Using the Computer Fraud and Abuse Act to Protect Employers’ Information

All employers are faced with the risk of employees misusing their work computers: not only can employees waste time watching sports, checking and updating social media, and navigating through inappropriate and unsecure websites, but there is also the risk of employees accessing files without authorization and even obtaining confidential information to compete against or disparage the employer. Employers are not helpless in facing these issues. Under the Computer Fraud and Abuse Act, employers have the right to maintain a civil action against employees who obtain “anything of value” from the employer’s computer. This right is available to employers even if the information obtained by the employee does not rise to the level of a trade secret, or the employer is unable to prove conversion. Thus, under the Act, employers are entitled to economic damages, injunction, or other equitable remedy that would otherwise not be available to them.

Among other things, the Computer Fraud and Abuse Act, prohibits “accesses[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further the intended fraud and obtain anything of value.” Some courts have interpreted “exceed[ing] authorized access” broadly to include violations of restrictions on use of the information an employee is allowed to access. For instance, one court has held that a Social Security Administration employee exceeded authorized access, by obtaining personal records of 17 individuals for nonbusiness reasons even though the employee was authorized to access those records. Another court found that a bank employee exceeded authorized access by providing a third party with customer account information (which the employee was allowed to access). Another court found that the actions of a former employee who deleted files in an employer-provided computer before returning the computer to employer could aptly be described as exceeding authorized access.

Some courts have limited the application of the Computer Fraud and Abuse Act to violations of access restrictions, rather than use restrictions. In California, a federal court suggested that the broad application of the Act could make the Act applicable to millions of employees, who violate employers’ use restrictions every day. Such broad application makes employees guilty of committing a federal crime.

Nevertheless, the Computer Fraud and Abuse Act is a powerful tool for employers to protect important electronic assets and information. Therefore, employers should consider posting, or including in employee handbooks or “Computer Use” policies that violations of computer use restrictions could result in a criminal prosecution. This would not only put employees on notice, but might deter employees from misusing the employer’s electronic assets. Should an employee not be deterred from misusing the employer’s computers, the employer may then seek an injunction as well as economic damages, even if the information obtained by the employee does not qualify as a trade secret.

For more information regarding the Computer Fraud and Abuse Act and/or any questions regarding protection of trade secrets or other confidential information, please contact Frank J. Coughlin, Esq. at (714) 558-7886.