Employees may unknowingly commit data theft in gathering evidence to support their claims.
Many clients come to us with a stack of documents to support their claims. This is almost always worrisome because those documents likely came from their employers’ computer systems. These well-meaning clients may have unknowingly undermined their own claims and subjected themselves to potential liability for data theft.
As if those potential risks are not scary enough, we have recently seen an increase in employers using the Computer Fraud and Abuse Act (CFAA) as a new way of combating employee data theft. The CFAA was originally designed to target computer hackers and other cyber-criminals but employers are now using it as a way to sue employees who download, copy, modify, or use computer files in a way that is “disloyal.”
The CFAA prohibits accessing a computer “without authorization” or obtaining information by “exceeding authorization.” Not surprisingly, courts disagree about what these terms mean. However, Seventh Circuit courts (Illinois, Indiana, and Wisconsin) have held that even if the employee has access to the files if they use the information in a way that is disloyal to their employer, that access is no longer “authorized.” This could include downloading files such as customer lists, business development materials, or other items that are valuable to the company. It can also include deleting, modifying, or encrypting files.
The leading case on the Computer Fraud and Abuse Act in the Seventh Circuit is Int’l Airport Centers, L.L.C. v. Citrin. In Citrin, an employee was issued a company laptop. The employee decided to go into business for himself, but before he did, he erased all of the data on the company laptop. The employer sued him under the CFAA. The Court of Appeals for the Seventh Circuit found that the employee’s action indeed violated the CFAA because there were against his employer’s interests.
Likewise, in a case from October of last year, Kaskaskia Engineering Group v. Reyling, an employee accessed, copied, and deleted several of his employers’ computer files before quitting his job. The Court found that the employee had violated the Act because he had acted “without authorization” to access or modify the employers’ files.
Not all taking of files will result in a federal case. Depending on what information is at issue, you may have a right to have it or obtaining it could be protected conduct under one of the employment statutes. However, discerning the difference is difficult, especially without a lawyer advising you. The safest best is to err on the side of caution and not take any files or documents without first talking with a lawyer. The legal system provides ample ways to obtain information through lawful means and it is almost always better to leave the evidence gathering to the professionals.