Employers have typically used several legal theories in actions against disloyal former employees -- copyright infringement for copying copyrighted code, trade secret misappropriation where the employee misuses or discloses confidential information or trade secrets, and possibly breach on a non-competition covenant.



Now, there's another theory derived from the federal Computer Fraud And Abuse Act -- a claim based on unauthorized access to the employer's computers or network. Do these claims actually hold up in court, and what can employers do to lay a foundation for a successful claim in the future?

The Computer Fraud And Abuse Act (CFAA)

Originally, the CFAA was intended to focus on hacking into US Government and financial industry computers and networks. However, since its passage the scope of the CFAA has been broadened and extended several times:

1984 - civil remedies added (extends coverage from just federal prosecutors to private litigants with private lawsuits); 1996 - broadened to cover "protected computers" (any computer in interstate commerce, i.e. connected to the Internet); and 2001 - broadened to cover any computer outside the United States that communicates within the United States.

Two elements must be proved to establish a violation of the CFAA:

* intentional access of a protected computer without authorization (or which exceeds authorized access);

* which causes damage of at least $5,000.

The term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter. This is tailor-made for employers to use against disloyal employees who access a computer for improper purposes.

Early CFAA Cases Against Disloyal Employees

Early civil cases against disloyal employees focused on the "exceed authorization" element in the context of former employees who accessed a former employer's databases for purposes of competing in a new venture.

One good example of such a case is EF Cultural Travel BV v. Explorica, Inc., a 2001 case in the 1st Circuit Court of Appeals. In EF Cultural Travel, the employer claimed that the former employee breached a confidentiality agreement by accessing and scraping the employer's site for pricing information. The employer prevailed.

Later CFAA Cases

On the issue of "exceed authorization", some later cases have allowed recovery against disloyal employees on the basis that the employee's conduct conflicted with a company policy, and therefore exceeded authorization. Other courts have held for the former employees, provided that their access was "authorized" at an earlier time, but later became unauthorized after employment teminated. So, the law is not yet settled on the meaning of "exceed authorization".

Two 2008 cases, American Family Mutual Insurance Co. v. Rickman and Cohen v. Gulfstream Training Academy found for the employee based on the failure of the employer to prevail on the damages issue. In both cases, the employees had accessed their former employer's computer system and copied files. In the American Family case, the court held that to recover the employer must establish damage to a computer system or interruption to a computer service. In the Cohen case, the court similarly held that the employer must show loss or damage related to an interruption of service.

Conclusion

The earlier cases under the CFAA against disloyal employees were virtual slam dunks for employers. The damages element was relatively easy to prove and courts were lenient regarding the interpretation of "unauthorized access".

Later cases are split on the issue of "unauthorized access", and they also have raised the bar for employers regarding the damage element.

Despite recent decisions favoring employees, the CFAA remains a viable tool for employers to use against disloyal employees. Given the split of authority regarding "unauthorized access", employers are advised to draft clauses into their confidentiality agreements with employees that clearly define what access is authorized and what is unauthorized, and the precise time when authorized access becomes unauthorized). Such a clause may be very persuasive in a civil case under the CFAA later.