Employers Beware: The Computer Fraud and Abuse Act Is a Sword with Two Edges
By now, most employers are aware of the federal Computer Fraud and Abuse Act that establishes a claim for civil damages for "intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss." Employers increasingly have used this statute to go after employees who take the employer's proprietary information when they go to work for a competitor or who delete or destroy data kept in the employer's computer database. Although the Act has many technical requirements, most courts, with the notable exception of a recent federal appellate decision out of California, have recognized its use in these employee departure situations, and it has proven an effective litigation tool.
But just as employers can effectively use the Computer Fraud Act, so, too, might employees. As an increasingly common example, many employers now find it convenient to allow employees to use their personal laptops, tablet computers, and smart phones as "dual use" devices for the transmission and storage of company data. When the employee leaves, the employer takes advantage of readily available software to remotely "wipe" those devices to ensure that the employee does not take any company information with him or her or give it to a competitor.
But because the employer may be using software that does not discriminate between the employee's personal information and the employer's information, the employer may be wiping the employee's personal information, such as personal emails, photos, and other documents. Once the deletion occurs, this information ordinarily can no longer be retrieved.
Reading the literal language of the Computer Fraud Act, such an action would appear to give the employee a claim against the employer. This is especially the case if the employee never gave written consent to access his or her personal computer devices to wipe data. Additionally, the employee may also have claims under similar state computer fraud statutes or under state common law for trespass to personal property. If the employee did go to a competitor in violation of a non-compete agreement, the wipe may give him or her a potent counterclaim. Although we are not aware of any cases where courts have ruled directly on point, the language of the federal statute would seem to apply.
So be warned. If your organization routinely remotely deletes information from a departing employee's personal computer devices, you should consider the following steps to avoid possibly violating the Computer Fraud Act:
- Before allowing employees to use dual-use devices to perform work, have them sign a written consent allowing the employer to remotely: wipe the device; monitor the device, including the data stored on and transmitted with it; install security software to manage the device and secure the data stored on it; and copy data to ensure compliance with record retention obligations and litigation hold demands.
- Consider a policy of notifying an employee in writing before wiping his or her device, especially if there is a risk that personal data may also be wiped. In this way, the employee at least will have had a last clear opportunity to back up his or her personal data in the event an inadvertent wiping of personal data should occur.
- Seek security software that allows your company to create a separate, secured area on the dual-use device for the storage of company data by the employee. This software typically allows a company to issue a wipe command to only the data stored in the secured area, leaving untouched the rest of the data stored on the dual-use device.
By taking these steps, you will make it much harder, if not impossible, for the employee to bring a claim against you. But if you fail to protect yourself, you could be subjecting your organization to the sharp edge of the Computer Fraud Act.