The Computer Fraud and Abuse Act -- Does It Apply To An Employee's Personal Computer?

Many employers question what recourse is available when faced with the destruction or alteration of company data by former employees.  This question is made more complicated when employees use their own personal computers for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern Division, held that an employee's use of her personal computer to delete e-mails on her employer's computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).  

Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers.  Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder.  This “hard delete” made the files hard to retrieve.  

Defendants sought to dismiss the CFAA claims.  Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it.  Although defendants cited no cases, some District Courts (Keystone Fruit Marketing, Inc. v. Brownfield) have concluded that using one’s personal computer will not support a CFAA unauthorized access claim.  Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization and that the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them. 

Companies must be aware of jurisdictional nuances as they strive to protect themselves.  Stay tuned as we address similar issues in an upcoming series of posts! 

The Commercial Privacy Bill of Rights Act

Two Senators who clearly did not let the potential government work stoppage affect them, formally introduced the Commercial Privacy Bill of Rights Act of 2011 on April 12.  In a bipartisan effort, Senators John Kerry (D-Mass.) and John McCain (R-Arizona) introduced the legislation which sets forth privacy rules governing businesses that collect, use, or share personal data.

Under the bill, the Federal Trade Commission is given rulemaking and enforcement power.  Additionally, the bill would require covered entities to implement comprehensive privacy by design programs and provide clear disclosures of their data-collection practices.  Further, the FTC would be given authority to approve nongovernmental organizations to oversee safe harbor programs for firms that complied with approved self-regulatory schemes.

While passage of national privacy legislation has proven difficult in the past, companies must remain aware of these legislative updates, especially when they are of a bi-partisan nature.


Data Security, Destruction and Encryption Leads the Way for States in 2010

Less than one month into 2010 the trend to address data security, destruction, and encryption has continued among state lawmakers. Specifically, Florida, Michigan, Kentucky, Kansas, Pennsylvania, and New York all have introduced, reintroduced, or amended legislation of this kind. 

  • The Florida and Michigan laws would amend personal data destruction rules for companies.
  • The New York law would mandate data security and encryption measures.
  • The Kentucky bill would require government agencies to protect all personal data under the Gramm-Leach-Bliley Act.
  • The Michigan bill includes a state version of the Federal Trade Commission's Red Flags Rule and would require creditors in the state to implement programs aimed at spotting “red flags” of possible identity theft and put in place mitigation measures. Michigan is also considering a number of other measures. 
  • The Kansas law would require state agencies to engage in periodic network security reviews.
  • The Pennsylvania bill would require public agencies to notify state residents of a breach of their personal information within seven days of the discovery of the breach.

While 5 states remain without data breach notice bills (Alabama, Kentucky, Mississippi, New Mexico, and South Dakota), Congress is considering legislation, the Data Accountability and Trust Act (DATA) (H.R. 2221), that would preempt all state notification laws and instead establish a national breach notice standard.

As we have previously mentioned, we anticipate data privacy and security legislation and case law to be at the forefront of legal issues in 2010. Employers should begin by reading the Data Security Primer and consider implementing comprehensive data security policies and procedures that would allow them to comply with the various state laws that may impact their business. 

While we have highlighted the main points of each of the proposed laws, a more detailed analysis of the laws put forth in Michigan, Florida, and New York is set forth below. 

Michigan

The new Michigan data destruction bill would ease existing personal data disposal requirements outlined in the state's Identity Theft Protection Act mandating that companies and agencies removing information from a database destroy only “unencrypted, unredacted personal information” and only such personal information related to state residents.

Another bill would require businesses with 50 or more employees that are “engaged in extending credit in the form of covered accounts to residents of this state” to implement identity theft mitigation programs similar to those required under the federal Fair and Accurate Credit Reporting Act Red Flags Rule.   Companies that have complied with the federal Red Flags Rule would be exempt from the state law.

Michigan is also considering various other measures which would establish an Identity Theft Commission; make technical changes to the law; add misleading a law enforcement or court official about one's identity to the list of violations of the law; and authorize the state attorney general to seek civil fines of up to $10,000 per incident for identity thieves.

Michigan is also considering a bill which would make businesses and agencies that adopt comprehensive data security safeguards to protect personal data in any form immune from civil liability for damages due to data breaches. The proposed law would provide breach liability immunity in an effort to encourage entities to adopt such safeguards.

Florida

Florida has introduced bills (S.B. 586 and H.B. 279) which would require companies to follow federal guidelines when disposing of personal data. The bills would require businesses and government agencies to follow the “Guidelines for Media Sanitization” set by the National Institute of Standards and Technology to make all personal data disposed of by companies and agencies inaccessible. In addition, state agencies would also be required to submit samples of allegedly sanitized storage media to an independent third party vendor to verify the destruction of the personal data. 

New York

A New York data security bill would establish a general encryption standard as a safe harbor for entities seeking to avoid giving breach notice to individuals under the state's data breach notice law. The bill would also require businesses and state agencies to implement and maintain reasonable security safeguards, appropriate to the nature of the information, to prevent unauthorized access to or unauthorized destruction, use, modification, or disclosure of the private information.

Unlike the data security regulations issued under the Massachusetts breach notification law, the N.Y. bill does not authorize the promulgation of rules, but rather sets out the encryption standard in the text of the proposed law. The bill would also mandate notification of certain breaches to the state attorney general. Another New York bill would provide tax breaks for businesses that invest in data security.

Do You Know How to Take Out the Trash?

Joining the growing number of states which have enacted laws regulating the destruction of records to prevent possible identity theft, the Rhode Island Legislature passed H. 5092 on October 29, 2009. The bill requires businesses and government agencies to completely destroy records containing personal information, or render the personal information unusable, before disposing of records, whether in electronic or paper form. Not surprisingly, H. 5092 comes on the heels of Texas’s Attorney General settling related violations for nearly $1,000,000 with Select Medical, and over $600,000 with Radio Shack.

As with most legislation of this nature, including the FTC’s data disposal rule, the law provides two means by which covered entities may destroy records: either by modifying the personal data to make it entirely unreadable or indecipherable through any means, or by taking reasonable steps to shred, erase, or otherwise destroy records. The bill also exempts certain covered entities whose destruction practices are covered by federal law or who contract with data disposal firms (who would be subject to the data disposal law). The need for such measures is further underlined by the overzealous office workers who used documents containing personal information as “confetti” during the New York Yankees World Series parade. 

Underscoring the consequences of improper destruction, this bill permits individuals to sue to recover actual damages, and permits the state attorney general to seek fines or sue on behalf of individuals, with each record not properly disposed of being counted as a separate violation.