Defending The Digital Workplace

An publication

Archive for the ‘Trade Secret’ Category

Willie Sutton & Misappropriation of Business Assets – “That’s Where the Money Is”

Willie Sutton, the infamous bank robber, when asked why he robbed banks is credited with responding “Because that’s where the money is.” In today’s marketplace, the money is in a company’s information, e.g., customer lists, pricing, methodology, know-how, research, development, and related proprietary and confidential information. And like the banks in Mr. Sutton’s day, companies are increasingly finding they are being robbed of their information by unscrupulous departing employees and competitors. For example, in a recent BusinessWeek article (BW, Feb. 16, 2009), To Catch a Corporate Thief, an employee resigned, but reported his company-issued laptop stolen. It turned out this employee had been poached by the former employer’s competitor and the stolen laptop was actually the getaway car for business methodologies, system designs, customer lists, and related proprietary information.

While there are a number of measures companies can take to prevent or otherwise minimize business theft/unfair competition (for a great summary of non-compete considerations, see Eight Ways to Lose a Non-compete Case), companies that fail to take such steps are left with the unsatisfactory choice of litigation or waiting for a “thank you” card from the beneficiary of the competitive advantages you’ve bankrolled over the years. In regard to litigation, companies have in recent years relied upon the Computer Fraud and Abuse Act (CFAA) to combat the theft of business information. See Adding to the Playbook.

The CFAA creates civil liability under specified conditions. For employers bringing suit against wrongful conduct by former employees, the relevant conditions are generally where someone:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains-

(C) information from any protected computer if the conduct involved an interstate or foreign communication; [or]

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value …; [or]

(5)(A)(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.

18 U.S.C. § 1030(a)(2), (4), (5)(A)(ii) and (iii); see also § 1030(g) (providing for civil liability for violations involving certain conduct, including conduct causing a loss of at least $5,000 in value). Thus, paragraphs (a)(2) and (a)(4) apply only if the defendant accesses the computer “without authorization” or “exceeds authorized access,” while paragraph (a)(5)(A)(ii) or (iii) applies only if the defendant accesses the computer “without authorization.”

There are two schools of judicial thought as to what “without authorization” or “exceeds authorized access” means.

The first approach focuses on the defendant’s intent or use of the information in finding liability under the CFAA. See, e.g., International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir.2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121, 1124 (W.D.Wash.2000). In Shurgard, the court, in concluding that the plaintiff had stated a claim under paragraph (a)(2)(C) of the CFAA, held that the plaintiff’s former employees had acted without authorization when they obtained information from the plaintiff’s computers because, under agency law, the employee’s authorization terminated when he allegedly became an agent of the defendant competitor during the act. See Shurgard, 119 F.Supp.2d at 1124. In Citrin, the court similarly held that the defendant’s authorization to access the plaintiff’s computer files had terminated when he violated his duty of loyalty to his employer imposed by agency law. See Citrin, 440 F.3d at 420-21.

In contrast, a number of courts have rejected the Shurgard and Citrin courts’ reliance on agency law in applying the authorization provisions of the CFAA. These courts generally find that a “without authorization” violation under the CFAA only occurs when initial access is not permitted and an “exceeding authorized access” violation occurs only when the defendant has permission to access the computer in the first place, but then accesses certain information to which he is not entitled. See Condux Int’l, Inc. v. Haugum, (D. Minn. Dec.15, 2008); Black & Decker (US), Inc. v. Smith, 568 F. Supp.2d 929, 933-36 (W.D.Tenn.2008); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 963-68 (D.Ariz.2008); Diamond Power Int’l, Inc. v. Davidson, 540 F.Supp.2d 1322, 1341-43 (N.D.Ga.2007); Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 WL 2043377, at *3-4 (E.D.Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4-7 (M.D.Fla. Aug.1, 2006); International Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F.Supp.2d 479, 498-99 (D.Md.2005).

So what is the take-away for employers?

Returning to Mr. Sutton, he packed a gun — either a pistol or a Thompson sub-machine gun — when he robbed financial institutions, noting, “You can’t rob a bank on charm and personality.” Mr. Sutton, however, reportedly never carried a loaded gun because somebody might get hurt. In contrast (and metaphorically speaking), companies cannot afford to shoot blanks when it comes to protecting business-critical information. At the outset, proper and reasonable measures should be implemented for protecting such information. For examples and considerations, click here. However, when these measures are not sufficient to prevent the theft of business assets, the CFAA is a great resource to have as backup. And even where courts have taken a narrower view of its applicability, proper planning in advance of litigation can provide a solid factual basis for a CFAA claim – just don’t plan on relying on charm and personality: It didn’t work for Willie Sutton (he spent half his life in prison) and it probably won’t work for your company and (certainly not) your attorney.

Telecommuting & The Digital Workplace

In martial arts, everything starts with position. You can’t execute or defend against a technique without it. And maintaining position is one of the most important keys to success in sparring, competitions, and street fights (who better to know about street fights than a white-collar suburban lawyer who is extremely averse to getting hit?). But maintaining position is not about using force to statically hold an opponent in place. Instead, especially in certain styles, e.g., jiu jitsu and aikido, a martial artist wants to be able to gain a strategic position, adjust to the situation, and steadily advance for better position while holding onto prior gains (this almost sounds like good business advice). Obtaining positional control or defending against it starts with the fundamentals.

For employers, the Digital Workplace has extended the physical “position” of the work site. A recent survey found that the number of Americans whose employer allows them to work remotely at least one day per month increased 63%, from 7.6 million in 2004 to 12.4 million in 2006. The total number of teleworkers (both employed and self-employed) working remotely at least one day per month has risen from 26.1 million in 2005 to 28.7 million in 2006. And it is estimated that this number will increase to 100 million U.S. workers by 2010.

Technology has changed the position of the traditional workplace.

Telecommuting may or may not make business sense. But telecommuting does not change the fundamentals of the employee-employer relationship, or basic risk assessment. And before making a commitment and a corresponding investment in transitioning to a telecommuting plan, employers should consider the following points:

  1. Meeting business and regulatory requirements: Telecommuting places a significant amount of responsibility on the employee to maintain productivity. And how this will be measured should be made clear. Also, employers still must comply with state and federal record keeping requirements for remote employees. For example, under the Fair Labor Standards Act (FLSA) employers must record hours worked by a non-exempt employee. The other side of this compensation coin is the possibility for a remote employee to pad his or her time records. These issues, to some degree, may be easily addressed through technology, e.g., having the employee log in and out of the company network (I would recommend against Web cameras: When I work at home, it isn’t a pretty sight seeing me work in my boxers). Employers also need to address fulfilling record retention requirements for off-site documents. This is especially important in the context of litigation and preservation obligations. See Using Ancient Chinese Martial Arts to Control Litigation Costs and Risks.
  2. Suitable Work Environment: Obviously employers must apply an even-handed telecommuting program to their employees to avoid discrimination charges. But even without a telecommuting program, telecommuting may be a reasonable accommodation under the Americans with Disabilities Act (ADA). See Equal Employment Opportunity Commission (EEOC): “May permitting an employee to work at home be a reasonable accommodation, even if the employer has no telework program? Yes.” Additionally, if a telecommuting program is implemented and if essential job functions can be performed remotely, does the employer now have to make modifications to an employee’s remote office to perform these essential job functions? The EEOC has taken the position that it will apply the same hardship analysis for on-site accommodations. See the October 17, 2002 revision to EEOC Notice No. 915.0021. It is also worth noting that the Occupational Safety and Health Administration originally issued an advisory opinion that asserted, “The OSH Act applies to work performed by an employee in any workplace within the United States, including a workplace located in the employee’s home.” After severe criticism, this opinion was later retracted and eventually reversed (with respect to home offices but not home work sites). See OSHA’s Policies and Procedures for Employee Worksites. But worker’s compensation laws may still apply to remote offices.
  3. Insuring the Remote Office: Employers should also ensure that worker’s compensation insurance coverage includes remote employees. The same holds true for other insurance coverages, including personal injury, property loss, or professional liability coverage.
  4. Protecting Business Assets – External Risks: There are a number of risks to company assets maintained in remote work sites. These include outside threats such as viruses, physical disasters, and data breaches (either through technological means or physically stealing the storage container holding the data). These risks can be significantly reduced by setting up remote access to the employer’s network so that information is only maintained on the employer’s network and not the remote office and by automatically syncing laptops with the network.
  5. Protecting Business Assets – Internal Risks: Telecommuting also opens up employers to internal threats because it may be more difficult to manage business information and other proprietary information that is created and stored remotely. For example, remote employees may maintain separate files for clients, customer lists, pricing, sales data, profit-margin data, engineering drawings, etc. And retrieving this information from a remote office is likely to be more difficult than from an on-site office. For these reasons, it is highly recommended that all remote work either be done on an employer-owned laptop or through a direct connection to the network. Please take my word: It is a technological headache rife with legitimate privacy concerns for both the employer and employee when (not if) the retrieval and search of information from an employee’s home PC or laptop becomes an issue.

Assuming there was a business justification for considering a telecommuting policy in the first place, the preceding legal and business concerns should not put an end to the discussion. Instead, employers — knowing the legal issues — can position themselves to reduce these concerns. And the starting point for this position is a written telecommuting policy, which should be made part of the employee handbook. The points that should be addressed in the telecommuting policy include:

  • Job classifications eligible to telecommute (remember – neutral, non-discriminatory determinations);
  • Employer expectations and requirements, e.g., job duties, hours the employee is expected to work, recording hours (for non-exempt FLSA employees, don’t forget to address tracking cell/BlackBerry usage), virus software updates, backing up company information stored/created remotely, protecting the employer’s confidential information, especially information relating to customers and consumers, and the physical location of where work will be performed;
  • Under what circumstances, if any, the employer may visit the remote office;
  • The duration of the telecommuting assignment or provisions for cancelling it;
  • What equipment and reimbursement, if any, the employer will provide (as noted above, keep business info on business equipment). This should also include those relics called paper, pens, envelopes, etc.;
  • Provisions concerning the employee’s agreement to keep all employer provided equipment in good working order and returning it to the same condition;
  • A provision providing that the employee agrees that access to the employer’s network and all information owned by the employer will not be misappropriated by the employee and will not be used for the employee’s own personal benefit. Also, if a telecommuting employee’s employment status changes, don’t forget to change the locks to the network (you may laugh, but it happens); and
  • Specifying the applicable jurisdiction, which is especially important in the context of telecommuting and an ever-flattening global economy.

There are a number of reasons why expanding the “position” of your workplace in today’s global economy may or may not make sense. If it does fit into your business strategy, then the starting point for reducing risks and maximizing returns is implementing a written policy addressing the fundamental aspects of the telecommuting relationship. This policy, of course, should be done in consultation with competent legal counsel (sorry: my legal malpractice carrier makes me provide these reminders).

I’m interested in your experience with telecommuting and suggestions you may have. Thanks.

