The Computer Fraud and Abuse Act (“CFAA”) is a federal statute that that can be used to protect your company’s proprietary information from theft or disclosure by current and former employees in addition to the federal Defend Trade Secrets Act and parallel state statutes.
CFAA claims have the advantage of being easier to prove than trade secret misappropriation claims. The CFAA can apply to unauthorized access, theft, or destruction of a wide range of computerized company information beyond trade secrets.
The CFAA applies when there has been: 1) unauthorized access of a protected computer; 2) by a person intending to obtain information, facilitate a fraud, or damage the computer or its data; 3) causing loss exceeding $5,000 or more.
Civil CFAA claims have a two-year statute of limitations period, and federal courts have not settled whether the clock starts running when the injury occurs, when the injury is discovered, or when both the injury and identity of the actor are discovered. It would be prudent to file the claim as soon as possible.
The federal circuits are split on the definition of “without authorization.” The 4th and 9th circuits would require an employee’s authorization to be revoked and won’t apply the CFAA to instances where an employee abuses otherwise legitimate access to company files. The broader position adopted by the other circuits holds employees can be liable for later misuse of computerized information under general principles of agency law, and a breach can occur when an employee accesses a computer for a purpose contrary to their employer’s interests. Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000); NCMIC Finance Corp. v. Artino, 638 F. Supp.2d 1042, 1057 (S.D. Iowa 2009). Some courts also hold that a breach of a contract regulating a person’s access to a computer also constitutes “unauthorized access.”
Congress expanded the definition of protected computers to those “used in interstate or foreign commerce or communications” in 1996, so just about any company computer will qualify. Loss includes “reasonable cost to any victim,” including costs of responding, damage assessments, and restoration of the data or system along with any lost revenue, costs, or other damages caused by an interruption in service.
Advantages of CFAA claims over trade secret claims include:
- Plaintiffs do not need to show the information taken or disclosed was a “trade secret” or reasonably protected from disclosure, which can be a time consuming and expensive process.
- The CFAA is primarily a criminal statute, and there is an underlying threat of criminal penalty for the same civil conduct that may facilitate early settlement.
- The injury occurs when the information is accessed or taken, and there is no need to show the information was later given to a competitor.
- Because of the fewer proof requirements, the CFAA may provide a quicker means to obtain preliminary injunctions preventing further use or disclosure of company information.
The chief disadvantage of the CFAA compared to trade secret statutes is that damages are more limited. The CFAA allows for compensatory and injunctive relief, but in many circumstances recovery will be limited to economic damages. In contrast, the Defend Trade Secrets Act and state statutes allow for possible injunctions, royalties, damages for loss, unjust enrichment, and in some cases exemplary damages. As such, it makes the most sense to use a CFAA claim as a supplemental claim in a trade secret misappropriation case. But where a defecting employee takes company information, the information does not qualify as a trade secret, and that information could still be used to harm your business, your company may still be able to protect itself and seek relief using the CFAA instead.
For additional information on Cyber Law issues, contact one of our experienced Sioux City attorneys, Sioux Falls attorneys, or Omaha attorneys. For more articles like the one above, check out our Cyber Lawyer blog!