage into a violation of the Computer Fraud and Abuse Act.
  • Third, another required element is a loss in excess of $5,000. PMSI argued "dubiously" (court's description) that Ms. Lee caused PMSI "financial losses in excess of $5,000, due to her lack of productivity." The Court flatly rejected the argument that "loss" under the CFAA should include lack of productivity.
  • Fourth, obtaining or altering information on a protected computer is also a required element. But Ms. Lee accessed her Facebook, personal email, and news websites, i.e., information not on PMSI's computer system. Thus, Ms. Lee never "obtained or alter[ed] information" on a "protected computer." 

Practical Considerations in Applying the Computer Fraud and Abuse Act to the Employment Relationship

From a practical perspective, one estimate has over 116,010,760 Americans on Facebook. Facebook itself estimates having over 500 million active users with 30% of this consisting of U.S. residents. Taking these numbers at face value, a recent survey identified that 77% of workers who have a Facebook account use it during work hours.

So following PMSI's logic and only considering Facebook (as opposed to other non-work web browsing), at any given moment a significant number of American employees are violating a criminal statute while accessing Facebook at work. This remains true even if the number of Facebook users is lowered to account for those who are not employed. And if you include accessing and monitoring March Madness or Fantasy Football stats on employer time, well, I would have to exercise my Fifth Amendment rights against self-incrimination.

The Take Away for Employers and Employees

The bottom line is the CFAA is a criminal statute focused on hacking of computers for criminal purposes, e.g., stealing information or destroying functionality. This statute also includes a civil provision applicable to certain situations. But as the Lee Court appropriately noted, employers and their attorneys should not fall into the lazy reasoning that the CFAA's civil provision is applicable to the regulation of private sector employment relationships:

Extension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary.

There are certainly compelling factual situations where a Computer Fraud and Abuse Act claim against a current or former employee falls squarely within the scope and purpose of the statute. And Courts have reached a range of results favorable to employers when it comes to such claims involving employee/employer related facts. PMSI's CFAA claim, however, does not come within a gunshot of falling in that range.

Michigan's Whistleblowers' Protection Act: Protecting Employees Who Are "About to Report" A Violation

A recent opinion from the Michigan Court of Appeals illustrates the significant challenges employees face in successfully bringing a certain claim under the Michigan Whistleblowers' Protection Act (WPA) and the opportunities employers have for dismissing such claims.

Challenges for Employees making an "About to Report" Whistleblowers' Protection Act Claim

Under Michigan's Whistleblowers' Protection Act (WPA), MCL 15.361, an employer is prohibited from, among other things, discharging an employee because the employee "reports or is about to report" a violation or suspected violation of the law. 

One reason a Whistleblowers' Protection Act claim based on an "about to report" theory is challenging for plaintiffs to successfully assert is that it requires a plaintiff to prove by clear and convincing evidence that he or she was about to report a statutorily covered violation. MCL 15.363(4). Clear and convincing evidence is the most demanding standard applied in civil cases.

Assessing "About to Report" Claims under Whistleblowers' Protection Act

In assessing whether there is "clear and convincing evidence" that a plaintiff was "about to report" a violation covered by the WPA, Michigan courts will often look to the spectrum of activity leading up to the adverse employment action. 

This point was illustrated in the recent case of Pope v. Brinks Home Sec. Co. (2011), where the entirety of plaintiff's evidence that she was "about to report" a violation of commission stealing and other alleged unethical behavior was her testimony that she told her supervisor that she was going to make a report to the EEOC and attorney general. Her supervisor denied this statement was ever made. Thus, while plaintiff's testimony raised a factual question that a jury would normally decide, it was not enough to meet the "clear and convincing" standard called for under the WPA.

In contrast, Michigan courts have found this standard was met where an employee threatened to report violations covered by the WPA if the employer did not take corrective action, actually discussed the violations with her supervisor and coworkers, and documented the dates on which she had discussions with others regarding the need to report.

Take-Aways

Employees who believe they were fired or received other adverse treatment because they were "about to report" a violation covered by the Michigan Whistleblowers' Protection Act need to understand that it is rarely going to be enough to claim "I was fired but only because I was about to report a violation." Instead, courts are essentially looking for credible evidence that the employee actually intended to report violations independent of the employee's own intent or testimony. Following through with reporting the violation after the adverse employment decision may provide some evidence of a pre-termination decision to make a report covered by the WPA. Documenting the dates of discussions about suspected violations, and who was involved in them, also provides additional evidence supporting an "about to report" WPA claim.

For employers, the WPA does not prevent discharging an employee for legitimate, non-retaliatory reasons. But even with the high evidentiary burden employees may have to overcome in bringing a WPA claim, it is important to gather as much information as possible to make an informed decision as to whether the discharge may violate the WPA. And it is important to make this assessment from the perspective of a judge or jury who may be "second-guessing" the employer's decision.

This post on the Michigan Whistleblowers' Protection Act is only an overview of a very narrow aspect of the Act. And like many areas of employment law, the WPA has specific, complicated, and nuanced statutory requirements, which should be addressed with experienced legal counsel. Reading even a beautifully written post like this is not a substitute for an attorney’s independent judgment, experience, and research. 

Computer Fraud and Abuse Act Continues to be Potent Weapon Against Disgruntled and Departing Employees

A recent opinion from the Ninth Circuit Court of Appeals (PDF) confirms that the Computer Fraud and Abuse Act (essentially a federal computer hacking statute) continues to be a significant resource for employers to protect against the loss and damage of mission-critical information due to departing or rogue employees.

To add the Computer Fraud and Abuse Act ("CFAA") to your tool-box, however, requires careful planning and potentially retooling your company's computer use policy. 

This is because in the context of the employment relationship, a violation of the statute turns on whether an individual "intentionally accesses a computer without authorization" or "exceeds authorized access." 18 U.S.C. § 1030(e)(6). The CFAA defines "exceeds authorized access" as accessing a "... computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The CFAA does not define the phrase "without authorization," and courts have reached conflicting interpretations of both of these phrases when it comes to the employment relationship.

Acting adversely to Employer's Interest May Trigger Computer Fraud and Abuse Act Violation

Some Courts take an employer-friendly approach and recognize that "unauthorized" or "exceeding authorized" access is established if an employee accesses the employer's computer for a purpose adverse to the employer's interests, i.e., violates a duty of loyalty. A common fact pattern in these cases involves an employee obtaining company or proprietary information from the employer's computers for use in a competing venture or on behalf of a competitor. Such action has been found to establish "without authorization" or "exceeding authorization" under the Computer Fraud and Abuse Act. See International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (reversing dismissal of CFAA claims where employee went into business for himself and used "scrubbing" software to delete all of the files on his company-issued computer).

The Computer Fraud and Abuse Act is concerned with access, not subsequent use or misuse of information.   

Another line of decisions distinguishes between "exceeds authorized access" and "exceeds authorized use." What this boils down to is that employees are not acting "without authorization" in accessing company information when they have "permission to use" a company network, even if that employee later misuses that information, e.g., to improperly compete against the former employer. See LVRC Holdings LLC v. Brekka (2009). This concept was explained in the case of U.S. v. Aleynikov (2010), where a New York Federal District Court dismissed claims against an employee and overturned his conviction under the CFAA for copying and removing software trading codes. The court reasoned that the statute should be restricted to prohibiting people from "hacking" into a computer system, not the subsequent use or misuse of information.

Violation of Computer Fraud and Abuse Act occurs when an employer's express limitations for accessing company information are violated.   

A third line of cases focuses on an employer's express limitations on accessing company data and networks. An employee who accesses the employer's computer in excess of those express limitations violates the employer's access restrictions, which may cover the use of the computer or of the information contained in that computer. This situation was illustrated in the Ninth Circuit's recent opinion in U.S. v. Nosal (2011) (PDF), which concluded:

as long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that.

Take away for Employers

Certainly there is a robust debate as to how the Computer Fraud and Abuse Act should, if at all, be applied to the employer/employee relationship. But there are important steps employers should take to improve the likelihood that, if necessary, the CFAA will be available to protect competitive advantages and defend against unfair competition. 

The most important step is to review the employer's computer use policy and what it restricts. If an employer lacks a computer use policy or it is deficient, then the employer will likely be left to rely upon Citrin and the line of cases where liability under the CFAA depends upon a violation of a "duty of loyalty."

But if you ask me, the reasoning in Citrin and similar cases is inherently unworkable. This is because it overlooks that an employee's authorization to access a particular document on the same computer may change throughout his or her employment (It pains me to say that Citrin got it wrong because it was authored by the venerable Richard Posner, a judge on the Seventh Circuit Court of Appeals and a favorite jurist of mine).  

For example, an employee's access rights to particular information would change if the employee began looking for employment. Suppose that, in pursuing alternative employment, the employee accessed such information to assist in the job search, i.e., to refresh the employee's memory about accomplishments or to better describe skills and abilities on a resume or in an interview. Under Citrin, a violation of the CFAA arguably occurred because there was access for reasons adverse to the employer and thereby access without authorization. But if that same employee decided not to seek outside employment and accessed the same information for work-related reasons, the employee's interests would again be aligned with the employer and, therefore, access would be authorized.

The better strategy is to make sure the computer use policy expressly restricts employees from using, copying, and accessing any information on the company's computer systems for personal gain. Such a provision allows employers to argue that any access for personal gain is without authorization and thereby keep in play the Computer Fraud and Abuse Act claims without having to resort to Citrin's duty of loyalty reasoning. 

A Road Map for Responding to Requests for Accommodations under the Americans with Disabilities Act

A common issue under the Americans with Disabilities Act concerns asking for and responding to a request for a reasonable accommodation.

It is important for employers to understand their obligations in responding to such a request because under the ADA unlawful discrimination specifically includes "not making reasonable accommodations [for a] qualified individual with a disability..." 42 USC 12112(b)(5)(A).

Making and Responding to a Request for a Reasonable Accommodation

  1. An employee generally has the initial burden of putting the employer on notice that deficiencies in his or her performance are related to an ADA disability, proposing an accommodation, and showing that that accommodation is objectively reasonable. But this general rule has exceptions: Employers have been required to initiate the interactive process even if the employee does not request accommodation where the employee’s disability and its adverse impact on job performance are obvious. Brady v Wal-Mart Stores, Inc (2008) (Employee had cerebral palsy, which manifested itself in noticeably slower walking and speech).
  2. The EEOC Enforcement Guidance on Reasonable Accommodation and Undue Hardship provides that a: "... modification or adjustment is 'reasonable' if it 'seems reasonable on its face, i.e., ordinarily or in the run of cases;' this means it is 'reasonable' if it appears to be 'feasible' or 'plausible.' An accommodation also must be effective in meeting the needs of the individual." 
  3. To determine the appropriate reasonable accommodation it may be necessary for the employer and employee to engage in an informal, interactive process. 29 C.F.R. § 1630.2(o)(3) (2010). The EEOC Regulations provide that this process should focus on: 
    • Analyzing the particular job involved and determining its purpose and essential functions;
    • Consulting with the employee with a disability to determine the precise job-related limitations imposed by the employee's disability and how those limitations could be overcome with a reasonable accommodation;
    • Identifying potential accommodations and assessing the effectiveness each would have in enabling the employee to perform the essential functions of the position; and
    • Considering the preference of the employee to be accommodated and selecting and implementing the accommodation that is most appropriate for both the employee and the employer.
  4. If the plaintiff establishes that a reasonable accommodation is possible, the employer bears the burden of proving how the accommodation would cause an undue hardship on the operation of the business. 42 U.S.C. § 12112(b)(5)(A). The ADA defines "undue hardship" to mean "an action requiring significant difficulty or expense, when considered in light of the [following] factors": 
    • The nature and cost of the accommodation needed;
    • The overall financial resources of the facility or facilities involved in the provision of the reasonable accommodation; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such accommodation upon the operation of the facility;
    • The overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and
    • The type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative, or fiscal relationship of the facility or facilities in question to the covered entity. 42 U.S.C. § 12111(10). 
  5. Employers should carefully and critically assess whether an accommodation is an "undue hardship" because a court will often engage in an individualized inquiry to ensure that the employer's justifications "reflect a well-informed judgment grounded in a careful and open-minded weighing of the risks and alternatives . . .". Johnson v. City of Pontiac (E.D. Mich. 2007). Also, courts will reject an employer's "undue hardship" argument if it is not supported with specific facts. See Smith v. Henderson (6th Cir. 2004) (employer failed to set forth "specific facts indisputably demonstrating that ... the accommodation would have resulted in 'significant difficulty or expense.'").

While these topics will be an important starting point for employees and employers to meaningfully participate in the interactive accommodation process under the ADA, any such issues should be addressed with competent legal counsel. 

Protecting Company Information Using the Computer Fraud and Abuse Act

A 2011 Sixth Circuit Court of Appeals opinion underscores the important role the Computer Fraud and Abuse Act plays in combating disgruntled employees who steal company data. This case also highlights important steps employers should take in protecting company IT infrastructure and digital information from internal threats.

In that case, the former employee worked in the IT department of Campbell-Ewald, a Michigan advertising company. During his employment, the former employee accessed Campbell-Ewald's computer server and, without authorization, copied confidential computer files belonging to its CEO.

Campbell-Ewald strategically responded by firing the individual, contacting the authorities, hiring a security investigation firm, and retaining legal counsel. 

The FBI investigated and determined:

  • The former employee had accessed Campbell-Ewald's confidential files no fewer than twenty-one times after his firing, twice through a Campbell-Ewald server and nineteen times through the email account of another employee, "SM." 
  • The files the former employee accessed consisted of "confidential pieces of information . . . including executive compensation, financial statements of the firm, goals and objectives for senior executives of the company reporting to the chairman, and some strategic plans." These files were normally stored on the CEO's desktop computer but had been moved by the company to its server.
  • The former employee admitted that he had learned of employee SM's username and password in the course of his employment. While SM had slightly altered his password after the former employee was fired, the former employee was able to guess the new password through trial and error.

The former employee was eventually convicted under the Computer Fraud and Abuse Act, 18 U.S.C.S. § 1030(a)(2)(C) and (c)(2)(B)(iii). The court also awarded the former employer restitution in the amount of $47,565 for private security investigation costs. This decision from the United States District Court for the Eastern District of Michigan was upheld on appeal. 

Protecting Company Information Before it is Compromised

The former employee's conviction under the Computer Fraud and Abuse Act is significant with respect to a number of legal issues. But for employers focused on preventing a similar IT disaster from happening, the following are important take-away points to consider: 

  1. Computer security is often an "all or nothing" process in that if you miss a single link in your security chain you leave the network vulnerable. Consider implementing the topics in this Employer's Technology Checklist for Departing Employees to minimize your company's vulnerable spots; 
  2. Before a theft or a data breach occurs, employers should coordinate with IT, human resources, legal and business units to carefully and critically draft computer/network policies clearly defining the permitted access to sensitive company data and customer information. Further, employees must understand that exceeding their authorized access is strictly prohibited and subject to discipline, including termination; 
  3. Information should be segregated so that employees have access only to data relevant to their jobs and this segregation should be routinely audited to confirm data remains accessible only by those who have a business-related need for access;
  4. Additionally, it is essential to properly draft employment policies to trigger the Computer Fraud and Abuse Act. This is not always possible, as Courts do not agree on how critical issues such as "unauthorized access" or "exceeding authorized access" under the Computer Fraud and Abuse Act should be applied in the context of the employment relationship. Strategic drafting can greatly increase the chance of having a viable Computer Fraud and Abuse Act claim if an employee compromises or steals corporate data; and
  5. Properly securing and preserving computer-related evidence must be a top priority in responding to potential computer misconduct. Otherwise, companies run a significant risk of compromising or outright destroying computer evidence, which may result in its exclusion at trial. Consider U.S. v Khoo (Oregon Dist. Court 2011), where the court excluded computer evidence in a federal criminal matter involving the theft of corporate data (Khoo Order.pdf) (court excluded forensic image after the company owner inadvertently compromised / tampered with evidence while investigating an employee's suspicious activity on a company laptop). See Susan Brenner of CYB3RCRIM3 for a full explanation of this case. Also, see this prior write-up about investigating and preserving company computer data with contributions from the Michigan State Police Computer Crime Unit.