One big IT security risk companies face is that departing employees will take confidential documents with them. In one recent lawsuit, a company tried to take legal action against an ex-employee who did just that.
Mike Miller worked as a project director for WEC Carolina Energy Solutions, Inc., until he resigned. A few weeks after he left, he pitched a proposal to a WEC customer on behalf of his new employer, a competitor of WEC.
The customer ultimately chose to do business with Miller’s new company. According to WEC, Miller made his presentation using trade secrets and other confidential documents that were downloaded from WEC’s servers while Miller still worked there. According to the company, Miller downloaded the files and sent them to his personal email address.
WEC took Miller to court, claiming he violated the Computer Fraud and Abuse Act, which prohibits people from “intentionally access[ing] a computer without authorization” or “exceed[ing] authorization” in accessing information. According to WEC, even though Miller had authorization to download the data while he worked there, he exceeded his authorization when he sent the documents to a personal email account and used them to make a presentation to a competing company. Those actions violated WEC’s policies, as the company stated in its lawsuit.
However, the court threw out the case. According to the judge, the Computer Fraud and Abuse Act simply prevents people from viewing or downloading data that they don’t have authorization to access; it doesn’t regulate how they use that data after they access it.
In this case, Miller was authorized to access the confidential documents at the time they were downloaded. While sending them to a personal email account may have violated company policy, it wasn’t a violation of the law (Cite: WEC Carolina Energy Solutions v. Miller).
Limits of the Computer Fraud and Abuse Act
Companies in other cases have tried to use the Computer Fraud and Abuse Act to take action against ex-employees who took confidential information with them when they resigned. However, as this case shows, it often doesn’t work.
While the law might be used against an inside hacker who breaks into a system without authorization, it probably won’t do any good in situations involving employees who misuse information they’re allowed to access. In those cases, companies will have to rely on confidentiality agreements or other contracts employees have signed.