Employers in Fifth Circuit Have Another Weapon to Stop Unauthorized Access of Proprietary Information by Employees, But Should be Careful in Exercising Damage Control

January 16, 2007

On November 22, 2006, the Fifth Circuit Court of Appeals decided Fiber Systems International, Inc. v. Roehrs, ruling that the Computer Fraud and Abuse Act (“CFAA”) allows an employer to bring a civil action against an employee for downloading and copying confidential or proprietary information from its computer system if it spends more than $5,000 in any year to recover the data. This case is the first reported decision by the Fifth Circuit on this issue and has armed employers with a potential weapon in fighting unauthorized access of proprietary information and theft of trade secrets by their employees. In an interesting twist, the case also serves as a reminder to employers that discussing an employee’s actions with customers during “damage control” efforts can lead to liability for defamation.

Factual and Procedural Background
Five former high-level employees were terminated in 2003 from Fiber Systems International, Inc. (“FSI”), which manufactures “harsh environment fiber-optic connectors for military use.” Shortly after the employees departed, FSI learned the employees downloaded and copied confidential and proprietary information prior to their departure and used the information in their newly created competing companies. As a result, FSI brought a civil action under the CFAA seeking damages and injunctive relief. The employees countersued for defamation, alleging FSI made statements to two of its customers in which the employees were called “thieves” in connection with their unauthorized access of FSI’s proprietary information. The trial court dismissed FSI’s claim for injunctive relief, and a jury trial proceeded on FSI’s CFAA claim and the employees’ defamation counterclaims.

At trial, the jury determined the employees violated Section 1030(a)(4) of the CFAA, which prohibits “knowing[] . . . access [of] a protected computer without authorization” with intent to defraud if the access furthers the fraud and the accessing person “obtains anything of value.” The jury awarded FSI $36,000, which represented its costs to recover the data taken by the employees.

December 5, 2006
The jury also found, however, that FSI “maliciously accused” the employees of being thieves. The employees provided evidence that FSI told two of its customers that the employees “misappropriated” FSI’s intellectual property. These statements were deemed to impute the crime of theft, thereby relieving the employees of the burden of proving actual harm. The jury awarded the employees $5.5 million in compensatory and punitive damages. The trial court later reduced the award to $1.5 million to comply with state law damages caps. In addition, the trial court entered a take-nothing judgment on the CFAA claim, explaining Section 1030(a)(4) of the CFAA does not create a civil cause of action. Instead, the trial court read the CFAA as allowing a civil action only under Section 1030(a)(5), which prohibits damage to a protected computer through unauthorized access. FSI appealed.

CFAA Allows Civil Action for $5,000 Loss in Any Year Due to Unauthorized Access
On appeal, the Fifth Circuit reinstated the jury’s verdict on FSI’s CFAA claim. In doing so, the court ruled that the language of the CFAA allows a civil action under Section 1030(a)(4), even in the absence of damage to a computer system. So long as the employer suffers a loss of $5,000 in any given year, it can sue an employee for unauthorized fraudulent access under the CFAA. The court also explained that the $5,000 loss does not have to occur within a year of the violation but during any one-year period after the unauthorized access. Moreover, the court noted the definition of loss under the CFAA includes “cost of responding to [the unauthorized access], conducting a damage assessment, and restoring the data, program, system or information to its condition before the [unauthorized access], and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

FSI Was not Entitled to Injunctive Relief Under the CFAA
The trial court dismissed FSI’s claim for injunctive relief under the CFAA because there was no proof of “ongoing or future unauthorized access” to FSI’s computers. The Fifth Circuit explained that FSI would not be entitled to injunctive relief for a past violation of the CFAA, because the jury found the employees were falsely accused of stealing trade secrets and determined that the employees did not steal trade secrets through the acts that violated the CFAA. Consequently, injunctive relief under such statute would be improper.

Fifth Circuit Reconciles Defamation and CFAA Verdicts
FSI also argued the jury’s determination that the employees violated the CFAA through unauthorized access of its computers was inconsistent with a finding that the employees were falsely accused of stealing trade secrets.

The Fifth Circuit reconciled this apparent conflict, explaining Section 1030(a)(4) prohibits unauthorized access to further fraud and such provision does not require a finding that the employees “stole trade secrets or anything else.” The court further explained the value of the information accessed in violation of the CFAA “need not be a trade secret or even something that was stolen.” The value of the information obtained can be “temporary use or possession of the computer hardware” or other value obtained through unauthorized access, “without theft” of any particular information. Thus, the employees’ violation of Section 1030(a)(4) did not necessarily establish they were thieves or that they stole anything.

Implications for Employers
The biggest benefit of this decision is that an employer need not prove that the information accessed rises to the level of a trade secret or was legally stolen or misappropriated. Conceivably, an employer can sue an employee under the CFAA for unauthorized and fraudulent access of any information on its computer system, so long as the employer can show that it spent at least $5,000 in any year recovering the data, or merely assessing the damage, and that the employee obtained some benefit. Employers are not hindered by the lack of a nondisclosure or similar agreement, nor do they have to worry about whether the information itself is legally or contractually protected.

The decision also provides a harsh reminder to employers not to discuss with outsiders an employee’s unauthorized access, or to be very careful when doing so. Employers certainly have the right to exercise “damage control” when an employee leaves with proprietary information and establishes a competing business. Implying during such efforts that an employee misappropriated trade secrets, however, can be considered defamation per se, and can permit a recovery of a substantial award without proof of actual damages.

* * * * *

If you have any questions regarding this decision or its impact on your workplace, please contact A. Martin Wickliff, Jr., at (713) 750-3110 or Charles H. Wilson at (713) 750-3117 in EBG’s Houston, Texas office.

This document has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal law and the applicable state or local laws that may impose additional obligations on you and your company.

© 2006 Epstein Becker & Green, P.C.