When Disgruntled Employees Attack

The Computer Fraud and Abuse Act and the Problem of Authorized Access

Computers, laptops, and computer networks are powerful tools to improve employee productivity.  Given the global reach of the internet, an employee can access the employer’s network—including its confidential information and trade secrets—to work from virtually anywhere.

But what happens if an employee entrusted with critical information becomes disgruntled and decides to trash his employer’s data system on his way out?  What happens when the employee uses the opportunity to steal sensitive trade secret data while impairing the integrity of the original?  One potential option for an employer may be the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq.  Although the CFAA is primarily a criminal statute, it allows for a private cause of action when, among other conduct, someone “intentionally accesses a protected computer without authorization,” and causes damage to the integrity or availability of data. 18 U.S.C. § 1030(a)(5)(A)(ii); (iii) (emphasis added).

However, the problem is that the individuals most likely to access a company’s computers or networks are its employees (as opposed to hackers), and they have at least some authority to access the materials.  Does the CFAA apply to their conduct?

This problem has led the Courts to a split as to how to handle the access “without authorization” provision in the CFAA.  Some courts have taken the position that if an employee had some authority to access files, a cause of action cannot stand.  However, other courts have taken the opposite view.

In Lockheed Martin Corporation v. Speed, 2006 U.S. Dist. LEXIS 53108 (M.D. Fla. Aug. 1, 2006) (“Speed”), the United States District Court for the Middle District of Florida recently held that an employer could not bring a claim under the CFAA when a disgruntled employee, just days before resigning, copied 200 confidential trade secret documents and took those documents to a competitor.   In considering the CFAA, the Court focused on whether the employee lacked authorization to access the information. The Court held that based on the plain language of the statute, the company could not bring suit because the employee actually had authority to access the documents at the time and was not exceeding the scope of his authority, even though he was acting against the interests of the employer.

In contrast, the Seventh Circuit Court of Appeals (which covers Illinois, Indiana, and Wisconsin) takes a different view of the term “without authorization” under the CFAA.  See, International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) (“Citrin”).  In Citrin, the employer provided a laptop to an employee, who later decided to quit and go into business for himself, in competition with his employer.  Before returning the laptop, the employee used a secure-erasure program to wipe the computer clean of all trade secrets (for which the company lacked duplicates) and all data that would have informed his employer of his misdeeds.  Id. at 419. 

The Seventh Circuit held that even though the company authorized the employee to access the computer and the data, as a matter of agency law he lacked authorization to destroy data.  The Court noted that under agency law, an employee owes a duty of loyalty to his employer, but the “authority of the agent terminates if, without knowledge of the [employer], [the employee] acquires adverse interests[.]”  Id. at 420-21.  Thus, the Seventh Circuit held that when the employee accessed the computer in order to destroy data, he lacked authorization because his breach of his duty of loyalty terminated his agency relationship “and with it his authority to access the laptop.”   Id. at 420.    

Ultimately, whether the Computer Fraud and Abuse act may provide a remedy where a disgruntled employee sabotages or steals sensitive data may depend on the scope of the employment agreement.  Just as employers should take care to spell out the protection of their trade secrets in an employment contract, the development of case law on the CFAA suggests the importance of explicitly spelling out the scope of an employee’s authority to access its computers and networks, and when that authority ceases.

The Computer Fraud and Abuse Act, is one of several causes of action an employer can use to protective itself against disgruntled employees.  Querrey & Harrow is experience in litigating these cases, and in advising employers how to protect themselves.  

* * *

Brandon Lemley is an associate in Querrey & Harrow’s Chicago office and practices in all areas of litigation, and in particular in litigation involving technology issues.  If you have any questions regarding this article or your company’s rights under the CFAA, please contact Brandon Lemley at, or via 312-540-7548.