Computer Fraud and Abuse Act Construed Narrowly Against Employer

October 20, 2009

Consider this common enough scenario:  a senior executive, having resolved to shortly leave his current employer to establish a potentially competing business, uses his employer’s e-mail system to send confidential company documents and data to his personal e-mail account.  Has the executive accessed his employer’s computer resources without authorization and thereby violated a key provision of the federal Computer Fraud and Abuse Act (the “CFAA”)?  According to the Ninth Circuit’s recent decision in LVRC Holdings v. Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009), in the absence of a written agreement with the employee or a computer use policy clearly prohibiting such activity, merely acting contrary to an employer’s interest is insufficient to justify an unauthorized access claim for liability under the CFAA.

LVRC Holdings found itself in the above scenario when it learned that its former employee, Brekka, had sent sensitive company materials to his personal e-mail account prior to his resignation.  Interestingly, before any thought of leaving had arisen, Brekka routinely sent company materials to his personal e-mail account with his employer’s tacit consent.  LVRC only sought to hold Brekka liable for unauthorized access to a protected computer once Brekka decided to start a competing business while still employed by LVRC.  LVRC contended that under those circumstances Brekka was no longer authorized to access the company’s e-mail or other computer resources.

The district court and the Ninth Circuit believed that LVRC’s approach to the CFAA was inconsistent with the idea that, as both a civil and criminal statute, the CFAA’s prohibitions should be read strictly, resolving any ambiguities in favor of the defendant under the rule of lenity.  The history of the CFAA as a means of addressing concerns over third parties hacking into a company’s computer systems also supported the view that an employee exceeding his authority was not the type of harm the “without authorization” prong of the CFAA sought to address.

In addition, while a claim might have been sustained under a separate part of the CFAA dealing with liability for exceeding one’s authority, such a claim requires convincing proof, and the failure of LVRC to have even adopted an acceptable use policy for company computer resources or to produce acceptable evidence of access after Brekka’s resignation doomed LVRC’s claim.

Among other important lessons, this case highlights the need for employers to have either written agreements with their employees on acceptable computer use practices or at least a well-publicized company policy statement to the same effect.

Link to Decision:  http://www.ca9.uscourts.gov/datastore/opinions/2009/09/15/07-17116.pdf


Final Countdown to Red Flag Rules?

October 18, 2009

Unless the Federal Trade Commission (“FTC”) postpones the effective date for its so-called Red Flag Rules, as it has done three times before, these new rules aimed at minimizing the risk of identity theft are scheduled to be applicable to many businesses as of November 1, 2009.  These Rules require financial institutions and other “creditors” to develop and implement a written identity theft prevention program to provide for the identification, detection and response to patterns, practices or activities that constitute warning signs or “red flags” of identity theft.

Scope of the Rules

The FTC, along with the major federal banking regulatory agencies, adopted these rules in late 2007 under the Fair and Accurate Credit Transactions Act of 2003 to require an additional layer of protection around sensitive information that might be used to perpetrate identity theft.  Originally scheduled to come into effect on November 1, 2008, the FTC delayed their implementation principally to allow smaller businesses to prepare for compliance.  The Rules are applicable to financial institutions and any entity that is considered to be a “creditor”, and require adoption of a written identity theft prevention program with respect to “covered accounts”.

A “creditor” is any entity that regularly extends, renews or continues credit or arranges the same.  Virtually every business that does not get paid at the time it renders services or sells goods is considered to be a creditor for purposes of the Rules.  A “covered account” is an account used primarily for personal, family or household purposes, and that involves multiple payments or transactions, as well as any other account for which there is a reasonably foreseeable risk to customers of identity theft.

Program Requirements

The written plan must be approved by an organization’s Board of Directors (or its equivalent) and must include procedures for the identification and detection of, and response to, suspected red flag activity.  Such activity could include notices or alerts from credit reporting agencies, an unusual pattern of account transactions or inquiries, use of improper account documents, returned mail, suspicious changes of contact information or other account data, or signs of unauthorized account access.  The plan must also be reviewed and updated periodically.

Because of the wide variety and size of businesses that are covered creditor entities, a one-size-fits-all approach will not work to ensure compliance.  Accordingly, the FTC specifies that each creditor must adopt and implement an identity theft prevention program that fits its particular business.  Thus, a business that has a limited number of covered accounts or does not permit routine online access to such accounts might be able to have a much simpler plan than a business typified by numerous primarily online accounts.  To assist creditors in developing and maintaining a red flag compliance program, a set of guidelines, which includes an extensive illustrative list of potential red flags, accompanies the Rules.

Failure to Comply

While there is no private right of action for failure by a creditor entity to implement an identity theft prevention program, the FTC (and the applicable bank regulatory agency, in the case of a covered financial institution) has authority to seek civil and monetary penalties for each violation of the Rules.

Link to Final Red Flag Rules:  http://ftc.gov/os/fedreg/2007/november/071109redflags.pdf