Yes, an Employee Really Can Steal Your Data and Then SLAPP You for It?

Don't get SLAPPED by an employee who stole your data!Yes, in California it just happened!

The fact that this happened in California should be of no comfort to Texas businesses, however, because the Texas Anti-SLAPP law comes from California and, therefore, California jurisprudence is considered persuasive authority in Texas. This means that in the not so distant future Texas employees could steal their employers’ data and then SLAPP them for it as well. Many other states have anti-SLAPP laws that are derivative of California’s as well.

Let’s look at a case study to demonstrate what I’m talking about.

Case Study: Emanuel Medical Center, Inc. v. Dominique, 2014 WL 4239346 (Cal. App. Aug. 27, 2014)

Emanuel Medical Center, Inc. hired Susan Dominique to open and direct the cardiovascular services department of one of its California facilities. Her duties included ensuring that the department followed California law with regard to practices that affected patient care such as having a cardiac surgeon available to provide emergency cardiac care, among other things.

Dominique had numerous confrontations with the primary cardiac surgeon over this issue and claims to have personally observed numerous other violations of law and regulation during her employment with EMC.

In October 2011, EMC told Dominique that she was being investigated because of her managerial style.

On November 18, 2011, EMC told Dominique that she was being placed on administrative leave and her employment would terminate on December 9, 2011.

On November 22, 2011, she returned her EMC issued BlackBerry and laptop computer. At some point between November 18 and November 22, EMC disabled her employee’s user account that allowed her to access EMC’s database which, EMC incorrectly believed also prevented her from being able to access EMC’s e-mails.

On December 9, 2011, Dominique was officially terminated from EMC.

The Lawsuit

On March 22, 2012, Dominique sued EMC for wrongful termination.

During discovery in the lawsuit, EMC learned that Dominique continued to have access to EMC’s e-mails after the November 18, 2011, meeting, where EMC informed her of the termination of her employment in that she had forwarded approximately 110 work-related e-mails to her personal account between November 19 and 21, 2011, while on administrative leave. EMC also learned that on October 31, 2011, Dominique forwarded to her personal account approximately 81 e-mails containing hundreds of attached EMC computer files, which included EMC policies, presentations, forms and templates, employee writeups, marketing materials, and disciplinary memoranda and reports.

In October 2012, EMC filed a counterclaim against Dominique that five causes of action that were premised on her wrongfully taking for her own personal use, EMC’s data in the form of e-mails and other proprietary information.

The Anti-SLAPP Motion

In response to the counterclaim, Dominique filed an anti-SLAPP motion to dismiss these five claims based on her argument that EMC’s claims were based on the theory that Dominique “gathered evidence,” including some of her work e-mails, and showed them to an attorney in Southern California in an effort to sell her perceived claims against EMC and that such pre-lawsuit communications and the filing of her wrongful termination action were constitutionally protected activities and that EMC could not demonstrate “a probability of prevailing” on the merits of its counterclaims.

The trial court granted the anti-SLAPP motion and ordered EMC to pay $23,800 in attorneys’ fees to Dominique. EMC appealed.

The Appellate Court’s Ruling

Was taking the information a “protected activity”?

The primary issue that the appellate court faced: was it a “protected activity” for Dominique to forward to herself EMC e-mails and other information to use in preparing for litigation against EMC?

The court gave a bifurcated answer that turned on whether the information she gathered was actually provided to an attorney “in an effort to sell her perceived claims against EMC.” For information that she actually provided to an attorney “in an effort to sell her perceived claims against EMC,” the court held this was a protected activity. For information that she simply forwarded to herself, but did not provide to an attorney, it was not protected activity.

The rationale for the court’s ruling is based on a couple of principles:

  1. the anti-SLAPP law clearly protects as a “protected activity” a plaintiff’s filing a lawsuit against her employer, as the filing is an “act of communication” that is tantamount to an expression of free speech;
  2. when a plaintiff gets counter sued for engaging in an “act of communication” that is in furtherance of her “protected activity,” that action in furtherance of the protected activity is likewise protected;
  3. in this case, the counterclaimant EMC filed a declaration stating that a basis for its lawsuit was that Dominique “distributed some, if not all, of the documents to unknown parties…, potentially including attorneys in Southern California in an effort to sell her perceived claims against EMC”; and
  4. distributing information is viewed as an “act of communication,” thus, it too is a protected activity.

Essentially, what this means is the taking of the information was not a protected activity but the subsequent distribution of that information to an attorney was protected.

Could EMC prevail on the merits?

Under the anti-SLAPP law, once the movant carries its burden of proving that the claims are based on the exercise of a protected activity, the party asserting the claims has the burden of demonstrating a probability of prevailing on those claims by producing prima facie evidence to support each element necessary to prove the claims.

In this case, proof of damages was an essential element to each of EMC’s counterclaims. EMC argued that it suffered two types of damages:

  1. it was forced to report the unauthorized disclosure of the information taken by Dominique and may be subject to fines in the future; and
  2. it will be damaged by the unfair advantage Dominique’s future employer and EMC’s competitor will receive from Dominique’s possession of these materials. The court did not find either of these arguments sufficient proof of damages.

“Both of these contentions suffer from the same flaw. They do not identify damages already incurred. Instead, they identify the possibility of a future liability (i.e., fines not yet levied) and the possibility of a future loss of business. The statement that EMC “may be subject to fines” leaves open the possibility EMC may never be fine for the allegedly unlawful disclosure. Similarly, the statement that EMC “will be damaged by the unfair advantage” a future competitor “will receive” is written in the future tense and does not identify a present injury or loss.”

In a footnote number 9 to the above quoted paragraph, the court notes that “[t]he weakness in EMC’s position that it suffered damages as confirmed by its failure to provide citations to the record to support its position. Ordinarily, a party with the burden of demonstrating a probability of prevailing on the merits would include citations to its evidentiary submissions that support a particular element of its claim.” (Citations omitted). This footnote is important because, in my opinion, the court blew right past a very important aspect of EMC’s damages argument and this may explain why – perhaps the court was frustrated by EMC’s efforts to prove its damages.

EMC was a medical facility that unquestionably qualified as a “covered entity” in possession of patients’ protected health information (PHI). The court’s opinion states “EMC also alleged the e-mails were its property and contain private or confidential information about patients or employees that is protected from disclosure by statute and the California constitutional right to privacy.” If Dominique did in fact take patients’ PHI information and disclose it to anyone who was not already covered with a “business associates agreement” with EMC, such disclosure would be a data breach that would require a very costly and onerous breach notification and reporting under both California and federal law. This alone, would constitute proof of substantial damages caused by Dominique’s taking of the information, if such evidentiary proof had been provided to the court. Given the court’s footnote 9, there is at least the impression that EMC’s attorneys may not have gone through this process in a way that satisfied the court.

The Outcome

Nonetheless, because the court found EMC could not produce prima facie proof of its damages, it found that EMC failed to demonstrate a probability of prevailing on the merits, upheld the trial court’s granting of the anti-SLAPP motion, and awarded Dominique her costs on appeal.

Lessons

This opinion offers some important lessons for both employers and employees when dealing with these types of situations in California, for now, and Texas and other jurisdictions in the future.

  1. for employers, if you are going to terminate an employee, do not simply rely on terminating their access to login to the computer system, but also reacquire all devices that contain or have access to company information;
  2. for employees, if you are going to take company information (which I do not recommend), make sure you give it to an attorney in an effort to obtain representation for bringing claims against your employer;
  3. for all defendants, if you are going to file a retaliatory counterclaim against the party who sued you, make sure you have better grounds for your lawsuit than “because they sued me” and for goodness sakes, do not state in a declaration, affidavit, or court filing that the basis for the counterclaim is because the plaintiff did something “in an effort to sell her perceived claims against” you;
  4. for all would-be litigants, if you are going to file a claim against someone based upon something that could be perceived as a protected activity, make sure you already have obtained and prepared your evidence to make a prima facie showing for each element of the claims you intend to file – before you file them – and when required to respond to an anti-SLAPP motion, take it seriously and spoon feed your evidence to the court. If you do not, do not be surprised when your adversary takes your claims and SLAPPs you right back with them.

 

About the author

Shawn Tuma is a lawyer who is experienced in representing and advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: