By retaining a lawyer to defend you against an employer who alleges a CFAA violation, you can prevent the financial loss associated with losing such a case, and keep your career options open by preventing a black mark on your employment record.
As with all legal claims, deadlines are crucial. The statute of limitations for an employer to bring a claim under the CFAA is two years. However, if you believe your employer is likely to bring suit against you earlier, you may need to start planning to defend yourself sooner.
What computer fraud laws can my employer use against me?
The Computer fraud and abuse act (CFAA) was originally enacted in 1984 as a criminal statute to protect data on federal computers and deter hackers. Over time, the scope of the CFAA evolved to include a private right of action for any person who suffers damage or loss because of a violation of the CFAA. Employers have increasingly taken advantage of the CFAA’s civil remedies to obtain both injunctive and monetary relief against employees, making the federal statute a strong tool against employees especially in the context of non-compete and trade secrets litigation.
What are the elements of a CFAA claim?
To establish a civil action against an employee under the CFAA, an employer must prove that the employee:
- intentionally accessed a “protected computer,”
- “without authorization,” and as a result
- caused damage or loss of at least $5,000.
The employer cannot bring a civil action against an employee however, if the alleged misconduct does not involve conduct prohibited by the Act. Violations include but are not limited to:
- damage to a protected computer that results in a loss of at least $5,000;
- the impairment of a medical examination, diagnosis, treatment or care of an individual;
- physical injury to a person; and
- threats to public health or safety.
What is a “protected computer” under the CFAA?
A “protected computer” is defined broadly to include any computer that is “used in interstate or foreign commerce or communication.” This includes any computer connected to the internet.
Did the employee have authorization to access the protected computer?
The key element for an employer to prove in a CFAA claim is the employee’s unauthorized access of the employer’s computer system. Accordingly, the employer does not have a cause of action under the CFAA if access to the part of the employer’s computer system that the employee allegedly accessed was never revoked. Additionally, courts are likely to dismiss a CFAA claim where an employee’s counsel can prove that the alleged “access” was harmless, was not for an improper purpose, or that the employee accessed the former employer’s computer system for legitimate, work related reasons.
What constitutes loss or damage under the CFAA?
A CFAA claim is actionable only where the employee’s conduct resulted in $5,000 of damage or loss to the employer. Examples of damage or loss under the CFAA include:
- loss of business;
- loss of goodwill;
- the cost of diagnostic measures;
- the impairment to the integrity or availability of data, a program, or information;
- misappropriation of trade secrets; and
- the cost of restoring computer data, fixing actual damages to a computer system, or modifying a computer system to preclude further data transfer.
Failure of proof on this element is fatal to an employer’s CFAA cause of action.
What is the statute of limitations?
The CFAA provides a two-year statute of limitations for bringing a claim under the Act. The limitations period begins to run on the date of the alleged violation.
What can an employee do to avoid CFAA liability?
A departing employee should return all equipment to the employer that was provided to her during the course of her employment. Additionally, an employee should refrain from deleting or downloading any information from the employer’s computer system to a personal disk, email, or thumb drive without the employer’s consent.