Nearly all employers maintain confidential or protected personal information, and many also maintain trade secrets and other confidential business information. Most of these employers also should – and typically do – enact policies to protect and limit access to such information, which their employees must follow or face discipline. Federal and state laws also exist to protect confidential information stored electronically by imposing civil and criminal penalties upon anyone who accesses, or attempts to access, confidential information without authorization.
But how, if at all, do employer policies and federal/state laws interact? Might an employee who violates an employer’s computer use policy also face criminal or civil penalties? With these questions in mind, below are some best practices for employers to consider.
Recently, the United States Court of Appeals for the Third Circuit clarified the relationship between policy violations and the Computer Fraud and Abuse Act (CFAA), the Federal Defend Trade Secrets Act (FDTSA) and the Pennsylvania Uniform Trade Secrets Act (PUTSA). Spoiler alert – violation of an internal policy will not automatically equate to a violation of state or federal law.
First, analyzing the CFAA, the Court noted that the Act was passed to “stem the tide of criminal behavior involving computers.” The CFAA imposes civil and criminal penalties upon anyone who accesses a protected computer without authorization or who exceeds their authorized access. The Court was clear that the activity prohibited by the CFAA is hacking activity; merely obtaining information, to which the employee has the means to access, for improper purposes or through improper means, is not a violation of the Act. The Court further explained, “if workplace [policy] violations were cognizable under the CFAA, an employee who sends a personal email or reads the news using their work computer would violate the CFAA.” In other words, a policy violation alone is not enough.
The Court also examined the FDTSA and the PUTSA, which protect information that satisfies four conditions: (1) the owner has taken reasonable measures to keep the information secret; (2) the information derives independent economic value from being kept secret; (3) the information is not readily ascertainable by proper means; and (4) if the information is disclosed or used, it would have economic value to those who cannot readily access it. Again, a policy violation alone will not be a breach of these Acts.
So, what are the takeaways from this case?
- Federal and state laws that prohibit hacking and protect trade secrets are not automatically violated when an employee violates an employer’s internal computer use policies.
- Federal and state laws guard against more egregious behavior than what is contemplated by most computer use policies.
- Employers have every right to enact policies to safeguard confidential information and limit access to such information. These policies act as the first line of defense to prevent more egregious conduct or data breaches. Accordingly, employers should continue to prohibit activities that fall well short of violating the law.
- As a supplement to their policies, Employers should also implement technology access controls to further safeguard confidential information and trade secrets. Such controls should, for example, keep confidential information behind firewalls and restrict employees from accessing data outside of what they need to perform their job duties. Using two-factor authentication and training employees regarding the risks and consequences of disclosing confidential information are also highly recommended.
