Wednesday, May 11, 2011

Employees can be criminally prosecuted for misuse of computers

Employees can be criminally prosecuted for unauthorized and illegal use of computers and computer networks, but only if the employer has a strong and clear computer use policy.  A Federal court recently held that an employee can be criminally prosecuted if the employee accessed the employer’s computer system in order to defraud the employer.

In U.S. v. Nosal, No. 10--10038 (9th Cir, April 28, 2011), the 9th Circuit Court of Appeals held that employees could be prosecuted under the Federal Computer Fraud and Abuse Act (the “CFAA”).
CFAA is a statute that was originally intended to allow for the criminal prosecution of hackers. In the Nosal case, three employees used their employer's computer and obtain trade secrets from the employer. The employees then quit and started their own business using the employer's information.

The employees were prosecuted under CFAA by the U.S. Government. Their defense was that CFAA was intended to prosecute hackers who did not have authorization to enter a computer or a computer network.  They argued that they should not be criminally prosecuted because they had access to the system.  (Of course, the employer could have sued but that is less serious than a criminal prosecution).

However, the government successfully argued when the employees used their user names and passwords to access the employer's trade secrets, they exceeded their authorization and broke the law. 


The key to the case:  The employer had strong computer use and confidentiality policies.  All employees were required to sign agreements that explained what was the employer's confidential information, its sensitive nature, and clearly stated that such information was only to be used for the employer's purpose.  All of the employer's computers were restricted access and protected by passwords and user names.  So, despite their status as employees with access to the employer's computer system, the court determined that the employees were, legally, no better than hackers.


I have had several instances of business owners who have been ripped off by employees stealing confidential information.  They now have a big stick to fight back with.

Businesses should develop clear computer use policies that forbid the use of their computers for anything other than company business, protect their computers with user names and passwords, and have their employees sign well written confidentiality agreements.  The threat of criminal prosecution is much more weighty than the threat of a lawsuit and will go farther to keep this type of theft in check.

No comments:

Post a Comment