What to Do When a Departing Employee Downloads Information

14 June 2021 Labor & Employment Law Perspectives Blog
Author(s): Bennett L. Epstein

The day after an employee’s last workday, you get around to checking his email and learn that he has downloaded and transmitted company and client documents to his personal cloud storage account.  What weapons do you have in your legal quiver to compel the employee to return or delete those documents?  Until recently, employment and data security lawyers would tell you that the employee is at risk of violating the federal Computer Fraud and Abuse Act (CFAA), which provides both criminal penalties and a civil cause of action.  Among other things, the CFAA prohibits persons who are authorized to access computer files from exceeding their authority.  It appears that your former employee clearly exceeded his authority when he downloaded documents on the way out the door.  However, the U.S. Supreme Court begs to differ.

In a case decided last week (Van Buren v. United States), the Court held that persons who were authorized to access computer files do not necessarily violate the CFAA by accessing the information for a purpose that exceeds their authority.  In that case, the Court decided that a police officer who was permitted to access the department’s data files for law enforcement purposes did not violate the CFAA when he received $6,000 from an undercover police officer to check whether another person was also an undercover police officer.  The majority of the justices expressed concern that broad application of the CFAA could lead zealous law enforcement officers to prosecute otherwise law-abiding citizens who make trivial personal use of computer data which they were otherwise authorized to access.

While the Van Buren case was decided in the context of a criminal appeal, limitations imposed by the Court also significantly reduce the scope of the CFAA in a civil case.  No longer will employers confidently be able to rely on the CFAA when suing employees who misappropriate trade secrets or proprietary information to which they have access, by downloading them from the company’s server. 

However, rest assured that companies are not left without recourse.  There are other actions to be taken, provided that companies take the appropriate precautions.  Companies should enter into agreements requiring employees to return or delete company information upon demand or upon termination of employment.  They also should require employees to sign a confidentiality or nondisclosure agreement upon the commencement of employment.  HR departments should regularly audit personnel files to make sure that each employee who has access to company information has a signed nondisclosure agreement in his file.  An even better practice is to require employees to install software on their cell phones enabling the employer to delete company information remotely. 

In addition to confidentiality and deletion of information agreements, companies should have policies and agreements clearly defining what areas of the computer system particular employees are authorized to access. Remember – the Van Buren decision applies to circumstances in which an employee is otherwise authorized to access certain information; when an employee does not have such access, CFAA remedies may still apply.

At exit interviews, HR should require employees to sign a form confirming that they did not take any company information and that they have deleted or returned any information that they legitimately have on personal data storage devices or in their cloud accounts.  By taking such steps, employers can enforce contractual rights.

Even in the absence of a confidentiality agreement or a computer usage policy, most states have enacted the Uniform Trade Secrets Act, which provides claims and remedies for the misappropriation of trade secrets.  In 2016, Congress enacted the Defend Trade Secrets Act, which for the first time created a federal claim against persons who misappropriate trade secrets, provided that the company maintains policies and agreements required by the statute.

While the Supreme Court significantly limited the use of the CFAA as a means of punishing employees who wrongfully use their employer’s computer systems to take information which they are not authorized to take, many potential claims remain.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services