
Theft of Computer Data And Other Cyber Attacks

Jul 19, 2016

A Survey Of Relevant Statutory Law And Some Practical Considerations

By: Kenneth L. Moskowitz, Esq. and James D. DeBartolo, Esq.

The business community and employers are under the constant threat of the conversion or corruption of their invaluable computer assets by employees, competitors and “hackers.” To address these ever-present and evolving threats, both the United States and the State of New Jersey have enacted statutes that both criminalize such conduct and provide for private causes of action that include remedies designed not only to make the victim whole, but to punish and deter such unlawful conduct. This article presents a brief survey of the relevant statutes,[1] and offers some practical risk mitigation strategies to be considered by the business owner before his or her business becomes just another victim.

A Survey of the Relevant Statutes

At the broadest level, federal criminal law prohibits the use of communication wires that are used in interstate or international commerce, including email and other electronic media, to commit fraud.[2] Since the federal wire fraud statute was enacted in 1954, more targeted laws have been enacted to criminalize malicious acts that threaten the security of a business’s computer systems and data.[3] For example, the federal Computer Fraud and Abuse Act (“CFAA”) prohibits accessing a computer without authorization, whether internally by a business’s employees or externally by “hackers.”[4] Similarly, the Stored Communications Act (“SCA”) proscribes the theft and sabotage of computer assets by the intentional and unauthorized obtaining, altering, or preventing authorized access to a wire or electronic communication.[5] And recognizing that threats to computer systems can and often do emanate from abroad, Congress enacted the Economic Espionage Act (“EEA”) which criminalizes the misappropriation of trade secrets for the benefit of foreign governments and/or entities.[6] These statutes provide for a wide range of criminal sanctions including fines of up to $20,000,000, criminal forfeiture, and prison sentences of up to twenty years.

Similarly, the State of New Jersey has enacted laws that create criminal penalties for the misappropriation, misuse and/or unauthorized destruction of computer data. The New Jersey Computer Crime Law (“CCL”) prohibits the knowing, purposeful or reckless accessing, altering, damaging, or collection of computer data without authorization.[7] The CCL also prohibits the distribution or disclosure to third parties, such as a former employee’s new employer, of data obtained in violation of the CCL.[8] These New Jersey crimes range from third degree to first degree offenses depending on the nature and severity of the wrongful act, and provide for penalties including imprisonment of up to twenty years and fines of up to $200,000.

By amending existing statutes and enacting complementary laws, the United States has also created private causes of action to provide civil remedies to victims of computer related offenses. The CFAA was amended in 1994 to provide relief to victims of the unauthorized access to their computers resulting in a “loss” of at least $5,000 in value.[9] The CFAA defines “loss” broadly to include the reasonable costs incurred by any victim as a result of a proscribed offense, including the costs incurred to investigate both the offense and the extent of the resulting damages, as well as the cost of restoring any damaged media to its condition prior to the offense.[10] While application of the CFAA’s provisions has varied across the federal circuit Courts of Appeal, the CFAA has been interpreted to require no more than proof that an employee accessed his employer’s computer data “without authorization” – i.e., in a manner that is at odds with the employer’s interests[11] – and without regard to whether the information that was accessed was “proprietary” or “confidential” in nature as would be required under other statutory and common law claims.[12] Additionally, the CFAA provides the victim with the opportunity to obtain injunctive relief to prevent a former employee or competitor from using information unlawfully obtained in operation of a competing business.[13] Finally, supplementing the criminal penalties created by the EEA, the recently enacted Defend Trade Secrets Act (“DTSA”)[14] creates a private cause of action for the misappropriation of trade secrets and allows victims access to Federal Courts without the need of establishing jurisdiction by diversity of citizenship. The DTSA also extends the statute of limitations, provides for treble damages, and includes a provision for the ex parte civil seizure in certain circumstances of property that may be used to disseminate stolen secrets.[15]

For its part, New Jersey has enacted the Computer Related Offense Act (“CROA”), which provides a civil cause of action to those individuals and entities damaged by the unauthorized accessing, altering, damaging or destruction of computer systems or the data stored thereon.[16] Among other remedies, CROA provides for potential awards of punitive damages and the attorneys’ fees expended by the aggrieved business owner in investigating and in prosecuting such claims, as well as for the opportunity to obtain injunctive relief. A plaintiff under CROA must establish that its computer data or systems were purposefully or knowingly accessed, altered or damaged without authorization and, as a result, the victim suffered “damages to its business or property.”[17] While the statute does not define “damage to business or property,” an unpublished (non-precedential) opinion issued by the New Jersey Appellate Division suggests that New Jersey courts may — in contrast to the CFAA — construe CROA’s damage requirement narrowly to require proof of some damages exclusive of the costs of the investigation and the attorney’s fees expended during the investigation and prosecution of the CROA offense.[18] CROA, however, like its federal counterpart (the CFAA), expressly covers the unauthorized conversion of any computer data, whether or not that data constitutes a “trade secret” or “proprietary” information.[19]

Like the DTSA, New Jersey’s Trade Secrets Act (“NJTSA”)[20] provides statutory remedies to the holder of a trade secret that has been misappropriated, though the NJTSA does not provide for ex parte civil seizure.[21] Under the NJTSA, victims of trade secret misappropriation may seek damages for actual loss, punitive damages in an amount not to exceed twice plaintiff’s actual damages or the amount of defendant’s unjust enrichment, injunctive relief and, in some circumstances, an award of attorney’s fees.[22]

Some Practical Considerations

The body of both Federal and State statutory law provides powerful potential remedies to protect business owners who are victims of theft or other attacks on their computer networks and data. Consideration of these statutes and the ever-present threats to a business’s computer assets should motivate business owners to reassess existing employment policies and practices, and the existing framework, if any, for mitigating risks with respect to these often invaluable assets.

First, risk mitigation should start with the completion of an audit by a qualified expert who has the experience necessary to assess the specific threat of cyber-attack that a particular business may face, and to make recommendations to mitigate those threats through appropriate prophylactic measures. In addition, business owners should give careful consideration to procuring a comprehensive cyber security insurance policy to protect their companies from the potentially enormous damages that may result from data breaches, data theft, the recovery of vandalized or corrupted data and/or resulting business interruption.[23]

It is also sound practice for an employer to publish and distribute to its employees a “Handbook” or other manual outlining the written policies that govern the operations of the company, the company’s relationship with its employees and the rules, regulations and code of conduct governing the employees’ employment with the company.[24] Among other policies that should be considered for inclusion in such Handbooks are policies defining and governing (i) the ownership of company assets, including the work-product produced by employees and the company’s computer data, (ii) the limited, authorized use of company computers and computer data, (iii) the employee’s confidentiality and non-disclosure obligations, and (iv) the return of all company property upon the termination of employment.[25] Employees should be advised in categorical terms that company computers, including desktop computers, laptop computers and/or hand-held devices supplied by the company, are to be used only for company business.[26] Employee Handbooks that clearly delineate the scope of an employee’s authorized use of the employer’s computer systems and data can often serve as a deterrent to the unauthorized use or conversion of such assets and, should litigation be necessary, would serve as important evidence in establishing that the former employee’s conduct exceeded the limited authority granted by the employer.[27]

Employers should also advise employees that the employer alone owns the “work-product” they may create or enhance for the company’s benefit during their employment, and that the employee can have no expectation of privacy with respect to the use of the company’s computers, computer data and computer network. In that regard, many employers advise their employees that their work computers may, as permitted by law, be subject to monitoring or periodic audits to ensure that the company’s computer system is not being misused for any improper or unauthorized purpose.[28] A program of monitoring the computers of those employees who are entrusted with the company’s proprietary information may reveal the unauthorized conversion and/or improper use of the company’s trade secrets and other computer data.

Beyond any periodic or random audit practice a company may implement, employers should be sensitive to “red flags” that reasonably may cause them to suspect that an employee is making preparations to leave the company to join a competitor or to start a competing business. Time and again, investigations undertaken after the departure of an employee (or a group of employees) reveal that the employee, sometimes in the months or weeks preceding his or her sudden departure — and sometimes literally on the eve of the departure — accessed the company’s computer network without authority for the unlawful purpose of taking the company’s invaluable computer data for use at his or her new job. Such data is often taken to facilitate the unfair competition to be waged by the former employee and his or her new employer.

Many business owners may be surprised to learn in the days and/or weeks following the departure of a former employee that he or she has landed with a competitor. The former employee’s computer is often a treasure trove of evidence establishing the theft of and/or a conspiracy to steal the company’s computer data, including proprietary or “trade secret” information. Accordingly, business owners should develop and implement procedures to segregate and inspect the computers of departing employees in order to ensure the preservation of all critical evidence.[29]

Diligent monitoring by a business of its employees and its precious computer assets, including sensitivity to signs that may reasonably arouse suspicions concerning an employee, can often be the difference between success or failure in litigation against the former employee and/or his new employer, including referrals made to law enforcement agencies and/or in connection with an action to obtain emergent injunctive relief. Engaging a well-qualified IT or cyber-security professional to assist in protecting against such theft and, if necessary, to confirm the conversion of the computer data and to preserve that evidence for use in court is also critical.

For more information on the subject matter of this article, please contact Kenneth L. Moskowitz @ 973-376-0909; klm@bmk-law.com.

©Copyright 2016, Brown Moskowitz & Kallen, P.C. All rights reserved. This article is for informational purposes only and is not intended to constitute, and does not constitute, legal advice.

[1] In addition to the body of statutory law surveyed herein, our federal and state courts have recognized “common law” claims in diverse circumstances to address the conversion of and/or tampering with computer assets including, without limitation, claims of misappropriation, conversion, unfair competition, breach of fiduciary duty, breach of duty of loyalty, tortious interference and conspiracy.

[2] 18 U.S.C. § 1343.

[3] See e.g., Computer Fraud and Abuse Act, 18 U.S.C. § 1030; Economic Espionage Act of 1996, 18 U.S.C. § 1831; Cyber Security Enhancement Act, 6 U.S.C. § 145; Unlawful Access to Stored Communications Act, 18 U.S.C. § 2701.

[4] 18 U.S.C. § 1030. While the CFAA does not define the term “hackers,” the generic term applies to those obtaining “unauthorized access” to computer data rather than to those who may “exceed[] authorized access.” Dresser-Rand Co. v. Jones, 957 F.Supp.2d 610, 618 (E.D.Pa. 2013). See also Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 965 (D.Ariz. 2008) (Hackers are “electronic trespassers.”).

[5] 18 U.S.C. § 2701. See e.g., Konop v. Hawaiian Airlines, 302 F.3d 868 (9th Cir. 2002) (company violated the SCA by improperly accessing employee’s password-protected restricted access website using a co-worker’s credentials).

[6] 18 U.S.C. § 1831. See e.g., U.S. v. Chung, 659 F.3d 815 (9th Cir. 2011) (conviction under the EEA sustained where defendant downloaded documents from employer and transmitted them to the Chinese government).

[7] N.J.S.A. 2C:20-25.

[8] N.J.S.A. 2C:20-31.

[9] 18 U.S.C. § 1030(g).

[10] 18 U.S.C. § 1030(e)(11).

[11] See e.g., Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (W.D. Wash. 2008).

[12] In New Jersey, whether information is characterized as “proprietary” or “confidential” depends on “the relationship of the parties at the time of disclosure[,]…the intended use of the information[,]” and “the expectations of the parties.” Communications Workers of America v. Rousseau, 417 N.J. Super. 341, 356 (App. Div. 2010) (internal citations omitted). In contrast to the CFAA, the New Jersey Trade Secrets Act, N.J.S.A. 56:15-1, et seq., protects victims against the theft of “trade secrets,” which the statute defines broadly as “information…without regard to form, including a formula, pattern, business data compilation, program, device, method, technique, design, diagram, drawing, invention, plan, procedure, prototype or process” that has economic value as a result of not being known to others who might derive economic value from its use, and that is the subject of reasonable efforts to maintain its secrecy. See also Lamorte Burns & Co. v. Walters, 167 N.J. 285 (2001) (New Jersey Supreme Court holding that the data or materials stolen must be “proprietary” for an employee to be held liable for a breach of the common law duty of loyalty.). It is also noteworthy that the New Jersey Supreme Court has construed “trade secrets” and “proprietary information” broadly to include, among other things, customer lists, merchandising plans, projections and product strategies. Lamorte Burns, 167 N.J. at 299-300.

[13] 18 U.S.C. § 1030(g).

[14] 18 U.S.C. § 1836. The DTSA was enacted in May, 2016.

[15] 18 U.S.C. § 1836(2)(b)(2)(A). Under this provision, the trade secret owner may seize the property of the alleged offender without notice to the alleged offender if the Court finds that “extraordinary circumstances” exist to justify such a seizure. The statute is newly enacted and there are no reported decisions to date. A review of the legislative history, however, reflects the Legislature’s intent that the seizure remedy would be available in the case that there is reason to believe that the “defendant is seeking to flee the country or planning on disclosing the secret to a third party immediately or is otherwise not amenable to the enforcement of the court’s orders.” S. Rep. No. 114-220, at 6 (2016).

[16] N.J.S.A. 2A:38A-1, et seq.

[17] Id.; Fairway Dodge, L.L.C. v. Decker Dodge, Inc., 191 N.J. 460, 468-470 (2007).

[18] See Spencer Sav. Bank SLA v. McGrover, Unpublished Opin. A-1899-13T3, 2015 WL 966151, at *7-8 (N.J. Super. Ct. App. Div. Mar. 5, 2015) (Though plaintiff argued that damages should include its costs of investigation and attorneys’ fees, “[b]edrock principles of statutory construction preclude such an indulgence.”). To date, CROA has been underutilized and, as a result, the case law construing the statute is very limited.

[19] N.J.S.A. 2A:38A-3.

[20] N.J.S.A. 56:15-1, et seq.

[21] Both the DTSA and the NJTSA are modeled on the Uniform Trade Secret Act (“UTSA”), which has been adopted in 48 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. However, the protections afforded to a victim under the DTSA (now federal law) are greater than those provided for under the UTSA.

[22] N.J.S.A. 56:15-1, et seq.

[23] Companies should also establish procedures to be followed in the event of a data breach affecting their customers. Among other things, N.J.S.A. 56:8-161 requires notification to the State Police, even in advance of disclosure to the customer, of the breach of security of a customer’s personal information and any information pertaining to the breach.

[24] Of course, the development and implementation of such policies in consultation with legal counsel should be carefully considered by each employer with respect to its particular circumstances and unique needs.

[25] Many employers also ask their employees in appropriate circumstances to enter into enforceable non-competition, non-solicitation and/or non-disclosure agreements. Such agreements are designed to protect the employer’s goodwill and to protect against the conversion and exploitation of the company’s computer data and other assets by a competitor upon the termination of the employee’s employment.

[26] Additional policies should be implemented with respect to employees who may be authorized to utilize their own computers to access the company’s network to perform their employment duties.

[27] As noted, both the CFAA and CROA proscribe “unauthorized” use of computer assets. Defining the scope of an employee’s authority may become an issue in establishing liability under these statutes and under certain common law claims. To avoid any doubt or ambiguity in that regard, an employer should publish and implement policies that clearly define an employee’s limited authority to access and to use the employer’s computer systems and data.

[28] Notwithstanding this principle, an employer should be cautious when its monitoring reveals communications that the employer has reason to believe may contain privileged information, such as attorney-client communications. In Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (2010), the New Jersey Supreme Court held, in considering the facts of that case, that the employee retained a reasonable expectation of privacy that her personal, password-protected email correspondence with her attorneys would remain confidential. If an employer wishes to preserve its right to retain, review, and use an employee’s personal communications in litigation, its Employee Handbook should include a strict ban on the use of company computers for personal email, and should state clearly that employees can have no expectation of privacy in their work or personal emails, including those emails that may be protected by the attorney-client and/or other privileges. Should the employer uncover communications it believes may be privileged, it should refrain from viewing such communications unless and until permitted to do so by the Court.

[29] Employers, if they do not do so already, should also establish a procedure for conducting “exit interviews” with departing employees. The use of a check-list to confirm, among other things, the return of all company property in possession of the employee, including computers and computer data, and the termination of the departing employee’s remote access to the company’s computer network is advisable.
