Felony CFAA Conviction for Accessing Former Employer’s Data via Backdoor Upheld on Appeal

An employee, after leaving a company, is no longer authorized to continue accessing its data, regardless of what steps the company took. This is, and always has been, a no-no. But not everyone seems to realize it.

The United States Court of Appeals for the Fourth Circuit recently affirmed a Computer Fraud and Abuse Act conviction for a man who used a backdoor into his former employer’s computer system to continue accessing data after he went to a competitor. The fact that his former employer had not changed his password did not dissuade the court.

The district court proceeding

The United States Court of Appeals for the Fourth Circuit, on Christmas Eve 2014, handed down the unpublished opinion United States v. Steele, 2014 WL 7331679 (4th Cir. Dec. 24, 2014). In Steele, the Court upheld the jury conviction for two misdemeanor and twelve felony counts for violating the unauthorized access prong of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2)(C).

Steele, while not establishing new law, does illustrate an important distinction in employee computer and data misuse cases: misuse by current employees versus misuse by former employees. The notorious Circuit Split involves misuse by current employees but, when it comes to former employees, the law is clear. When the employment relationship terminates, so too does the now-former employee’s authorization to access the computer system and data.

Robert Steele worked as vice president of business development and also as the backup systems administrator for Platinum Solutions, Inc. His role as a systems administrator gave him access to the company’s server, which allowed him to monitor email accounts and employee passwords. Platinum was eventually sold and became SRA, and Steele resigned to go work for a competitor that also provided contract IT services to government defense agencies.

For nine months after his resignation from SRA, Steele continued to log in to the company’s computer server using a “backdoor” account he had used during his employment. Through it he accessed the server almost 80,000 times, accessing and downloading documents and emails related to the company’s contract bids, bids that competed with his new employer’s and were therefore confidential trade secrets.

A jury convicted Steele of fourteen violations of the CFAA; he received a 48-month prison sentence and was ordered to pay $50,000 in fines, $1,200 in fees, and $335,977.68 in restitution. Steele appealed.

The court of appeals opinion

Of his grounds for appeal, the most relevant is Steele’s argument that his post-termination accesses of the servers were not “without authorization.” Steele argued that because the company did not change the password to this “backdoor” account following his resignation, he continued to have authorization to use the account to access the servers. He based this argument on the Fourth Circuit’s opinion in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012).

In WEC Carolina, the Court dealt with the Circuit Split issue of a current employee using his employer’s computer system to obtain information that he then used for improper purposes and whether such use is in “excess of authorization” under § 1030(a)(2). The WEC Carolina Court adopted the narrow view which holds that § 1030(a)(2) prohibits a current employee from unlawfully accessing a protected computer but not from misusing information that he obtained while lawfully accessing the computer.

The Steele Court explained how this distinction applies to this case:

Importantly, this split focuses on employees who are authorized to access their employer’s computers but use the information they retrieve for an improper purpose. Steele’s case is distinguishable for one obvious reason: he was not an employee of SRA at the time the indictment alleges he improperly accessed the company’s server. In WEC Carolina, authorization did not hinge on employment status because that issue was not in dispute. Here, by contrast, the fact that Steele no longer worked for SRA when he accessed its server logically suggests that the authorization he enjoyed during his employment no longer existed.

* * *

Common sense aside, the evidence provides ample support for the jury’s verdict. SRA took steps to revoke Steele’s access to company information, including collecting Steele’s company-issued laptop, denying him physical access to the company’s offices, and generally terminating his main system access. And Steele himself recognized that his resignation effectively terminated any authority he had to access SRA’s server, promising in his resignation letter that he would not attempt to access the system thereafter. Just because SRA neglected to change a password on Steele’s backdoor account does not mean SRA intended for Steele to have continued access to its information.

As the Steele Court hinted, common sense or basic ethics, however one looks at it, should have been enough to tell Steele that after leaving SRA, he was no longer authorized to continue accessing its data. It wasn’t enough. Now he has 48 months to think about where he went wrong as well as how he is going to come up with nearly $400,000.
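The control gap the court describes (main system access terminated, but the password on a secondary “backdoor” account never changed) is a checklist failure, not a legal subtlety. The following is an added example, not code from the original post or from any party in the case: an offboarding coverage check over a constructed account inventory (names, dates and account kinds are all made up) that flags every account tied to a departing person which still grants access, treating personal accounts and shared or service accounts differently.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                      # "primary", "admin", "service" or "shared"
    enabled: bool
    last_rotated: Optional[date]   # last credential change; None = never rotated
    linked_users: List[str] = field(default_factory=list)  # people who hold the credential


def offboarding_gaps(accounts: List[Account], user: str, terminated: date) -> List[Tuple[str, str]]:
    """Return (account name, finding) for every account tied to `user` that still
    grants access after `terminated`.

    Personal accounts (primary, admin) must simply be disabled. Service and shared
    accounts usually cannot be disabled without breaking something, so the test is
    whether their credential was rotated on or after the termination date; until it
    is, the departed person still knows a working password."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if user not in acct.linked_users:
            continue
        if acct.kind in ("primary", "admin"):
            if acct.enabled:
                findings.append((acct.name, "personal account still enabled"))
        elif acct.last_rotated is None or acct.last_rotated < terminated:
            findings.append((acct.name, "credential known to departed user not rotated"))
    return findings


# Constructed inventory (hypothetical names and dates): the departing user's main
# login was disabled on the way out, but a secondary admin login and a backup-admin
# service account whose password he knew were left untouched.
TERMINATED = date(2024, 1, 15)
INVENTORY = [
    Account("jdoe", "primary", enabled=False, last_rotated=date(2023, 11, 2), linked_users=["jdoe"]),
    Account("jdoe-adm", "admin", enabled=True, last_rotated=date(2023, 6, 1), linked_users=["jdoe"]),
    Account("backup-admin", "service", enabled=True, last_rotated=date(2022, 3, 9),
            linked_users=["jdoe", "asmith"]),
    Account("helpdesk-shared", "shared", enabled=True, last_rotated=date(2024, 1, 16),
            linked_users=["jdoe", "asmith"]),
    Account("asmith", "primary", enabled=True, last_rotated=date(2023, 12, 1), linked_users=["asmith"]),
]

if __name__ == "__main__":
    for name, why in offboarding_gaps(INVENTORY, "jdoe", TERMINATED):
        print(f"{name}: {why}")
```

The check only works if the inventory records who holds each shared or service credential, which is exactly the record most organizations lack for “backdoor” admin accounts.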


Shawn Tuma is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving computer fraud, cybersecurity, privacy and intellectual property law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes across the United States.


So, your business has never had a data breach? Have you ever had an employee leave?

TAKEAWAY: Businesses must protect their data from being taken by anyone who is not authorized to have it — insiders and outsiders alike. If their data is taken in a way that is unauthorized, it is a data breach. When a former employee leaves with a thumb drive, Gmail inbox, or Dropbox full of your business’s data, that person is then an unauthorized person in possession of your business’s data, and that is a [YOU FILL IN THE BLANK].

The Problem

Businesses lose employees every day for various reasons. When an employee is leaving, it is not uncommon for them to think something like this:

  • “I did a really great job on that project, that’s really my work, not Tyrannaco’s.”
  • “I brought those customers to Tyrannaco, they are really my customers.”
  • “I did such a great job on that proposal that I am going to keep a copy for a form in case I ever need to do one again.”
  • “The stupid management at Tyrannaco never recognized the value of what I brought to the table — I need to let these people know that I was really the one doing all of the work.”
  • “I always keep a copy of everything I do, that way if it gets lost, I always have a backup copy.”

… and with those rationalizations, and infinitely more, we all know what happens next. The employee decides to keep their own copy of your business’s data, including all of the sensitive private information that your business’s customers have entrusted to you for safekeeping. And then the employee decides to open their own business or go to work for one of your competitors, and guess what they’ll bring with them …

Let’s summarize: Your customers entrusted your business with their sensitive information, which was taken from your business and is now in the hands of someone else. You, my friend, have been breached!

Now the next section tells you why you should care. I’ll leave it at that, you get the point.

Overview of Texas’ Data Breach Notification Law

Texas’ data breach notification law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b) A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:” Social Security number, driver’s license number or other government-issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure to notify?

Section 151.151 of the law provides that the penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day of delay, not to exceed $250,000 for a single breach.

Any more questions?

When leaving your job, make sure you do this if you really want to violate the Computer Fraud and Abuse Act!

TAKEAWAY: Do not access your former employer’s computer system without its consent after you no longer work there. New employers, do not encourage or permit your new employees to do this either.

There has been much debate over the last couple of years over whether an employee violates the Computer Fraud and Abuse Act by wrongfully accessing and obtaining information from the employer’s computer for nefarious reasons – while still being employed. This has been referred to as the “circuit split” because the circuit courts of appeal have three different approaches for determining whether this violates the CFAA, what I refer to as the Trilogy of Access Theories (see bottom of post for explanation). What is not open to debate, however, is whether a former employee violates the CFAA by wrongfully accessing his or her former employer’s computer system after he or she no longer works for that employer.

That is the lesson of Nouveon Technology Partners, Inc. v. McClure & Smarter Systems, LLC, 2013 WL 811102 (W.D.N.C. March 5, 2013). The basis for the Court issuing this order is not the reason I am blogging about it, rather, I am blogging about it because I think the facts of this case are something that all employers and employees need to understand and this case does a nice job of illustrating that point.

The basic facts are all too familiar. Employee decides to go work for a new company and wants to take her former employer’s confidential proprietary information and use it to work for her new employer. Where the facts differ from many of these cases is that, according to the Plaintiff’s Complaint, the employee accessed the employer’s computer system and took the information after she no longer worked for the employer. I recommend you read the Complaint because it does a nice job of laying out the investigation into the employee’s conduct and clearly distinguishes the former employee’s activities prior and subsequent to her employment ending.

The employee’s last day of employment was April 23, 2012. She was directed to return all of the employer’s property in her possession, and it was understood that she was no longer permitted to access the employer-owned computer system (including the laptop that was issued to her) after her employment ended. She was to return the company-issued laptop on April 23 but did not return it until later:

58. The forensic search of the laptop computer also revealed that McClure had, without NouvEON’s knowledge or approval, retained and continued to use the NouvEON-owned laptop computer in her possession through the evening of April 23, after she had officially ended her duties for NouvEON and was no longer a NouvEON employee. Throughout the evening of April 23, McClure utilized the username and password provided to her by NouvEON solely for NouvEON business to continually remotely access NouvEON’s Salesforce.com account and various folders on the laptop containing Confidential Information such as NouvEON’s recruiting candidate pipeline, information regarding sales activities, the resumes of candidates identified and interviewed by NouvEON for placement with NouvEON clients and related recruiting information.

59. As a result of further forensics analysis of the NouvEON-owned laptop used by McClure, NouvEON has now learned that after McClure became an employee of Smarter Systems, she continued to remotely access NouvEON’s Salesforce.com Database to access and misappropriate NouvEON’s Confidential Information by using a username and password issued to another employee through as late as June 7, 2012.

60. In summary, the foregoing forensic inspection of the NouvEON laptop computer used by McClure revealed for the first time that prior to and for over one month after her last day of employment with NouvEON, McClure regularly accessed and misappropriated, and likely downloaded, highly sensitive and proprietary Confidential Information belonging to NouvEON. McClure’s actions in this regard were not known by or authorized by NouvEON and are in violation of her Employee Agreement and NouvEON’s policies.

So there you have it, if you are looking for a really great way to violate the Computer Fraud and Abuse Act when leaving your job, just do what McClure did! If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).
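The complaint’s two patterns, a retained company laptop used after the last day and another employee’s credentials used from it, are both visible in ordinary login records if someone joins them to the HR departure list. The following is an added example, not code from the original post or from the case record: a detection pass over a constructed login log (made-up format, names, dates and addresses) that flags successful logins after a person’s last day when either that person’s own account or a device still issued to them is involved, so a login under someone else’s account from the departed person’s laptop is still caught.

```python
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed log format (not from any real product): one login event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed HR feed: account -> (last moment of authorized access, assets issued to that person).
DEPARTED: Dict[str, Tuple[datetime, Set[str]]] = {
    "jdoe": (datetime(2024, 1, 15, 17, 0), {"LT-0042"}),
}

# Constructed sample events: jdoe's last day is 15 Jan and laptop LT-0042 was never returned.
SAMPLE_LOG = """\
2024-01-15T09:10:00 user=jdoe device=LT-0042 src=10.1.1.8 result=success
2024-01-15T21:14:00 user=jdoe device=LT-0042 src=203.0.113.5 result=success
2024-01-22T08:00:00 user=asmith device=LT-0042 src=203.0.113.5 result=success
2024-01-22T08:05:00 user=asmith device=LT-0107 src=10.1.1.20 result=success
2024-02-20T23:40:00 user=asmith device=LT-0042 src=198.51.100.9 result=success
2024-02-21T01:00:00 user=jdoe device=LT-0042 src=198.51.100.9 result=failure
"""


def post_termination_access(log_text: str,
                            departed: Dict[str, Tuple[datetime, Set[str]]]) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every successful login after a person's last day
    that used either that person's own account or a device still issued to them,
    whatever account name was typed. Failed attempts are skipped here; they belong
    in a separate, noisier alert."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":
            continue   # unparseable line or failed attempt
        ts = datetime.fromisoformat(m["ts"])
        for person, (last_day, assets) in departed.items():
            if ts <= last_day:
                continue
            if m["user"] == person:
                hits.append((line, f"{person}'s own account used after departure"))
            elif m["device"] in assets:
                hits.append((line, f"device {m['device']} issued to {person} used with account {m['user']}"))
    return hits


if __name__ == "__main__":
    for line, reason in post_termination_access(SAMPLE_LOG, DEPARTED):
        print(reason, "|", line)
```

The device-based rule is the one that matters here: an account-only rule would have seen nothing wrong with the later logins because they used a current employee’s name.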

What is the Proper Jurisdiction for an International Computer Fraud Lawsuit?

The proper jurisdiction for suing someone for engaging in computer fraud from a foreign country, directed at a company in the United States, is the place where the wrongfully accessed computer server is located if the defendant knew the location of the computer server.

This issue was analyzed by the United States Court of Appeals for the Second Circuit in its opinion in MacDermid, Inc. v. Deiter, 2012 WL 6684580 (2nd Cir. Dec. 26, 2012). MacDermid is a company located in Connecticut. Deiter was an employee of MacDermid who worked remotely from Canada. Deiter learned she was about to be terminated but, before she was actually terminated, she used her MacDermid email account to forward MacDermid’s confidential and proprietary data files from its computer servers to her personal email account. The computer servers were located in Waterbury, Connecticut. Deiter was fully aware of the location of the computer servers, and this fact proved to be important in the court’s rationale for its decision.

MacDermid sued Deiter in the United States District Court for the District of Connecticut on state law claims of misuse of a computer and misappropriation of trade secrets. MacDermid did not sue under the Computer Fraud and Abuse Act. (To be candid, when I first read this case, it was because my friend Michael Maslanka forwarded it to me, which reminded me that I wanted to figure out why there was no CFAA claim — I still do not know the answer!) Jurisdiction was based on diversity of citizenship and the Connecticut long-arm statute. Deiter filed a 12(b)(6) Motion to Dismiss claiming Connecticut did not have personal jurisdiction over her. The District Court agreed and dismissed the case. On appeal, the Second Circuit determined there was personal jurisdiction over Deiter in Connecticut based on its long-arm statute and the fact that Deiter knew MacDermid’s computer servers — which she knowingly accessed — were located in Connecticut.

The Long-Arm Statute

The Connecticut long-arm statute permits the exercise of jurisdiction over anyone who uses a computer or a computer network located within the state. While Deiter was not present in Connecticut when she sent the offending emails, because of the way the computer system operated she had to access computer servers located in MacDermid’s offices in Connecticut in order to use her MacDermid email account and obtain the confidential and proprietary data. The computer servers fall within the definition of computers under the long-arm statute; thus, her access to and use of those computers by remote means constituted a use of a computer within the state.

Due Process

After determining the long-arm statute encompassed Deiter’s activities, the court next examined whether the exercise of jurisdiction over Deiter would comport with due process. This required looking at Deiter’s minimum contacts with Connecticut to determine whether the maintenance of the suit would offend traditional notions of fair play and substantial justice. This step is satisfied if the defendant purposefully directed her activities at residents of the forum state and the arising injuries relate to those activities. Where a defendant knows computer servers are located in a forum state and intentionally commits computer fraud against those servers, the defendant meets this purposeful availment requirement: “Deiter purposefully availed herself of the privilege of conducting activities within Connecticut because she was aware ‘of the centralization and housing of the companies’ e-mail system and the storage of confidential, proprietary information and trade secrets’ in Waterbury, Connecticut, and she used that email system and its Connecticut servers in retrieving and emailing confidential files.” The court’s rationale made it clear that Deiter’s knowledge of the location of the computer servers was the linchpin of this decision.

Reasonableness of Exercising Jurisdiction

Satisfied that due process permitted the exercise of jurisdiction, the court then looked to whether the exercise of jurisdiction was reasonable. It looked to the five Asahi Metal Factors and determined that under those factors it was reasonable, primarily because the burden for Deiter to travel there was not too great and both Connecticut and MacDermid had significant interests in resolving the matter in Connecticut. “Further, efficiency and social policies against computer-based theft are generally best served by adjudication in the state from which computer files have been misappropriated.” I agree.

The rule of this case is that the proper jurisdiction for suing someone for computer fraud from a foreign country, directed at companies in the United States, is the place where the wrongfully accessed computer server is located if the person knows the location of the computer server. But, what is the takeaway?

Takeaway: If your company has people accessing its computer system from international locations, make sure they know and understand where the computer server is located. So, how about you just put this information in your company’s computer use policy!

If you or anyone you know need assistance in dealing with possible claims of computer fraud or just want to talk about the law in general, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com) and I will be more than happy to talk with you!

-Shawn E. Tuma

Social Media Law: Video Presentation for Social Media Breakfast

The full video of my recent presentation on social media law is now available!

On August 30, 2012, I made a presentation to Social Media Breakfast Dallas titled Social Media Law: It is Real and, Yes, It Can Impact Your Business. The presentation was about social media law and how it relates to businesses using social media. The presentation was professionally videoed by Jason (@jcroftmagic) and the great people at Magic Production Group (@magicprogroup) and they did a fantastic job on the production! The full video presentation is embedded on both Vimeo and YouTube below and you can also access it by clicking on the links for Vimeo and YouTube. As always, please feel free to contact me if you would like to discuss these issues any further! Shawn Tuma: @shawnetuma / stuma@brittontuma.com / 214.726.2808.

Shawn Tuma – Social Media Law from Magic Production Group on Vimeo: http://vimeo.com/49071894

Business Situational Awareness & Social Media

[Image: Weapon loadout of the AH-64 Apache, via Wikipedia]

How can your employees’ social media usage be compromising your businesses’ assets?

I have said it before: business and warfare are one and the same. The objectives are the same and the tactics are the same. Both require an understanding of situational awareness.

What is situational awareness?

Situational Awareness is the ability to identify, process, and comprehend the critical elements of information about what is happening to the team with regards to the mission. More simply, it’s knowing what is going on around you.

That’s the military definition and it works just fine for the business world: knowing what is going on around you. Knowing the definition is one thing, but understanding how to apply it is quite different. Do your employees — or even you — appreciate the many ways that using social media can compromise your businesses’ assets because of a lack of awareness of what is going on around you?

An example of how a lack of social media situational awareness in the military led to the destruction of 4 AH-64 Apache helicopters worth $20 million each — on a base in Iraq!

In 2007, a fleet of new Apache attack helicopters arrived on base in Iraq and one of the soldiers took a picture of them that was then shared through social media. (See U.S. Army Warns That Social Media Can Kill. Literally.) The picture contained a geo-tag that embedded the latitude and longitude coordinates of the helicopters right in the photo. The enemy was monitoring the Internet, discovered the photo, pulled the coordinates from it, and used them to conduct a mortar attack that destroyed 4 of the Apache helicopters valued at $20 million each. Yep — that was essentially an $80 million photo! Oops.
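The geo-tag in that story is the Exif GPS sub-IFD that most phone cameras write into the JPEG’s APP1 segment, and a pre-publication check for it is something a policy can actually require. The following is an added example, not from the original post or the Army article it cites: a stdlib-only Python routine that reports whether a JPEG carries GPS tags and strips the Exif segment before the image is shared. The sample JPEG it inspects is a constructed test vector (a bare SOI/APP1/EOI file with a made-up latitude), not a real photo.

```python
import struct

GPS_IFD_POINTER = 0x8825   # IFD0 tag that points at the GPS sub-IFD
GPS_TAG_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
                 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG (SOI, APP1/Exif, EOI) whose GPS IFD holds
    latitude 51 deg 30' 0" N. A made-up test vector, not a real photo."""
    gps_ifd_off = 8 + 18               # TIFF header, then IFD0 (count + 1 entry + next ptr)
    rational_off = gps_ifd_off + 30    # GPS IFD: count + 2 entries + next ptr
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_off)
    gps = struct.pack(">H", 2)
    gps += struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"      # ASCII "N", stored inline
    gps += struct.pack(">HHII", 0x0002, 5, 3, rational_off)         # 3 RATIONALs at an offset
    rationals = struct.pack(">6I", 51, 1, 30, 1, 0, 1)              # deg/1, min/1, sec/1
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + struct.pack(">I", 0)
            + gps + struct.pack(">I", 0) + rationals)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each length-prefixed segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError(f"corrupt marker at offset {i}")
        marker = jpeg[i + 1]
        if marker in (0xD9, 0xDA):    # EOI / SOS: no more metadata segments follow
            break
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield marker, i, i + 2 + length
        i += 2 + length

def _ifd_entries(tiff: bytes, off: int, bo: str):
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    for k in range(n):
        e = off + 2 + 12 * k
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        yield tag, typ, cnt, tiff[e + 8:e + 12]    # last 4 bytes: inline value or offset

def _value(tiff: bytes, typ: int, cnt: int, raw: bytes, bo: str):
    if typ == 2:   # ASCII: inline when it fits in 4 bytes, otherwise at an offset
        data = raw if cnt <= 4 else tiff[struct.unpack(bo + "I", raw)[0]:]
        return data[:cnt].rstrip(b"\x00").decode("ascii")
    if typ == 5:   # RATIONAL: (numerator, denominator) pairs stored at an offset
        off = struct.unpack(bo + "I", raw)[0]
        nums = struct.unpack(bo + f"{2 * cnt}I", tiff[off:off + 8 * cnt])
        return list(zip(nums[0::2], nums[1::2]))
    return raw     # other types are returned undecoded

def gps_tags(jpeg: bytes):
    """Return {tag name: value} from the GPS IFD, or None when there is no Exif/GPS data."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = ">" if tiff[:2] == b"MM" else "<"     # byte order from the TIFF header
        ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
        for tag, typ, cnt, raw in _ifd_entries(tiff, ifd0, bo):
            if tag == GPS_IFD_POINTER:
                gps_off = struct.unpack(bo + "I", raw)[0]
                return {GPS_TAG_NAMES.get(t, hex(t)): _value(tiff, ty, c, r, bo)
                        for t, ty, c, r in _ifd_entries(tiff, gps_off, bo)}
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy with every Exif APP1 segment dropped; the image data is untouched."""
    out, cursor = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        out += jpeg[cursor:start]
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"):
            out += jpeg[start:end]
        cursor = end
    return bytes(out + jpeg[cursor:])
```

Dropping the whole Exif block also removes camera model, timestamps and thumbnails, which is usually what a “think before you post” policy wants anyway.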

Now let’s think about how these principles can apply to your business.

  • Have your employees listed their customer contacts — those “trade secrets” that you pay too much to protect — on their LinkedIn contacts?
  • How about your prospects — those that you are hoping to snag away from your competitors — has anyone in your organization recently “added” or “followed” them?
  • That new strategic location you’re planning to open — do you think anyone noticed that 4-Square check-in or found the geo-tag coordinates from the pic from the inside?
  • That new strategic alliance your company is secretly developing … was it really a good idea for your receptionist to tweet “nice to meet you” to them after they left your office?

Please feel free to continue the list. You get the picture. Do you still believe that your competitors are not monitoring your and your employees’ social media?

I love social media and I think it is an amazing thing that holds an amazing amount of promise for virtually every kind of business. I want to see businesses use it more — I want to see you use it more. You know this. You also know, by now,  that I’m a social media lawyer who practices social media law — I try to help you and your business plan for as many things as we can and put them into policies to help protect your business from known and unknown risks. So what, right? Would I have ever imagined that one picture would result in 4 destroyed Apache helicopters? Maybe, maybe not. Who knows.

We can’t anticipate everything and we can’t put every potential risk into a policy. It’s just not possible. But, what we can do is teach our people to think — to understand their situational awareness — and to appreciate the fact that for everything they (we) are putting on the Internet, potentially someone who we wouldn’t want to read it is reading it and, if they have a chance, will use it to harm our interests or further their own. The best protection for you and your employees: (1) know what is going on around you; and (2) think before you post.