Willie Sutton, the infamous bank robber, when asked why he robbed banks is credited with responding "Because that's where the money is." In today's market place, the money is in a company's information, e.g., customer lists, pricing, methodology, know-how, research, development, and related proprietary and confidential information. And like the banks in Mr. Sutton's day, companies are increasingly finding they are being robbed of their information by unscrupulous departing employees and competitors. For example, in a recent BusinessWeek article (BW, Feb. 16, 2009), To Catch a Corporate Thief, an employee resigned, but reported his company issued laptop stolen. It turned out this employee had been poached by the former employer's competitor and the stolen laptop was actually the get-away-car for business methodologies, system designs, customer lists, and related proprietary information.
While there are a number of measures companies can take to prevent or otherwise minimize business theft/unfair competition (For a great summary of non-compete considerations click here, Eight Ways to Lost a Non-compete Case), companies that fail to take such steps are left with the unsatisfactory choice of litigation or waiting for a "thank you" card from the benefactor of the competitive advantages you've bankrolled over the years. In regard to litigation, companies have in recent years relied upon the Computer Fraud and Abuse Act (CFAA) to combat the theft of business information. See Adding to the Playbook.
The CFAA creates civil liability under specified conditions. For employers bringing suit against former employees engaged in wrongful conduct, the relevant conditions are generally where someone:
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains- ...
(C) information from any protected computer if the conduct involved an interstate or foreign communication; [or] ...
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ...; [or]
(5)(A)(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage FN2; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.
18 U.S.C. § 1030(a)(2), (4), (5)(A)(ii) and (iii); see also § 1030(g) (providing for civil liability for violations involving certain conduct, including conduct causing a loss of at least $5,000 in value). Thus, paragraphs (a)(2) and (a)(4) apply only if the defendant accesses the computer "without authorization" or "exceeds authorized access," while paragraph (a)(5)(A)(ii) or (iii) applies only if the defendant accesses the computer "without authorization."
There are two schools of judicial thought as to what "without authorization" or "exceeds authorized access" means.
The first approach focuses on the defendant's intent or use of the information in finding liability under the CFAA. See, e.g., International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir.2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124 (W.D.Wash.2000). In Shurgard, the court, in concluding that the plaintiff had stated a claim under paragraph (a)(2)(C) of the CFAA, held that the plaintiff's former employees had acted without authorization when they obtained information from the plaintiff's computers because, under agency law, the employee's authorization terminated when he allegedly became an agent of the defendant competitor during the act. See Shurgard, 119 F.Supp.2d at 1124. In Citrin, the court similarly held that the defendant's authorization to access the plaintiff's computer files had terminated when he violated his duty of loyalty to his employer imposed by agency law. See Citrin, 440 F.3d at 420-21.
In contrast, under the second approach a number of courts have rejected the Shurgard and Citrin courts' reliance on agency law in applying the authorization provisions of the CFAA. These courts generally find that a "without authorization" violation under the CFAA only occurs when initial access is not permitted and an "exceeding authorized access" violation occurs only when the defendant has permission to access the computer in the first place, but then accesses certain information to which he is not entitled. See Condux Int'l, Inc. v. Haugum, (D. Minn. Dec.15, 2008); Black & Decker (US), Inc. v. Smith, 568 F. Supp.2d 929, 933-36 (W.D.Tenn.2008); Shamock Foods Co. v. Gast, 535 F.Supp.2d 962, 963-68 (D.Ariz.2008); Diamond Power Int'l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1341-43 (N.D.Ga.2007); Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377, at *3-4 (E.D.Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4-7 (M.D.Fla. Aug.1, 2006); International Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 498-99 (D.Md.2005).
So what is the take-away for employers?
Returning to Mr. Sutton, he packed a gun -- either a pistol or a Thompson sub-machine gun -- when he robbed financial institutions, noting, "You can't rob a bank on charm and personality." Mr. Sutton, however, reportedly never carried a loaded gun because somebody might get hurt. In contrast (and metaphorically speaking) companies cannot afford to shoot blanks when it comes to protecting business critical information. At the outset, proper and reasonable measures should be implemented for protecting such information. For examples and considerations, click here. However, if when these measures are not sufficient to prevent the theft of business assets, the CFAA is a great resource to have as backup. And even where courts have taken a narrower view of its applicability, proper planning in advance of litigation can provide a solid factual basis for a CFAA claim - just don't plan on relying on charm and personality: It didn't work for Willie Sutton (he spent half his life in prison) and it probably won't work for your company and (certainly not) your attorney.
Jason M. Shinn
Lipson Neilson Cole