If former users stole data, why did the court give them a pass?

A recent lawsuit shows that when it comes to protecting your systems, IT might not receive much help through legal avenues. In this case, former employees stole data, but the lawsuit against them had to be thrown out because it relied on a very old law.

First, the facts: Carnegie Strategic Designs LLC, an engineering firm, had four employees leave to work for one of its competitors. After these employees left, they logged into Carnegie’s password-protected systems to copy and steal protected data, according to the lawsuit.

The company estimated they took data valued at approximately $10,000,000, including:

  • trade secrets
  • client information
  • vendor and customer contacts
  • engineering drawings, and
  • client project data.

The lawsuit

Accessing this was in direct violation of the company’s policies that all of its employees received and signed off on.

Carnegie also spent nearly $5,000 on the investigation and forensics to discover the data theft. It sued to get some of that money back.

In order to sue, the company had to rely on the Computer Fraud and Abuse Act (CFAA) – a law written in 1986, two years before the “world wide web” came to be. It argued that the defendants “lost all authority to access [the company’s] password-protected computer system” when they quit.

And that’s where the case started to fall apart.

CFAA is tricky

The CFAA is an anti-hacking law. In order to sue successfully under it, plaintiffs must show:

  • they suffered damage or loss, and
  • the hackers “exceeded their authorized access” to systems.

The first part was easy enough: The company was able to show it lost at least $5,000 investigating the data theft.

But the court refused to accept the company’s argument that the ex-employees “exceeded authorized access” to data. Here was the court’s reasoning (it’s a bit complicated, but stick with us, we’ll explain):

Here, plaintiff admits that each defendant was permitted to access its computer system and network and was permitted to access the data at issue. Compl. [ECF No. 1] at ¶ 15. Plaintiff does not allege that defendants “hacked into” a computer or the files that they were not otherwise permitted to access. Rather, the crux of plaintiff’s argument is that rejected by the Consulting Professional court — that defendants lost the right to access such information when they did so for their own or a third party’s benefit, and to the detriment of plaintiff. Such a finding is contrary to the plain language of the statute that governs “access” and not “use.”

Essentially, the court said the company had at one time given the employees permission to access the data. So even if they accessed it for all the wrong reasons and after they left the company, that’s not the same as hacking under the CFAA. The statute isn’t about how the data is used; it’s about whether they were ever allowed to access it.

The case was thrown out.

Protect yourself

Carnegie didn’t have much choice but to use the CFAA to try to collect damages. Even though technology moves at break-neck speed, laws are slower than molasses. That’s why a 27-year-old law is being used for a very modern problem.

Don’t count on any new tech-savvy laws being passed, either. Congress isn’t exactly champing at the bit to move legislation these days.

And even though this company had a very clear policy that workers couldn’t access data after leaving the company, that wasn’t enough to save it.

So where does that leave you? IT must have robust protections to keep its data from being accessed by former employees. Make sure:

  • You’re kept informed of personnel decisions. If employees leave the company, you need to be one of the first people to know. Talk to HR to make sure you’re included in their procedures for cutting ties with employees.
  • Shared accounts and passwords are banned. If employees share usernames and passwords, there’s nothing to stop a fired, retired or outgoing employee from logging back in and taking data. One username per account needs to be the rule.
  • Access is monitored. Check in occasionally to see who is accessing data. If files are being copied, viewed or printed at odd hours or from unrecognized locations, that’s a serious red flag.
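The three checks above (know who has left, ban shared accounts, watch access patterns) can be automated against an access log. The script below is an added example, not code from the original article or from Carnegie: it assumes a constructed HR offboarding list, a constructed set of “known” office address prefixes, and a simple whitespace-separated log format (timestamp, user, source IP, action, path). Real systems log differently, so the parser is the part you would adapt. It flags logins by accounts past their termination date, access outside business hours or from unrecognized addresses, and accounts that appear to be shared (the same username from two different addresses within a few minutes).

```python
"""Added example: cross-check access logs against HR offboarding data.

All data here is constructed for illustration; the log format, the
terminated-user list and the known-address prefixes are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed HR offboarding list: username -> last day with the company.
# In practice this would be fed from HR's separation procedure.
TERMINATED = {
    "jdoe": datetime(2024, 3, 1),
}

# Constructed prefixes for addresses considered "recognized" (office LAN, VPN pool).
KNOWN_PREFIXES = ("10.0.0.", "192.168.1.")

# Assumed business hours; access outside this window is flagged.
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Constructed access log: "timestamp user src_ip action path"
SAMPLE_LOG = """\
2024-02-28T10:15:00 jdoe 10.0.0.12 VIEW /projects/bridge/drawings.dwg
2024-03-04T02:10:00 jdoe 203.0.113.7 COPY /projects/bridge/drawings.dwg
2024-03-04T14:00:00 asmith 10.0.0.30 VIEW /clients/list.xlsx
2024-03-05T23:45:00 asmith 198.51.100.9 PRINT /clients/list.xlsx
2024-03-05T09:00:00 shared_eng 10.0.0.31 VIEW /vendors/contacts.csv
2024-03-05T09:05:00 shared_eng 10.0.0.44 VIEW /vendors/contacts.csv
"""


def parse_log(text):
    """Parse the constructed log format into event dicts (adapt for real logs)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "path": path})
    return events


def is_known_source(ip):
    return ip.startswith(KNOWN_PREFIXES)


def flag_events(events, terminated=TERMINATED, hours=BUSINESS_HOURS):
    """Return events that violate the offboarding, hours or location checks."""
    findings = []
    for e in events:
        reasons = []
        last_day = terminated.get(e["user"])
        if last_day is not None and e["ts"] > last_day:
            reasons.append("access after termination date")
        if not (hours[0] <= e["ts"].time() <= hours[1]):
            reasons.append("outside business hours")
        if not is_known_source(e["ip"]):
            reasons.append("unrecognized source address")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def shared_account_candidates(events, window=timedelta(minutes=10)):
    """Usernames seen from two different addresses within `window` of each other."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def analyze(log_text):
    events = parse_log(log_text)
    return flag_events(events), shared_account_candidates(events)


if __name__ == "__main__":
    findings, shared = analyze(SAMPLE_LOG)
    for f in findings:
        print(f["ts"].isoformat(), f["user"], f["action"], f["path"], "->", "; ".join(f["reasons"]))
    print("possible shared accounts:", shared)
```

Run against the constructed log, the script reports the departed employee copying engineering drawings from an outside address at 2 a.m., a late-night print job from an unrecognized address, and one account that looks shared. The termination-date check is only as good as the HR feed behind it, which is exactly why the first bullet matters.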
