Here at the Law Office of Vincent Miletti, Esq. and the home of the #UnusuallyMotivated movement, we take pride as a resilient and dependable legal services firm, providing such services in both a traditional and online, web-based environment. With mastered specialization in areas such as Employment and Labor Law, Intellectual Property (I.P.) (trademark, copyright, patent), Entertainment Law, and e-Commerce (Supply Chain, Distribution, Fulfillment, Standard Legal & Regulatory), we provide a range of legal services including, but not limited to traditional legal representation (litigation, mediation, arbitration, opinion letters, and advisory), non-litigated business legal representation and legal counsel, and unique, online legal services such as smart forms, mobile training, legal marketing, and development.
Still, here at Miletti Law®, we feel obligated to enlighten, educate, and create awareness about how these issues and many others affect our unusually motivated® readers and/or their businesses. Accordingly, to achieve this goal, we have committed ourselves to create authoritative, trustworthy, & distinctive content. Usually, this content is featured as videos posted on our YouTube Channel https://www.youtube.com/channel/UCtvUryqkkMAJLwrLu2BBt6w and blogs that are published on our website WWW.MILETTILAW.COM. With that, the ball is in your court and you have an effortless obligation to subscribe to the channel and sign up for the Newsletter on the website, which encompasses the best way to ensure that you stay in the loop and feel the positive impact of the knowledge bombs that we drop here!
As the authoritative force in Employment Law, it only seemed right to introduce one of the many upcoming series where we remain persistent in introducing a variety of topics, which will look to not only educate but also deliver in a sense that only Miletti Law® can. In this regard, this blog is Part XVII of our series on “Cybersecurity Measures to Protect Employers.” In Part XVI, we hammered on “Identifying the Lost, Stolen, and/or Misappropriated Trade Secrets,” another vital thing any employer should do following a trade secret data breach in their businesses. One crucial thing we mentioned is that every employer should implement and adopt structured and advanced systems for identifying, valuing, and protecting their trade secrets. Furthermore, they should find it crucial to define and know their trade secret(s), the value that those trade secrets have for their businesses, and, consequently, identify any that may have been misappropriated following a trade secret data breach. With this concluding our discussion on the three things every employer who has encountered a trade secret data breach in their businesses should take, we have now switched gears and focused on the benefits of bringing claims under the Computer Fraud and Abuse Act (CFAA) in this blog and Part XVII of the series.
The Value/Benefits of Bringing Claims under the Computer Fraud and Abuse Act (CFAA)
Any employer whose computer network or system has been accessed and damaged by an authorized individual may bring a cause of action through a criminal statute known as the CFAA and pursuant to 18 U.S.C. § 1030. Through the provisions of this statute, an employer is empowered and given a chance to assert a claim against a former or current employee who has accessed a business computer(s) or network system(s) and steals or misappropriates confidential information and/or trade secrets.
However, the ability to make a successful claim depends on a number of factors, including, but not limited to the judicial district in which an employer is located and the relevant facts of the situation. Generally, most jurisdictions require the loss caused by an employee to be valued at a minimum of $5000 for an employer to be able to assert a claim under this criminal statute. Pursuant to 18 U.S.C. § 1030(e)(11), “loss,” which includes any cost incurred, revenue lost, or other resulting damages incurred due to interrupted service(s) and all costs an employer would incur to respond to a data breach incident, assess the level of damage, and/or restore information, systems, programs, and data to their original condition before the incident took place, entails any reasonable cost to any victim.
Employers may also benefit by bringing a claim under the CFAA because before certain courts and under some circumstances, they may be able to assert that the damages provided for under the statute should include costs associated with forensic examinations or litigation processes.
When bringing a claim under the CFAA against a former employer and/or their new employer for having stolen and/or misappropriated trade secrets, an employer should ensure that the following are included in the claim:
- A protected computer used in interstate commerce was accessed without permission by the employee
- The loss/damage caused by the employee’s misconduct amounts to at least $5,000
- The employee acted in violation of their duty of loyalty to the former employer and, by accessing the information without authorization, violated the policies set by the employer
- The employee exceeded their authorization and was definitely not authorized to access the information and computer in question-and-
- Where applicable, a forensic examiner was hired with the aim of investigating, assessing the extent of damage/loss, and attempting to recover the information and data that the employee wrongfully destroyed (if the employee attempted to disguise and conceal the misconduct by using a computer wiping or data destruction software) or accessed and stolen.
The “Scope of Liability” under the CFAA Narrowed after Van Buren v. United States Case
Federal circuits in the U.S. have, for several years, been split as to whether the CFAA could be deployed against authorized users who use any misappropriated information for unauthorized purposes or only against unauthorized users and hackers of electronic systems. For example, while they have considered actual criminal activity or true hacking to impute liability to a perpetrator, a strict approach to the CFAA has been adopted in the Second and Ninth Circuits. However, this is not applicable to employees who, by virtue of their employment, access confidential information.
On the contrary, while they have permitted employees who obtain confidential information by accessing a system without prior permission by the employer or by exceeding their “authorized access” to be sued under the CFAA, some circuits, such as the Seventh Circuit, have taken a broader approach to how the statute may be deployed. In fact, an employee who breaches the duty of loyalty is considered to have engaged in “unauthorized access” in the Seventh Circuit. While the decision has broadly impacted the deployment of the CFAA against employees by employers to defend against unauthorized access activities, the scope of liability was narrowed via the Supreme Court’s decision in the Van Buren v. United States case, particularly concerning the CFAA’s prong of “exceeds authorized access.” This goes without mentioning that after this decision, employers should not claim that an employee has violated the CFAA for accessing a computer accessible to them in an attempt to obtain information though through improper motives.
In Part XVIII, we shall switch gears and hammer on what the statute of limitations of the Computer Fraud and Abuse Act (CFAA) is in our blog titled “The Computer Fraud and Abuse Act’s Statute of Limitations.”
Until then, stay tuned for more legal guidance, training, and education. In the interim, if there are any questions or comments, please let us know at the Contact Us page!
Always rising above the bar,
Isaac T.,
Legal Writer & Author.