The California based law firm Littler Mendelson’s Unfair Competition and Trade Secrets Practice Group discussed a recent dismissal of a Computer Fraud and Abuse Act claim brought by a company against its former employee.
The case, Ajuba International, L.L.C. v. Saharia (PDF), involved the U.S. federal court for the Eastern District of Michigan rejecting a broad interpretation of the Computer Fraud and Abuse Act (the “CFAA”).
Littler’s blog post provides a thorough discussion of the facts and procedural background of this case along with further analysis of the reasons that the court used to justify its decision, which I won’t duplicate.
Instead, I’d like to point out that this case highlights three important issues that employers should consider with respect to using the CFAA for protecting trade secrets and other company confidential information.
Overview of Claims under the Computer Fraud and Abuse Act
The CFAA prohibits seven types of “unauthorized access” of computers (See 18 U.S.C. § 1030(a)(1)-(7). Ajuba involved the subsection of this statute that prohibits conduct that often arises in the context of the employment relationship:
- A violation for accessing a protected computer “without authorization;” and
- A violation for “exceeding authorized access.”
Follow this link for additional background on the CFAA and how it has been applied against former employees.
The Michigan Federal Court Limits An Employer’s Use of the CFAA
Returning to Ajuba International, the Court dismissed the CFAA claim against the employer’s former employee because the court reasoned that a violation for “without authorization” only occurs where an employee was never permitted access and a violation for “exceeding authorized access” only occurs if the employer initially permitted access to certain information, but the access of other information is not permitted.
In contrast, the employer initially granted the employee in question “unrestricted access” to its computers that stored information that the defendant former employee later misappropriated.
Take Aways for Employers
In essence, the Court concluded that essentially if a disloyal employee was provided unlimited authority to access the employer’s computer system at the time of the misappropriation, there is no CFAA claim. This is a narrow interpretation of the CFAA, which obviously does not favor employers. But there are steps that employers may take to increase their opportunity for effectively bringing a CFAA claim.
First, company information should be segregated so that employees have access only to data relevant to their jobs. For example, there is no reason a company’s corporate strategy and related strategic plans should be available to anyone who may be employed by the company. This segregation should be routinely audited to confirm data remains accessible only by those who have a business-related need for access.
Second, it is essential to properly draft employment policies to trigger the Computer Fraud and Abuse Act. This is because the Ajuba Court perfectly explains the disagreement as to how critical issues such as “unauthorized access” or “exceeding authorized access under the Computer Fraud and Abuse Act should be applied in the context of the employment relationship. Strategic and careful drafting can greatly increase the chance of having a viable Computer Fraud and Abuse Act claim if an employee compromises or steals corporate data.
Third, if an employer believes it may have a CFAA claim against a former employee for misappropriating company information it is absolutely critical to properly secure and preserve computer-related evidence. Otherwise, companies run a significant risk of compromising or outright destroying computer evidence, which may result in its exclusion at trial.