The decision (linked as PDF here) says in part:
"The district court relied on our decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), ... - that an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.
We have jurisdiction under 18 U.S.C. § 3731, and we agree with the government."
This is interesting because, previous to this point, when an employee made use of information (such as customer lists, sales leads, etc.) or software, documentation, data or other content provided by their employer the employee could utilize that software for their own purposes and the business had little ability to stop them.
Sure it was wrong, but if the employee was remote or acted surreptitiously there was little you could do practically to stop it.
Any business owner knows the story. You have a remote or traveling employee with a laptop. That laptop contains your proprietary business software (sales data, sales leads, show leads, whatever) which the employee is authorized for use in making sales calls, as a demonstration system or to perform work. Then the employee is terminated. Suddenly you find that the employee has not returned that software and information to you. Or you find email trails of surreptitious acts, unauthorized purchases, and other anecdotal evidence your property has been misused.
What control did you have over that property, software or data?
Very little with an unscrupulous employee.
Even with written documentation such as email or other evidence that your software or data is being misused there was little you could do.
This opinion, however, changes all of that.
Now this type of unscrupulous activity is placed on par with "hacking" - such as stealing credit card numbers.
The opinion relates to the Computer Fraud and Abuse Act (see this link) adopted in 1986.
Today this means that anyone engaged in the use of software (or the accessing of data) which they have been provided via some work-related association for any purpose outside the express use permitted by the employer is guilty of a Federal cyber crime, the punishment for which can be severe: “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
As a business owner with remote employees this has always been an issue. You issue some employee a computer and/or software to use, for example, for sales related activities such as demos and so on. Later you find that the employee was off trying to use that very same software and/or computer to better their own personal life at your expense.
Well now its a Federal crime.
A crime with severe penalties.
An when you examine the statute you see that it would also cover things like email servers, remote databases, internal FTP sites, and so so on that are part of work related activities. This is because they are computer systems and are limited and restricted by the business.
Fortunately the commission of criminal acts by an employee supersedes any type of agreement you might have made with that employee regarding previous working arrangements. Agreements and other activities used to cover up or hide such acts could also be considered conspiracy - especially if their intention was to prevent the discovery of such acts. And certainly reporting crimes to the authorities cannot be limited by agreements either.
This opinion says it all...
No comments:
Post a Comment