The Computer Fraud and Abuse Act CFAA is not a very widely known piece of federal legislation but could help companies that have been victims of employee or ex-employee theft of digital information.
According to an article over at Fox Rothschild LLP the CFAA can be used to help companies that have had employees or ex-employees steal or access unauthorized information.
You terminate an employee. Before you disable that employee’s login password, he downloads sensitive information to take with him. Ideally, that information is encrypted and can’t be read on any outside computer. But you never know what a capable hacker can do and once the information has been taken, the damage might be irreversible. The Computer Fraud and Abuse Act (CFAA) may be one way for employers to recover for their economic harm. Under the CFAA, an employee or former employee may be liable for obtaining information through intentional unauthorized access to the employer’s computer. Generally, if the person intends to defraud the employer and obtains any information worth $5,000 or more within a 1 year period, or causes damage or loss to the computer system, that person is liable for the employer’s economic harm.
CFAA has been successfully used in at least one case to protect an organization. And the employee or ex-employee doesn’t have to hack into the system. If they access a system where they know they should not be accessing they could face CFAA liability. CFAA is not limited to employees but also contractors and anyone else that has access to a company’s computer systems.
Recently at least one California court recognized that CFAA liability does not require circumvention of any technological barriers (i.e. hacking). CFAA liability can arise when an employee or former employee’s log-in information is still functioning, but: 1) the employee has lost permission to access the employer’s systems (i.e. his employment ended), 2) knows he does not have permission, and 3) logs in to obtain information anyway.
The best practice is to ensure that a detailed termination procedure is in place and that system access is terminated in a consistent timely manner.