Federal Statute Doesn't Protect Employers from Disloyal Employees
By: Carol G. Schley, Clark Hill PLC
The Sixth Circuit Court of Appeals recently denied relief to an employer under a federal statute where two of its employees downloaded the employer’s proprietary and confidential information and forwarded it to their personal emails before they quit to work for a competitor. However, the court’s decision may not be the last word on the issue.
In Royal Truck & Trailer Sales and Service, Inc. v. Kraft, Mike Kraft and Kelly Matthews were salespersons for Royal Truck. During their employment, they both received Royal Truck’s employee handbook, which prohibited unauthorized use or disclosure of the company’s trade secrets and proprietary information. The handbook also prohibited unauthorized use, or the disabling or removing of software and functions, on company-issued equipment.
Kraft and Matthews abruptly quit their jobs with Royal Truck, and started working for one of Royal Truck’s competitors. Prior to quitting, Kraft forwarded Royal Truck’s customer information customer quotes and employee paystubs to his personal email. He also contacted one of Royal Truck’s customers and asked it to forward business information to his personal email. After doing this, he deleted and reinstalled the software on his company laptop, rendering its data unrecoverable. Upon her departure, Matthews also forwarded confidential and proprietary information belonging to Royal Truck to her personal email, including customer pricing information, and reset her company cell phone to its factory setting.
Royal Truck filed a lawsuit against Kraft and Matthews alleging various causes of action, including a claim under the federal Computer Fraud and Abuse Act (“CFAA”). CFAA provides criminal sanctions, and also a private civil cause of action, when an individual, “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… information from any protected computer.”
Royal Truck argued that by downloading and forwarding Royal Truck’s confidential and proprietary information to their personal emails, Kraft and Matthews violated CFAA. However, the court disagreed. In making its determination, the court looked at whether Kraft and Matthews “exceed[ed] authorized access” to Royal Truck’s computer systems, and determined they did not. The court found that CFAA has a “narrow scope,” and was meant to penalize “those who breach cyber barriers without permission, rather than policing those who misuse the data they are authorized to obtain.” The court held that because Kraft and Matthews had authorization to access the information at issue, since they were still employees at the time, they did not violate CFAA, even though they allegedly misused the information, because “CFAA does not reach that conduct.” Per the court, “[h]ad Congress intended the seemingly sweeping result of effectively criminalizing violations of an employee handbook, it would have said so in clear terms.”
In reaching its decision, the court acknowledged that federal courts are split on the application of CFAA, with some courts in other circuits holding conduct like that allegedly engaged in by Kraft and Matthews would violate the statute. The court also noted that the U.S. Supreme Court recently agreed to hear a criminal case involving CFAA, which may provide clarity on its meaning, and possibly be contrary to the court’s decision in Royal Truck.
Although Royal Truck did not prevail on its CFAA claim, the court’s decision did not leave the company without recourse, as the other claims it asserted against Kraft and Matthews (including common law and statutory conversion, breach of the duty of loyalty and civil conspiracy) were remanded to state court for further consideration.
Actions by employees like those alleged in the Royal Truck case can be potentially catastrophic for employers. However, employers can help mitigate the risk and potential damage caused by rogue employees by ensuring robust policies, procedures and monitoring are in place. Consulting with legal counsel, including discussions on preventative measures, is always the best course of action.
Carol G. Schley is a member of the Detroit SHRM Legal Affairs Committee and an attorney at the law firm Clark Hill PLC. She can be reached at [email protected] or (248)530-6338.
Detroit SHRM encourages members to share these articles with others, inside and outside their organization, as long as its name and logo, and the author’s information, is included in the re-post of the article. September 2020