Computer Fraud and Abuse Act: An Effective Enforcement Tool

February 6, 2012

Over the last several weeks, I have read a number of articles about the Federal Computer Fraud and Abuse Act (the Act). It was enacted by Congress in 1986, and the Act has been subsequently amended in 1988, 1994, 1996, 2001, 2002, and 2008. The Act was originally intended to reduce the unauthorized hacking of computer systems. The articles I have read indicate the provisions of the Act can be effectively used as a way of protecting an employer’s information concerning its business from a departing employee who may have determined to use that information to his or her advantage. The classic example is where a departing employee may have access to a customer list, but the employer has no written agreement protecting that information and imposing restrictive covenants. In such circumstance, the Act can serve to provide the employer with a means of prohibiting the use of information.

In the insurance setting, I always advise that insurance agencies have written employment contracts with customer service representatives and producers. These contracts should contain restrictive covenants. The type of restrictive covenant I recommend is a “no‑solitication clause.” Essentially, if the Producer/CSR leaves the employ of an agency, the departing employee cannot use information obtained from the agency to solicit agency customers and have their business transferred elsewhere. One of the most valuable assets of any agency is its book of business; and without the benefit of written employment contracts containing restrictive covenants, it is very difficult to protect that asset.

Even where agencies have written employment agreements, many times litigation arises as to whether or not the agreements are enforceable. There have been numerous court decisions over the last 25 years, some of which have favored employers and many of which have favored employees. In light of the constant evolution of the law relating to restrictive covenants, it is virtually impossible for any attorney who drafts any kind of restrictive covenant to absolutely guarantee that a court will enforce the covenant in each and every circumstance. It is against this backdrop that I consider the implications of the Act. I think the Act adds an important tool to the tool chest held by an agency that seeks to protect and preserve its book of business. That tool chest contains many such tools. Written employment agreements containing a reasonable no‑solicitation clause are perhaps the most important tool. In addition, there are other tools that can provide assistance to the employing agency.

If the information is a “trade secret,” it is protected as a matter of law. Unfortunately, it is my view that most of the information in an insurance agency dealing with customer lists, lists of prospects, expiration dates, etc., does not meet the definition of a trade secret under applicable provisions of law. That is a defined term; and in order to constitute a trade secret, certain prerequisites have to be established. Unfortunately, most agencies have not established these prerequisites. If the information is not a trade secret, then what else can be utilized?

There is a Wisconsin Statute, Sec. 943.70, which sets forth various computer crimes. One such crime is where an individual willingly, knowingly, and without authorization copies data from a computer system. I am aware of at least one instance in the State of Wisconsin where a departing producer utilized the agency’s computer system to print off a customer list. The district attorney subsequently prosecuted that departing producer; and was successful in convicting that producer of a computer crime, i.e., theft of data. The Wisconsin Statute is a criminal statute, and there is a question as to whether or not any kind of civil relief can be granted. The statute does allow an “aggrieved” party to obtain injunctive relief prohibiting the disclosure of information. However, the statute is silent as to the recovery of damages due to a prior disclosure or use. This is where the Act may provide significant assistance to the agency in question.

The Act specifically authorizes a private cause of action in a civil lawsuit. To bring a civil claim, a party must: (i) establish one or more of the enumerated “categories of misconduct” set forth in the Act; and (ii) satisfy the “damage or loss” requirement. Assuming these are satisfied, the party may obtain compensatory damages and/or injunctive relief. There are a number of “categories of misconduct.” The Act can be violated when a person intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conducted involved is an interstate communication. A “protected computer” is virtually any computer that is connected to the Internet. The Act also contains an intent‑to‑defraud element, which has been interpreted to mean that the agency need only establish that the departing producer participated in dishonest methods to obtain agency information. The final element is that the unauthorized access of the computer resulted in damage of at least $5,000. This loss is defined as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data or programming. In other words, if an agency had to hire a computer consultant to see what the departing producer had done to the computer system, the cost would count towards the $5,000 threshold. Loss also includes loss of business and goodwill as a result of the unauthorized access.

Once the requirements of the Act have been satisfied, any person who has suffered the damage or loss by reason of a violation of the Act can maintain a civil action against the person violating the Act to obtain compensatory damages and injunctive relief. There is a two‑year statute of limitations in bringing actions.

With respect to preserving an agency’s book of business, it is essential every agency have a tool chest providing for effective enforcement tools. The first and foremost enforcement tool is a written agreement containing reasonable restrictive covenants. In addition, the Act provides a way of protecting data that has been taken by a departing employee from the computer system of the agency. In such event, the question would be one of proof as to whether or not the data was, in fact, removed or copied. Where proof exists, the Act will be an effective enforcement tool.

To subscribe to email alerts from Axley Law Firm, click here.

For more information about "Computer Fraud and Abuse Act: An Effective Enforcement Tool," contact Timothy D. Fenner at tfenner@axley.com or 608.283.6733.