BreachExchange mailing list archives

The cyber threat from within: the computer fraud and abuse act as a weapon against theft of confidential information by departing employees


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Jul 2015 09:02:47 -0600

http://www.lexology.com/library/detail.aspx?g=b9fa422c-cb94-49b3-9763-457c971cc33b

Almost daily, we hear about cyber attacks on big businesses and government
agencies. But the attacks are not isolated to the big entities. Your
business’s most valuable trade secret information more than likely resides
in an electronic database that is vulnerable. Yet the greatest threat to
that database may come from within: your own employees.

It is easy to move electronic files, and in a fluid economy in which your
employee may have an opportunity to jump ahead by joining a competitor, the
temptation to take data for use in future employment may be particularly
strong. Historically, many employers have relied on employment contracts to
protect confidential information and trade secrets. Unfortunately, too
frequently, these contracts are drafted so broadly with respect to the
sections aimed at protecting confidential information that those provisions
are of limited value at best.

The good news for employers (at least those who can bring suit in federal
courts in the Seventh Circuit) is that they have another, and arguably more
powerful, weapon against theft of trade secrets and other confidential
information. It is the Computer Fraud and Abuse Act, 18 U.S.C. § 1030
(2004) (“CFAA”).

Making a CFAA claim

The CFAA essentially punishes anyone who accesses a computer without
authorization to take various unlawful actions, such as stealing or
deleting information stored on the computer. Although the CFAA was
originally enacted to punish remote computer hackers, it is increasingly
being used by employers as a way to pursue departing employees — and their
new employers — who steal or delete information before departing or access
it after they leave.

To state a claim under the CFAA, the plaintiff-employer must show that the
departing employee accessed a “protected computer” (i.e., one that was used
to access the Internet) without authorization and took, deleted or
performed some other action with respect to information stored on that
computer. The Seventh Circuit has held that access is unauthorized for the
purposes of the CFAA if the employee acts contrary to the employer’s
interest.

For example, employers have brought suits under the CFAA against departing
employees who stole information from employer computers to use in a
competing business or who deleted incriminating information from employer
computers before departing. Remedies available to the plaintiff-employer
include injunctive relief and monetary damages, as stated in 18 U.S.C. §
1030(g).

There are several benefits of bringing a claim under the CFAA in addition
to or instead of traditional contract and trade secret theories of
recovery. First, the plaintiff-employer does not need to establish that the
stolen information constitutes a “trade secret” under applicable state law
to prevail under the CFAA. The misappropriated or deleted information may
be confidential to an employer and not be protectable as a “trade secret”
under state law, and yet the employer can still prevail under the CFAA. For
example, under Illinois law, client lists and customer contact information
typically do not amount to trade secrets because the information can be
discovered from sources outside the company.

To prevail under the CFAA, the employer does not need to rely on a
non-disclosure agreement to establish a claim. Employee restrictive
covenants, including non-disclosure agreements, may pose challenges to
enforcement, especially when the consideration for such agreements is
supported exclusively by at-will employment. But the duration of a
departing employee’s employment is irrelevant to CFAA claims.

Proactive protection

Technological advances have made stealing electronically stored information
easier. Fluid employee mobility has increased the frequency of theft and
deletion of information by departing employees. Forewarned is forearmed,
and employers may be able to combat theft or damage inflicted by employees
on their way out by reminding employees of the consequences of conduct that
would violate the CFAA.

Employers need to take measures to cut off access to their databases and to
preserve evidence for a reasonable period of time. In other words, do not
rush to pass on the departing employee’s laptop or desktop computer — you
may corrupt evidence of the departing employee’s theft or misconduct.
Employers should be aware of all of their legal remedies, including the
CFAA, when faced with a departing employee who steals confidential
information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/