As appeared in Law360on May 5, 2009.

Employers looking to protect their intellectual property and proprietary information, and wondering whether they can punish the departing employees that simply ignore demands to return the laptops and other transportable electronic devices that hold such property and data, may now have a newly invigorated weapon at their disposal — the federal Computer Fraud and Abuse Act ("CFAA").

That is because a recent federal district court case, Lasco Foods Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, --- F.Supp.2d , 2009 WL 151687 (E.D.Mo., 2009), found that an employer establishes the required "loss" and "damage" elements of a CFAA claim against a former employee by showing that such employees "refused to return their computers" when requested, that such employees "deleted information from their computers" and that the employer "had to perform a forensic investigation to determine what information was deleted from" these laptops. 2009 WL 151687, at *6.

Because the CFAA provides a statutory claim that applies to all electronically stored information (confidential or not), provides for federal court subject matter and allows for the recovery of a variety of damages and costs, including those related to expert fees, see, e.g., EF Cultural Travel v. Explorica Inc., 274 F.3d 577, 584 (1st Cir. 2001), employers and intellectual property owners may find it attractive.

Lasco started in a way that most employers would find familiar. Mr. Hall and Mr. Shaw were employed in sales positions by Lasco, and were afforded access to its computers, networks and information, which they utilized throughout their employment. They then left Lasco.

Lasco demanded that Mr. Shaw return to Lasco "all electronic and hard copy information in his possession belonging to Lasco," but Shaw "deleted confidential and trade secret information from Lasco's computer" and failed to return the computer for 70 days.

Lasco made a similar request to Hall, who failed to return the laptop for 38 days, and also appeared to have deleted information from it. Lasco enlisted an outside vendor to perform a forensic examination of the computers to see whether information had been deleted, and what it was.

Based on these facts, Lasco sued the new Hall/Shaw entity and Hall and Shaw individually. Lasco brought a claim under, among other theories, the CFAA, even though it was not immediately clear that there had been any damage or loss as defined by previous CFAA cases and even though there had not been any significant interruption in service in Lasco?s computer systems.

There are several aspects of the CFAA that one should understand to appreciate how it was applied in Lasco.

For instance, according to the statute, "damage" is defined as "any impairment to the integrity or availability of data, a program, a system, or information," 18 U.S.C. § 1030(e)(8), and "loss" is defined as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service." 18 U.S.C. § 1030(e)(11).

Moreover, "[c]ourts have consistently interpreted „loss' ... to mean a cost of investigating or remedying damage to a computer, or a cost incurred because the computer's service was interrupted." Lasco, 2009 WL 151687, at *5.

In the past, these have most frequently involved harm occasioned by introduction of viruses or other disabling mechanisms introduced into computer systems, and efforts to combat and overcome such systemic issues.

Lasco is significant because it applies the CFAA language in a very practical, commonsense and, in many ways, nontechnical manner. For instance, the Lasco Court found one alleges a sustainable CFAA claim of "damage" by showing the deletion of information from a single laptop because such deletion does impair the integrity or availability of the deleted data.

The Lasco Court found "damage" sufficiently established without any mention of whether or not copies of the very same data remained available on Lasco?s network.

Similarly, the Lasco Court found one alleges a sustainable CFAA claim of "loss" established by showing that there had been an "interruption in service" occasioned by physically withholding the laptop.

Because Lasco could not use a computer that it did not possess, the Lasco Court reached the common sense conclusion that its ability to use and control its property had been interrupted, and thus a loss occurred.

Finally, the Lasco Court found that "[t]he cost of hiring an expert to investigate the computer damage is clearly a „reasonable cost? sufficient to constitute „loss' under the CFAA." Lasco, 2009 WL 151687, at *5.

Viewed in such a way, the CFAA can provide employers and IP owners with both a leash and lash.

As a leash, it allows for control of one?s laptops and other electronic devices issued to employees. It can become a way to drag such items back into and under the control of the actual owner of that device and the information that it contains.

Because the CFAA applies to the inappropriate accessing of any electronically stored information or interruption of service rather than to the protection of any certain type of information, such a leash has the added strength of applying to all of the employer?s information on the device without any necessity that it be proven to be a trade secret or proprietary or confidential.

Consequently, because it can apply to everything electronic, the feigned ignorance of departed employees as to whether the information was confidential or protected becomes irrelevant.

As a lash, it has the value of allowing employers an affirmative claim, the threat of which can perhaps snap dilatory ex-employees into action in a way that the threat of a common law conversion claim could not, especially in those jurisdiction that would limit the conversion claim and related damages to physical property represented by the laptop itself.

James P. Flynn is a Member of the Firm at Epstein Becker Green in the Newark office.

Resources

28623_How-Employers-Can-Use-CFAA-To-Get-Back-Laptops.pdf

Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.