Companies constantly worry about the security of their confidential and proprietary business information. It is not uncommon for a departing employee to download or otherwise take with him or her information that could be very useful to a competitor. Employers try to protect against this misappropriation of their business information through written agreements with employees, or civil claims under state trade secret protection laws.
A new decision from the Ninth Circuit Court of Appeals suggests that federal criminal law may provide a powerful deterrent against such activity. In U.S. v. Nosal, the defendant left employment and helped start a competing venture. His employer discovered that the defendant transferred source lists, names and contact information from his employer's computer database prior to his departure. The Department of Justice prosecuted him under the federal Computer Fraud and Abuse Act (CFAA).
The defendant contended that CFAA does not apply to situations where an employee has authority from the employer to access the electronic information allegedly misappropriated. The statute was primarily intended to prosecute computer hackers who access systems without authorization. The Ninth Circuit rejected this contention, reinstating the indictment.
The court concluded that CFAA applies to situations where the authorized user exceeds such authorization by accessing the employer's electronic information in violation of use restrictions. In this case, the employer went to great lengths to secure its proprietary database, and to communicate to employees the extent of authorized use of the information.
The possibility of federal criminal prosecution presents a powerful tool for responding to employees who misappropriate confidential electronic business information. However, in order to build a case under the CFAA, employers will need to demonstrate clear and communicated policies regarding the extent of authorization for employees to access and use such information. This can be done through some combination of written agreements with employees, and clear computer use and confidential information policies. Computer security standards should also reflect the access and use limitations imposed by the employer.