Employee Owned Tablets and Technology Devices: Managing the Risks and Rewards Starts with BYOD Policy

With Christmas quickly approaching, employers should expect that their employees will be enjoying new technology devices entering the new year. And this means employers should expect new employment law compliance issues and technology risks for their companies.

Bring Your Own Devices and Employment Law Compliance Issues

Employee owned devices create a minefield for employers when it comes to employment law compliance issues. This is especially true when it comes to wage and hour claims. These claims generally arise out of allegations that an employer failed to pay overtime wages. Wage and hour claims may be brought under the federal Fair Labor Standards Act (FLSA) or state wage-hour statutes. In either circumstance, wage and hour lawsuits expose employers to significant damages (hundreds of thousands of dollars and up) and legal fees.

Companies that provide employees the ability to remotely access the workplace through the Internet or using company issued smart phones, tablets, computers, etc. or employee owned devices essentially allow for 24/7 access to the workplace. But this also means these employees are performing work they should be compensated for, including overtime. For a very good explanation of these wage and hour claims, see Caryl Flannery's blog post, "Technology’s Got Me Working Overtime." 

Bring Your Own Devices and Technology Risks to the Company

As to the technology risks, last year we published a blog post about managing such risks. See Tis the Season to Tech the Workplace Halls - Managing Employee Owned Technology Devices. This article highlighted four of the major risks that employee-owned devices create for employers.

One way to mitigate these risks is through the use of an appropriately drafted technology policy. Such policies, sometimes referred to as a "bring your own device" or a BYOD policy, can either be a stand-alone policy or incorporated into an employee manual.

A BYOD policy should be considered a "must have" for any employer whose workforce is allowed and/or expected to use their own smart phones, tablets or other mobile devices for work either while at the office or during nonworking hours. As to what should be in your company's technology policy, the details should be discussed with management, your IT department, and legal counsel. The intent of bringing together these stakeholders is to make sure you end up with a workable policy that meets and balances the business needs with IT security and legal compliance issues.

Recommendations for What to Include in Your Company's BYOD Policy

A discussion of specific language that you should include in your company's technology policy is beyond the scope of this blog (the working draft our law firm uses for its business clients spans several pages). However, several points for discussion include: 

  • A process for registering or accounting for all employee devices. This should also include a means to confirm each such device is up-to-date as to anti-virus software and other security-related protections, e.g., tracking or remote disabling in the event a device is lost or stolen.
  • Implementing a procedure for reporting any device that is used for business purposes and that has been lost, stolen, or accessed by unauthorized persons or otherwise compromised.
  • Provisions making it clear that your company's policies covering the handling and protection of its confidential information and intellectual property, including trade secrets, extend to the use of all devices, whether provided by the company or owned by the employee.
  • Making it clear that all content created on, transmitted to, received or printed from, or stored or recorded on any device that relates in any way to your company's business remains the property of the company, regardless of who owns the device used.

Employees should also be advised and consent to some degree of employer access to a device in order for the employer to monitor and enforce the technology policy. Unfortunately this should include investigating any instances of employee misconduct that may involve the device. 

For more information about technology related employment policies, including BYOD policies, contact Jason Shinn, an employment attorney who has addressed technology legal issues in the workplace since 2001. This technology experience includes investigating employee computer misconduct, managing e-discovery and litigation hold issues, and emerging social media legal issues. With this insight, Mr. Shinn works with companies to address the important steps that an organization should undertake when implementing a successful BYOD program – one that contains appropriate policies, procedures, and security measures to protect your company's business information and network.

Computer Fraud and Abuse Act Does not Protect Against Employee Violations of Company Computer Use Policies

Previously this blog outlined the various approaches Courts have taken to applying the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. 1030, to workplace misuse of employer provided computer resources.

A recent opinion from the Ninth Circuit Court of Appeals, however, seriously limits the applicability of the CFAA to the employer/employee relationship and challenges other courts to reconsider its application.

Specifically, the Ninth Circuit Court rejected the Justice Department's interpretation of the CFAA, which asserted the CFAA targets both hackers and individual employees who use a computer for an unauthorized purpose.

Factual Background

The case, U.S. v. Nosal (PDF), involved David Nosal, who worked for Korn/Ferry International (“Korn/Ferry”), an executive search firm. After leaving the company in 2004, Nosal and other Korn/Ferry employees allegedly conspired to help Nosal start a competing business, in violation of a non-compete agreement.

Korn/Ferry eventually learned that information contained within a confidential company database had been transferred to Nosal. Korn/Ferry argued this database was one of the most comprehensive of its type in the world. Accordingly, it had taken significant measures to protect the information from improper use. 

of the information.

Procedural Background and the Criminal Charges

After David Nosal was indicted on 20 counts, including violations of the CFAA, his lawyers argued that the CFAA charges should be thrown out. They argued that the CFAA targets only hackers, not employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements. In other words, Nosal argued the Korn/Ferry employees could not have acted without authorization, nor could they have exceeded authorized access, because they had permission to access the database and its information.

The district court initially rejected Nosal’s argument. This decision, however, was reversed because the trial court followed the reasoning of a subsequent CFAA opinion (LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)), which construed narrowly the phrases “without authorization” and “exceeds authorized access” in the CFAA. Based on Brekka, the district court concluded that “[t]here is simply no way to read [the definition of ‘exceeds authorized access’] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate,” as “[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense.”

The government appealed but lost this decision before the Ninth Circuit Court of Appeals.

The Computer Fraud and Abuse Act and the Employment Relationship

The Ninth Circuit's ruling is at odds with the Fifth, Seventh and Eleventh Circuits, all of which have adopted a broader view of the CFAA's sweep. In responding to the conflict, Judge Kozinski said those other courts "failed to consider the effect on millions of ordinary citizens" and urged them to reconsider. Judge Kozinski further noted: 

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.

Michigan Employers and the Computer Fraud and Abuse Act 

For Michigan employers and employees, it is important to note that the applicable federal circuit (the Sixth Circuit Court of Appeals) has upheld the criminal conviction of a CFAA violation arising out of the employment relationship.

Specifically, that case involved an employee who stole confidential data from his employer’s computers, but the decision was limited to the issue of whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5 year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565. Additionally, the former employee's conviction was based on the fact that after he had been discharged he accessed his employer's computer network and confidential files at least 21 times, including through an employer server and 19 times through the email account of another employee.

Take Away for Employers

Certainly courts continue to debate whether the CFAA should, if at all, be applied to the employer/employee relationship. Setting aside this issue, it is important for employers to protect their company and confidential information. And these steps may improve the likelihood that, if necessary, the CFAA will be available to protect competitive advantages and defend against unfair competition.

Korn/Ferry provides an overview of protective measures employers should take to protect company computers and databases. Specifically, Korn/Ferry took the following steps:  

  • The placement of controls on electronic access of the database and its servers;
  • The creation of unique usernames and passwords for authorized users; 
  • A requirement that all employees sign an agreement confirming the confidential and proprietary nature of the information; and 
  • Having the opening screen of the database include the warning: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”

Should the CFAA apply to the employment relationship? There are a number of reasons why the CFAA should have limited application in the employment context.    

Email Disclaimers May Protect Employers Against Inadvertent Contracts

Even now email continues to have an "informal" character, but business transactions occurring over an email thread may, in certain circumstances, create a binding contract.

With this in mind, companies can avoid significant expense in relation to unintended contract obligations and litigation by simply addressing how their employees - especially those in sales or purchasing - conduct business through email.

The backdrop for this recommendation arises out of a matter where I've filed a motion to enforce a settlement agreement. The attorneys of record who were involved with the underlying case and in the circumstances leading up to and resulting in the settlement had seemingly reached the agreement now being disputed through email. One party, however, is claiming that the email arguably forming the acceptance should be disregarded.  

The offer and acceptance comprising the settlement agreement was not as "clean" as I would have preferred. For example the acceptance was an email from the Plaintiff's attorney that was simply signed "Jim." Also, the terms of the settlement payment had been previously reached at a deposition so the email simply referred back to those discussions.

Michigan Law Generally Enforces Electronic Signatures

Even so, under Michigan's Uniform Electronic Transactions Act (UETA) a “record or signature shall not be denied legal effect or enforceability solely because it is in electronic form.” MCL § 450.837. In other words, a party cannot argue that an email acceptance of an agreement (in this case a settlement agreement) should be disregarded simply because the acceptance occurred by way of email. 

While there are nuances to this general rule, Michigan courts have addressed my particular issue on substantially similar facts. In Kloian v Domino's Pizza, LLC, 273 Mich App 449, 454; 733 NW 2d 766 (2006), the court enforced a settlement agreement reached through email communications. 

Email Signatures and the Workplace

The above discussion about email contracting takes place in the context of settling a legal claim. But the same principles generally apply to private parties forming and enforcing a contract.

Interestingly the Wall Street Journal recently published an article deriding the use of inflated email disclaimers (subscription required). But I think the better practice is to view email disclaimers as a very cheap insurance policy against a company's employee inadvertently entering into an enforceable contract through email communications.

Accordingly, businesses should consider including a disclaimer, or taking other steps to demonstrate that an e-mail is not intended to bind the sender. For example, I use the following language in my email disclaimer:

Also, nothing in this e-mail is intended to constitute an electronic signature for purposes of the Electronic Signatures in Global and National Commerce Act (E-Sign Act), 15 U.S.C. §§ 7001 to 7006 or Michigan's Uniform Electronic Transactions Act, MCL § 450.831, et seq., unless a specific statement to the contrary is included in this e-mail.

Would this disclaimer defeat a contract claim? Perhaps. But in answering this question, I'm reminded of a very underrated movie, True Romance. In this movie, the lead character, Clarence Worley played by Christian Slater, delivers the following line: "If there's one thing this last week has taught me, it's better to have a gun and not need it than to need a gun and not have it." 

Turning back to the motion to enforce the settlement agreement, there is no email disclaimer whatsoever that would arguably give the court a reason to disregard the email acceptance (the email was sent from the attorney's Yahoo! account, which is another story). But I'm sure the party opposing the settlement now wishes there was such a disclaimer.

New Weapon for Michigan Employers for Protecting Against Unfair Competition and Trade Secret Theft

Michigan companies were recently given a new tool for fighting back against trade secret misappropriation and unfair competition.

Specifically, in Actuator Specialties, Inc. v. Chinavare the Michigan Court of Appeals agreed with the trial court's determination that Actuator Specialties established a threat of misappropriation against its former employee and his new employer. This threat entitled it to an injunction prohibiting the former employee from working for any competitor of Actuator Specialties for three years.

As explained below, this decision is significant because the three year restriction on working for competitors was based on the Michigan Trade Secret Act rather than a noncompete agreement.

In this regard, Michael Khoury, a fellow business lawyer, noted that "This may be one of the first cases of this kind in Michigan relying solely on the [Michigan Trade Secret Act] ... most [court opinions] have relied on written employment or nondisclosure agreements."

Background

At the time Chinavare ended his employment with Actuator Specialties he was employed as a general manager. While employed, Chinavare had copied Actuator's files onto a personal USB drive.

He later testified that he copied these files to be able to work after hours away from Actuator's offices. Chinavare further explained that after copying these files to his USB drive he realized his personal computer did not have a USB port, so he kept the USB drive containing the files of Actuator Specialties at his house in a closet.

In 2008, Chinavare and two other Actuator employees quit and began working for a competing business called Renew Valve and Cleveland Valve & Gauge (Renew Valve). Shortly after this departure, Actuator Specialties discovered that only three days before their departure someone had accessed confidential files belonging to Actuator Specialties.

This discovery prompted the former employer to file its lawsuit and seek a Temporary Restraining Order (TRO) on 2/12/08. The TRO was issued on 2/15/08, which did not prohibit Chinavare from working for Renew Valve. But on 2/13/08, Chinavare uploaded the data on his USB drive onto his Renew Valve computer. He also altered certain Actuator file documents to reflect Renew Valve in the letterhead.

Computer Forensic Inspection Revealed Widespread Theft & Use

The theft of computer files was later discovered and resulted in Actuator Specialties hiring a computer forensics company to conduct an analysis of digital evidence. Notably, this forensic inspection extended to Chinavare's computers and Renew Valve's computers.

The inspection revealed hundreds of files in the possession of both Chinavare and Renew Valve that belonged to Actuator Specialties. It also revealed a missing or unidentified USB drive that had not been previously disclosed. This USB drive had been inserted into Chinavare's computer and later into four computers at Renew Valve.

After seven days of evidentiary hearings, the trial court issued a preliminary injunction enjoining Chinavare from working at RV or any similar competitor of Actuator Specialties for a three-year period, which was later converted to a preliminary injunction. The entry of this preliminary injunction was appealed by Chinavare only.

Trade Secret Theft Warranted a Three Year Injunction

In analyzing Chinavare's claim, the Court examined Michigan’s Uniform Trade Secrets Act (MUTSA), MCL 445.1901 et seq. Under this statute, Michigan courts are authorized to award injunctive relief for "actual or threatened misappropriation" of trade secrets.

In affirming the trial court's order for injunctive relief, the Court of Appeals noted that Actuator had shown that Chinavare (i) possessed its confidential information; (ii) had downloaded that information onto Renew Valve’s computer system; and (iii) used that information for the benefit of Renew Valve.

The Court further concluded that the evidence showed Renew Valve engaged in questionable behavior that showed a lack of trustworthiness (hiring three former employees away from Actuator at the same time and using portions of a PowerPoint presentation created by Actuator as its own).

Take-Away for Michigan Employees and Employers

It is important to note that this opinion is unpublished, which means it does not have any precedential effect under Michigan law. Accordingly, another court is not required to follow the ruling.

Even so, this opinion may provide persuasive authority for another court and, therefore, there are a number of significant issues that individuals and companies on both sides of the employment fence (e.g., companies whose employees are departing and companies making new hires) should consider in relation to trade secrets and protecting competitive business interests:

  1. First, for departing employees don't misappropriate company information. For employers of newly hired employees, don't encourage and don't allow misappropriated information to be used in your company. Such misappropriation may open the door for asserting computer fraud claims like those under the Computer Fraud and Abuse Act. And if you violate this rule, don't try and cover it up. Computer forensics - 11 times out of 10 (intentional hyperbole) - will uncover some type of "digital fingerprint" that will often point to unauthorized access of digital information. Covering up, i.e., deleting such evidence will often result in spoliation and sanctions, which is never a good thing. 
  2. Second, the Court of Appeals opinion in Actuator Specialties assumes without discussion that information taken met the statutory definition of "trade secret." Presumably, however, trade secret status was established at the trial level and it was not challenged on appeal. But "trade secret" designation should not be assumed by either side. In defending companies and employees against trade secret misappropriation claims, I've had success in showing that information does not rise to the statutory definition of trade secret or that the party claiming trade secret protections failed to take the appropriate steps to maintain trade secret protections.    
  3. Third, when it comes to new hires, a recommended practice for employers is to have the new employee confirm, in writing, that he or she is not subject to any noncompete agreements that would restrict the employee from accepting a position. But the Actuator Specialties case illustrates that more effort may be required of employers when it comes to new hires. Such efforts may include confirming a new hire has not improperly taken any information belonging to a former employer and making it clear that it is against company policy to use any such information. Upon learning that these efforts have failed, the new employer must promptly respond in order to limit its liability for trade secret misappropriation.
  4. Fourth, employers should follow the example set by Actuator Specialties. Specifically, shortly after the individual defendants terminated their employment on, an owner of Actuator Specialties - either by design or out of caution - made the strategic decision to investigate what, if any, company data may have been accessed or taken prior to its former employees departing. The results of this investigation provided the ammunition for Actuator Specialties to pursue its claims of trade secret misappropriation.
  5. Fifth, William Hazlitt wrote: "Wit is the salt of conversation, not the food." Similarly, Michigan employers should consider using the Michigan Trade Secret Act to prohibit former employees from working for competitors as the salt of a company's intellectual property protection plan, not the food. In other words, employers must bolster their chances of successfully protecting their competitive advantages and intellectual property by strategically using noncompete agreements (sometimes referred to as covenants not to compete) to protect against unfair competition by former employees. One reason for this point is that properly drafted noncompete agreements will provide broader protections than are available under Michigan's Uniform Trade Secrets Act alone.

Here is a link for additional recommendations and best practices for protecting company information from misappropriation or feel free to contact me about implementing a trade secret protection program, pursuing a trade secret/unfair competition claim, or defending against such claims.

Tis the Season to Tech the Workplace Halls - Managing Employee Owned Technology Devices

Nothing captures the meaning of the Holidays (it is surprising how many winter festivals/holidays one could choose from or - cynically speaking - could use to develop a religious discrimination claim) more than the giving and receiving of gifts, especially tech gadgets. And this invariably means employers will ring in the new year with an influx of new technology devices, e.g., iPads, tablets, smart phones, etc., coming into the workplace.

For companies, it is important for their IT managers, CIOs and other company leaders to make informed decisions when it comes to determining the best way to manage the influx of these tech gadgets into their organizations.

Workplace Technology Use Policies

Employee owned devices should be addressed in a Workplace Technology Use Policy. Such a policy will cover the full range of issues at the intersection of technology and employee issues, such as email use, social media policies, and Internet use.

But before an employer chooses to address employee-owned technology devices, it is important for employers to understand and evaluate the benefits and risks in order to ultimately determine what makes the most sense for the business.

In regard to risks, a few areas that come to mind that employers should consider include the following: 

  • Illegal Software & Violation of Software Licenses: Regardless of what the hottest device happens to be this season, it is always a good time for employers to remind their employees that non-company software cannot be introduced (uploaded or downloaded) onto company property without the express written approval of an appropriate manager and that all such software must be properly licensed and registered for the company's use within the terms of any applicable licenses. 
  • Handling Company & Customer Information: Employers must determine and enforce how company or customer information will be treated. If employers allow such information to be transmitted between the company and employee owned devices, it is imperative that employers and employees exercise a great degree of caution in securing and handling all company and customer information. It is also a good practice to have some sort of audit trail so that the company will know who has what and when. This type of access information will also come in handy if an employer needs to later prove an employee misappropriated company assets on his or her way to working for a competitor. At the very least, employers should require employees to secure their technology devices with strong passwords and to encrypt all company data stored on employee owned devices.
  • Not all Data is Created Equal: It is also important for employers to educate employees as to what company data will not be permitted to be transferred to employee-owned devices. Consider, for example, that regulations governing certain types of data, such as health information protected under the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA's Security Rule, require that electronic protected health information (EPHI) be treated in certain ways. Additionally, many industries have regulatory obligations that require certain data, such as personally identifiable information, to be encrypted.
  • If Nothing Else, Encrypt the Data Before it Leaves the Company: Even if there are no legal or regulatory requirements for data to be encrypted, employers should insist that any company data transferred to an employee owned device must be encrypted. One reason for this requirement is that many data breach laws, including Michigan's data breach law, contain specific exemptions and protections for businesses if there is a data breach of encrypted data. In other words, if an employee owned device is lost or stolen, a company may limit or outright avoid the need for costly breach notifications if the customer information was encrypted.

Conclusion

Implementing a company technology use policy comes down to balancing business, legal, and practical considerations. Specifically, IT-management policies with rigid parameters regarding what devices are acceptable for corporate use will often provide the most protection to the business. But the broad appeal and adoption of tech gadgets by officers, managers, and employees make such a rigid approach unfeasible. But these two competing interests must be resolved with an understanding of the applicable risks and legal requirements. 

Criminal Indictment for Failing to Report Child Pornography

I previously discussed an employer's obligation for reporting child pornography found on company IT resources. See What Should an Employer Do if Child Pornography is Discovered in the Workplace. One of the recommendations made in that post was to report child pornography to law enforcement, "no exceptions."

The importance of following this recommendation was recently highlighted by the indictment of a Kansas City, Missouri Bishop for failing to report hundreds of images of alleged child pornography on a priest's laptop.

Specifically, Father Ratigan was charged with three state child pornography counts earlier this year. The indictment claims that Bishop Robert Finn learned of these images in December 2010, but failed to report them to the police until May 2011. 

The Take Away for Employers

This indictment is an unfortunate reminder for any employer responding to the discovery of child pornography in the workplace that careful consideration must be given to the employer's legal obligations for reporting such conduct.

For a comprehensive overview of points that should be considered and discussed with competent legal counsel, see the recommendations provided here.

 

 

Employees: The Weakest Link in the Company Data Security Defense

Last week I had the opportunity to present at the 2011 Thomas M. Cooley Law Review Symposium's Who's Mining Your Business: Privacy Infringement and Profits. The Law Review members, spearheaded by Dayana Echeverry, put together a phenomenal program. It was a great opportunity to share the stage with an incredible panel of Internet privacy and data mining thought leaders, specifically Dick De Veaux, Chris Clifton, and Andreas Weigend. Also, Professor Derek Witte did a great job (as usual) moderating the event.

Here is a copy of my presentation, which focused on Information Protection and Privacy Law for businesses (PDF).

While the overall focus of the seminar was on consumer data mining and the applicable regulatory and legal landscape, here are a few important points relevant to employers and employees.

Michigan Data Breach Notification Statute 

Michigan, like most states, has a data security breach notification law. This law imposes certain obligations on businesses if there is a breach of "personal identifying information" ("Personal Information"). Personal Information is statutorily defined, but it includes information commonly collected by businesses in the ordinary course of operations, such as name, contact information, social security number, place of employment, mother's maiden name, a person's account password, or credit card number.

Under Michigan's data breach law, one trigger for notifying consumers of a data breach is the access and acquisition by an unauthorized person of unencrypted or unredacted computerized data or of encrypted data if there was also unauthorized access to the encryption key. MCL 445.72. The cost of failing to comply with the notification provisions of Michigan's data breach statute is $250 for each failure to provide notice, with cumulative liability not to exceed $750,000. MCL 445.72(12).

In terms of national numbers, the nonprofit Identity Theft Resource Center identified over 360 data breaches that have occurred through September 2011. These breaches involve cumulatively over 13 million records.

Employees are often the Cause of Most Data Breaches 

When it comes to security breaches, employees are often the weakest link in a company's data security defense. In fact, the majority of breach investigations I've been involved with trace back to employee mistakes - usually inadvertent mistakes. This anecdotal evidence is also consistent with reported breaches. Consider for example, the following:

  • Aetna discovered on May 28, 2010 that a file cabinet containing individual health information was not cleaned out before it was given to a vendor for removal. The documents inside the file cabinet contained the individual health information of approximately 6,372 individuals, including names, addresses, zip codes, dates of birth, and social security numbers of Aetna's members.
  • Blue Cross & Blue Shield of Rhode Island reported on April 6, 2010, that it had inadvertently donated a filing cabinet to a non-profit organization on December 20, 2009, that contained approximately 12,000 members' protected health information. This information included names, addresses, telephone numbers, Social Security numbers, and Medicare identification numbers.

Again, these examples, like many others, are human and process failures - not technology failures.  

Recommendations for Preventing Data Breaches

Businesses are a prime target for casual and organized hackers because they often maintain troves of consumer data. To guard against data breaches it is important to be proactive and not reactive. A few points that businesses should consider include: 

  • Develop, implement, and test the data breach response plan. That plan should identify a response team and tasks each member is responsible for once a breach is discovered;
  • Educate and train all employees who have access to Personal Information about best practices for protecting this data while in their possession and on the appropriate use and transfer of this information. Updates on information security best practices and the latest threats should be provided on a regular basis; and  
  • Assess what information the business organization possesses and only retain data that serves a business or legal purpose. Properly secure the data to be retained with respect to industry acceptable standards and legal requirements. And properly dispose of information that will no longer be retained.

A complete data security protocol is beyond the scope of this post. It should, however, be developed in collaboration with internal IT professionals, executive management, and legal counsel. But a significant cornerstone of this protocol must focus on educating and training employees on best practices for handling consumer data.

What's the Harm in a Little Workplace Porn? For Starters, Unemployment Benefits.

A recent denial of unemployment benefits in Berglund v Industrial Technology Institute (7/21/2011) offers important insight for both employers and employees when it comes to accessing Internet pornography in the workplace and technology use policies.

Overview of Michigan Unemployment Benefits

Under Michigan law, an employee is disqualified from receiving unemployment benefits if he or she is discharged or suspended for “misconduct connected with … work." MCL 421.29(1)(b). Employers bear the burden of proving misconduct. And normally this is a high burden to meet because "misconduct" must evince a "willful or wanton disregard of an employer's interest as is found in deliberate violations or disregard of standards of behavior" that an employer has the right to expect of its employee. Carter v MESC, 364 Mich 538, 541, 111 NW2d 817 (1961). 

Willfulness can be shown by an employee’s conscious violation of an important, well-known employer policy or rule, particularly if the employee has been warned previously about such a violation. 

The Initial Denial of Unemployment Benefits

In the Berglund case, the hearing referee made an initial determination that the discharged employee, Mr. Berglund, was guilty of misconduct and, therefore, denied him unemployment benefits. The Michigan Employment Security Commission Board of Review upheld the denial of unemployment benefits. 

The misconduct consisted of evidence presented by the employer that:

  • Mr. Berglund visited a number of inappropriate web sites, including "teenagecheerleaders.com," "sextelevision.net," and other sites involving swimsuit models and Victoria's Secret;
  • These sites contained images of scantily dressed females, nudity, and other images considered pornographic;
  • Mr. Berglund admitted to receiving and keeping emails that were pornographic and that he "might have" instructed his computer to access a site like sextv.com; and
  • In an eight hour day, records reflected approximately 3½ to 4 hours were spent by Mr. Berglund visiting these types of sites.

The Denial of Unemployment Benefits is Reversed

The Employment Security Commission Board of Review's decision, however, was reversed by the Wayne County Circuit Court. In reversing this decision, the Court noted that the employer did not present any evidence that Mr. Berglund violated an employer policy or technology use policy in accessing these sites. Further, there was no evidence that the employer directed Mr. Berglund not to view such sites.

The Circuit Court also noted that there was no evidence that Mr. Berglund's accessing any sites negatively affected his work performance. Additionally, the Court noted that personal use of work computers was allowed by the employer. 

The Denial of Unemployment Benefits is Reinstated

When the issue of Mr. Berglund's unemployment benefits reached the Michigan Court of Appeals, it reinstated the Michigan Employment Security Commission Board of Review's decision to deny unemployment benefits. Interestingly, the Court touched on the idea that accessing websites of the type at issue can lead to spam, pop ups, and cookies, which can impair a network and, therefore, harm the interest of the employer: 

An employer has an interest in maximizing the capability of its network. An employee who deliberately accesses websites that hinders the work network's capability harms the interests of the employer.

Under the Court's reasoning, this "harm" also supported a finding of misconduct. 

The Take Away

Certainly no one would seriously argue that accessing pornographic websites or other sites of a sexual nature falls into the category of a "good career move." But this case illustrates the considerable range of opinions that can be reached as to whether such conduct should be the basis for denying an employee unemployment benefits.

Employees

For individual employees, it is critical to follow an employer's computer use policies. It is equally important that, in the absence of such policies or when it comes to "grey areas," common sense be exercised in using workplace resources to access the Internet. And if you are ever uncertain - a good rule of thumb is that accessing pornography sites at work is never a good idea. Further, it should be assumed that your workplace Internet use is monitored.

Employers

First, it would have been much harder for the circuit court to reverse the denial of unemployment benefits if the employer had in place a technology policy that expressly prohibited accessing or displaying any kind of sexually explicit image or document using company resources. This is because there would have been no room for the judgment calls the circuit court made in reversing the denial of benefits.

Second, it is not unreasonable to expect (and in my experience it should be anticipated) that employees use company resources to access Internet pornography or similarly inappropriate sites while at work. For this reason, it is critical for companies to have a policy that expressly puts employees on notice that accessing or displaying any kind of sexually explicit image or document on any company system is not permitted, a violation is subject to discipline, up to and including discharge, and that Internet usage may be monitored to, in part, enforce the policy. 

Third, the argument that cookies, spam, and pop-up ads provided sufficient harm to the employer to justify a denial of unemployment benefits was unconvincing. Such Internet flotsam is present to some degree on all commercial websites and this particular employer did not place any restrictions on accessing any sites for personal use.

Also, any network traffic is going to impact an employer's network to some degree. But to say a cookie, which is simply a text file, will take up sufficient bandwidth to hinder network traffic is a stretch (any network administrators please weigh in on this issue). And this stretch would fall flat if it had been shown that other employees were allowed to access video content or stream Internet music over the company network because both actually devour significant amounts of bandwidth.

A stronger argument would have been to take the position that accessing, downloading, or saving images using company resources that contain sexually explicit material violated the company's sexual harassment policy (assuming the employer had such a policy). Compared with the network traffic argument, it is far more convincing that such conduct approaches the "willful or wanton" disregard of an employer's interest - preventing sexual harassment or a hostile work environment - required for a finding of misconduct that warrants a denial of unemployment benefits.

Computer Fraud and Abuse Act: A Criminal Statute That Extends to the Employment Relationship?

A recent article in the Wall Street Journal, As Criminal Laws Proliferate, More Ensnared (Gary Fields and John Emshwiller), details the increasing number of federal criminal statutes and federal prosecutions - a threefold increase over the last 30 years. The article attributes - in part - this upward spiral to the criminalization of issues generally considered more appropriate for civil lawsuits.

The Computer Fraud & Abuse Act

The Computer Fraud and Abuse Act ("CFAA"), discussed in the preceding article, is a prime example of a criminal statute increasingly applied to civil matters and especially to matters arising in the context of the employment relationship. 

In fact, a federal judge, in dismissing CFAA claims against a former employee for excessive Internet/Facebook use, echoed concerns similar to those raised in the WSJ's article:

The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives" ....

Despite the original "design" of the CFAA as a primarily criminal statute, now anyone "who suffers damage or loss ... may maintain a civil action ... to obtain compensatory damages and injunctive relief or other equitable relief." 18 U.S.C. § 1030(g). The CFAA lacks a "specific intent" requirement, which simply means that a violation does not require a person to intend to wrongfully access and cause damage. Instead, criminal and civil liability are essentially based upon accessing or obtaining information from a protected computer without authorization.

But "access without authorization" has become such an elastic concept that the statute has been applied to a number of common employment scenarios:

The Take-away

Reasonable people can certainly debate the appropriateness of applying a federal criminal computer hacking statute to employment related disputes. But the bottom line is that a computer engineer who decides to copy some interesting source code "just in case" he needs it at his next job, or the budding entrepreneur who downloads a customer database in preparation to start a competing business, or any number of situations where an employee accesses an employer's computer "without authorization" may form the foundation for imposing liability under the CFAA. 

Former Employee Gets a Free Pass for Deleting Evidence in Employment Dispute

A recent employment termination turned litigation offers important lessons for employers and employees when it comes to preserving computer information maintained on company issued laptops and related equipment.

In Larkin v. Trinity Lighting, Inc. (PDF) (S.D. Miss. Apr. 20, 2011), Larkin was employed by Trinity as a salesperson and provided a company laptop, desktop computer, and an external hard-drive.

He was terminated and Trinity directed Larkin to return all of these devices. Larkin complied ... sort of. He returned the devices, but not before deleting all of the files (approximately 111,384 files).

Larkin then filed suit against Trinity alleging it failed to make bonus payments. Trinity filed a counterclaim asserting, among other claims, that Larkin breached his fiduciary duty and engaged in fraudulent activity during the course of his employment, including fraudulently altering a bonus structure.

Trinity sought to compel Larkin to pay the costs associated with the restoration of the deleted computer evidence, which was estimated to cost between $8,000 and $10,000 to restore a portion of these files (the retrievable user-created files deleted after Larkin's termination).

Trinity argued that Larkin had actual knowledge that he was not to delete these files and that he did so in anticipation of the impending law suit because the files contained evidence of Larkin's breach of fiduciary duty and fraudulent activity. In further support, Trinity pointed to the fact that Larkin consulted with an attorney prior to the deletion of the files.

Larkin admitted that he deleted the files. But he contended that he did not anticipate that litigation would be filed and that he consulted counsel solely for the purpose of negotiating severance pay. Thus, Larkin contended that he had no duty to preserve the computer files.

In deciding the issue, the Court accepted that Larkin committed spoliation (destroyed evidence that should have been preserved due to the litigation), but declined to impose sanctions. In assessing sanctions, the Court focused on the following factors: (1) The degree of fault of the party who altered or destroyed the evidence; (2) The degree of prejudice suffered by the opposing party; and (3) Whether there is a lesser sanction that will avoid substantial unfairness to the opposing party.

While factors one and three seemed to clearly weigh in favor of Trinity, the Court, in a conclusory fashion, noted that Trinity had not ultimately been deprived of any information, as the information was "apparently retrievable" and Trinity could retrieve it at its cost.

The Take Away for Employers and Employees

The Duty to Preserve Evidence and When this Duty Arises

Larkin obtained a good result - he avoided paying a $10,000 computer forensic bill - but that does not necessarily mean he made a good decision. In fact, I'm surprised the Court did not impose sanctions against Larkin in light of the undisputed facts: A former employee admitting to deleting all files - company and personal - from the company owned computers after being advised to return all such property - computers and files - against the backdrop of a dispute over a lot of money (court filings indicate over $200,000). 

The right decision would have been to understand the duty to preserve evidence: A legal duty exists to preserve information under the control of a party who reasonably knows or can reasonably foresee such information being material to a potential or pending legal dispute. This duty may arise under statutory authority, case law, court procedural rules, or the inherent authority of the court. 

The threshold for preserving evidence is "reasonable anticipation," which most frequently arises after a lawsuit has been filed, and a party receives service of the complaint or counterclaim. For non-parties, the duty often arises upon being served a subpoena or deposition notice, which provides express notice of pending litigation. But courts also have concluded that a duty to preserve evidence may arise prior to litigation, when a defendant or non-party receives pre-litigation communications or once it becomes reasonably certain that an action will be filed. 

Computer/Technology Use Policy

Providing company issued laptops and computers to remote employees like Larkin is commonplace. Consider that eighty-two employers in Fortune's 2011 list of "100 Best Companies to Work For" offer telecommuting opportunities to employees. Further, a survey by the Society for Human Resource Management found that 84% of organizations offering telecommuting provide company laptops and desktop computers to their employees (page 18).

Regardless of whether your company offers a formal telecommuting program, it should have a computer/technology policy restricting the deletion of any company files and the personal use of employer provided computers, including the saving and storing of non-work, personal information.

Trinity, however, made no reference to such a computer/technology use policy to eliminate or undercut Larkin's stated reason for his mass deletion: He did not have enough time to delete only personal files and information. My assumption is that Trinity did not have such a policy in place. Whether such a policy would have changed the outcome is uncertain. But it is certain not having a policy did not help Trinity's position. 

Targeting "Excessive" Social Media Use as Violation of Computer Fraud & Abuse Act Misses the Mark

A Computer Fraud and Abuse Act (CFAA) claim against a former employee based on "excessive Internet usage," including visiting Facebook, was recently dismissed by a Federal District Court in Florida.

Specifically, in Lee v. PMSI, Inc., the former employer claimed Wendi Lee engaged in "excessive Internet usage," visited "personal websites such as Facebook," and sent and reviewed her "personal web mail account." PMSI filed the CFAA claim after Ms. Lee sued for pregnancy discrimination.

Before shooting down PMSI's CFAA claim, the Court set the stage by noting:

The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives" .... Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the Internet instead of working.

Against this backdrop, the Court quickly picked apart PMSI's claim:

  • First, a critical element for a CFAA claim involves "unauthorized access." PMSI, however, expressly admitted that it knew of Ms. Lee's excessive computer/Internet usage while she was employed and never terminated her authorization to use her work computer. 
  • Second and building upon the preceding point, PMSI made no reference to any express computer policy that Ms. Lee violated. Instead, the employer compared Ms. Lee's computer usage to two other employees in her department and argued that this discrepancy transformed acceptable Internet usage into a violation of the Computer Fraud and Abuse Act.
  • Third, another required element is a loss in excess of $5,000. PMSI argued "dubiously" (court's description) that Ms. Lee caused PMSI "financial losses in excess of $5,000," due to her lack of productivity. The Court flatly rejected the argument that "loss" under the CFAA should include lack of productivity.
  • Fourth, obtaining or altering information on a protected computer is also a required element. But Ms. Lee accessed her Facebook, personal email, and news websites, i.e., information not on PMSI's computer system. Thus, Ms. Lee never "obtained or alter[ed] information" on a "protected computer." 

Practical Considerations in Applying the Computer Fraud and Abuse Act to the Employment Relationship

From a practical perspective, one estimate has over 116,010,760 Americans on Facebook. Facebook itself estimates having over 500 million active users with 30% of this consisting of U.S. residents. Taking these numbers at face value, a recent survey identified that 77% of workers who have a Facebook account use it during work hours.

So following PMSI's logic and only considering Facebook (as opposed to other non-work web browsing), at any given moment a significant number of American employees are violating a criminal statute while accessing Facebook at work. This remains true even if the number of Facebook users is lowered to account for those who are not employed. And if you include accessing and monitoring March Madness or Fantasy Football stats on employer time, well, I would have to exercise my Fifth Amendment rights against self-incrimination.

The Take Away for Employers and Employees

The bottom line is that the CFAA is a criminal statute focused on hacking of computers for criminal purposes, e.g., stealing information or destroying functionality. This statute also includes a civil provision applicable to certain situations. But as the Lee Court appropriately noted, employers and their attorneys should not fall into the lazy reasoning that the CFAA's civil provision is applicable to the regulation of private sector employment relationships:

Extension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary.

There are certainly compelling factual situations where a Computer Fraud and Abuse Act claim against a current or former employee falls squarely within the scope and purpose of the statute. And Courts have reached a range of results favorable to employers when it comes to such claims involving employee/employer related facts. PMSI's CFAA claim, however, does not come within a gunshot of falling in that range.

Computer Fraud and Abuse Act Continues to be Potent Weapon Against Disgruntled and Departing Employees

A recent opinion from the Ninth Circuit Court of Appeals (PDF) confirms that the Computer Fraud and Abuse Act (essentially a federal computer hacking statute) continues to be a significant resource for employers to protect against the loss and damage of mission critical information due to departing or rogue employees.

To add the Computer Fraud and Abuse Act ("CFAA") to your tool-box, however, requires careful planning and potentially retooling your company's computer use policy. 

This is because in the context of the employment relationship, a violation of the statute turns on whether an individual "intentionally accesses a computer without authorization" or "exceeds authorized access." 18 U.S.C § 1030(e)(6). The CFAA defines "exceeds authorized access" as accessing a "... computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The CFAA does not define the phrase "without authorization," and courts have reached conflicting interpretations of both of these phrases when it comes to the employment relationship.

Acting adversely to Employer's Interest May Trigger Computer Fraud and Abuse Act Violation

Some Courts take an employer friendly approach and recognize that "unauthorized" or "exceeding authorized" access is established if an employee accesses the employer's computer for a purpose adverse to the employer’s interests, i.e., violates a duty of loyalty. A common fact pattern in these cases involves an employee obtaining company or proprietary information from the employer's computers for use in a competing venture or on behalf of a competitor. Such action has been found to establish "without authorization" or "exceeding authorization" under the Computer Fraud and Abuse Act. See International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (reversing dismissal of CFAA claims where employee went into business for himself and used "scrubbing" software to delete all of the files on his company-issued computer).

The Computer Fraud and Abuse Act is concerned with access, not subsequent use or misuse of information.   

Another line of decisions distinguishes between "exceeds authorized access" and "exceeds authorized use." What this boils down to is that employees are not acting "without authorization" in accessing company information when they have "permission to use" a company network, even if that employee later misuses that information, e.g., to improperly compete against the former employer. See LVRC Holdings LLC v. Brekka (2009). This concept was explained in the case of U.S. v. Aleynikov (2010) where a New York Federal District Court dismissed claims against an employee and overturned his conviction under the CFAA for copying and removing software trading codes. The court reasoned that the statute should be restricted to prohibiting people from "hacking" into a computer system, not the subsequent use or misuse of information.

Violation of Computer Fraud and Abuse Act occurs when an employer's express limitations for accessing company information are violated.   

A third line of cases focuses on an employer's express limitations as to accessing company data/networks. An employee accessing the employer's computer in excess of the express limitations violates the employer's access restrictions, which may include the use of the computer or of the information contained in that computer. This situation was illustrated in the Ninth Circuit's recent opinion in U.S. v. Nosal (2011) (PDF), which concluded:

as long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that.

Take away for Employers

Certainly there is a robust debate as to how the Computer Fraud and Abuse Act should, if at all, be applied to the employer/employee relationship. But there are important steps employers should take to improve the likelihood that, if necessary, the CFAA will be available to protect competitive advantages and defend against unfair competition. 

The most important step is to review the employer's computer use policy and what it restricts. If an employer lacks a computer use policy or it is deficient, then the employer will likely be left to rely upon Citrin and the line of cases where liability under the CFAA depends upon a violation of a "duty of loyalty."

But if you ask me, the reasoning in Citrin and similar cases is inherently unworkable. This is because it overlooks that an employee's authorization to access a particular document on the same computer may change throughout his or her employment (It pains me to say that Citrin got it wrong because it was authored by the venerable Richard Posner, a judge on the Seventh Circuit Court of Appeals and a favorite jurist of mine).  

For example, an employee's access rights to particular information would change if the employee began looking for employment and, in pursuing that alternative employment, accessed such information to assist in the job search - i.e., to refresh the employee's memory about accomplishments or to better describe skills and abilities on a resume or in an interview. Under Citrin, a violation of the CFAA arguably occurred because there was access for reasons adverse to the employer and thereby access without authorization. But if that same employee decided not to seek outside employment and accessed the same information for work related reasons, the employee's interests would again be aligned with the employer and, therefore, access would be authorized.

The better strategy is to make sure the computer use policy expressly restricts employees from using, copying, and accessing any information on the company's computer systems for personal gain. Such a provision allows employers to argue that any access for personal gain is without authorization and thereby keep in play the Computer Fraud and Abuse Act claims without having to resort to Citrin's duty of loyalty reasoning.