A company can recover damages from its former employee in connection with his hacking into its payroll system to inflate his pay, accessing its proprietary files without authorization and hijacking its website, a federal court ruled. Tyan, Inc. v. Yovan Garcia, Case No. CV 15-05443- MWF (JPRx) (C.D. Cali. May 2, 2017).

The Defendant worked as a patrol officer for a security company. The company noticed that its payroll system indicated that the Defendant was working substantial overtime hours that were inconsistent with his scheduled hours. Upon further investigation, the company learned that that the Defendant accessed the payroll system without authorization from the laptop in his patrol car. When the company confronted him, the Defendant claimed a competitor hacked the payroll system as a means to pay him to keep quiet about his discovery that the competitor had taken confidential information from the company. A few months later, shortly after the Defendant left the company, the company’s computer system was hacked and its website was hijacked. The company later filed suit against the Defendant alleging he was responsible for the hack and the hijacking.

Following a bench trial, the court concluded the Defendant had used an administrative password the company had not given him to inflate his hours in its payroll system. The court also found the Defendant hijacked the company’s website and posted an unflattering image of the company’s owner on the website. In addition, the court found the Defendant engaged in a conspiracy to steal confidential files from the company’s computer system by accessing it remotely without authorization and destroyed some of the company’s computer files and servers.

The court concluded that the aim of the conspiracy in which the Defendant was engaged was twofold: first, to damage his former employer in an effort to reduce its competitive advantage; and second, to obtain access to those files that gave his former employer its business advantage, and use them to solicit its clients on behalf of a company he started. The court also found that by accessing the company’s protected network to artificially inflate his hours and by participating in the conspiracy to hack the company’s systems, the Defendant was liable for violations of the Computer Fraud Abuse Act, the Stored Communications Act, the California Computer Data Access and Fraud Act, and the California Uniform Trade Secrets Act.

As a result of Defendant’s misconduct, the court awarded the company $318,661.70 in actual damages, including damages for the inflated wages the company paid the Defendant, the cost of consultant services to repair the damage from the hack, increased payroll costs for time spent by employees rebuilding records and databases destroyed in the hack, the resale value of the company’s proprietary files, and lost profits caused by the hack. The court declined to award punitive damages under the California Uniform Trade Secrets Act, but left open the possibility that the Plaintiff may recover its attorneys’ fees at a later date.

Take Away

Companies are reminded that malicious insiders, in particular disgruntled former employees, with access to areas of the system external hackers generally can’t easily access, often result in the most costly data breaches.

Steps should be taken to mitigate insider threats including:

• Limiting remote access to company systems
• Increased monitoring of company systems following a negative workplace event such as the departure of a disgruntled employee
• Changing passwords and deactivating accounts during the termination process