TAKEAWAY: Do not access your former employer’s computer system without its consent after you no longer work there. New employers, do not encourage or permit your new employees to do this either.
There has been much debate over the last couple of years over whether an employee violates the Computer Fraud and Abuse Act by wrongfully accessing and obtaining information from the employer’s computer for nefarious reasons – while still being employed. This has been referred to as the “circuit split” because the circuit courts of appeal have three different approaches for determining whether this violates the CFAA, what I refer to as the Trilogy of Access Theories (see bottom of post for explanation). What is not open to debate, however, is whether a former employee violates the CFAA by wrongfully accessing its former employer’s computer system after he or she no longer works for that employer.
That is the lesson of Nouveon Technology Partners, Inc. v. McClure & Smarter Systems, LLC, 2013 WL 811102 (W.D.N.C. March 5, 2013). The basis for the Court issuing this order is not the reason I am blogging about it, rather, I am blogging about it because I think the facts of this case are something that all employers and employees need to understand and this case does a nice job of illustrating that point.
The basic facts are all too familiar. Employee decides to go work for a new company and wants to take her former employer’s confidential proprietary information and use it to work for her new employer. Where the facts differ from many of these cases is that, according to the Plaintiff’s Complaint, the employee accessed the employer’s computer system and took the information after she no longer worked for the employer. I recommend you read the Complaint because it does a nice job of laying out the investigation into the employee’s conduct and clearly distinguishes the former employee’s activities prior and subsequent to her employment ending.
The employee’s last day of employment was April 23, 2012. She was directed to return all of employer’s property in her possession and was understood she was no longer permitted to access the employer owned computer system (including the laptop that was issued to her) after her employment ended. She was to return the company issued laptop on April 23 but did not return it until later:
58. The forensic search of the laptop computer also revealed that McClure had, without NouvEON’s knowledge or approval, retained and continue to use the NouvEON-owned laptop computer in her possession through the evening of April 23, after she had officially ended her duties for NouvEON and was no longer a NouvEON employee. Throughout the evening of April 23, McClure utilized the username and password provided to her by NouvEON solely for NouvEON business to continually remotely access NouvEON’s Salesforce.com account and various folders on the laptop containing Confidential Information such as NouvEON’s recruiting candidate pipeline, information regarding sales activities, the resumes of candidates identified and interviewed by NouvEON for placement with NouvEON clients and related recruiting information.
59. As a result of further forensics analysis of the NouvEON-owned laptop used by McClure, NouvEON has now learned that after McClure became an employee of Smarter Systems, she continued to remotely access NouvEON’s Salesforce.com Database to access and misappropriate NouvEON’s Confidential Information by using a username and password issued to another employee through as late as June 7, 2012.
60. In summary, the foregoing forensic inspection of the NouvEON laptop computer used by McClure revealed for the first time that prior to and for over one month after her last day of employment with NouvEON, McClure regularly accessed and misappropriated, and likely downloaded, highly sensitive and proprietary Confidential Information belonging to NouvEON. McClure’s actions in this regard were not known by or authorized by NouvEON and are in violation of her Employee Agreement and NouvEON’s policies.
So there you have it, if you are looking for a really great way to violate the Computer Fraud and Abuse Act when leaving your job, just do what McClure did! If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (firstname.lastname@example.org).