Category Archives: Employment

CFAA violation where employee’s access to work computer violated fiduciary duty to employer

Plaintiff former employer sued defendant former employee for violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, alleging that defendant, while still in the employ of plaintiff, accessed confidential business information and destroyed other important data. Defendant moved to dismiss the CFAA claim. The court denied the motion.

Defendant had argued that the complaint failed to establish that access to the work computer was had without authorization. He assserted that plaintiff did not allege that at any time while defendant was employed by plaintiff his access to his work-issued computer was restricted, or that plaintiff ever told him that he was no longer permitted to access the computer.

But the plaintiff had alleged that defendant’s access violated the fiduciary duty defendant owed. The court held that under Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006), allegations of a breach of duty are enough to properly allege that defendant lost his authorization to access his company computer.

Compare this holding (and Citrin) with the Ninth Circuit’s holding in LVRC Holdings v. Brekka.

Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla., May 6, 2011)

Former employee sued the company she used to work for alleging pregnancy discrimination. The company countersued under the Computer Fraud and Abuse Act (“CFAA”) alleging that the former employee violated the CFAA by using her work computer to access Facebook and check her personal email. She moved to dismiss the counterclaim, and the court granted the motion. The court found that the company failed to allege that its computer system was damaged by plaintiff’s internet usage, and plaintiff was alleged only to have accessed her own information, not that of the employer.

Plaintiff failed to show that Facebook pics supported hostile workplace claim

Jabbar v. Travel Services, Inc., 2010 WL 3563112, (D.Puerto Rico September 10, 2010)

Plaintiff sued her former employer for racial discrimination. The court granted summary judgment in favor of the employer, finding there was not enough evidence to go to trial on plaintiff’s claim. Plaintiff asked the court to reconsider the judgment against her. The court held its ground.

One of the assertions that plaintiff made was that someone from work had posted a discriminatory comment on a Facebook photo taken at a company outing.

The court found there was no evidence apart from plaintiff’s own deposition testimony that the company’s official policy was to upload photos to Facebook. And there was no evidence as to who owned the Facebook account in question.

So the court found no basis to overturn its earlier determination that plaintiff failed to establish a prima facie case of employment discrimination.

Judge: the concept of internet privacy is a fallacy upon which no one should rely

People v. Klapper, — N.Y.S.2d —, 2010 WL 1704796 (N.Y.City Crim.Ct., April 28, 2010)

Let’s hope that’s an overstatement.

A recent case from a criminal court in New York dealt with whether an employer violated the state’s law prohibiting unauthorized use of a computer (Penal Law 156.05). Though the court probably came to the right decision in dismissing the case, it said some puzzling things along the way about internet privacy.

The defendant-boss was alleged to have installed keylogging software on his employee’s work-issued computer. Through those means he acquired the password for the employee’s “personal” email account, and copied some messages from that account.

The court dismissed the case, finding that the prosecution had not alleged that defendant, the computer owner, had notice of any limited access to the computer or the email account. (After all, it was the employer’s computer.) The allegations further failed to allege that the employee had installed a security device to prevent unauthorized access or use.

That last part is a bit puzzling (wouldn’t the password protection on the “personal” email account satisfy that point?). But the real puzzling part of the opinion is how the court essentially destroyed the idea that there’s any hope for an expectation of privacy in internet communications.

Here’s the first paragraph of the opinion:

In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; the concept of internet privacy is a fallacy upon which no one should rely.

Apart from grossly overstating the death of a reasonable expectation of privacy in internet communications, the pronouncement was not needed to dispose of the case. The matter only dealt tangentially with whether the victim had any privacy rights violated. The real analysis was on whether the defendant had notice that access to his employee’s email account was unauthorized.

Though the court was correct on focusing its analysis on that point, i.e., whether the access was authorized, the more general obituary of internet privacy would seem to elminate the need for that proper analysis.

If there’s no internet privacy, why should we even bother to ask ourselves whether access to an account is authorized? If the concept of internet privacy is a “fallacy,” as the court declared, aren’t all our communications open for inspection and review by anyone?

Privacy photo courtesy Flickr user rpongsaj under this Creative Commons license.

Nefarious LinkedIn use finally makes it to the courts

TEKsystems, Inc. v. Hammernick, No. 10-99819 (D. Minn., Filed 3/16/2010). [Link to Complaint (PDF)]

Here is an interesting lawsuit that is bound to convince some employers that social media is causing the sky to fall (to the extent they’re not thinking that already).

Minnesota, showing roads and major bodies of water
Image via Wikipedia

An IT headhunting company that does business in the Twin Cities area of Minnesota has filed suit against a former recruiter-employee for breach of her noncompetition agreement. The complaint says that she violated that agreement when she connected on LinkedIn with 20 of the candidates her old firm was working with.

One thing that’s missing from the allegations is when the defendant made these allegedly improper LinkedIn connections. Did she already have them as connections when she left the plaintiff’s employment or did she invite them to connect after she left? The distinction seems like it would be relevant.

No doubt this case should get some attention due to the novelty of the allegations, namely, that the defendant used a social networking site to break the law. But as thinking persons, we should be careful not to sensationalize these facts. When you stop and think about it, how does the fact that the defendant may have used LinkedIn really differentiate the case from one in which she would have used a more conventional form of communication to solicit?

[Thanks to Paul Cherner at the HR Counsel blog for alerting me to this case. More coverage at the Delaware Employment Law Blog and Portfolio.com]

Emails sent through Yahoo account using work computer protected under attorney-client privilege

The New Jersey supreme court has held that emails an employee sent to her lawyer using her company-issued computer and a personal Yahoo account are protected by the attorney-client privilege.

Stengart v. Loving Care Agency, Inc., — A.2d —, 2010 WL 1189458 (N.J. March 30, 2010)

The New Jersey courts have a reputation of being protective of “informational privacy.” See, e.g., State v. Reid. A recent decision concerning employee privacy in personal emails adds to that reputation.

Plaintiff-employee used a work-issued laptop to access her Yahoo email account, through which she communicated with her lawyer about her lawsuit against the employer. During the discovery phase of that employment discrimination lawsuit, the employer used computer forensics to recover those Yahoo emails that had been copied to the computer’s temporary internet files folder.

Counsel for plaintiff demanded that the employer turn over the recovered emails, arguing that the communications were protected by the attorney-client privilege. When the employer agreed to turn them over but not discontinue use of the information garnered from them, plaintiff sought relief from the court.

The trial court denied relief and plaintiff sought review with the appellate court. That court reversed, and the employer sought review with the state’s supreme court. The supreme court upheld the appellate court’s decision, holding that the employee had a reasonable expectation of privacy in the communications.

The employer relied on a broadly-written company policy through which the employer reserved the right to review and access “all matters on the company’s media systems and services at any time.” But the court rejected those arguments.

Framework for the analysis

The supreme court considered two aspects in its analysis: (1) the adequacy of the notice provided by the company policy, and (2) the important public policy concerns raised by the attorney-client privilege.

As for the adequacy of the notice provided by the policy, the court found that because the policy did not address the use of password-protected personal email accounts, the policy was “not entirely clear.” As for the importance of the attorney-client privilege, the court lavished it with almost-sacred verbal accoutrements, calling it a “venerable privilege . . . enshrined in history and practice.”

“Intrusion upon seclusion” as source for standard

The court noted that the analysis for a reasonable expectation of privacy in dealings between two private parties was a bit different than the analysis in a Fourth Amendment case. The common law source for the standard in this context is with the tort of “intrusion upon seclusion.” Under New Jersey law, that tort is committed when one intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, in a manner that would be highly offensive to a reasonable person. (This language comes from the Restatement (Second) of Torts § 652B.)

In this situation, the court found that plaintiff had both a subjective and objective expectation that the messages would be private. Supporting her subjective belief was the fact that she used a private email account that was password protected, instead of her work email account. And she did not store her password on the computer. Her belief was objectively reasonable given the absence of any discussion about private email accounts in the company policy.

Plaintiff’s expectation of privacy was also bolstered by the fact that the email messages were not illegal, nor would they impact the performance of the employer’s computer system. And they bore all the “hallmarks” of attorney-client communications.

For all these reasons, not the least of which the priority of the courts “to keep private the very type of conversations that took place here,” the court found that the conversations were protected by the attorney-client privilege.

Probable cause existed to arrest employee for criminal data tampering

Deng v. Sears, Roebuck & Co., 552 F.3d 574 (7th Cir. January 5, 2009).

Employee Deng got a bad review from his employer Sears, Roebuck & Co. Disaffected, he took disability leave but continued to come into the office. On one of these visits, he deleted a bunch of data relating to work he had been doing. It cost Sears more than $40,000 to restore that data.

Sears called the police to report the data deletion, and Deng was arrested a year and a half later in Massachusetts (which is where he had fled). Deng was charged with violation of 720 ILCS 5/16D-3(a)(3), the Illinois law that prohibits tampering with computer files without the permission of the files’ owner. The criminal court dismissed the charges at the preliminary stage because a witness failed to appear.

Deng then filed a federal civil action against Sears for malicious prosecution. After his case was thrown out at the district court level, he sought review with the Seventh Circuit. On appeal, the court affirmed the dismissal of Deng’s suit. Among the things Deng was required to prove was that his arrest was made without probable cause. The court found that probable cause existed.

Deng had argued that he was authorized to delete the data, since statistical modelers like him were expected from time to time to free up disk space and get rid of unneeded data. One problem with this argument, however, was that Deng was on disability leave. Nothing in the record showed that the remaining Sears employees thought the data was no longer needed. After all, they spent significant sums to restore it. Moreover, because Deng was on disability leave, he had no authority to do anything with the data, let alone get rid of it. Finally, Deng’s fleeing after the troubles began was an indicator to authorities that he had done something wrong. Probable cause requires an objective analysis. Flight added to the impression that a crime had been committed.

Tennessee lawyer Jack Burgin also discusses this case at his blog Our Own Point of View.

No CFAA claim where no impairment of system or data

Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2008)

When defendants Pettit and Harper worked for plaintiff Andritz, Inc., they had company-issued laptops with which they accessed proprietary information. After defendants resigned, they allegedly took that proprietary information and gave it to defendant-competitor SMC.

Andritz sued in federal court, alleging violation of the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss for failure to state a claim. The court granted the motion.

The CFAA claim failed because the plaintiff did not allege the type of “loss” or “damage” required to sustain such a claim. The loss that plaintiff alleged was that defendants took proprietary information and used it to poach customers.

But the CFAA requires there be an impairment of the computer system or data accessed. Because the plaintiff “still had access to the data just as it had before [d]efendants’ actions,” there was no violation of the CFAA.

Similar cases: Sam’s Wines & Liquors, Inc. v. Hartig and Garelli Wong & Assoc. v. Nichols.

Laptop photo courtesy Flickr user maveric2003 via this Creative Commons license.

North Carolina supreme court reverses employee hard drive removal decision

Removal of hard drive and false claim of copyright ownership in company website and catalogs were misconduct sufficient to disqualify former employee from receiving unemployment benefits.

Binney v. Banner Therapy Products, Inc., — S.E.2d —-, 2008 WL 2370887 (N.C. June 12, 2008)

I covered this case back in 2006 after the appellate court’s decision. Now the state supreme court has reached a different conclusion.

Employee Binney was fired from her job because she claimed a copyright in the company’s website and catalogs (which she had helped create) and also because she took the hard drive of her work computer home with her over the weekend without asking. After she was terminated, she sought unemployment benefits. Her employer contested the claim.

Hard drive on a wooden table

The administrative body in charge of determining unemployment benefits found that Binney was terminated for employee misconduct and therefore not entitled to receive anything. Binney appealed that decision to a trial court, which affirmed the denial. She then appealed to the state appellate court, which reversed, and found that that given Binney’s position and responsibilities in the company and the reasonableness of her conclusions as to ownership of copyright, her actions did not rise to the level of misconduct that warranted a denial of benefits. [Internet Cases coverage of that decision.]

But the state supreme court reversed the appellate court, meaning that Binney is not entitled to benefits. The supreme court concluded that the appellate court incorrectly applied the standard of review, namely, whether the decision to deny benefits was based on “any competent evidence”.

As for the alleged misconduct of taking the hard drive home, the supreme court found that although the employer had no policy on removing hard drives, that did not contradict the administrative body’s finding that the employer did not authorize the hard drive’s removal. So there was competent evidence in the record that the removal was unauthorized, and corresponding misconduct in having removed it.

And as for claiming copyright in the website and materials, the supreme court similarly found that a determination of misconduct was supported by the record. Whether Binney believed in good faith that she had a personal copyright interest in the materials was irrelevant. She never asked for nor received permission to assert a personal claim on the company’s property by including the copyright statements, so in doing so, she engaged in misconduct.

Be careful with email because your employer is “looking over your shoulder”

Workplace email policy destroyed attorney-client privilege

Scott v. Beth Israel Medical Center, — N.Y.S.2d —-, 2007 WL 3053351 (N.Y. Sup. October 17, 2007).

Dr. Scott, who used to work for Beth Israel Medical Center in New York, sued his former employer for breach of contract and a number of other different things. Before he was terminated, however, he had used his work email account to send messages to his attorneys, discussing potential litigation against Beth Israel.

When Dr. Scott found out that Beth Israel was in possession of these email messages, he asked the court to order that those messages be returned to him. He argued that they were protected from disclosure to Beth Israel under the attorney client privilege.

Beth Israel argued that they were not subject to the privilege because they were not made “in confidence.” There was an email policy in place that provided, among other things, that the computers were to be used for business purposes only, that employees had no personal right of privacy in the material they create or receive through Beth Israel’s computer systems, and that Beth Israel had the right to access and disclose material on its system.

Dr. Scott argued that New York law [CPLR 4548] protected the confidentiality. Simply stated, CPLR 4548 provides that a communication shouldn’t lose its privileged character just because it’s transmitted electronically.

The court denied Dr. Scott’s motion for a protective order, finding that the messages were not protected by the attorney client privilege.

It looked to the case of In re Asia Global Crossing, 322 B.R. 247 (S.D.N.Y. 2005) to conclude that the presence of the email policy destroyed the confidential nature of the communications. The policy banned personal use, the hospital had the right to review the email messages (despite Scott’s unsuccessful HIPAA argument), and Dr. Scott had notice of the policy.

The decision has implications for both individuals and the attorneys who represent them. Employees should be aware that when they are sending messages through their employer’s system, they may not be communicating in confidence. And attorneys sending email messages to their clients’ work email accounts, on matters not relating to the representation of the employer, must be careful not to unwittingly violate the attorney client privilege.

What’s more, although the decision is based on email communications, it could affect the results of any case involving instant messaging or text messaging through the company’s server.