Proposed cybersecurity legislation would protect employers from information theft by departing employees, if a policy prohibits such conduct
Congress appears receptive to passing toughened cybersecurity legislation this session. (Politico) One early proposal would help employers protect themselves from departing employees who access their work computer system and download confidential, proprietary information for future use at a new competing employer.
The federal Computer Fraud and Abuse Act (“CFAA”) creates a cause of action against a person who, knowingly and with intent to defraud, accesses a protected computer without authorization, or “exceeds authorized access,” and by means of such conduct, furthers the intended fraud. Courts have disagreed on whether the “exceeds authorized access” provision covers employees who access a work computer, which they have permission to use, to download confidential information for future improper use. Associate Deputy Attorney General James Baker from the Justice Department testified last week that the DOJ favors legislation that would unambiguously prohibit such conduct, if it violates clearly defined workplace rules or a contractual agreement with the employer prohibiting such actions.
“Employers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose,” reasoned Baker.
The proposed legislation also would make CFAA offenses predicate offenses under RICO. Because both RICO and the CFAA contain civil components, the new legislation could create expanded causes of action for employers against departing employees who steal confidential, proprietary information. Obviously, it is too early to predict if this toughened cybersecurity legislation will be passed, but we will continue to monitor and report developments.