The Computer Fraud and Abuse Act ("CFAA") may limit protection of company Trade Secrets
The U. S. Supreme Court recently determined that the CFAA only protects employers or businesses from internal and external hacking, but it does not apply to employees who are provided access to a computer and who view or use confidential information prohibited by company policy. [1]
Background
In the case, a former police sergeant used his patrol car computer to access a law enforcement database where he obtained information about a license plate number and sold that information for money. The sergeant was authorized by his employer to use his computer but was arrested and convicted of a felony under the CFAA. The U.S. Supreme Court reversed the 11th Circuit and other Circuits interpreting this statute by placing emphasis on the word “so” allowing persons who “so” use the computer to be able to view trade secrets and confidential information without criminal liability.[2]
So, why is this important to employers?
To be a “trade secret,” the owner must have taken measures to prevent the secret from becoming available to persons other than those selected by the owner to have access to them.[3]
Typically, employers use confidentiality agreements to protect the release, or use of confidential information. However, protected trade secrets may no longer be protected when an employee accesses a company computer with permission, but otherwise obtains or views confidential information on it, in violation of company policy, if the information is obtained without having to resort to hacking.
Companies should ensure that they have proper electronic safeguards in place, along with policies, practices, and confidentiality agreements to protect their confidential trade secret information. And companies should take appropriate steps to enforce the policies, if an employee improperly uses or discloses such information.
[1] Van Buren v. United States, 141 S.Ct. 1648 (2021).
[2] S v John, 597 F.3d 263 (5th Cir. February 9, 2010); see also International Airport Centers, LLC, v. Citrin, 440 F.3d 418 (7th Cir. March 8, 2006)(both held an employee is criminally liable by accessing and using confidential information on a company computer when there is a policy that denies the use or access of the confidential information.)
[3] Colorado Revised Statute § 7-74-102(4)