CFAA – Confidentially Yours or Mine?

Confidentially, how good is your NDA –  the Non-Disclosure Agreement you have your employees sign periodically? For the time being, it appears better to be in New England to protect your private data where the U.S. 1st Circuit Court of Appeals has upheld legal protections under federal law. In the Pacific Northwest –  the 9th Circuit Court of Appeals, with worse weather, data protection is under a cloud. We key in today on the Computer Fraud and Abuse Act (CFAA) providing for criminal and civil penalties for an employee “knowingly and with the intent to defraud” accessing “a protected computer without authorization, or exceeds authorized access, and by means of such conduct” furthering “the intended fraud and obtains anything of value.” As Massachusetts Lawyers Weekly (MLW) reported  a 9th Circuit decision that damaged an arrow often used by employers to target employees who use confidential information from company computer systems.

The value of a claim under the act is that injunctive relief may be available to stop former workers from using improperly accessed information for their own benefit and to the detriment of the employer, said Amy K. Jensen, a  San Francisco attorney

“That may give the employer some recourse” when a contract claim may not, Jensen said. (Kimberly Atkins – MLW 6/7/2012)

The U.S. Court of Appeals for the Ninth Circuit made employer lawsuits more difficult in their circuit with its United States v. Nosal decision. The Ninth Circuit decided that an employee, when accessing information in a computer, does not violate the CFAA when he or she violates an employer’s computer use restrictions.  We note, by the way, that it was the CFAA that caused much criticism of its abuse by the U. S. Attorney in the prosecution of MIT hacker Aaron Swartz who was indicted under the Act when he sadly committed suicide.  Some brand the Act a notoriously broad statute enacted by Congress seemingly to criminalize use of a computer out of proportion to many offenses.

As Harvard Law School Internet scholar Lawrence Lessig has written for The Atlantic: “For 25 years, the CFAA has given federal prosecutors almost unbridled discretion to bully practically anyone using a computer network in ways the government doesn’t like.”

If you are an employer in the New England area, however, the 1st Circuit Court of Appeals concluded that contracts creating restrictions may serve as the basis for claims for “damage or loss” meeting the $ 5,000 threshold under the CFAA.  It granted the employer the right to sue under the act when employees use  access it for improper purposes in violations of the NDA they signed while at their former employer. EF Cultural Travel v. Explorica Inc, 274 F.3d 577 (1st Cir., 2001)

The CFAA provides for criminal and civil penalties against an employee who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

Penalties for violating the CFAA include fines and imprisonment, with the term varying with severity and number of violations with a maximum length ranging from a year to many years in the most severe cases.

The Fourth Circuit recently asked the Supreme Court to review recent cases and help define the law. The U.S. Supreme Court’s denial of certiorari, basically meaning that it was not ready to look at it, has left the scope in cyberspace! While New England certainly favors employers for the time being, other circuits are not so protective of data but more so of individuals.  We will closely watch the CFAA in the future.

Massachusetts has its own criminal access statute but with penalties of 30 days in jail or a $ 1,000 fine. See G. L. Ch. 266, Sec. 120F, Unauthorized access to computer systems.

DISCLAIMER: All content that appears on this blog or on the website does not constitute legal advice. Thus the materials in this advisory should not be relied upon in making decisions about your personal situation. Every person’s situation is unique and the appropriate legal advice depends upon the facts of your situation. You should seek competent, professional legal counsel from a lawyer, such as Attorney Morse, to learn about your specific case and your available options. This Blog/Web Site is made available by the lawyer or law firm publisher for educational purposes only, as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Web Site publisher. The Blog/Web Site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

About Larry

Attorney Morse represents individual and business clients throughout Massachusetts some remotely. He handles a variety of employment matters, negotiating employment agreements, severance agreements, confidentiality and non-disclosure language to protect trade secrets, etc., and resolving disputes. He assists businesses and partnerships at all stages through sale or dissolution. He helps clients in the purchase and sale of businesses and as an adviser to closely held corporations & limited liability companies.
This entry was posted in Business Law and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *