When employees, especially sales people, have access to various electronic devices, databases, and documents from an organization, at what point does a company have a right under the federal Computer Fraud and Abuse Act (CFAA) to bring a case against an exiting employee for computer fraud?
The CFAA gives broad authority to employers to take action to regain the data from computers, whether it’s the employers’ or the employees’ computer. The CFAA has both civil as well as criminal penalties.
In the case of Royal Truck & Trailer Sales & Service, Inc. v. Kraft, No: 19-1235, (6th Circuit Court of Appeals, 9/9/20) Royal employed Mike Kraft and Kelly Matthews as a part of the company’s sales team. In conjunction with their employment, they received a copy of Royal’s employee handbook. With respect to the use of company equipment, the handbook prohibited a range of conduct, including: personal activities; unauthorized use, retention, or disclosure of any of Royal’s resources or property; and sending or posting trade secrets or proprietary information outside the organization. Royal also had a cell phone “GPS Tracking Policy.” In accordance with that policy, “[e]mployees may not disable or interfere with the GPS (or any other) functions on a company issued cell phone,” nor may employees “remove any software, functions or apps.”
The two abruptly resigned to go to a competitor. After they left, Royal investigated the activities of the two and found they had accessed confidential company information from their company-issued computers and cell phones and then utilized the information in violation of company policy.
Specifically, Royal discovered in the course of an investigation that Kraft forwarded from his Royal email account to his personal one quotes for two Royal customers as well as two Royal paystubs. Kraft also contacted one of Royal’s customers through Royal’s email server to ask the customer to send “all the new vendor info” to Kraft’s personal email account. With that, Kraft then deleted and reinstalled the operating system on his company-issued laptop, rendering all of its data unrecoverable. Eventually, Royal officials went to Kraft’s home and took possession of the laptop as well as Kraft’s company-issued cell phone.
Matthews did something similar. From her Royal email account, Matthews sent to Kraft’s personal email account a Royal “Salesperson Summary Report” that contained confidential and proprietary sales information. She likewise forwarded an email from her Royal account to her personal one that contained customer pricing information. And as Kraft did with his company laptop, Matthews reset her company-issued cell phone to factory settings, rendering all data on the phone unrecoverable. Matthews then returned her company-issued laptop and cell phone to Royal’s corporate headquarters and resigned, announcing her resignation more broadly through social media by sharing a link to a video of Johnny Paycheck’s hit song, “You Can Take This Job and Shove It.”
Royal engaged a forensics expert at considerable cost to reestablish what was taken and sued Kraft and Matthews under the CFAA.
To prove a case under the CFAA, Royal has to prove that: (1) Defendants intentionally accessed a computer; (2) the access was unauthorized or exceeded Defendants’ authorized access; (3) through that access, Defendants thereby obtained information from a protected computer; and (4) the conduct caused loss to one or more persons during any one-year period aggregating at least $5,000 in value. Specifically, the issue before the court was the second element: “whether Defendants’ access was unauthorized, or whether Defendants exceeded their authorized access when they sent Royal’s confidential information from their work devices to their personal email accounts.”
First, the court stated that as employees their access was authorized. So, the question became whether they exceeded their authority. The court then stated that it was not exceeded, and Royal did not contest it was. The court noted that Royal does allege that Kraft and Matthews later misused the information they accessed. Although, the Court stated that CFAA does not reach that conduct.
The court recognized that its decision is in conflict with those from the First, Fifth, Seventh, Eighth, and Eleventh Circuits, all of whom have more broadly interpreted “exceeds authorized access.” Those courts recognized that the misuse of data does rise to the level of “exceeds authorized access.” Further, the 6th Circuit danced around the issue of Kraft and Matthews deleting data from their work devices. The court stated that Royal failed to allege properly that data was deleted from a computer, and the phone was not identified as a computer.
It is likely that the Supreme Court will hear a case to better define the terms of the CFAA with the courts in conflict. Therefore, it is important that HR review their protected work devices with their legal counsel to assure that not only unauthorized access is defined to include the taking the of company data for personal use and gain (as opposed to calling it a misuse of data) but to have an expanded definition of “computer” to include cell phones and other devices with a processing unit.