In TripleTree, LLC v. Walcker, the employer sued its former employee under the federal Computer Fraud and Abuse Act (“CFAA”) based on the employee’s accessing certain confidential and proprietary information on the company’s database. The employer’s forensic examination of the employee’s computer proved that, in the week leading up to his resignation, the employee accessed sensitive files unrelated to his job, deleted hundreds of files, tried to connect a hard-drive to his work computer, accessed his personal email account from the employer’s secure database, and had his BlackBerry configured to access the employer’s data only four days before his resignation. The CFAA subjects a person who “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from a protected computer” to fines and imprisonment, and establishes a civil remedy for the victim. The employer argued that the employee’s eleventh-hour access was unlawful because the employee manual restricted such access. The trial court disagreed, holding that the handbook proscribed improper uses of data, but not improper access to it. Put simply, TripleTree’s claim failed because the manual did not actually prevent the employee from accessing the information, regardless of how he might have chosen to use the information. This is a critical distinction under the CFAA, because it was amended to make clear that it only regulates improper access of data, not improper use.
The tip to be drawn from this case? Make sure your confidentiality policies specify what access is permitted and what is not, and include a specific trigger that instructs employees that as soon as they accept employment from another employer, they forfeit all rights of access to your confidential data. It’s worth a try in order to gain a step up on computer fraud under the CFAA.