U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains
In 1st Circuit, ‘ball in employer’s court’
By Correy E. Stephenson
The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.
Employers frequently add a CFAA claim to suits against former employees who take confidential information from company computer systems.
But federal courts across the country have split on just how broadly the act should be interpreted.
The CFAA provides for criminal and civil penalties against an employee who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”
The 1st U.S. Circuit Court of Appeals has allowed employers to sue under the act when employees have authorized access but use it for purposes unrelated to their jobs, while other circuits, such as the 9th, have read the law narrowly to require actual hacking of the computer system.
A petition for certiorari in a 4th Circuit case raised the hopes of employment lawyers nationwide that the Supreme Court would end the circuit split.
But in January, the justices denied review, leaving employment lawyers with continuing uncertainty.
“This is a big deal for employment lawyers,” said Brian P. Bialas of Foley Hoag in Boston.
Until the Supreme Court agrees to decide the issue, Bialas added, “the ball is definitely in the employer’s court in the 1st Circuit.”
Circuit split widens
For multiple reasons, the CFAA is a valuable tool for attorneys representing employers. In addition to establishing federal jurisdiction, the CFAA lets victorious plaintiffs recover damages such as the cost of hiring a computer forensic firm to investigate the employee’s activities, Bialas said.
And the act provides for injunctive relief, which can allow employers to stop a former worker from taking information to a new employer or using it for his own benefit.
The law comes into play when an employee leaves a job or is terminated and attempts to take information with him.
While an employee typically is authorized to access company documents on an internal document management system, “if she does so not in the course of her employment but rather for the purpose of viewing information that might be helpful for her next employer or some other improper purpose, then [the CFAA] can be triggered,” said John R. Bauer, a partner at Robinson & Cole in Boston.
For example, Bauer said, an employer would consider financial information, a formula or a client list confidential.
“Even though the person has literal authorized access to the documents, the access is used not for the purpose of fulfilling job responsibilities,” he said, adding that an alleged breach of the company’s computer use policy can — in some jurisdictions — provide the basis for a CFAA claim.
In the 1st Circuit, an employer has been allowed to bring suit against a former employee for accessing data in violation of a confidentiality agreement. The decision in EF Cultural Travel BV v. Explorica stands with similar decisions from the 5th, 8th and 11th circuits, where courts have also allowed employers to allege violations of the CFAA when the employee breached a confidentiality or computer use agreement.
A case from the 9th Circuit stands in stark contrast.
In an en banc decision issued last year, the 9th Circuit affirmed the dismissal of CFAA charges against an employee who had authorization to access his employer’s database but used his log-in credentials to download source lists, names and contact information to start his own business.
Even though the employee in U.S. v. Nosal violated a company policy that prohibited the disclosure of confidential information, the court held that the statute did not apply. The CFAA requires unauthorized access to computer data, that is, computer hacking, the 9th Circuit said, not misuse of data the employee was entitled to access.
Last July, the 4th Circuit agreed, holding in WEC Carolina Energy Solutions LLC v. Miller that the CFAA does not impose liability on authorized workers who breach computer use policies.
Noting the widening circuit split, the company petitioned the high court for review, which the justices declined in January.
Employers: Establish a policy
The Supreme Court’s denial of cert leaves attorneys representing employers in Massachusetts standing on solid ground.
To protect a company, make sure to have a data or computer use policy in place, Bialas advised, and “include a provision about confidentiality to use as a basis for a CFAA claim.”
However, the jurisdictional split “creates a problem for employers who have employees in multiple states,” Bauer said.
The employer “might be able to bring an action against an employee in one state but can’t take action against an employee in another state for doing the exact same thing,” he said.
For now, under the existing 1st Circuit CFAA caselaw, employees and their new employers face potential lawsuits.
But attorneys agreed that the circuit split will be resolved, whether by the Supreme Court or by Congress amending the statute.
The CFAA has received the attention of federal lawmakers recently after the suicide of Aaron Swartz, a computer prodigy who had been criminally charged under the law. With the statute under consideration, a tweak to clarify the breadth of its application in civil employment suits is possible, Bialas noted.
If not, “the Supreme Court would certainly be the easiest way for a lot of people to get some clarity,” he added hopefully.
Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so. The Payment Card Industry Security Standards Council was created by the major card brands (American Express, Discover, JCB, MasterCard and Visa) to tell merchants precisely what they are supposed to do to protect consumers. Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards. This past November, and then again in February, the Council issued guidelines to help merchants (and some third-party service providers) comply with PCI DSS when they assess risks to cardholder information within their systems, deal with cloud service providers, and accept payments using mobile devices.
On November 16, 2012, the Council issued guidelines to help organizations perform risk assessments that comply with PCI DSS. According to BNA, the Council’s key recommendations include encouraging organizations to:
- implement risk assessment methodologies that suit the culture and requirements of the particular organization; and
- utilize continuous discovery processes that allow organizations to discover threats and mitigate them in a proactive and timely fashion.
The Council also emphasized that risk assessments should not replace the requirements of PCI DSS.
Cloud Service Providers
The Council also has published guidelines for dealing with cloud service providers. Because many organizations entrust cardholder information to cloud service providers (like Google), the Council emphasized that compliance with PCI DSS is a shared responsibility between the organization and the cloud service provider. The more aspects of a business a third party manages for that business, the more responsibility that third party has for maintaining PCI DSS protections. Significantly, the guidelines suggest that organizations and cloud service providers clearly set out security responsibilities in contracts between them to avoid misunderstandings.
Mobile Payments
The Council also has offered best practices for accepting credit card payments on mobile devices. Consumer mobile devices were not designed to handle sensitive payment information, and are therefore particularly vulnerable. For this reason, the Council provided recommendations for securing mobile devices used to process payments. The Council did not recommend that merchants allow “bring your own device” policies, under which an employee uses at work a device that the employee (not the merchant) owns and controls, because the merchant cannot control the content and configuration of such a device. With the increasing popularity of Square, strict merchant adherence to these standards in this area will only become more important.
* * *
Above all, the Council’s guidelines show just how seriously the credit card industry considers the protection of cardholder information at each step of the payment process, from the initial purchase through to the storage of the information. Yet some security threats to cardholder information, including a basic one that I wrote about here, remain unaddressed, so the credit card industry still has some work to do.
On February 12, 2013, President Obama signed an executive order entitled “Improving Critical Infrastructure Cybersecurity.” The Order has two key components.
First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted entities.
Second, the National Institute of Standards and Technology (“NIST”), which is part of the Commerce Department, must develop a Cybersecurity Framework. The Cybersecurity Framework will be a set of standards, methodologies and procedures to help owners and operators of critical infrastructure to reduce cyber risks. NIST must consult with other agencies and stakeholders and must incorporate voluntary consensus standards and industry best practices.
In conjunction with the Department of Homeland Security (“DHS”), sector-specific agencies must develop a program to support the private sector in adopting the Cybersecurity Framework. DHS must coordinate and recommend to the President a set of incentives to encourage industry adoption.
The President also issued the Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21). Under the Policy Directive, DHS and sector-specific agencies must assess the Nation’s critical infrastructure and assist the owners and operators in strengthening their cyber security.
The Executive Order and Policy Directive were issued after Congress failed to pass numerous cybersecurity bills in 2012, including a proposal by the White House. In September, the White House said that it would consider issuing an executive order if Congress remained deadlocked. The White House noted that the executive branch is “hamstrung by outdated and inadequate statutory authorities,” and in President Obama’s State of the Union Address, he called on Congress to “pass legislation to give our government a greater capacity to secure our networks and deter attacks.”
Yesterday President Obama signed an executive order directing federal agencies to develop voluntary best cyber security practices for key industry sectors and to create a system for broader public-private information sharing, and today administration officials have been speaking at an event highlighting the order. The Order places primary responsibility for managing cyber security in the hands of the Department of Homeland Security. Under the Order, the government will also be identifying baseline data and systems requirements for the government to allow the exchange of information and intelligence, and will be producing and disseminating unclassified cyber threat reports. The Order also seeks to increase information sharing within the government and with the private sector, looking for options to improve the public-private partnership in both physical and cyber space and to streamline the process of information sharing.
Deputy Attorney General James Cole, speaking at today’s event, emphasized that this would be done without violating the Administration’s commitment to protecting privacy and civil liberties. He mentioned that each federal department and agency is required to develop and implement privacy and civil liberties safeguards in connection with their cyber space activities, and must also assess the safeguards and their implementation, with the results of the assessment sent to the DHS Chief Privacy Officer and Officer for Civil Rights and Civil Liberties to be included in a public report.
Keep watch here for further analysis of the Executive Order and industry reactions to it.
In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.”
The Pentagon’s plan would create three types of forces under the Cyber Command:
- “national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security;
- “combat mission forces” to help commanders abroad plan and execute attacks or other offensive operations; and
- “cyber protection forces” to fortify the Defense Department’s networks.
The first of these categories is the one I find most interesting, as it most closely relates to daily life and work in this country. It also raises the interesting question as to which businesses are deemed to be critical infrastructure. While electric grids seem obvious, what about electronic health records? Or Google? Cloud storage? And would you want your company to be designated as critical, if there is increased government oversight as a result?