Violations of the Computer Fraud and Abuse Act are increasingly being alleged by employers in lawsuits against former employees, but with a split in the district of Massachusetts, the ability of a business to hold fraud charges over a defector’s head in federal court may depend on which judge is assigned the case.
“That seems to be the direction some employers are moving in order to get a strategic advantage over the employee,” Boston lawyer Jonathon D. Friedmann said of the increasing assertion of CFAA claims, which he opposes. “That’s a big hammer that a former employer can hold over their head.”
The law, which prohibits unauthorized access to electronic information with the intent to defraud, includes both criminal and civil causes of action.
The federal circuits are split on whether to interpret the measure narrowly so that it prohibits only “hacking” and other access achieved by circumventing technological barriers and restrictions, or broadly so that it would encompass, for example, the behavior of an employee who has log-in credentials or is otherwise authorized to access information but then misuses it, or who continues to use his authorization to access information after acquiring an interest adverse to the employer, such as a new job.
U.S. District Court Judge Nathaniel M. Gorton adopted the broader interpretation in a 2009 decision in Guest-Tek Interactive Entertainment Inc. v. Pullen, inviting employers to add CFAA claims to lawsuits against former employees if possible.
Andrea C. Kramer, an employment lawyer at Hirsch, Roberts, Weinstein in Boston, said the benefits are twofold: “One is it gets you into federal court where it moves faster and you have one dedicated judge. Secondly, it gets you increased damages,” she said.
Those damages can include reimbursement for a forensic review of a computer to determine what a former employee might have copied or deleted on his way out the door. That is an expense the employer might incur anyway to build a case around other claims such as violation of a non-competition agreement, but otherwise would have to absorb as a cost of litigation.
“The CFAA becomes a powerful tool both for building the case and for leveraging a settlement that may include monetary damages,” Kramer said.
The act also can help achieve a common goal for employers in non-competition cases: isolating the former employee from his new employer.
Whereas a new employer might agree to indemnify an employee it hires from a competitor on breach of contract claims, it might back away in the face of a federal fraud charge.
“If I was representing an employee and the claim was raised, I would be worried because it’s also a criminal offense,” said Christopher J. Marino of Davis, Malm & D’Agostine in Boston, who represented the plaintiff in the since-settled Guest-Tek case. “Anybody can be sued for breach of contract, but when you’re sued for a federal crime, that elevates things a little bit.”
The straight and narrow
Some lawyers, including Friedmann, oppose the broad interpretation and believe that, in most cases, it is inappropriate for employees to be threatened with fines, imprisonment of up to five years, and forfeiture of all their gains for something potentially as innocuous as transferring calendars, contacts and emails to a personal device before leaving a job.
Such lawyers were given ammunition when U.S. District Court Judge Timothy S. Hillman brought the circuit split down to the District Court level by ruling that a narrow construction of the term “authorization,” as used in the CFAA, is “preferable” in a decision this year in the case Advanced Micro Devices Inc. v. Feldstein.
“[I]f this court were to adopt a broad interpretation of the term of art ‘access that exceeds the scope of authorization’ then arguably any violation of a contractual obligation regarding computer use becomes a federal tort,” Hillman wrote. “It is obviously absurd to impose criminal liability for checking personal email at the workplace, or some similarly innocuous violation of an employee computer use agreement. Nor is it acceptable to rely solely upon prosecutorial discretion to refrain from prosecuting trivial offenses.”
Hillman went on to say that, “[a]s between a broad definition that pulls trivial contractual violations into the realm of federal … penalties, and a narrow one that forces the victims of misappropriation and/or breach of contract to seek justice under state, rather than federal law, the prudent choice is clearly the narrower definition.”
The split among Massachusetts’ federal judges was acknowledged in a decision last month by U.S. Magistrate Chief Judge Leo T. Sorokin in MOCA Systems Inc. v. Bernier, et al., but Sorokin was not forced to confront the issue as he determined the allegations in the case would suffice under either a broad or narrow standard on a motion to dismiss.
Friedmann, who represents the defendants in MOCA, had urged Sorokin to adopt Hillman’s reasoning. He also believes the CFAA is overused in employment lawsuits in general.
The measure “was enacted to prevent hacking, and it really has its roots as a criminal statute, not a civil one,” the Rudolph Friedmann lawyer said. “Rather than turn the mundane, garden-variety, employer-employee suit into a federal, potentially criminal act, you should take a narrow approach.”
Friedmann said the burden should be on employers to revoke employees’ access when their relationship comes to an end. He also said allowing employers to bring CFAA claims — which require just $5,000 in damages — against former employees gives them an unfair and inappropriate strategic advantage at a time when the employee is in a vulnerable position as a new hire with a different company.
“The cost of the forensic analysis itself can bring you across the $5,000 threshold,” Friedmann said. “The person can find [himself] looking down the barrel of a federal lawsuit. It casts the employee, from the very start, in such a bad light for doing something truly mundane. Are you going to hire somebody who has been charged with computer fraud?”
Marino agreed with Hillman’s finding that the broad interpretation of the CFAA “may open up the floodgates to the federal court,” but said there is nothing in the law to justify a narrower reading.
Kramer, who represents MOCA Systems, said she shares Friedmann’s concerns about the law being abused, having represented a former employee who was “bullied” with a CFAA claim for the information the employee had on a portable flash drive.
“Beating somebody up for something trivial is not what the statute is for,” Kramer said. “You need to show it was done with the intention to defraud somebody.”
Kramer added that former employers are increasingly using the statute “to sue employees sometimes frivolously and sometimes with merit. We need to figure out a way to sort those out and police it.”