A 2011 Sixth Circuit Court of Appeals opinion underscores the important role the Computer Fraud and Abuse Act plays in combating disgruntled employees who steal company data. This case also highlights important steps employers should take in protecting company IT infrastructure and digital information from internal threats.

In that case, the former employee worked in the IT department of Campbell-Ewald, a Michigan advertising company. During his employment, the former employee accessed Campbell-Ewald’s computer server and copied confidential computer files belonging to its CEO without authorization.

Campbell-Ewald strategically responded by firing the individual, contacting the authorities, hiring a security investigation firm, and retaining legal counsel. 

The FBI investigated and determined:

  • The former employee had accessed Campbell-Ewald’s confidential files no fewer than twenty-one times after his firing, twice through a Campbell-Ewald server and nineteen times through the email account of another employee, “SM.” 
  • The files the former employee accessed consisted of “confidential pieces of information . . . including executive compensation, financial statements of the firm, goals and objectives for senior executives of the company reporting to the chairman, and some strategic plans.” These files were normally stored on the CEO’s desktop computer but had been moved by the company to its server.
  • The former employee admitted that he had learned of employee SM’s username and password in the course of his employment. While SM had slightly altered his password after the former employee was fired, the former employee was able to guess the new password through trial and error.

The former employee was eventually convicted under the Computer Fraud and Abuse Act, 18 U.S.C.S. § 1030(a)(2)(C) and (c)(2)(B)(iii). The court also awarded the former employer restitution in the amount of $47,565 for private security investigation costs. This decision from the United States District Court for the Eastern District of Michigan was upheld on appeal. 

Protecting Company Information Before it is Compromised

The former employee’s conviction under the Computer Fraud and Abuse Act is significant with respect to a number of legal issues. But for employers focused on preventing a similar IT disaster from happening, the following are important take-away points to consider: 

  1. Computer security is often an “all or nothing” process in that if you miss a single link in your security chain you leave the network vulnerable. Consider implementing the topics in this Employer’s Technology Checklist for Departing Employees to minimize your company’s vulnerable spots; 
  2. Before a theft or a data breach occurs, employers should coordinate with IT, human resources, legal and business units to carefully and critically draft computer/network policies clearly defining the permitted access to sensitive company data and customer information. Further, employees must understand that exceeding their authorized access is strictly prohibited and subject to discipline, including termination; 
  3. Information should be segregated so that employees have access only to data relevant to their jobs and this segregation should be routinely audited to confirm data remains accessible only by those who have a business-related need for access;
  4. Additionally, it is essential to properly draft employment policies to trigger the Computer Fraud and Abuse Act. This is not always possible because courts do not agree on how critical issues such as “unauthorized access” or “exceeding authorized access” under the Computer Fraud and Abuse Act should be applied in the context of the employment relationship. Strategic drafting can greatly increase the chance of having a viable Computer Fraud and Abuse Act claim if an employee compromises or steals corporate data; and 
  5. Properly securing and preserving computer-related evidence must be a top priority in responding to potential computer misconduct. Otherwise, companies run a significant risk of compromising or outright destroying computer evidence, which may result in its exclusion at trial. Consider U.S. v. Khoo (Oregon Dist. Court 2011), where the court excluded computer evidence in a federal criminal matter involving the theft of corporate data (Khoo Order.pdf). The court excluded a forensic image after the company owner inadvertently compromised or tampered with evidence while investigating an employee’s suspicious activity on a company laptop. See Susan Brenner of CYB3RCRIM3 for a full explanation of this case. Also, see this prior write-up about investigating and preserving company computer data with contributions from the Michigan State Police Computer Crime Unit.