Some time ago (March 27, 2009), we wrote a post describing the applicability of the federal Computer Crimes and Abuse Act, 18 U. S. C. § 1030, (the “CFAA” or the “Act”) to unfair business practices cases. The Act provides a federal remedy for anyone who intentionally accesses a protected computer without authorization, or exceeds authorized access, and obtains information or who knowingly and with intent to defraud and in furtherance of the fraud, obtains something of value, unless the only thing obtained is the use of the computer and that use is not valued at more than $5000 in a one year period. An employer owned computer is “protected” under the statute.
It is becoming increasingly common for plaintiffs to use this Act as a vehicle for obtaining access to federal courts where diversity jurisdiction does not exist. As might be expected, a split of authority exists as to whether this statute may be so used, or whether it is intended only to address actions by computer hackers. At the present time, three federal Circuit Courts of Appeals (1st, 5th and 7th), as well as a number of District courts, have adopted a broad view of the statute and allow claims where an employee permissively accesses an employer’s computer system for an improper purpose. A common example is where an employee, who has accepted a job with a competitor or who intends to start a competitive company, copies proprietary electronic data from his employer’s system for use in his new job with the competitive company.
Those courts adopting the broader view reason that once an employee decides to join a competing company or has made arrangements to form one, his loyalty is divided between his existing employer and the new one. In that circumstance, by accessing the employer’s network and copying files, the employee violates his fiduciary duty of loyalty to his employer. Such conduct satisfies the CFAA requirement that the defendant “exceeds authorized access” to the computer system.
In a recent case, the federal district court for the Southern District of New York, Starwood Hotels & Resorts Worldwide, Inc. v. Hilton Hotels Corporation et al., 09-cv-3862 (June 16, 2010) joined those courts adopting the broader view. Click here for the opinion. The facts of the case, as alleged, are extreme. But they should serve as a cautionary tale to employees who are considering joining a competitive firm and as a roadmap for employers who have been victimized by departing employees.
In this case, two of Starwood’s executive officers who worked on its luxury hotel brands were recruited to join Hilton and accepted offers of employment. Both had access to Starwood’s most confidential data and both were subject to confidentiality agreements requiring that they safeguard Starwood’s confidential information and, once their employment ended, return all such information to Starwood and not disclose it to anyone.
After signing an employment agreement with Hilton but before notifying Starwood of his intent to resign, one of the executives asked his staff to compile a significant amount of confidential information for him that he then forwarded to his personal email account. This included digital images of thousands of documents that Starwood used in designing and branding its luxury hotels. As alleged, he forwarded this information to Hilton. He also copied electronic documents to his personal laptop computer and used that information to benefit Hilton. In addition, once he joined Hilton he solicited additional confidential information from other Starwood employees who used their personal email accounts to convey Starwood’s proprietary information to their former superior.
The other executive, while still at Starwood and after engaging in discussions with Hilton representatives, allegedly acted as a corporate spy for Hilton and collected and forwarded to Hilton confidential information related to Starwood’s business and development opportunities.
Starwood knew nothing of the extent of this piracy until, in discovery, Hilton produced eight large boxes of computer hard drives, thumb and zip drives and paper records containing large quantities of Starwood documents. Indeed, the computer drives contained over 100,000 downloaded files.
At issue in the recent opinion was Hilton’s motion to dismiss the count for a violation of the CFAA because the Act was not intended to cover such conduct. The court noted at the outset that this case did not involve an employee who accessed his employer’s computer in the ordinary course of his duties and then, at some later time, used some of that information to benefit a competitor. Rather, here the information was obtained with the specific intent to use it against the employer through “trickery and deceit.” The court concluded that once the executives accepted employment with Hilton, they “no longer had Starwood’s authorization to access this information. Thus, even construing the statute narrowly to prohibit only accessing computer information without permission, Starwood’s complaint adequately alleges a claim under the CFAA.”
The court also held that Hilton could potentially be liable under the Act because, as alleged, it used one of the executives, as well as others, as corporate spies to steal Starwood’s confidential information. Finally, the court found that Starwood’s expenditure of sums to investigate the damage sustained as a result of the former employees’ actions, which exceeded $5000, met the damages requirement of the statute. Thus, Hilton’s motion to dismiss the claim was denied.
Unquestionably, these actions were extreme. But apart from the volume of electronic documents that were pilfered, the story line is not that unusual. Departing employees often take confidential information belonging to their employer for use in their new employment, thinking that it will make them more valuable to the new employer. And it is not unusual for them to contact former colleagues, once at the new employer, and ask for information they “forgot” to take with them. This case adds to the growing line of authorities that recognize that, under such circumstances, the CFAA provides a potential remedy to the former employer. Moreover, unlike in Starwood, where confidentiality agreements existed, such agreements are not an essential predicate to applicability of the statute. The common law duty of loyalty prohibits employees from using confidential information to benefit a new employer.