The federal Computer Fraud and Abuse Act (CFAA) and the Stored Communications Act (SCA) were enacted to protect U.S. businesses and individuals from computer hacking and industrial espionage. In recent years, employers and employees have attempted to use these laws to pursue claims against one another when an employment dispute involves unauthorized access to electronic communications systems. Last month, the Eleventh Circuit Court of Appeals concluded that the CFAA applies to unauthorized access to a corporate email server, even where the employer cannot demonstrate damage to its computer system or interruption of computer service.
In Brown Jordan Int’l, Inc. v. Carmicle, the defendant was an executive of one of the company’s divisions. During a computer server transfer, he used a temporary generic password provided to all employees to access and download emails of company executives and co-workers. After the company’s board of directors learned of this activity, it fired the defendant, and the company subsequently sued him for violation of both the CFAA and SCA. The defendant claimed that his actions did not violate the CFAA because that law requires the aggrieved party to have suffered some loss as a result of the alleged hacking. The Eleventh Circuit disagreed, affirming a bench verdict for the employer.
The court rejected the defendant’s argument regarding loss because the employer paid a consultant to determine the extent of the unauthorized access, and to search the system for other indications of surveillance. Even if the plaintiff suffered no interruption in the use of its system, the costs associated with responding to the offense met the statutory definition of loss. The Eleventh Circuit also rejected the defendant’s argument that he did not violate the SCA because as a member of senior management, he had authority to monitor company emails. The court stated that generic language in the company’s electronic communications policy permitting access to emails by the company did not include the exploitation of a generic password by a single member of management who did not go through any channels before engaging in this conduct.
This case demonstrates how employers can use federal anti-hacking laws to pursue claims against employees and other persons who engage in unauthorized access to their electronic communications systems. In situations where such access is suspected, employers should perform a comprehensive forensic analysis of the employee’s computer use to determine whether their system’s integrity has been compromised.