People sometimes ask me, “Eric, where do you get all your blog content from?” Often, like today, other blogs inspire me. So, with a big tip of the cap to Evan Brown and his post here at Evan.law, let’s talk about what you can’t do if you suspect that a former employee has misappropriated your trade secrets.
Sally is one of your top salespeople. Over the past two years, she’s been crushing it! And the company couldn’t be happier. That is, until the company learns that Sally has resigned abruptly to take a job with a direct competitor.
Unfortunately for the business, Sally has no restrictive covenants. She is free to work for whomever she wants and solicit your customers. But Sally did sign a confidentiality agreement, and her fast exit has your Spidey senses tingling. That, and a tip from one of Sally’s coworkers that she has a cloud storage account that contains some of your proprietary information.
If only there were a way to access it.
Oh, but there is! Sloppy Sally left a Post-it Note on her desk with the account URL. And guess what? There’s no password protection. So, why not have a look around and see what’s up?
Based on this recent federal court decision, you may want to think twice about that.
The Computer Fraud and Abuse Act makes it unlawful in certain situations to intentionally access someone else’s computer without authorization and obtain information.
Does Sally’s faux pas (plural) — her Post-it Note and no password — provide authorization for you to access her cloud storage account?
Sorry, no. Here’s the court’s explanation, which I cleaned up a bit:
The prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through the use of a permission requirement of some sort. If anyone with a browser could access the website, it had no limitations on access. But a non-public URL did not per se render the cloud storage drive public, given that the URL was a string of many characters. What’s more, the cloud storage account was not indexed by any search engines. Therefore, it wasn’t just “anyone with a browser” who could stumble upon it on a web search—the internet denizen wishing to access it needed to obtain the exact URL into the browser. By the Court’s eye, Plaintiff alleges that the cloud storage account had limitations and thus persons attempting to access it needed authorization.
In other words, Sally’s inadvertent disclosure of the means around a limitation on access does not per se grant authorization.
Ok, so the CFAA could be in play here if you access her account and cause some damage.
What could you do instead?
Well, you can run forensics on the technology that the company provided Sally (e.g., laptop, mobile phone, tablet). You can check her company email to see if she emailed anything to herself. You can check your servers to see if Sally accessed her cloud storage account from work. You can get a formal statement from the tipster. You can interview her other colleagues. You can even ask Sally.
With evidence of foul play, you can write to Sally demanding answers. You could even sue her for breach of contract, violations of state trade secrets law, the federal Defend Trade Secrets Act, and a host of common law torts.
Then, if you haven’t done so already, update your IT policy to clarify that employees cannot store the company’s proprietary information in unauthorized locations such as personal cloud-based storage accounts. If you don’t take proactive steps to treat your confidential information as such, your employees won’t either.
And neither will courts.