In a recent case, with some rather salacious details, the Third Circuit had the opportunity to examine employee liability under the Computer Fraud and Abuse Act (CFAA). Teva received a tip from a competitor’s former employee that one of Teva’s employees was funneling confidential information to the competitor. Alarmed, Teva promptly launched an investigation. The investigation revealed that Teva’s senior director of regulatory affairs was sharing confidential documents and trade secrets with her lover, the competitor’s CEO. The senior director had uploaded at least 900 documents to her personal cloud, emailed documents to her lover, and saved documents to a USB drive. Teva terminated the senior director and brought a CFAA claim, as well as other federal and state law claims.
Weighing in on the Circuit split, the court held that an employee is liable if they access a protected computer without authorization. Since the senior director had authorization to access Teva’s computers and the confidential information, she did not violate the CFAA, regardless of whether she misused the information. The court dismissed the CFAA claim, but allowed Teva’s other claims to move forward. Teva Pharmaceuticals USA Inc. v. Barinder Sandhu et al., No. 2:17-cv-03031 (3d. Cir. January 30, 2018).
Although the employee here was an executive the employer thought it could trust, this case should motivate employers to re-evaluate employee access to confidential information and how such information is protected. The ruling should also motivate employers to review and revise their computer access policies to narrowly define the types and methods of “authorized” access.