Maryland Bar Bulletin
Publications : Bar Bulletin : March 2006

Previous | Next

 Bar Bulletin Focus

Labor/Employment Law    

CFAA, SECA: Protecting Sensitive Company Information

The realities of the modern workplace – with its sophisticated, transient workforce and near-total reliance on the electronic storage, retrieval, and manipulation of information – require prudent employers to take steps to regulate the use of company technology by employees generally and to protect sensitive company information accessible by employees specifically. Among the tools available to employers to assist with the latter goal are statutes such as the Stored Wire and Electronic Communications and Transactional Records Access Act (SECA) and the Computer Fraud and Abuse Act (CFAA) which create criminal and civil penalties for individuals accessing computer or electronic information either without authorization or in excess of their authorization.

Maryland employers and their counsel need to pay special attention to this area of law, however. Although the recent Maryland District Court decision in International Association of Machinists and Aerospace Workers v. Werner-Masuda seems to limit the relevance of these statutes in the employment context, the Court's reasoning in Werner-Masuda runs contrary to the majority of federal courts to consider the matter, and it is unlikely to be followed. Maryland employers would therefore do well to examine precedent from other circuits contrary to the Werner-Masuda holding in drafting materials intended to regulate the workplace.

In a nutshell, the difference between the Court's holding in Werner-Masuda and most other Courts to decide the applicability of the CFAA and SECA to the employment context turns on the distinction between sabotage by an "insider" who accesses the employer's information with the intent to use that information for an unauthorized purpose and so-called "outside hacking" by someone not employed by the company and having no ties to the company at all. The defendant in Werner-Masuda was alleged to have accessed her employer's highly-confidential membership list and provided that information to another entity as part of a drive to recruit union members to a different union. Because she had signed an agreement with her employer agreeing that she had authority to access proprietary information only for the purposes of assisting her employer, her then-former employer included in the claims against her counts under both the SECA and CFAA.

The U.S. District Court for the District of Maryland ruled that the International Association of Machinists had failed to state a claim under either the SECA or the CFAA. In reaching this finding, the Court considered only the undisputed fact that Werner-Masuda had been authorized to access the information in question and disregarded the registration agreement Werner-Masuda had signed at the outset of her employment, in which she agreed that her use of the information contained in her employer's network for reasons not benefiting her employer would be inappropriate.

The Court's opinion in Werner-Masuda is flawed in part because it confuses the SECA and the CFAA. While no Court has ever held that the CFAA's scope is limited to outside hackers, several well-reasoned opinions have held that the SECA's scope is limited to outside hackers; the opinion in Werner-Masuda seems to have conceptually combined the two statutes without recognizing that each statute has a somewhat different scope.

Nevertheless, for the purposes of employers attempting to protect themselves and their sensitive company data, a very important lesson can he gleaned from the Court's holding in Werner-Masuda. The Court in Werner-Masuda stressed that the CFAA prohibits unauthorized access only; the Court then emphasized that what the plaintiff hoped to do was recover civilly for Werner-Masuda's use of information that she was authorized to access. Employers hoping to find protection under the CFAA would therefore do well to outline each employee's scope and authority to access and use sensitive company information in a separate written agreement signed by the employee.

It would probably not the wisest course to include such information as part of the more general materials communicating the employer's policy on the use of company technology. Employers might also want to consider getting the employee to agree in advance on what types of activities would constitute unauthorized use and access of the employer's information.

It goes without saying that any employer that lacks an official policy on the use and abuse of company technology does so at his or her own peril. Properly seen, agreements which define and delimit an employee's authorization to access sensitive company information are a vital workplace policy and are in every way as important as policies regarding inappropriate e-mail and Internet usage.

Zachary A. Kitts is an associate at the Vienna, Virginia, firm of Tate, Bywater & Fuller, Ltd., where he focuses his practice in the area of employment law, representing and counseling both employers and employees.

Previous previous

next Next

Publications : Bar Bulletin: March 2006

Back to top