The CFAA and its Application to the Electronic Workplace

October 24, 2008

America’s economy is rapidly changing from a manufacturing-based economy to a knowledge-based one, a change that’s sometimes referred to as the “electronic revolution.” One of the key features of the new American workplace is the increasing use of electronic technology, which has led to a number of changes in the law that directly address employers’ rights to protect their computer data.

While many employees are respectful of their employer’s interests in maintaining safe computer data, there are unfortunate situations in which disgruntled or departing workers have inflicted damage on a company’s computer infrastructure, erasing valuable files, misappropriating trade secrets, or actually going so far as to intentionally infect the computer system with viruses. That conduct can result in devastating financial losses and significant disruption to a company’s operations. The Computer Fraud and Abuse Act (CFAA) provides you with a powerful tool for combating employees’ inappropriate actions.

CFAA basics
The CFAA is a federal statute originally enacted in 1984 to protect government computers from attacks by “outside” computer hackers. Through a number of amendments, the Act now provides civil remedies for damage to any “protected computer,” including any “computer used in interstate or foreign commerce or communication.” That change and others significantly expand the reach of the CFAA and the protection it provides employers. Today, employers are increasingly invoking the protections of the statute in lawsuits involving employees who have destroyed or damaged the company computer system or data stored on it.

The CFAA creates a private legal claim when someone:

  1. Intentionally accesses a computer without authorization or exceeds his authorized access and thereby obtains information from any protected computer;
  2. Knowingly, and with the intent to defraud, accesses a protected computer with authorization or exceeds authorized access and by means of such conduct furthers the intended fraud and obtains anything of value;
  3. Knowingly causes the transmission of a program, information, code, or command that intentionally causes damages, without authorization, to a protected computer; or
  4. Intentionally accesses a protected computer without authorization and, as a result, causes damage.

Under those provisions, the CFAA prohibits an employee from accessing a computer or system without authorization and forbids conduct that “exceeds authorized access.” Under the CFAA, “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in a computer that the accessor is not entitled to so obtain or alter.” The law’s provisions, viewed separately or together, have empowered employers with strong statutory remedies when employees damage or otherwise take action to impair the integrity of computer data. Damages under the CFAA are limited to economic damages.

Applying the law
The CFAA can be used both offensively and defensively if you have a dispute with a former employer. It’s critical to understand that employers themselves often face liability for CFAA violations that are committed by employees who violate the law while working within the course and scope of their employment. Aside from that, however, the CFAA can provide you with leverage against employees who are suing or threatening to sue your company. While the destruction of computer data can lead to a claim against an employee for breach of the duty of loyalty, the CFAA imposes additional restrictions on employees who act to impair the integrity of company data and simultaneously provides for federal jurisdiction over the dispute.

Violations of the CFAA can also provide “after-acquired evidence” that may cut off your liability for front pay under various antidiscrimination statutes. That’s why it’s important to immediately sequester and examine a former employee’s computer if he has threatened or actually instituted litigation. His computer may contain valuable information to support a claim under CFAA, providing you with leverage in any resulting litigation.

Bottom line
The CFAA is one of many legal tools that protect employers against employee misconduct. As technology continues to advance and infiltrate the workplace, it’s critical to implement clear and objective policies that define access to, authority for, and restrictions on the use of your computers and computer data. You should also implement very clear policies that govern employee use of the e-mail system and access to the Internet, along with the retention and destruction of electronically stored information.

Those policies, coupled with the protection provided by the CFAA, create a defense in those rare and unfortunate situations when an employee leaves the company on bad terms and destroys valuable computer data in the process.

To subscribe to email alerts from Axley Law Firm, click here.