Published in NH Bar News (12/15/2017)
Strong anti-hacking and privacy protections exist under federal law. Businesses and their counsel need to understand the company’s anti-hacking rights and remedies as well as the privacy limitations imposed on the business under those laws.
Four federal laws form the foundation of anti-hacking and privacy rights: the Computer Fraud and Abuse Act, 18 U.S.C. 1030 (CFAA), the Stored Communications Act, 18 U.S.C. 2701 (SCA), the Electronic Communications Privacy Act, 18 U.S.C. 2510 (ECPA), and the Defend Trade Secrets Act, 18 U.S.C. 1836 (DTSA). While these statutes have broad application, they are particularly useful in civil contexts involving anti-competitive activities, disgruntled existing and former employees, and intrusive spouses and ex-spouses.
Each statute addresses somewhat similar, but also importantly different, types of conduct. The CFAA prohibits any knowing or intentional accessing, without authorization or beyond the scope of authority, of any computer used in interstate commerce or by a financial institution or the federal government. Such protected computers including devices like servers, desktops, laptops, tablets, and cellphones. The SCA has nearly identical prohibitions protecting stored electronic communications and data, or “data at rest”, including email, text and instant messages, social media accounts, blogs and microblogs, and cloud computing and storage. The counterpart to the SCA, the ECPA, prohibits any knowing or intentional interception of electronic communications in transit, or “data in motion.” Finally, the DTSA is a close federal corollary to state Uniform Trade Secrets Acts (UTSA), prohibiting the misappropriation of trade secrets.
Anti-Competitive Conduct: Commercial espionage is a fact of modern day life, particularly from foreign actors. Such hacking can have a variety of goals, including obtaining valuable technological, corporate, and financial information, engaging in improper trading of products and securities, and perpetrating embarrassing and damaging data security breaches.
Common hacks involve penetrating a company’s firewall through brute force attacks to access servers and cloud storage (prohibited by the CFAA and SCA), using phishing to install malware and key logger applications on desktop and laptop computers in order to monitor the activity and intercept the communications of users (prohibited by the SCA and ECPA), and stealing laptops and mobile devices to access the data on those devices as well as the various accounts linked to the devices (prohibited by CFAA, SCA, and DTSA). A business experiencing such an attack should immediately retain experienced counsel and an outside computer forensic expert to halt any further intrusion, forensically image the devices affected by the attack, and collect evidence that will be critical to the case but is oftentimes short lived if not preserved immediately, such as logs from firewalls, operating systems, and executable applications, data from embedded network monitoring programs, user profiles, and deleted and residual data.
Federal anti-hacking statutes provide strong civil remedies for companies that experience such attacks, including immediate injunctive relief, as well as the seizure and impounding of the stolen information and electronic devices used to perpetrate the attacks. The federal court forum afforded by these laws similarly facilitates effective jurisdiction and discovery for cases that typically involve parties and witnesses in multiple states or countries.
Employment Situations: Disgruntled employees are one of the leading causes of data theft. A former employee who accesses a company network or electronic device lacks the authority to do so, and therefore violates the CFFA and SCA, even if the employee uses his or her former username and password that the employer may not have terminated or the login credentials of another employee. In some jurisdictions (not New Hampshire), federal courts have held that an existing employee violates the CFAA and SCA by accessing company computer systems that the employee did not routinely use or need in the course of performing his or her job duties for the employer, reasoning that such conduct exceeds the scope of the employee’s authority. Moreover, the DTSA and UTSA prohibit both existing and former employees from acquiring, using, and disclosing any trade secret that the employee obtained by improper means, including accessing systems that the employee was not authorized to access.
The SCA, ECPA, and federal case law also establish parameters for businesses that seek to monitor and review the electronic communications and data of their employees. In 2014, the U.S. Supreme Court entered the digital privacy fray in Riley v. California, by judicially recognizing that individuals have an expectation of privacy with respect to data on their cellphones:
Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life’ .... The fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of the protection for which the Founders fought.
Businesses can – and should – dispel employees of any expectation of privacy with respect to company networks, devices, and accounts via an effective information use policy. However, a business cannot, as a matter of policy or agreement, strip its employees of their rights under the federal law. As a result, even if a business has the right to confiscate and search the company computer and cellphone used by an employee, the employer violates the SCA if it uses those devices to access the personal accounts that the employee connected to the devices, such as personal email, social media, and cloud storage accounts. A business likewise violates the ECPA by monitoring in-transit personal communications of an employee, even if the correspondence occurs using a company network or device. Businesses therefore need to be careful, and seek advice from an attorney experienced in this area of the law, when conducting investigations, surveillance, and other digital forensic activities concerning employees.
Domestic Cases: Family law is rife with instances of spouses and ex-spouses securing data about each other in a manner that violates the CFAA, SCA, and EFCA. For example, a keystroke logger installed on a computer or cellphone of a divorcing spouse and a program that intercepts email transmitted on a family router violate the ECPA. Similarly, surreptitiously accessing a divorcing spouse’s computer or email account by guessing the password or using a device that automatically connects to the account, and using a biometric identifier of the spouse or a child that exists on the other divorcing spouse’s mobile device to access the device or online accounts connected to the device, are violations of the CFAA and SCA.
Too often, a client will arrive at the office of his attorney gleefully clutching documents that he believes will be the smoking gun, not knowing that he is really holding evidence of a crime that will almost certainly be inadmissible in his domestic case. Family law practitioners need to advise their clients early on about the limitations of conducting digital espionage, understand how such evidence can be secured lawfully, and be prepared to deal (practically and ethically) with clients that nonetheless offer them such purloined materials.
Federal laws provide both powerful rights as well as strict limitations with respect to hacking and digital privacy. Businesses and their counsel need to understand the contours of these laws to effectively protect their rights and avoid costly and harmful mistakes.