INSIGHTS

LEGAL AFFAIRS

Protecting sensitive info

How the CFAA applies to theft, misuse of confidential company information
INTERVIEWED BY ADAM BURROUGHS

he high-profile arrest of computer programmer Aaron Swartz for illegally downloading millions of academic journal articles resulted in federal charges against him for violations of the Computer Fraud and Abuse Act (CFAA), which highlighted its use as a broad tool to combat hacking. However, varied interpretations of the CFAA have left businesses guessing when it comes to deciding how best to pursue employees who have used their access to steal and misuse confidential information. Currently, the law can be applied differently depending on your location. A decision in the U.S. Circuit Court of Appeals for the 9th Circuit makes it more difficult to use the law against current employees who have used their access to obtain information for the purpose of misuse. In contrast, courts in other parts of the country have adopted relatively broad readings of the statute, making it a more viable tool in those jurisdictions, says Travis P. Brennan, a litigation attorney with Stradling Yocca Carlson & Rauth. Smart Business spoke with Brennan about the CFAA and protecting sensitive information. What is the CFAA and how is it applied by businesses? The CFAA is a federal, primarily criminal, statute, though it does provide for civil remedies for private plaintiffs when someone accesses a computer without authorization or exceeds authorized access to obtain information. One of the questions presented in several cases involving the statute is: If an individual is authorized to access a companys computer network, does that person exceed authorized access by obtaining information to use for

TRAVIS P. BRENNAN Litigation attorney Stradling Yocca Carlson & Rauth (949) 725-4271 tbrennan@sycr.com SOCIAL MEDIA: To learn more about Travis P. Brennan, visit www.linkedin.com/in/travisbrennan.

Insights Legal Affairs is brought to you by Stradling Yocca Carlson & Rauth

unauthorized or competitive purposes? Some courts have said yes, which turns the statute into a tool to help police improper use of company information, in addition to a tool to help protect against outside hacking. What are the benefits and limitations of this act? Filing a claim under the CFAA gets the case into federal court, which is more often better equipped to handle complex disputes. Plaintiffs also arent required to prove the information accessed rises to the level of a trade secret. However, the remedies under the CFAA are limited. A private plaintiff has to show it suffered a loss of more than $5,000, and in most instances the recoverable loss is limited to the cost of investigating the unauthorized computer access and fixing related data disruption. Thats important to think about when considering if this is a tool that would bring a tangible benefit. How does United States v. Nosal affect the use of the CFAA? That case makes it more difficult to use the CFAA against current employees. The 9th Circuit affirmed a narrower interpretation, in April 2012, when it dismissed criminal counts against employees who accessed information through company-issued passwords while still employed. The

court reasoned that the phrase exceeds authorized access is limited to violations of access, not restrictions on use. Other counts in the case dealt with access by outsiders using stolen passwords to obtain information. Some of those counts proceeded to trial and resulted in a recent conviction. What other tools can companies use to protect their sensitive information? State law governs the protection of trade secrets and other sensitive information. Most states have adopted some form of the Uniform Trade Secrets Act through which companies can get damages and other relief if they can show information taken contained trade secrets. Ultimately, it behooves companies to limit or segregate access to sensitive information and have employees sign clear, written policies. If the agreements are violated, there are contractual remedies, as long as you can show harm from the breach. While the CFAA is worth keeping an eye on, particularly in light of divergent court rulings, in instances where companies have information misappropriated, the first place to look for a remedy is through state law, such as those that govern trade secrets or the relationship between employers and employees.

2013 Smart Business Network Inc. Reprinted from the June 2013 issue of Smart Business Orange County.