24 MARCH / APRIL 2022 HUMAN RESOURCES Debra A. Mastrian Partner SmithAmundsen LLC dmastrian@salawus.com SmithAmundsen LLC is a Diamond Associate Member of the Indiana Bankers Association. Inside Threats to Company Information In today’s digital age, employers store immense amounts of valuable information, including confidential and proprietary information, on their computer systems, cloud servers or through other online data storage solutions. Data breaches from outside threats are top of mind. The news is filled with stories about the latest ransomware attack or phishing scam. Protecting against those external threats is critical, but employers must also safeguard against inside threats. Inside threats typically arise from disgruntled or terminated employees, employees moving to competitors, or untrustworthy vendors or contractors. Last summer, the U.S. Supreme Court handed down its first pivotal decision regarding the Computer Fraud and Abuse Act, Van Buren v. United States. In doing so, the Supreme Court took a narrow view of the CFAA and limited one of the avenues for employers seeking redress against employees who misused company computers. The Court concluded that the CFAA does not provide a remedy when a person who was authorized to access the company’s database misused their access for an improper purpose. By way of background, the CFAA was enacted in 1986 to help combat against computer attacks. Initially, the Act provided criminal penalties, but was later amended to provide civil remedies. The Act prohibited unauthorized access with the intent to defraud; computer access without authorization; altering, damaging or destroying information; as well as trafficking in computer passwords. As technology and hackers’ strategies advanced, the Act was expanded to cover additional types of data breaches, including a person who “exceeds authorized access.” * This amendment opened the door for employers to bring claims against employees (typically departing employees) who accessed company servers and stole, misappropriated or otherwise misused data. Courts were split on whether such claims were covered by the Act. The Seventh Circuit Court of Appeals (which includes Indiana in its territory) adopted a broad interpretation, finding that the Act covered instances in which a person who had authorized access misused the company information. Other federal circuits adopted narrower interpretations. In Van Buren, the Court limited the scope of CFAA coverage, ruling that both “unauthorized access” and “exceeds authorized access” require proof that the alleged wrongdoer obtained the data from areas that were otherwise off-limits. Thus, if an employer grants an employee access to an area, the employee cannot be held liable under the CFAA for misusing the information from that area. The Court did not address or explain what steps a company must take in order to establish an area as off-limits (e.g., whether an employer must use a code-based or other technological method for limiting access).
RkJQdWJsaXNoZXIy MTg3NDExNQ==