Amid the flurry of recent news about computer hacking and data breaches, a recent lawsuit quietly wound its way up to the steps of the United States Supreme Court. In that case, a former employee left his employer to open a competing business. After he left, he asked his assistant at his old firm to lend her login credentials to him so that he could access his former employer’s database. He then used her password to log into his old firm’s database. His former employer launched an investigation and reported him to the authorities.
The federal government charged the former employee with various crimes, including violations of the Computer Fraud and Abuse Act (CFAA). The CFAA makes it a crime to access a computer “without authorization” or “exceeding authorized access.” Therefore, the question in that case was: did the fact that the assistant allowed the former employee to use her login credentials constitute valid “authorization,” or, did her permission not matter because the true owner of the database (i.e., the former employer) did not authorize this type of access? A jury convicted the former employee, finding that he violated the CFAA even though he accessed a computer using an authorized person’s login credentials (i.e., his former assistant’s password).
The Supreme Court recently refused to hear the former employee’s appeal of his conviction, which leaves open substantial questions for employers, such as whether they have (or should have) policies in place to handle password-sharing, computer-sharing, or the sharing of handheld electronic devices among employees. Such day-to-day innocuous activities, such as giving your assistant your password in order to print an email, for example, may technically violate the CFAA, especially if your employer prohibits password sharing. Therefore, employers should take a look at their current technology policies and consider whether they need to update them to clarify the employer’s expectations with respect to the privacy of passwords, sharing of accounts, or sharing of devices. Otherwise, employees might unwittingly be exposing themselves to criminal prosecution under CFAA. For more information on this important issue for your organization and other business or employment law matters, contact PLDO Partner Brian J. Lamoureux at 401-824-5100 or [email protected] We welcome your comments, questions and suggestions.