Employers in Fifth Circuit Have Another Weapon to Stop Unauthorized Access of Proprietary Information by Employees, But Should be Careful in Exercising Damage ControlJanuary 16, 2007 — 2,246 views
Factual and Procedural Background
Five former high-level employees were terminated in 2003 from Fiber Systems International, Inc. (“FSI”), which manufactures “harshenvironment fiber-optic connectors for military use.” Shortly after the employees departed, FSI learned the employees downloaded and copied confidential and proprietary information prior to their departure and used the information in their newly created competing companies. As a result, FSI brought a civil action under the CFAA seeking damages and injunctive relief. The employees countersued for defamation, alleging FSI made statements to two of its customers in which the employees were called “thieves” in connection with their unauthorized access of FSI’s proprietary information. The trial court dismissed FSI’s claim for injunctive relief, and a jury trial proceeded on FSI’s CFAA claim and the employees’ defamation counterclaims.
At trial, the jury determined the employees violated Section 1030(a)(4) of the CFAA, which prohibits “knowing . . . access [of] a protected computer without authorization” with intent to defraud if the access furthers the fraud and the accessing person “obtains anything of value.” The jury awarded FSI $36,000, which represented its costs to recover the data taken by the employees.
December 5, 2006
The jury also found, however, that FSI “maliciously accused” the employees of being thieves. The employees provided evidence that FSI told two of its customers that the employees “misappropriated” FSI’s intellectual property. These statements were deemed to impute the crime of theft, thereby relieving the employees of the burden of proving actual harm. The jury awarded the employees $5.5 million in compensatory and punitive damages. The trial court later reduced the award to $1.5 million to comply with state law damages caps. In addition, the trial court entered a take-nothing judgment on the CFAA claim, explaining Section 1030(a)(4) of the CFAA does not create a civil cause of action. Instead, the trial court read the CFAA as allowing a civil action only under Section 1030(a)(5), which prohibits damage to a protected computer through unauthorized access. FSI appealed.
CFAA Allows Civil Action for $5,000 Loss in Any Year Due to Unauthorized Access
On appeal, the Fifth Circuit reinstated the jury’s verdict on FSI’s CFAA claim. In doing so, the court ruled that the language of the CFAA allows a civil action under Section 1040(a)(4), even in the absence of damage to a computer system. So long as the employer suffers a loss of $5,000 in any given year, it can sue an employee for unauthorized fraudulent access under the CFAA. The court also explained that the $5,000 loss does not have to occur within a year of the violation but during any one-year period after the unauthorized access. Moreover, the court noted the definition of loss under the CFAA includes “cost of responding to [the unauthorized access], conducting a damage assessment, and restoring the data, program, system or information to its condition before the [unauthorized access], and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
FSI Was not Entitled to Injunctive Relief Under the CFAA
The trial court dismissed FSI’s claim for injunctive relief under the CFAA because there was no proof of “ongoing or future unauthorized access” to FSI’s computers. The Fifth Circuit explained that FSI would not be entitled to injunctive relief for a past violation of the CFAA, because the jury found the employees were falsely accused of stealing trade secrets and determined that the employees did not steal trade secrets through the acts that violated the CFAA. Consequently, injunctive relief under such statute would be improper.
Fifth Circuit Reconciles Defamation and CFAA Verdicts
FSI also argued the jury’s determination that the employees violated the CFAA through unauthorized access of its computers was inconsistent with a finding that the employees were falsely accused of stealing trade secrets.
Implications for Employers
The biggest benefit of this decision is that an employer need not prove that the information accessed rises to the level of a trade secret or was legally stolen or misappropriated. Conceivably, an employer can sue an employee under the CFAA for unauthorized and fraudulent access of any information on its computer system, so long as the employer can show that it spent at least $5,000 in any year recovering the data, or merely assessing the damage, and some benefit to the employee. Employers are not hindered by the lack of a nondisclosure or similar agreement, nor do they have to worry about whether the information itself is legally or contractually protected.
The decision also provides a harsh reminder to employers not to discuss with outsiders an employee’s unauthorized access, or to be very careful when doing so. Employers certainly have the right to exercise “damage control” when an employee leaves with proprietary information and establishes a competing business.
Implying during such efforts that an employee misappropriated trade secrets, however, can be considered defamation per se, and can permit a recovery of a substantial award without proof of actual damages.
* * * * *
If you have any questions regarding this decision or its impact on your workplace, please contact A. Martin Wickliff, Jr., at (713) 750-3110 or [email protected] or Charles H. Wilson at (713) 750-3117 or [email protected] in EBG’s Houston, Texas office.This document has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.
© 2006 Epstein Becker & Green, P.C.
Epstein Becker & Green P.C.