Tuesday, July 31, 2012

The Computer Fraud and Abuse Act and Employee Data Theft

When Congress enacted the Computer Fraud and Abuse Act in 1986, a number of us believed that employers had a powerful tool to deal with employees improperly removing key company information from electronic data storage systems for the employee's benefit. The statute, which has both civil and criminal components, makes a person liable for damages if they intentionally access a computer without authorization, or exceed authorized access to a computer, to obtain information from any protected computer; accesses a protected computer without authorization or exceed authorized access to commit fraud; or intentionally access a protected computer without authorization and recklessly cause damage or loss to the computer's owner.

CFAA cases typically arise in one of two circumstances: someone outside the company hacks into the company's servers or databases and either maliciously damages the system, or removes confidential information for use elsewhere, or an employee who has routine access to the system takes information from it to use for the benefit of a competitor, or for the employee's own use, to the detriment of his employer. While the courts have had no trouble finding that the CFAA applies to the first scenario, the courts are split on whether the statute applies to the second.

A recent decision by the Fourth Circuit provides useful guidance on the application of the CFAA to situation where an employee, who is authorized access to employer's computer system, removes proprietary information from it, shortly before he leaves the company to join a competing business. In this case, a project director for a company providing specialized welding and related services to the power generation industry was accused of systematically removing confidential and trade secret information from his employer's network by sending it via his work computer to his personal e-mail address.

Note to potential data thieves everywhere-in my experience, it is virtually impossible for the average employee to remove information from a company server in electronic form without detection. And every one of my clients performs an immediate review of all the activity on a manager's information technology account, following an abrupt and unanticipated departure.

There are two schools of thought with respect to CFAA application to this kind of situation. The first school, which is in session here in the Seventh Circuit, is that an employee who removes information from an employer's computer system, in breach of his fiduciary duty to the employer (as in our example case), cannot say that she is authorized to do so, and is therefore in violation of the statute. I like this approach, because it's logical and makes common sense. After all, no employer would say that an employee who steals its trade secrets is doing so in an authorized manner. The second school of thought takes a more literal reading of the statute, noting that an employee who can access the computer system as part of his job is "authorized", regardless of the purpose for which he does so. This more limited reading of the statute, which was articulated by the Ninth Circuit, is the one that was ultimately adopted by the Fourth Circuit in this case.

A key part of the Fourth Circuit's ruling is that the CFAA is a criminal statute, as well as a civil one. Criminal statutes are usually read very narrowly, in order to provide as much notice to the public as to what conduct is actually prohibited. The court noted that a broad reading of what is "authorized" access would theoretically criminalize conduct by any employee that was not specifically okayed by an employer. Visits to Facebook, shopping sites, personal banking sites, etc., would become criminal violations because they were not specifically authorized by an employer's policy. The court also noted that it was not necessary to find an expansive scope for the CFAA because there were numerous other state law causes of action, e.g., theft of trade secrets, breach of fiduciary duty, etc., that would encompass and protect the employer's data in this type of situation.

In short, the CFAA is not a cure-all for employee data theft. My personal opinion is that the Fourth Circuit's read on this is likely to be more persuasive with the federal district courts that confront the situation. Accordingly, companies should look to more traditional means of protecting their data under trade secret, fiduciary duty, confidentiality, and other doctrines.

Sunday, July 15, 2012

New Joint Employer Test for FLSA Cases

An interesting case from the Third Circuit raises a seldom litigated feature of the FLSA, albeit a critical one.

Unlike some other employment laws, notably Title VII, the ADEA, and the ADA, the FLSA (and its cousin, the FMLA) has a very broad definition of the term "employer." Individual supervisors can be employers under the FLSA, as can corporate entities up or down the line of the corporate entity actually employing the plaintiff.

That was the situation in this case. The Court was confronted with a type of joint employer claim in the form of a rental car company (a holding company) that used some 38 separate leasing organizations, all under the umbrella of the corporate parent. The parent provided services in the form of business guidelines, benefits plans, car rental reservation tools, insurance, technology and legal support. The business guidelines were communicated directly to the subsidiaries' employees in the form of a corporate manual. The holding company also offered HR services, including recommended pay scales and wage rates, to the subsidiaries. But the use of the services was optional to each of the subsidiaries, and the subsidiaries paid for each of the services that they used or subscribed to.

Assistant branch managers for the 38 subsidiaries sued collectively under the FLSA for overtime wages, claiming they were improperly categorized as "exempt" employees who are not entitled to overtime, and instead work on a fixed salary basis. Noteworthy is the fact that the holding company had previously recommended that the subsidiaries consider the assistant managers "exempt" and not pay them overtime. The assistant managers sued their subsidiaries and the holding company, claiming that the holding company was an employer under the FLSA. The holding company denied liability, saying that it was not an FLSA employer because it did not involve itself sufficiently in the day-to-day operations of the individual leasing companies.

The Court determined that the holding company was not an employer, based on its review of the facts, as measured against the standard the Court fashioned for this case. The factors in measuring the employer status in a joint employment circumstance are whether the alleged employer has:

Authority to hire and fire employees;
Authority to determine work rules and assignments, and set conditions of employment (e.g., compensation, benefits, hours and work schedules, including the rate and method of payment);
Day-to-day supervision of the workforce, including employee discipline; and
Control of employee records, including payroll, insurance, taxes, and the like.

While this list looks relatively straightforward, the Court said that each situation will be different, and there may be factors militating strongly one way or the other that are not contained in the formal list. One of the keys here was that the holding company sold its services, and that the policies that it did put forth were not binding on the subsidiaries. Companies should note that less entanglement in actual supervision of employees, and the use of recommended rather than mandatory policies, is a good way to maintain enough legal distance from subsidiary employees to avoid wage and hour liability. This is one of those legal areas where it would be smart to consult your employment counsel before making any final determinations.

The NFL Litigation Bonanza

The dust has settled a little following the NFLPA filing its lawsuit relating to discipline imposed on Saints players for participating in the alleged bounty system designed to knock other teams' players out of football games. So far, a couple of things are pretty clear:

--The NFLPA has a lousy case. The main thrust of the union's complaint is that it wants relief from a federal judge in the form of invalidating a process that the union itself authorized. This is a loser from the get-go in all but the most egregious situations. Basically, the union is asking to be saved from its own bad judgement in allowing the NFL to negotiate and win a provision that gives the league commissioner the power to not only impose discipline, but then rule on whether he himself was reasonable in making his decision. I don't know why anyone would think that's a good idea--most union contracts have SOME type of check and balance provision on the discretion of management. But the NFLPA allowed that process to stand, and federal courts are notoriously reluctant to mess with union agreements and disputes.

--The only way the union prevails is to show that the process was so awful and unfair that the league was not following the CBA terms when it approved the discipline handed down. That's going to be tough, because the players didn't participate in their own defense at the arbitration, and because it appears that NFL Commissioner Roger Goodell didn't do anything other than rule on what he believed was the evidence. Procedurally, there has to be more than that to sustain an arbitration challenge (Grantland has a nice analysis here).

--Notwithstanding the comment above, the union had to file its lawsuit in order to save some kind of face with its membership, and to preserve the jobs of the union leadership. After all, that $5K a year per player in dues has to go for something, right?

--The NFL isn't exactly covered in sugar here, though. The league has pretty much demonstrated that its "airtight" case against the players has a few leaks. Audio tapes that aren't clear, a failure to produce the infamous ledger of bounty payments, and a number of other shortcomings all show that there was a lot of slippage between those press releases of a fully operational payoff scheme to injure other players and reality. Maybe the players should have showed up for the hearings, after all.

--Linebacker Jonathan Vilma's defamation lawsuit, which is a separate filing from the bounty gate union suit, but is seeking much of the same relief, should probably be kicked out of court because the subject of the dispute falls under the conflict resolution provisions of the union contract. In fact, the NFL filed a grievance against Vilma basically asking that an arbitrator require Vilma to use the CBA grievance procedure instead of court. The interesting question is whether a personal claim of defamation against Goodell can be preempted by the union contract, which nominally only applies to disputes between the union and the league in the course of football business. For example, if Goodell punched Vilma, Goodell , in addition to getting a severe beatdown, would be sued directly as an individual for battery.

One thing for sure--those of us who thought there would be relative labor peace following the CBA signing last fall could not have been more wrong. And isn't it interesting to see a union defending members that were allegedly willing participants in a system that set out to deliberately injure other union members?

Thursday, July 12, 2012

Sexual Harassment and the CIA

The CIA is apparently dealing with some problematic issues involving sexual harassment, and a few of the details are leaking out of the Agency.

With respect to sexual harassment cases, at least, the Agency is probably no different from any other long hour, high stress organization. Romantic liaisons between bosses, subordinates and coworkers are also common in places like hospitals, law firms, and financial investment companies. Moreover, paramilitary organizations are usually highly male-dominated, so it's not surprising at all that the women working there might be exposed to the occasional dirty joke, explicit remark or come on. Although the article doesn't mention it, managing these cases is a real challenge in this environment because of the security clearances of the people involved and the nature of their work. In addition, internal CIA personnel matters are typically classified, meaning that much of the investigation of a complaint has to take place behind closed doors.

And whatever stresses there are at the headquarters, the situation is only exacerbated once the agents are placed into the field.

Which raises the issue of whether typical Title VII jurisprudence should even apply to this kind of employment situation.

Tuesday, July 10, 2012

New Online Guidance on the FMLA From the US Department of Labor

For those of you looking for a relatively comprehensive and updated review of FMLA entitlements (albeit from an employee perspective, of course), the DOL has put out two new online resources.

DOL's "The Employee's Guide to the Family and Medical Leave Act" is a nice, straightforward review of FMLA procedures and rights. It might be handy to have in an HR manager's toolkit for situations where something needs to be explained, or reviewed with an employee.

DOL also put on a webinar outlining these provisions, and addressing some frequently asked questions. If you have time, you can view the webinar here.

Again, note that both products are geared toward employees. But they provide a useful overview of the statute and the basic rules of engagement for FMLA situations.

Monday, July 2, 2012

Assault and Batter

This has nothing to do with employment law, but some cases are simply too good to pass up.

From Lowering the Bar comes the story of a man who was arrested for "battering" his sister in a dispute over how much maple syrup should be put on pancakes.

You can't make this stuff up.