[author: Beth P. Zoller, XpertHR Legal Editor]
Employers should be aware that the Cloud Computing Act of 2012 was recently introduced in the US Congress as an amendment to the Computer Fraud and Abuse Act (CFAA) (2012 Bill Tracking S. 3569). It would aid employers by improving enforcement of the CFAA with respect to cloud computing.
Computer Fraud and Abuse Act
By way of background, the Computer Fraud and Abuse Act (CFAA) prohibits individuals from knowingly or intentionally accessing a computer without authorization or exceeding the authorization provided. It is intended to punish hackers of computer systems and others who damage computer systems and misappropriate confidential and sensitive information about clients and customers without the required approval.
Employers can use the CFAA to bring a claim against an employee for stealing the employer's confidential and sensitive information as well as interfering with or misusing the employer's computer systems. The CFAA permits employers to seek civil damages and also imposes criminal penalties on individuals who access an employer's computer files and systems without authorization in violation of the law.
Proposed Amendment
The Cloud Computing Act of 2012 designates that if the protected computer is part of a cloud computing service, each instance of unauthorized access of a cloud computing account, access in excess of authorization of a cloud computing account, or attempt or conspiracy to access a cloud computing account without authorization or in excess of authorization constitutes a separate offense.
The bill defines the term cloud computing account as information stored on a cloud computing service that requires a password or similar information to access and is attributable to an individual, which may include allowing a customer of the cloud computing service to have multiple accounts. A cloud computing service refers to a service that enables convenient, on-demand network access to a shared pool of configurable computing resources (including networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction by the provider of the service.
With regard to damages, the proposed law provides that if an offense involves a protected computer that is part of a cloud computing service, the damages shall be the greater of either the value of the loss of use of the information or a minimum of $500 multiplied by the number of cloud computing accounts accessed.
Employers should be aware of this development and monitor the bill's progress. Further, if an employer seeks to pursue employees or former employees for misappropriation of proprietary or confidential information, employers should remember that they may also be able to obtain relief through not only the CFAA but also state laws regarding misappropriation of trade secrets and computer offenses.