E-Mailing Work Home Can Be a Violation of Computer Fraud and Abuse Act
A lawsuit brought under the Computer Fraud and Abuse Act ("CFAA") against an employee who e-mailed files containing proprietary or confidential information to his home after he gave notice of resignation may proceed, ruled an Arkansas judge in Nilfisk-Advance, Inc. v. Mitchell (2006 WL 827073 (W.D. Ark.)). The plaintiff brought suit alleging that Mitchell e-mailed files containing trade secrets to his home with the intent to convey the information to Nilfisk's competitors. Mitchell moved to dismiss, arguing that he had access to the files and, accordingly, there was no cause of action under the CFAA. Judge Hendren, acknowledging the availability of a civil remedy in what is, essentially, a criminal statute, denied the motion. While it was conceded that Mitchell had authorized access, Nilfisk took the creative position that Mitchell "exceeded any authorization he had" when he e-mailed the files home "with the alleged purpose of misappropriating the information contained in them." The court agreed.
This is a decision which is bound to generate a lot of discussion. Should employees who have given notice cease to e-mail work to home computers? Intent is almost always proven circumstantially, and one of the most compelling circumstances is the temporal relationship between acts -- here the notice to resign and the e-mailing of the files. It is doubtful that this decision will have a chilling effect on telecommuters and those who work from home, as most employers would be well-advised to limit an employee's access to proprietary information once that employee has given notice. But one may also ask whether this decision will stretch the already-elastic bounds of a statute some have called "cyber-RICO." Stay tuned!
Ken Rashbaum
E-Mail From the E.U.: Safe Harbor or Binding Corporate Rules?
Welcome to eDiscovery Counsel. This blog will present and discuss issues and developments in electronic document management and discovery. We’ll post information and respond to questions about document management as a business imperative, since over 90% of all business documents are digital, while approximately 20% of them are ever printed. In short, you need to know where your data and documents are in order to run your enterprise efficiently and productively. Electronic discovery issues will comprise questions raised by discovery requests from regulatory agencies as well as courts and attorneys.
We’ll also, from time to time, discuss issues pertaining to data transmission across borders. Technological advances have shrunk the world and expanded markets. As a matter of necessity, then, companies must follow suit, going into areas in which they may not be familiar with the legal and regulatory landscape. In his best-selling book The World Is Flat (Farrar, Straus & Giroux 2005), Thomas Friedman offers a wonderful vignette of this phenomenon. He reprints an African proverb posted on the wall of an American-owned fuel pump factory in Beijing, translated into Mandarin:
Every morning in Africa, a gazelle wakes up.
It knows it must run faster than the fastest lion or it will be killed.
Every morning a lion wakes up.
It knows it must outrun the slowest gazelle or it will starve to death.
It doesn’t matter whether you are a lion or a gazelle.
When the sun comes up, you better start running.
To “keep running,” one must know the landscape. Data protection rules in the European Union are more stringent than those in the U.S. In fact, E.U. provisions hold that certain data may not be transmitted from the E.U. to the U.S. unless the American company has executed a Safe Harbor agreement, in which it agrees to abide by E.U. standards, and registers that agreement with the U.S. Department of Commerce. But national implementing legislation may add further restrictions. How can one agreement cover the differences in privacy protection among branch facilities in several countries? Nuala O’Connor Kelly, Chief Privacy Leader in the U.K. for General Electric, believes she has a better solution: Binding Corporate Rules (BCR’s). In her article “BCR’s: a model for the future,” Ms. Kelly explains how BCR’s can, in effect, set a company-wide global operational standard for data protection, and lays out a step-by-step approach to formulation of the BCR and obtaining necessary approvals from governmental information agencies.
I commend it to you, so you can stay upright as you keep running.