Companies claiming that an employee accessed their computer system, took confidential information, and later used it on a competitor’s behalf often want to sue under the federal Computer Fraud and Abuse Act. But even if CFAA covers this scenario — and there is a lot of debate over whether it does — there is another sticking point: What are the damages for an alleged violation?
A decision by the U.S. District Court for the Southern District of New York, Schatzki et al. v. Weiser Capital Management (2012), illuminates this issue. The court said that the only damages recoverable are economic damages (damages that flow from an injury to the computer system itself) and not consequential damages from the alleged theft of the information, such as lost profits.
Here is the drill: Did the unlawful access damage the data or the system itself? CFAA covered. Did the unlawful access require the company to identify evidence of the breach and determine the need for remedial measures to the network? CFAA covered. Did the unlawful access require the company to hire consultants and lawyers to get the information back from the employee who allegedly took it? Not CFAA covered.
The opinion ran down these scenarios, with the last being the allegations before it. So, motion to amend complaint denied, and CFAA claim dismissed.




Wow, this is not a good decision for employers that would certainly want some additional protections from employees that grab data and run. I assume wise employers will consider having more, if not all, computer-using employees sign confidentiality and work product agreements upon hire to at least provide for a clearer path to a positive judgment via breach of contract actions.
I suspect the decision will be appealed and we shall see whether the appellate court agrees with the Southern District of New York's very narrow interpretation!
Posted by: Kendall Isaac | September 27, 2012 at 01:13 PM