CAN YOU RELY ON YOUR CORPORATE COMPUTER POLICIES TO SUE EX-EMPLOYEES WHO STEAL COMPANY DATA?

Two recent district court opinions add to the caselaw providing judicial guidance on how employers might update their corporate computer policies to be able to sue ex-employees for stealing company data based on the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute. Title 18, U.S.C. §1030. This is a particularly significant problem when employees leave their current jobs to join competitors and attempt to gain an unfair advantage by stealing data from the company computers prior to their departure. 4 of the 7 sections of the CFAA that are the basis for a civil cause of action require that the employer prove that the employee’s access to the company computer was “without authorization or exceeds authorized access.”

One way the courts permit an employer to establish lack of authorized access is by showing that the employee violated a company policy defining the scope of the employee’s permission to access the company computers. Courts have sanctioned the use of corporate computer policies to prove unauthorized access because the “CFAA...is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden,” through employee agreements, policies and access-limiting technology.