Legal Report August 2011
U.S. JUDICIAL DECISIONS
COMPUTER POLICIES. An employee can be prosecuted under federal computer crimes laws for accessing a proprietary database for the purpose of defrauding his company. Though the federal law was designed to prevent hacking, it also applies to theft of proprietary information in some cases, according to a federal appeals court.
David Nosal began working for Korn/Ferry, an international executive search firm, in 1996. When Nosal left the company in 2004, he signed an agreement to serve as an independent contractor for Korn/Ferry for one year and to refrain from competing with the company during that time. He was compensated at a rate of $25,000 a month for that year.
However, shortly after leaving the company, Nosal convinced three employees at the firm to obtain information from the Korn/Ferry database. They planned to use the information to start a business to compete with Korn/Ferry. The database was highly protected by the company and contained names and information on executives and companies worldwide.
The company protected the database through electronic passwords and physical access control to the servers. All employees with access to the database signed an agreement to keep the information secret and were informed that violations would be met with both disciplinary action and criminal prosecution. Each report generated from the database had “proprietary and confidential” printed on each page.
Korn/Ferry became aware of Nosal’s activities and reported the violation to the police. Prosecutors charged Nosal and one of his accomplices with violation of the Computer Fraud and Abuse Act (CFAA).
Attorneys for Nosal moved to dismiss the charges, arguing that the CFAA was designed to prevent hacking and did not apply to misappropriation of confidential information. The U.S. District Court for the Northern District of California agreed with Nosal, finding that because the conspirators had authority to access the database for legitimate business, they could not be prosecuted under the CFAA.
In making its decision, the court relied on a prior case (LVRC Holdings v. Brekka, U.S. Court of Appeals for the Ninth Circuit, 2009) in which the court ruled that an employee who had access to a computer network did not violate the CFAA when he e-mailed confidential documents to himself from the corporate network after he had resigned. (See “Legal Report,” February 2010, for full coverage of the case.)
The U.S. Court of Appeals for the Ninth Circuit disagreed with the lower court, finding that the facts in the current case did not match those in Brekka. The company did not have written policies prohibiting e-mailing documents in Brekka, noted the court. Therefore, the employee in that case had not violated any access restrictions, and it was the company’s responsibility to ensure that employees did not have access to the computer network after they resigned.
In the current case, ruled the court, Korn/ Ferry placed “clear and conspicuous restrictions” on employee access to the computer system in general and to the database specifically. Nosal not only violated those restrictions, noted the court, he violated them with an intent to defraud the company. (U.S. v. Nosal, U.S. Court of Appeals for the Ninth Circuit, No. 10-10038, 2011)
PRIVACY. The Department of Homeland Security (DHS) may not exempt itself from violations of the federal Privacy Act, according to a federal appeals court. The case stemmed from an incident in 2006 where Julia Shearson and her four-year-old daughter were detained as they tried to enter the United States from Canada. Shearson was handcuffed at gunpoint and separated from her daughter. After being questioned for several hours, Shearson was reunited with her daughter. Shearson’s name had erroneously appeared on a federal database as “armed and dangerous.”
Shearson sued DHS under the Privacy Act, claiming that the agency was responsible for the false information in its database. The DHS claimed it had exempted itself from lawsuits based on inaccurate computer data. The U.S. Court of Appeals for the Sixth Circuit found in favor of Shearson, sending the case to trial on its merits. The appellate court ruled that the DHS could not exempt itself because the Privacy Act clearly states that the government must provide civil remedies for failure to keep accurate records. (Shearson v. U.S. Department of Homeland Security, U.S. Court of Appeals for the Sixth Circuit, No. 08-4582, 2011)
U.S. REGULATORY ISSUES
WHISTLEBLOWERS. The Securities and Exchange Commission (SEC) has issued a final rule on the whistleblower program created under the Dodd-Frank Act. The act provides informants with a percentage of monetary sanctions of more than $1 million obtained from their information. The new rule sets out how the program will be administered.
The rule stresses the value of internal compliance programs, and to encourage whistleblowers to report concerns to their companies before turning to the SEC, those who do that will be entitled to a larger percentage of the monetary sanction; those who interfere with an internal program will see a decreased award. An employee who makes an internal report up to 120 days before making a report to the SEC will get credit for any information reported directly by the company to the SEC. The rule notes that these actions are designed to encourage companies to strengthen their internal programs because whistleblowers are now more likely to use them.
The rule also sets out the criteria that govern when a whistleblower will get an award. The information must be original, given voluntarily, and result in successful enforcement.
Under the rule, companies are prohibited from retaliating against an employee who reports possible violations. Employees may pursue retaliation claims in federal court.
Rep. Michael Grimm (R-NY) has introduced legislation (H.R. 2483) that would make it mandatory for employees to first report violations to their employers in order to receive monetary awards. The legislation would also require that the SEC notify companies of whistleblower reports and allow the companies 30 days to conduct their own internal investigation before proceeding with a government analysis. Before the measure was introduced, Grimm sought input from members of the House Financial Services Committee’s Subcommittee on Capital Markets and Government Sponsored Enterprises.
U.S. CONGRESSIONAL LEGISLATION
GOVERNMENT FACILITIES. A bill (S. 772) designed to strengthen security at federally owned buildings has been approved by the Senate Homeland Security and Governmental Affairs Committee. The bill must now be taken up by the full Senate.
The bill seeks to improve security at buildings operated by the Federal Protective Service (FPS). The FPS employs approximately 15,000 contract security guards to protect the facilities, staff, and guests. However, according to remarks made by Sen. Joseph Lieberman (I-CT) when he introduced the bill, the FPS ran into budgetary trouble when it was folded into DHS in 2003. The deficiencies, said Lieberman, have led to understaffing and poor training for security guards.
S. 772 would authorize and fund 146 additional security and support personnel. Guards would undergo additional training, and facilities would undergo risk assessments to help focus resources. Both overt and covert testing would be conducted to ensure that guards are performing to expectations.
FPS would be required to report back to Congress on methods used to prevent and detect explosives in federal facilities and DHS would have to establish standards for the explosives detection technology used at building checkpoints. Reports would also be required on the retention rates of contract guards and the feasibility of federalizing contract guards.
CORRUPTION. A bill (S. 401) introduced by Sen. Patrick Leahy (D-VT) would revise the criminal code to strengthen penalties for bribery and corruption convictions.
The bill would expand mail and wire fraud statutes to cover offenses involving anything of value, including intangible rights and licenses, for example, not just monetary goods. The measure reduces the threshold amount for theft or bribery involving federally assisted programs from $5,000 to $1,000 and increases the maximum prison term for such offenses from 10 to 15 years. The maximum term of imprisonment for theft and embezzlement of federal money, property, or records would be increased from 10 to 15 years, and prison terms for bribery offenses would go from 15 to 20 years.
The measure would also modify elements relating to the crime of bribery of public officials and witnesses to prohibit public officials from accepting anything of value, other than what is permitted by rule or regulation. The bill would expand the definition of “official act” to include any conduct that falls within the range of the official duties of a public official.
S. 401 has one cosponsor and has been referred to the Senate Judiciary Committee. Leahy is chairman of the committee.
STATE LEGISLATION
Arizona
EMPLOYMENT. A new law (formerly H.B. 2541) recently approved in Arizona clarifies how employers can interact with workers who use medical marijuana. The law protects employers who take good faith actions based on a perception that an employee is impaired in the workplace. The law also allows employers to monitor employees using medical marijuana to ensure that they are performing duties effectively.
Employers are protected from litigation if they prohibit medical marijuana users from performing “safety sensitive” duties. Employers have latitude in establishing what is considered a safety-sensitive position, but examples include any job that can affect the health or safety of others. Operating a motor vehicle, operating machinery or power tools, and repairing or monitoring certain equipment are all considered safety-sensitive positions under the law.
Georgia
IMMIGRATION. Georgia Governor Nathan Deal has signed a bill (H.B. 87) into law that will require employers in the state to take steps to ensure that they aren’t hiring illegal immigrants. Employers with more than 10 employees are required to use the federal government’s E-Verify system to determine whether a prospective employee is in the United States illegally. Other aspects of the law are identical to Arizona’s controversial law, which is currently under judicial review. Critics of the law expect that there will be legal challenges to the law before it goes into effect in January 2012.
This column should not be construed as legal or legislative advice.
