You terminate an employee. Before you disable that employee’s login password, he downloads sensitive information to take with him. Ideally, that information is encrypted and can’t be read on any outside computer. But you never know what a capable hacker can do and once the information has been taken, the damage might be irreversible. The Computer Fraud and Abuse Act (CFAA) may be one way for employers to recover for their economic harm. Under the CFAA, an employee or former employee may be liable for obtaining information through intentional unauthorized access to the employer’s computer. Generally, if the person intends to defraud the employer and obtains any information worth $5,000 or more within a 1 year period, or causes damage or loss to the computer system, that person is liable for the employer’s economic harm.
Recently at least one California court recognized that CFAA liability does not require circumvention of any technological barriers (i.e. hacking). CFAA liability can arise when an employee or former employee’s log-in information is still functioning, but: 1) the employee has lost permission to access the employer’s systems (i.e. his employment ended), 2) knows he does not have permission, and 3) logs in to obtain information anyway.
The CFAA is not limited to employees or former employees. It extends to contractors and anyone who once had authority to access the employer’s computer system but no longer has that privilege.
Takeaway: The best way to avoid employee theft of data and digital information is to have sophisticated barriers to prevent unauthorized access. It is also a good idea to terminate a former employee’s log-in rights as soon as possible after their employment ends. While prevention is key, it is not uncommon for companies to suffer data breaches at the hands of their employees. If the employer suffers such an employee theft of proprietary information, the employer can recover damages from that employee under the CFAA.
To stay up to speed in this area, check out Fox Rothschild’s Privacy Compliance and Data Security Blog.