A recent 6th U.S. Circuit Court of Appeals case from Michigan emphasizes the importance of creating and implementing computer and data privacy policies as well as monitoring employee use of digital data. The facts reveal that two employees of a Michigan truck and trailer company were part of the sales team for Royal Truck & Trailer Sales and Service, Inc. (the company). The employees were made aware of the company’s policy concerning the use of computer equipment. Specifically, the employees received a copy of the company’s employee handbook which prohibited the unauthorized use, retention or disclosure of the company’s resources or property. The policy clearly included prohibition of sending or posting trade secrets or proprietary information outside of the organization. The employees were also made aware of the company’s cellphone policy which prohibited the employees from disabling or interfering with the GPS tracking system or any other function on the company issued cellphone. The cellphone policy also included prohibition against employees removing any software, functions or applications.
The two employees abruptly resigned one day from the company to accept employment with a direct competitor in the Detroit area. The company was concerned that confidential information might have been compromised, so it launched an investigation. The company discovered that the two employees sent confidential customer information from company email accounts to personal email accounts. The employees, while employed with the company, also contacted company clients through the company email server requesting the clients to send information to their personal email accounts. The employees then deleted and reinstalled the operating systems on their company-issued laptop computers. This rendered some of the laptops’ data unrecoverable. Also, the company-issued cellphones were reset to factory settings, rendering much of the data unrecoverable. Upon receiving the results of the investigation, the company immediately went to the employees’ residences and secured possession of the laptop computers and the company-issued cellphones. The company hired a forensics expert who was able to restore some of the deleted data on the electronic devices.
The company took legal action against the two former employees in federal court, alleging violation of the Computer Fraud and Abuse Act (CFAA) as well as Michigan law. The federal district court dismissed the lawsuit, finding that the employees did not exceed authorized access as those terms are used under the CFAA. On appeal, the 6th Circuit reviewed the elements necessary to establish a violation of the CFAA, which are:
- The employees intentionally accessed a computer.
- The access was unauthorized or exceeded the authorized access.
- Through that access, the employees thereby obtained information from a protected computer.
- The conduct caused loss aggregating at least $5,000 in value.
The court noted that the term “access” is synonymous with initial entry and such initial entry must result in obtaining data. The purpose of the CFAA is to prevent and protect against the consequences of “hacking” rather than the misuse of corporate information. The employees were authorized to “access” the data on the electronic devices. Therefore, there was no violation of the law under the CFAA.
The egregious actions of the two employees of Royal Truck and Trailer might violate other laws but not the CFAA. Nevertheless, this case exemplifies the importance of developing and enforcing policies which protect confidential information including trade secrets, client lists, and pricing information. Such policies must be clearly communicated to employees with documentation that the policies were reviewed with the employees. In our “digital age”, and especially when so many employees have been working remotely during the COVID-19 pandemic, computer policies are critical to the ongoing success of companies.
Please contact a member of our Labor and Employment Section with questions or comments.