Congress Considers Companion Bills That Could Have Far-Reaching Consequences For Companies Facing Trade Secret Theft And/Or Computer Fraud And Abuse

A California legislator recently introduced two bills in Congress which, if passed, could have profound effects for companies seeking to pursue claims relating to trade secrets and confidential information – one bill would create a new private right of action under federal law for trade secret theft, while the other bill would appear to limit plaintiffs’ abilities to pursue existing remedies for computer fraud and abuse.

In its current form, the Economic Espionage Act allows only federal prosecutors to bring criminal trade secrets charges against persons who have stolen trade secrets. On June 20, 2013, however, Representative Zoe Lofgren (a California Democrat representing a district that includes San Jose and Silicon Valley) introduced a bill titled the “Private Right of Action Against Theft of Trade Secrets Act of 2013” (H.R. 2466) which would amend the Economic Espionage Act to add a civil remedy, by adding two new subsections to 18 U.S.C. §1832:

(c) Any person who suffers injury by reason of violation of this section may maintain a civil action against the violator to obtain appropriate compensatory damages and injunctive relief or other equitable relief. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.

(d) For purposes of this section, the term ‘without authorization’ shall not mean independent derivation or working backwards from a lawfully obtained known product or service to divine the process which aided its development or manufacture.

If passed, this proposed amendment could result in a dramatic uptick of trade secrets lawsuits filed in federal courts. Currently, companies pursuing trade secret misappropriation claims are largely limited to state law remedies, and as a result often find themselves limited to state court.

While the Private Right of Action Against Theft of Trade Secrets Act of 2013 would provide additional ammunition against persons who steal trade secrets, a companion bill that seeks to clarify a controversial provision in the Computer Fraud and Abuse Act (“CFAA”) could restrict companies’ ability to pursue claims under the CFAA.

On the same day as the above-discussed amendment to the Economic Espionage Act was introduced, Representative Lofgren co-sponsored a bill (“Aaron’s Law Act of 2013,” H.R. 2454) that would narrow the scope of the CFAA. As stated on Rep. Lofgren’s website, this bill, among other things:

Establishes that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls – such as password requirements, encryption, or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions this bill does not modify.

As we have blogged about previously, when companies sue their former employees under the CFAA, the employees frequently argue that the CFAA prohibits unauthorized access to protected computers, not unauthorized use of those computers and the confidential information thereon. This issue -- the application of the CFAA to alleged employee computer abuse -- is the subject of numerous court decisions across the country, some of which interpret the CFAA’s “without authorization” language broadly, and some of which interpret it narrowly, as former employees commonly urge. The recently introduced H.R. 2454 bill, if passed, would enact as law the narrow, pro-employee view of the CFAA.

While these bills were only recently introduced and have a long way to go before they might become law, their potential consequences for employers and attorneys make them important ones to follow.
 

The "Authorized Access" Issue Under the Computer Fraud and Abuse Act

Earlier this year, Aon Risk Services Northeast Inc. (“Aon”) brought suit in the United States District Court for the Southern District of New York against Marsh USA Inc., Marsh & McLennan Companies, Inc. (together, “Marsh”), and three former employees. In its Amended Complaint, Aon asserted that the defendants transferred a “pre-packaged book of business” to Marsh, primarily by the former employees’ “illegal downloading of Aon proprietary trade secret information.” Aon asserted a claim under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030, against the three former employees, and asserted nine common law claims, including misappropriation of trade secrets, breach of contract and unfair competition, under New York state law against Marsh and the former employees.

The Court issued an Order granting an application by defendants to dismiss all of the state law claims, on the grounds that they are different from and substantially predominate over Aon’s lone federal claim under the CFAA. See Aon Risk Servs. Northeast, Inc. v. Kornblau, 10 Civ. 2244 (RMB), 2010 U.S. Dist. LEXIS 38140 (S.D.N.Y. Apr. 19, 2010). The state law claims were dismissed without prejudice to their renewal in an appropriate forum. On April 23, 2010, Aon re-filed its nine state law claims in the Supreme Court of the State of New York, New York County, Index No. 601058/10.

The three former employees have now moved to dismiss the only remaining claim, under the CFAA. In their brief, they argue that the CFAA claim is deficient because they did not exceed their authorized access to Aon’s computers. The former employees state that the CFAA prohibits unauthorized access to protected computers, not unauthorized use of those computers and the confidential information thereon. This issue -- the application of the CFAA to alleged employee computer abuse -- is the subject of numerous court decisions across the country, some of which interpret the CFAA’s “without authorization” language broadly, and some of which interpret it narrowly, as the former Aon employees urge.

The procedural history of the case so far shows that Aon’s pairing of the CFAA claim with its state law claims -- the gravamen of its Complaint -- has not worked out well. If the CFAA claim was included in order to secure federal jurisdiction over the dispute, it was unsuccessful; the Court’s Order dismissing the state law claims led Aon to commence a second action in state court. While the Court has yet to rule on the former employees’ motion to dismiss the CFAA claim, Aon’s CFAA claim may lack the requisite allegations to withstand the motion to dismiss. If so, Aon’s efforts to go on the offensive against the alleged unfair competitors will result in two setbacks straight out of the gate.
 

Ninth Circuit Disagrees with Seventh Circuit Citrin Case and Holds that the Computer Fraud and Abuse Act Is Not Violated When a Disloyal Employee Accesses Electronically Stored Information for Personal Gain

This week the Ninth Circuit Court of Appeals issued a published opinion rejecting an employer’s argument that its former employee violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, when he emailed company client lists and financial data to himself for personal use. LVRC Holdings LLC v. Brekka, ___ F.3d ___, 2009 WL 2928952 (9th Cir. 2009).

The Seventh Circuit reached the opposite conclusion in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), reasoning that when an employee breaches his duty of loyalty to the employer, the agency relationship terminates and the employee is no longer “authorized” to access the employer’s computer within the meaning of the CFAA.

The Ninth Circuit rejected this statutory interpretation as contrary to the rule that where a statute has both criminal and noncriminal applications, courts should interpret it consistently in both contexts and resolve ambiguity in favor of lenity, avoiding interpretations that are “surprising and novel.” Because the employee in LVRC Holdings was authorized to use the company computer and to access the information, he did not violate the statute regardless of his motivation.

The opinion suggests that the result might have been different if the employer had a policy prohibiting employees from emailing company data to their personal email accounts or requiring employees to return or destroy confidential information upon the conclusion of their employment.
 

How Employers Can Use CFAA to Get Back Laptops

Employers looking to protect their intellectual property and proprietary information, and wondering whether they can punish departing employees who ignore demands to return laptops and other transportable electronic devices that hold such data, may now have a newly invigorated weapon at their disposal — the Computer Fraud and Abuse Act. A recent federal district court decision found that an employer establishes the required “loss” and “damage” elements of a CFAA claim against a former employee by showing that such employees “refused to return their computers” when requested, that such employees “deleted information from their computers,” and that the employer “had to perform a forensic investigation to determine what information was deleted from” these laptops. Because the CFAA provides a statutory claim that applies to all electronically stored information (confidential or not), provides for federal court subject matter jurisdiction and allows for the recovery of a variety of damages and costs, including those related to expert fees, employers and intellectual property owners may find it attractive. For further details and analysis of these issues, see the May 5, 2009 article by Jim Flynn appearing in IP Law 360 and Employment Law 360.