When a Former Employee Hacks Your Computers: The Computer Fraud and Abuse Act
When a company terminates an employee, there's often a formal exit process to ensure that the employee doesn't walk out the door with important company property.
For example, the company will take the employee’s key card to ensure that the employee can no longer access the building. The company will ask the employee to turn over all company electronics, such as a cell phone or tablets. Plus, the employee should be asked to return any paper files that may not be at the office.
That's a fairly typical process.
When the termination is planned in advance, HR will inform the IT department to deactivate the employee’s access to the computer system.
But what happens in a smaller company with no IT department or if the termination is sudden and someone forgets to deactivate the employee’s computer access credentials?
And what happens if that employee (let’s call him Frank) uses those credentials to log back into the system after being fired and downloads valuable client lists, even after he signed an exit document representing that he wouldn’t use any login credentials in the future?
There may be certain legal protections in that situation, such as through Frank’s non-compete agreement (prohibiting him from using company information for personal benefit) or even trade secret law.
But one other remedy is through the federal Computer Fraud and Abuse Act or CFAA. 18 U.S.C. § 1030.
Frank may have violated the statute and could face either civil or criminal penalties.
This post will examine the civil remedies in the CFAA. In part two, we will examine the criminal side of things.
Section 1030(a)(5) defines the following as wrongdoing:
Knowingly causing the transmission of information or code that causes damage to a “protected computer”
Intentionally accessing a computer without authorization and causing damage
Intentionally accessing a computer without authorization and causing any loss
Section 1030(g) sets forth the civil cause of action. It permits a civil cause of action by someone who has suffered “economic damages.” The cause of action must be brought within two years of the act causing damage or the discovery of the damage. To bring a cause of action, the damage must be at least $5000.
It's easier to understand the CFAA through the case law interpreting it rather than the statute itself.
Most courts require proof of five elements for a civil cause of action under the statute.
The defendant intentionally accessed a "computer."
The access was without authorization or exceeded authorization.
The defendant obtained information through the access.
The information was from a protected computer.
The access caused a loss of at least $5000.
Let's break down each of those elements to see if Frank violated the CFAA and the company has a civil cause of action.
First, we need to show that Frank’s access was intentional. This is usually a simple matter. The company could show that Frank used his login credentials to access the computer. A forensic analysis of the company's computer system can likely reveal the IP address from which the access occurred and help prove that Frank was the person who used the credentials.
Second, the company would have to show that Frank accessed the company’s computer system without authorization. There are two possible ways to show lack of authorization, either lack of permission or misuse of authorization. The federal courts are split as to whether the “misuse” of authorization (or exceeding authorization) is actionable.
Here, Frank lacked authorization. He had been terminated from the company and had been told that he no longer had access to the company's computer system. He also signed a document confirming that fact.
A more complex situation arises when a current employee exceeds her authorization. For example, she can log in to the system, but her job does not permit her to review confidential personnel files. If she accessed those personnel files, she would be “misusing” or “exceeding” her authorization.
But that's not the situation here. We’re keeping it simple for now.
Third, the company would have to show that Frank obtained information through the access. A computer forensic expert could find out what documents were accessed using that login credential.
There would likely be no violation if Frank simply logged in and then logged right back out, maybe just testing to see if his credentials still worked. In our fact pattern, though, Frank not only viewed information (thus “obtaining” it) but he downloaded client information too.
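The log review described under the first and third elements, shown here as an added example that is not part of the original post: it compares access-log entries against the termination date and reports the source IP addresses used and the files viewed or downloaded afterwards. The log layout, account names, timestamps, file paths and addresses are all constructed for illustration.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed HR record: account name -> termination time (UTC).
TERMINATIONS = {"frank": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc)}

# Constructed access log; the column layout is an assumption for this example:
# timestamp, account, source IP, action, object
SAMPLE_LOG = """\
2024-03-01T09:12:44+00:00,frank,198.51.100.7,login,-
2024-03-01T09:20:03+00:00,frank,198.51.100.7,download,/crm/q1_pipeline.xlsx
2024-03-03T22:41:10+00:00,frank,203.0.113.45,login,-
2024-03-03T22:43:55+00:00,frank,203.0.113.45,view,/crm/client_list.xlsx
2024-03-03T22:44:31+00:00,frank,203.0.113.45,download,/crm/client_list.xlsx
2024-03-04T08:02:19+00:00,alice,198.51.100.9,login,-
2024-03-05T01:15:00+00:00,frank,203.0.113.45,login,-
"""

OBTAINING = {"view", "download"}  # actions that expose file contents


def post_termination_activity(log_text, terminations):
    """Summarise, per terminated account, what happened after the cut-off."""
    findings = {}
    for ts, user, src_ip, action, obj in csv.reader(StringIO(log_text)):
        cutoff = terminations.get(user)
        when = datetime.fromisoformat(ts)
        if cutoff is None or when <= cutoff:
            continue  # active employee, or activity before termination
        f = findings.setdefault(
            user, {"logins": 0, "source_ips": set(), "obtained": []})
        f["source_ips"].add(src_ip)
        if action == "login":
            f["logins"] += 1
        elif action in OBTAINING:
            f["obtained"].append((ts, action, obj))
    return findings


if __name__ == "__main__":
    for user, f in post_termination_activity(SAMPLE_LOG, TERMINATIONS).items():
        print(user, "logins:", f["logins"], "from", sorted(f["source_ips"]))
        for ts, action, obj in f["obtained"]:
            print("  ", ts, action, obj)
```

An account that shows logins but an empty `obtained` list matches the log-in-and-log-out case described above.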
Fourth, the company would have to prove that Frank obtained the information from a protected computer. This is a very low bar. The CFAA defines a protected computer as "a computer used in a manner that affects interstate or foreign commerce or communication." 18 U.S.C. §1030(e)(2). The courts have defined a protected computer very broadly. The DC district court has defined it as any computer "hooked up to the Internet . . . including computers that house website servers."
Given this, it’s easy to prove the defendant accessed a “protected computer”.
Finally, the company would have to show that Frank's unauthorized access caused at least $5,000 in loss. This must be economic loss.
The good news for the company is that some courts have interpreted this provision very broadly to include all losses attributable to the defendant's conduct, including expenses of hiring legal counsel and other resources or personnel hours spent on addressing the unauthorized access.
If any of you have hired a computer forensic expert (or a lawyer), then you know that $5000 is an easy threshold to meet.
The tougher question for the company is whether or not it's worthwhile to file a lawsuit based on the CFAA at all. Unless Frank took very valuable information, it may not be worth the effort to file a lawsuit. Instead, the company may decide to contact him to work out a solution that requires him to permanently delete the information and to represent that he will not improperly use it.
The CFAA can be a powerful tool to make sure your former employees follow the rules after they leave. But nothing is as powerful as making sure that they can’t access your computers in the first place.