every statute, the CFAA has some limits. For example, under the UTSA an injured business may recover attorney’s fees and exemplary (e.g., punitive) damages, but any award of those damages is in the discretion of the court hearing the case.
Also, the CFAA requires that the business have suffered at least $5,000 in damages. At first blush, this damage requirement may seem hard to prove when the departing employee has only copied confidential business information and not caused any computer damage.
Case law makes clear though that the costs to repair invaded computers, costs to respond to an invasion and to determine the scope of an injury and/or to prevent future injury (whether the cost of a consultant or work by an in-house IT employee) count toward the $5,000 damage floor.
The value of lost business information can also be used to shore up damages. For example, in one recent case, Four Seasons Hotels proved that downloaded hotel customer information had a value of over $2 million, in addition to nearly $30,000 in expenses to investigate and remedy the defendant’s unauthorized access.
Frederic Mendelsohn is a partner with the law firm of Burke, Warren, MacKay & Serritella, P.C., in Chicago, www.burkelaw.com. For 12 years he was general manager of the Electronic Distribution Show, and is intimately familiar with the electronic distribution industry. He may be reached at 312-840-7004 or firstname.lastname@example.org.
Departing employees can steal a business’ trade secrets to compete against their former employers. Taking trade secrets has become easier, as data can be downloaded in a handful of keystrokes. The Computer Fraud and Abuse Act can help protect you against electronic theft.
We are often consulted about how to protect confidential business information and what to do when that information is compromised.
I’ve addressed the topic in many columns, addressing the recruitment of distributor personnel and explaining the inevitable disclosure doctrine that allows courts to enjoin the inevitable disclosure of confidential business or trade secret information when an employee with such information joins a competitor.
Classically, a shrewd departing employee will take a business’ trade secrets, and seek to compete against her former employer. In the past, the departing employee might sneak into the office after hours, copy or leave with boxes of documents containing customer lists, pricing information, proprietary designs, vendor profiles, schematics and other proprietary business data.
Now, the same data can be downloaded in a handful of keystrokes, without even getting into the office. Sometimes patent, copyright and/or a state, federal or common law trade or service mark can protect proprietary information or products. If not, a business often has to look to the law of trade secrets or restrictive covenants.” The former is typically confidential business information that has value in the hands of a competitor; and the latter is often a non-compete or non-disclosure agreement that an employer seeks to enforce in court.
In the past, an injured business (without patent, copyright or other rights) would seek to obtain an injunction from the courts, by enforcing a non-compete or non-disclosure agreement and/or asserting that the stolen information is a “trade secret” under the Uniform Trade Secrets Act (UTSA), which has been adopted in almost every state.
Doing so is not always easy, however, as the law imposes strict requirements to convince a court to enjoin commercial activity and prove the existence of true “trade secrets.” Recent statutory amendments and court rulings, however, make the federal Computer Fraud and Abuse Act (CFAA) a powerful weapon in stopping trade secret theft, and soften some of the evidentiary challenges to establishing a UTSA violation.
Like the UTSA, the CFAA allows an employer whose confidential information has been taken to obtain injunctive relief and damages. Like the UTSA, a claim under the CFAA can be brought in state court, but the CFAA gives business an entr’e into federal court, where different dynamics can affect the likelihood of success in enjoining this type of anti-competitive conduct.
All that is really required for federal jurisdiction is use of a “protected computer,” which is nothing more than one connected to the Internet. Unlike the UTSA, the CFAA has several relaxed elements of proof. For example, while confidential information must be proved to be a legally protected trade secret under the UTSA, it need only be shown to be information that “resided” on a protected computer under the CFAA.
Similarly, while the UTSA requires proof of reasonable steps to protect claimed trade secrets (a factual issue in almost every trade secret case), the CFAA has no such requirement ‘ proof of unauthorized access to the protected computer is sufficient (a much easier burden).
Likewise, under the UTSA, the departing employee must be shown to have “misappropriated” confidential information, where under the CFAA, liability attaches when the information is “accessed.”
In short, while no federal statutory claim is a slam-dunk to prove, the CFAA can be used, independently and/or in conjunction with UTSA (plus other claims), to stop departing employees who clandestinely take a business’ confidential information.