Given all the recent headlines about data theft as well as a resurgence of interest in the Computer Fraud and Abuse Act (CFAA), a December 18, 2020 ruling from a federal trial court in Colorado may be of interest to our readers. MCS Safety Solutions, LLC v. Trivent Safety Consulting, LLC, No. 19-cv-00938-MEH (D. Colo. Dec. 18, 2020) (2020 WL 7425874).
Both plaintiff and defendant companies provide loss control and risk management services related to construction and manufacturing, although the defendant company is the newer entrant. The matter began in 2016, when a trainer at a construction company left to work for the plaintiff company.
The plaintiff company did not require the trainer to sign an employment agreement, a non-disclosure agreement, or any contract; nor did the plaintiff have any employee handbook or policies regarding confidential or proprietary information. The plaintiff gave the trainer administrative access to the plaintiff’s website and social media in order for him to help with the accounts and marketing.
In September 2018, the trainer and a few other employees of the plaintiff company filed articles of incorporation for the defendant company, and they established a domain name, email address, and social media accounts for the new company as well. The individuals copied personal documents from their work computers and deleted personal emails from their work accounts.
On November 1, 2018, the individual defendants gave notice that they were leaving the plaintiff. The plaintiff company terminated their email access the same day. After arriving home, the trainer logged into the plaintiff company’s website and social media accounts, removed the defendants’ biographies, and changed the passwords to “password.” On November 10, the trainer removed himself as the administrator for the plaintiff’s professional social media account.
On November 12, the plaintiff engaged its IT service provider to restore its email accounts, website, and servers to the condition prior to the defendants’ departure, for a total cost of $1,267.50. The plaintiff also hired a forensic firm to discover the deleted emails, for a total bill of $3,403.73.
On November 16, the plaintiff filed a complaint with the police department for theft of property. On November 29, the plaintiff filed a supplemental police report for theft and unauthorized website access.
Although the parties had several claims pending in their motions for summary judgment, this post will focus only on the plaintiff’s CFAA claim relating to the trainer’s access to the online website management system and the deleted data. In order to maintain a claim under 18 U.S.C. § 1030(a)(5), the plaintiff had to show that the trainer:
(2) Accessed a protected computer
(3) Without, or exceeding, authorization
(4) Recklessly causing damage; and
(5) Resulting in a loss of $5,000 in value in a one-year period.
The trainer conceded that he had accessed plaintiff’s website and social media pages after his job ended, for the purpose of changing his password and administrator credentials. The plaintiff’s claim failed because it could not meet elements (4) and (5): the plaintiff could not show the trainer’s actions caused damage or a loss of $5,000 or more. (If you check the math above, you will see that the amount the plaintiff spent on its investigation was less than $5,000.) Consequently, the court granted the defendant’s motion for summary judgment on this claim.
(Readers interested in the CFAA may be aware that the U.S. Supreme Court heard arguments on November 30, 2020 in a case relating to the scope of the “exceeding authorized access” requirement of the CFAA, Van Buren v. United States (No. 18-12024).)
Does your company have protocols relating to social media accounts when anyone with “write” or “administrative” access leaves? Does your company have policies on the topic? Is it covered in your employee handbook? If you’re not sure, now would be a good time to find out and fill in any gaps.