Usually, “Identifying the Lost, Stolen, and/or Misappropriated Trade Secrets” is another vital thing any employer should do following a trade secret data breach in their business. One crucial thing that every employer should implement and adopt is structured and advanced systems for identifying, valuing, and protecting their trade secrets. Furthermore, they should find it crucial to define and know their trade secret(s), the value that those trade secrets have for their businesses, and, consequently, identify any that may have been misappropriated following a trade secret data breach. With this concluding our discussion on the three things every employer who has encountered a trade secret data breach in their business should take, we have now switched gears and focused on the benefits of bringing claims under the Computer Fraud and Abuse Act (CFAA) in this blog post and Part XVII of the series.
The Value/Benefits of Bringing Claims under the Computer Fraud and Abuse Act (CFAA)
Any employer whose computer network or system has been accessed and damaged by an authorized individual may bring a cause of action through a criminal statute known as the CFAA and pursuant to 18 U.S.C. § 1030. Through the provisions of this statute, an employer is empowered and given a chance to assert a claim against a former or current employee who has accessed a business computer(s) or network system(s) and steals or misappropriates confidential information and/or trade secrets.
However, the ability to make a successful claim depends on a number of factors, including, but not limited to, the judicial district in which an employer is located and the relevant facts of the situation. Generally, most jurisdictions require the loss caused by an employee to be valued at a minimum of $5000 for an employer to be able to assert a claim under this criminal statute. Pursuant to 18 U.S.C. § 1030(e)(11), “loss,” which includes any cost incurred, revenue lost, or other resulting damages incurred due to interrupted service(s) and all costs an employer would incur to respond to a data breach incident, assess the level of damage, and/or restore information, systems, programs, and data to their original condition before the incident took place, entails any reasonable cost to any victim.
Employers may also benefit by bringing a claim under the CFAA because, before certain courts and under some circumstances, they may be able to assert that the damages provided for under the statute should include costs associated with forensic examinations or litigation processes.
When bringing a claim under the CFAA against a former employer and/or their new employer for having stolen and/or misappropriated trade secrets, an employer should ensure that the following are included in the claim:
- A protected computer used in interstate commerce was accessed without permission by the employee
- The loss/damage caused by the employee’s misconduct amounts to at least $5,000
- The employee acted in violation of their duty of loyalty to the former employer and, by accessing the information without authorization, violated the policies set by the employer
- The employee exceeded their authorization and was definitely not authorized to access the information and computer in question-and-
- Where applicable, a forensic examiner was hired with the aim of investigating, assessing the extent of damage/loss, and attempting to recover the information and data that the employee wrongfully destroyed (if the employee attempted to disguise and conceal the misconduct by using a computer wiping or data destruction software) or accessed and stolen.
The “Scope of Liability” under the CFAA Narrowed after Van Buren v. United States Case
Federal circuits in the U.S. have, for several years, been split as to whether the CFAA could be deployed against authorized users who use any misappropriated information for unauthorized purposes or only against unauthorized users and hackers of electronic systems. For example, while they have considered actual criminal activity or true hacking to impute liability to a perpetrator, a strict approach to the CFAA has been adopted in the Second and Ninth Circuits. However, this is not applicable to employees who, by virtue of their employment, access confidential information.
On the contrary, while they have permitted employees who obtain confidential information by accessing a system without prior permission by the employer or by exceeding their “authorized access” to be sued under the CFAA, some circuits, such as the Seventh Circuit, have taken a broader approach to how the statute may be deployed. In fact, an employee who breaches the duty of loyalty is considered to have engaged in “unauthorized access” in the Seventh Circuit. While the decision has broadly impacted the deployment of the CFAA against employees by employers to defend against unauthorized access activities, the scope of liability was narrowed via the Supreme Court’s decision in the Van Buren v. United States case, particularly concerning the CFAA’s prong of “exceeds authorized access.” This goes without mentioning that after this decision, employers should not claim that an employee has violated the CFAA for accessing a computer accessible to them in an attempt to obtain information through improper motives.
In Part XVIII, we shall switch gears and hammer on what the statute of limitations of the Computer Fraud and Abuse Act (CFAA) is in our blog post titled “The Computer Fraud and Abuse Act’s Statute of Limitations.”
Until then, stay tuned for more legal guidance, training, and education. In the meantime, if you have any questions or comments, please let us know at the Contact Us page!
Always rising above the bar,
Isaac T.,
Legal Writer, Author, & Publisher.