Date: 2021-07-02
Because of the recent U.S. Supreme Court decision in Van Buren v. United States, which I wrote about a few weeks ago, the federal Computer Fraud and Abuse Act (CFAA) has become less protective of employers’ rights to be free from theft or sabotage by employees and others with access to their computer systems. The Court ruled that Section 1030 of the CFAA does not apply to individuals who had legitimate access to an employer’s computer systems but then misused the systems in some way. It adopted a “gates-up-or-down” approach.
The Supreme Court ruled that Section 1030 is so broadly written that it has been used well beyond its main purpose, which is to prohibit and punish illegal hacking of computer networks. As explained by the Court, “If the ‘exceeds authorized access’ clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals,” reasoning that an employee who does something as innocuous as sending a personal e-mail or reading the news on her work computer has violated the CFAA. Therefore, the Court held that individuals “exceed authorized access” only when they access computers with authorization but then obtain information located in particular areas of the computer – such as files, folders, or databases – that are off-limits to them.
Clearly, Van Buren narrows the grounds upon which an organization may civilly or criminally enforce its data access and use policies. Although it was a criminal case, Van Buren has clear implications for employers who learn that their employees (oftentimes, departing employees) have accessed company servers and downloaded confidential information for their own purposes. So what should employers do now?
Employers should have in place invention assignment/confidentiality agreements, non-disclosure agreements, and non-compete agreements containing express prohibitions on unauthorized use and disclosure, but must review them to ensure that they’re in step with current law. Even better, employers should take steps to prevent an unauthorized access issue from arising in the first place. This can be accomplished in a number of ways:
• Undertake data mapping to determine where sensitive data, customer lists, intellectual property, and trade secrets reside on the network – and restrict access to them by adopting the security measure of “least privilege” and giving access to more sensitive information or trade secrets only to those employees who truly need such access.
• Review data use policies and contractual agreements to identify the “insiders” who may have access to corporate networks, including employees, contractors, vendors, or others. Review all contractor and vendor agreements in place with regard to access granted, and implement technological restrictions in addition to the contractual ones.
• Review the external entry points to your digital infrastructure and consider whether additional measures are necessary, such as switching to more restrictive access or monitoring the efforts of data scrapers in order to potentially revoke their authorizations.
Tammy C. Woolley is Senior Counsel at the Opelika, Alabama, office of Constangy, Brooks, Smith & Prophete, LLP, and can be contacted at twoolley@constangy.com. She thanks her Partners for their blog on this issue.