The recent media attention surrounding high-profile data breaches has most companies concerned about external threats rather than internal ones, when perhaps the greatest cyber threat to most companies comes from within. The FBI reports that the incidence of employee hacking is on the rise. Disgruntled employees, recently terminated employees, and employees seeking to create or go to work for a competing venture are hacking into their employers’ computer systems and stealing trade secrets, confidential information, and other valuable data. The results of such internal hacking can be devastating. Is your organization prepared for this threat?
A variety of legal options are available to a company that is the victim of employee hacking, but perhaps none is more important than seeking immediate injunctive relief to stop the employee and any persons acting in concert with him from accessing the company’s computer system, using or disseminating the company’s data, and altering or destroying information stored on the company’s system. In order to obtain an injunction, the company must act quickly and present evidence that the employee has acted unlawfully and that his conduct poses an immediate threat of irreparable harm to the company.
The first step in seeking redress for an employee’s hacking is to establish that the hacking occurred. Ideally, the company has someone within its IT department who can attest to the “who, when, and what” of the data breach. In other circumstances, the company may need to rely upon outside experts or consultants to establish the breach. A company is wise to invest in a skilled information technology expert who is familiar with the company’s data map and systems before an employee data breach ever occurs.
The next step is establishing a legal basis for a claim against the employee. A variety of claims may be available, including claims for misappropriation of trade secrets. One of the most powerful weapons for the employer, however, is the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. The CFAA is a federal criminal statute that has been significantly expanded to allow a private business to obtain injunctive relief and maintain a civil action for damages when an employee gains unauthorized access to its computer. The CFAA is a powerful tool not only because it provides for criminal liability, but also because it provides a civil remedy when the employee engages in dishonest methods to obtain the employer’s information, even without proof that the information taken was a trade secret or actually used by the employee. Under the CFAA, the employee’s conduct is actionable if his access to the computer was unauthorized, or if he used his authorized access to obtain or alter information that he was not entitled to obtain or alter.
Setting the legal requirements aside, whether seeking to establish employee liability under the CFAA or some other legal theory, the court as a practical matter will likely focus on what steps the company has taken to safeguard its data and restrict employee access to that data. If the company does not deem its data sufficiently important to warrant protection, the court may be disinclined to award injunctive relief.
The court will likely focus on the following: Does the company have policies and procedures in place that outline what information an employee is authorized to access? Does the company have BYOD (“bring your own device”) procedures? Does the company enforce those policies and procedures? Has the company set up firewalls that restrict employee access to certain data? Does the company revoke an employee’s computer access when the employee is terminated?
Critically important is whether the employer has entered into agreements with the employee with regard to the protection of confidential information and the ownership of inventions and other ideas created by the employee while on the job. Agreements of this type are not only important in establishing that the employee’s conduct was wrongful, but also in providing a basis for the recovery of attorney’s fees in many jurisdictions as part of a breach of contract claim.
Addressing these issues before an incident occurs can result in great cost savings to the company. Not only can the company increase its chances of prevailing against an errant employee, but also significantly reduce the risk of employee hacking in the first instance.
Cheryl Diaz has over two decades of experience in commercial litigation and dispute resolution. Her clients have run the gamut from Fortune 500 companies to start-up companies and individuals, and to business in many diverse industries, including banking and financial services, commercial real estate, construction, energy, restaurant and hospitality, and product manufacturing and distribution.