Guidelines For Computer Data Access

Employees, in the course of their employment, will often have broad access to company files.  If employees are terminated or seek other employment, such access can become problematic.  Indeed, companies store sensitive and commercially valuable information on their servers. Employee misuse of these files can substantially weaken a company’s economic viability and threaten its progress.  In a recent court decision, the United States District Court for the Northern District of California held that a former employee who accessed an employer’s servers using his login information was not liable for unlawful hacking. The court explained that the employee had not violated the Computer Fraud and Abuse Act (“CFAA”) or the California Comprehensive Computer Data Access and Fraud Act (“CDAFA”).

What is the holding in Enki Corporation v. Freedman?

According to the record, Enki Corporation had entered into a contract with Zuora to provide certain consulting and information technology services. As part of these services, Enki installed a computer resource and performance monitor on Zuora’s network. Additionally, Enki contracted with Keith Freedman, a former employee, to provide consulting services for Zuora. Enki subsequently terminated its contract with Freedman when it discovered that Freedman was speaking negatively about Enki’s services. Freedman had also accessed the monitor Enki installed on Zuora’s network using his employee login to download Enki’s proprietary information (e.g., private company files and data) from the servers. The court held that this did not violate the CFAA because Enki had failed to show that Freedman accessed the computer system without authorization. Since the CFAA is aimed at regulated access to protected data, not the misuse of such data, where employers lawfully access servers, there is no CFAA violation. As for the CDAFA claims, the court also did not find a violation because Freedman did not have to “hack” into the system because he did not have to override a computer code. He simply logged in using his employee login information.

What do the CFAA and CDAFA establish?

Congress enacted the Computer Fraud and Abuse Act as an amendment to expand the scope of computer fraud law, codified under 18 U.S.C. section 1030. Under the CFAA, access to a computer, “without authorization or exceeding authorized access” is a criminal offense.  The California Comprehensive Computer Data Access and Fraud Act, codified under Penal Code section 502, protects against “tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.” Major violations of CDAFA may lead to fines of up to $10,000 and three years in prison. Both of these statutes allow employers to seek legal remedies against employees who misappropriate company information. However, the district court’s decision in Enki Corporation v. Freedman now shows that employees actually enjoy a higher degree of protection.

At our law firm, we help inform businesses and individuals about the various laws and regulations that apply to information technology frameworks and authorized access.  Whether you are an employee or an employer, you may contact us to discuss with an attorney how the legal standards discussed above affect you.