A former employee’s accessing a Google Drive he set up for his employer may result in a violation of the federal Computer Fraud and Abuse Act (CFAA). This case also serves as a reminder to carefully evaluate how your company uses any third-party services like Dropbox, Google Drive, etc.

Computer Fraud and Abuse Act Background

The CFAA is primarily a criminal statute focused on combating hacking. It was later expanded to provide civil remedies. Specifically, it grants “[a]ny person who suffers damage or loss by reason of a violation of this section” the ability to bring a civil action “to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). Violating any of the statute’s provisions exposes the offender to both civil and criminal liability.

The CFAA is frequently used against former employees believed to have improperly used or accessed company information. See “Courts Continue to Narrow Application of Computer Fraud and Abuse Act Against Former Employees.”

Accessing Former Employer’s Database

That happened in this case, Estes Forwarding Worldwide LLC v. Cuellar (3/9/17). This case was filed in federal court in Virginia where Estes Forwarding Worldwide LLC alleged its former employee wrongfully accessed and downloaded information from a Google Drive account used in Estes’ shipment and vendor business.

Estes fired Cuellar in February 2015. Cuellar then worked for a competitor of Estes. In May 2016, over one year after his termination, Cuellar accessed the Google Drive account from his home and removed both a recovery phone number associated with the account and a secondary email address on file. This email went directly to Estes. Cuellar also changed the password for the account and created an archive of the spreadsheets it contained.

Later that same day, Cuellar again accessed the account. This time, he accessed the account from his work. At that time, Cuellar downloaded the entire archive he created earlier that morning. The archive was over 1,900 spreadsheets generated by Estes employees. Cuellar then deleted the account.

Distinction Between Personal Account and Business Account

Cuellar moved to dismiss the CFAA claim. One argument he made focused on “authorization.” Cuellar argued that “[w]hen a person provides personal information to register an email account with a service provider like Google or Yahoo, and establishes a password, it is the service provider that authorizes that person’s access to the account and not the employer.”

In other words, Cuellar argued that “[f]or purposes of unauthorized access to the [account] under the CFAA, Estes does not get to create [the] rules [governing authorization]; only the Google Terms of Use can do that.”

To support this argument (and, as discussed below, this point is important for employers), Cuellar cited another case (Hoofnagle v. Smyth-Wythe Airport Comm’n, 5/24/16) in which a former airport worker could pursue a claim that his employer accessed his Yahoo e-mail account without authorization. The Hoofnagle court said that although the plaintiff created the account in part to conduct airport business, he did so with his personal information and used the account for personal use.

The Court rejected this argument. It reasoned that Cuellar, unlike the employee in Hoofnagle, created the account within the scope of his employment with Estes and at its direction. This was not Cuellar’s personal account, and it had never been used by Cuellar or any other employee for personal use.

What Employers Should Do to Protect their Business

For any company that uses third-party services – think Dropbox, Box, Google Drive, etc. – to conduct business, this case should be a wake-up call. This is because the case itself involved a clear-cut issue of wrongful access to a company database by a former employee – Cuellar was terminated in February 2015 and accessed the Google Drive account over a year later without permission.

But the court opinion suggests that a different result may have been reached had Cuellar originally used the Google Drive for personal use in addition to business reasons or if he had set up the account using his personal information. In our experience, both situations commonly happen.

For this reason, your business should immediately audit any third-party data or file sharing services used, officially or otherwise, to conduct business. As part of this audit, you will want to:

  1. Make sure these accounts are in your company’s name. For any account created by an employee or that is in the name of the employee, immediately take appropriate steps to transfer the account or rights to the account;
  2. Confirm the account is used only for your company’s business;
  3. Identify anyone with access to the accounts and data stored in any such account;
  4. Have a written policy specifically advising employees that the information belongs exclusively to the employer, the account and information are to be used only for business, and they may only be accessed for business; and
  5. Make sure an individual’s access to the account is disabled upon termination.

For more information about the Computer Fraud and Abuse Act, and litigating claims under the CFAA, contact attorney Jason Shinn. On behalf of businesses and individuals, Mr. Shinn has brought and defended against CFAA and related trade secret misappropriation issues in federal and Michigan courts.