Monday, March 12, 2012

“Unauthorized Access” and Termination of Employment

As I’ve noted in earlier posts, 18 U.S. Code § 1030 (aka the Computer Fraud and Abuse Act) is the general federal computer crime statute.

That doesn’t mean all the federal computer crimes are defined by this statute; other statutes also define offences that are or can be committed by computer. But § 1030 is the general provision that criminalizes the basic crimes, e.g., accessing a computer without authorization, using a computer to commit fraud or extortion, using a computer to disseminate malware and/or launch a denial of service attack.

As I’ve also noted, 18 U.S. Code § 1030 also creates a civil cause of action that lets those who have been the victims of one or more of the crimes it establishes bring a civil suit seeking damages for the harm caused by those offenses. The civil cause of action is defined by 18 U.S. Code § 1030(g). This post examines an opinion a federal district court judge recently issued in such a suit: SBM Site Services, LLC v. Garrett, 2012 WL 628619 (U.S. District Court for the District of Colorado 2012).

According to the opinion, in January of 2011, SBM Site Services sued John Garrett and Crown Building Maintenance Inc. d/b/a Able Building Maintenance for violating 18 U.S. Code § 1030. SBM Site Services, LLC v. Garrett, supra. Garrett and Able filed a motion to dismiss SBM’s § 1030(g) cause of action on the premise that it failed to state a claim upon which relief can be granted, i.e., was legally insufficient. SBM Site Services, LLC v. Garrett, supra.

As Wikipedia notes, to successfully plead a cause of action, the plaintiff must plead facts that, if proven, would establish all the elements of that cause of action: “For example, assault requires intent, so if the plaintiff has failed to plead intent, the defense can seek dismissal by filing a 12(b)(6) motion.” So the Rule 12(b)(6) motion is a way of attacking the viability of a plaintiff's asserted cause of action.

As to the factual basis for this suit, the opinion explains that SBM provides facilities

support services such as janitorial, recycling, and moving services to its customers. . . . [It] maintains a `great deal’ of confidential information in an electronic database known as its `Knowledge Portal’. . . . The Knowledge Portal contains all of the forms and procedures necessary to operate SBM's business. . . . [and] confidential customer lists and confidential information pertaining to particular customers. . . .


For nearly fifteen years, Garrett was employed by SBM. . . . Garrett was the Senior Vice President -- Chief Business Development Officer and one of only five employees that reported directly to SBM's Chief Operating Officer. . . . SBM provided Garrett with access to the Knowledge Portal for purposes of performing . . . his job. . . . .


Garrett primarily worked remotely for SBM from a home office in Windsor, Colorado. . . . SBM provided Garrett with two desktop computers and two laptop computers. . . . Garrett used these SBM-provided devices to remotely access SBM's computer system, including the Knowledge Portal. . . . SBM also provided Garrett with an external drive to maintain an archive of bids, proposals, templates, and other marketing tools. . . .

SBM Site Services, LLC v. Garrett, supra.

SBM’s Employee Handbook said no employee could “`remove or make copies of any SBM records, reports or documents without prior management approval.’” SBM Site Services, LLC v. Garrett, supra. Garrett also executed a Confidentiality Agreement in which he agreed to “`hold in confidence and not disclose any’” SBM business, records, customer lists, contracts and other items. SBM Site Services, LLC v. Garrett, supra. And he executed a Non-Competition agreement in which he agreed not to participate in any business activity that competed with or was similar to SBM’s business within three years of leaving SBM. SBM Site Services, LLC v. Garrett, supra.

Able is SBM’s “direct competitor.” SBM Site Services, LLC v. Garrett, supra. In 2009,

Garrett had multiple conversations with high-ranking officers at Able. . . . [and] after one of these meetings, . . . asked, his administrative assistant, to access the Knowledge Portal and download all available files under each category. . . .Garrett later asked [her] to mail him a CD with all of these documents on it. . . .


On January 3, 2010, Garrett met with representatives from Able. . . In follow-up correspondence . . ., Able informed Garrett he would be heading up a new division—Able Building Maintenance. . . . The following day, Garrett informally informed SBM that he was resigning effective January 22. . . .


SBM informed Garrett that, upon his departure . . . he would be required to return all SBM property, including equipment, records, and confidential and/or trade secret information in any form or medium. . . . Garrett confirmed that he would return the property. . . .


On January 11, Able made a written offer of employment to Garrett. . . . [who] directed [his assistant] to contact members of the sales team and have them provide their most current customer contact information sheet. . . . Upon receipt of this information, Garrett e-mailed it to his personal e-mail account. . . . Between January 10 and January 22, [he] sent leads and other confidential information of SBM to executives at Able. . . .

SBM Site Services, LLC v. Garrett, supra.

Garrett met with SBM’s director of human resources on January 26, but “failed to return” any of SBM’s computers or the disk with the data downloaded from the Knowledge Portal. SBM Site Services, LLC v. Garrett, supra. SBM scheduled a “follow-up meeting for January 29 . . . to collect these items”, but Garrett canceled the meeting and told SBM the equipment had been shipped. SBM Site Services, LLC v. Garrett, supra.

SBM received the laptop on February 16 and “it had been encrypted with a drive-lock to prevent access.” SBM Site Services, LLC v. Garrett, supra. The opinion says Garrett “has not provided SBM with the password to access the laptop” and SBM later learned it was “`intentionally erased’”. SBM Site Services, LLC v. Garrett, supra.

As noted above, Garrett and Able move to dismiss SBM’s § 1030(g) cause of action. As I’ve noted before, in order to state such a cause of action, the plaintiff must allege that it has been damaged by the defendants’ committing one of the offenses defined by 18 U.S. Code § 1030(a).

In his opinion ruling on the motion to dismiss, the federal judge said the “pertinent” provision of 18 U.S. Code § 1030(a)(5)(C), which makes it a crime to intentionally access a protected computer without authorization and, as a result, cause damage and loss to the owner of the computer. SBM Site Services, LLC v. Garrett, supra. As I’ve noted, § 1030 defines “protected computer” broadly, so that it basically encompasses any computer used in interstate commerce and, I’m sure, encompasses the computer at issue here.

The judge then noted that for SBM to state a viable cause of action under this sub-section of § 1030, it had to allege that Garrett accessed the SBM-owned laptop without being authorized to do so. SBM Site Services, LLC v. Garrett, supra. In their motion to dismiss the defendants argued that “because Garrett was authorized to access the laptop while he was employed by [SBM], he cannot have accessed [it] without authorization.” SBM Site Services, LLC v. Garrett, supra.

In analyzing this argument, the judge noted there is a split of opinion among federal courts as to “what constitutes `unauthorized access’” for purposes of § 1030(a). SBM Site Services, LLC v. Garrett, supra. One view is that authorized access ends when the employee has decided to quit his job or otherwise is guilty of a “`breach of loyalty’” to his employer. SBM Site Services, LLC v. Garrett, supra. That view essentially links the concept of authorization to allegiance to the employer, who conferred authorization on the employee. The other view sees authorized access as ending only if and when the employer “has specifically rescinded the employee’s access to the computer”. SBM Site Services, LLC v. Garrett, supra.

The judge ultimately decided he did not need to adopt either view because both were “immaterial to this case”:

SBM informed Garrett that he was required to return all property that he had been given, including his equipment, at the time he ended his employment. . . . Thus, SBM explicitly revoked Garrett's access to the laptop as of his last day as an employee.


Garrett failed to return much of his equipment, including a laptop, on his last day and canceled a follow-up meeting SBM had scheduled to collect this equipment. . . .

Garrett retained the laptop for approximately three weeks after he terminated his employment with [SBM]. . . . When he returned the laptop . . ., it had been `intentionally erased.’ . . .


The Court finds it is reasonable to infer that Garrett accessed the laptop after his last day of employment with SBM or, stated differently, it is unreasonable to infer that Garrett retained the SBM laptop for about three weeks after his employment with SBM had terminated only to refrain from accessing said laptop during this prolonged period of time. As a consequence, the Court holds that SBM has stated a claim for violation of [18 U.S. Code § 1030].

SBM Site Services, LLC v. Garrett, supra.

The judge then elaborated a bit on his holding:

The cases cited by Defendants for the proposition that Garrett's access to the laptop was not `unauthorized’ are easily distinguishable because they involve the use (or alleged misuse) of company-provided equipment during the duration of the defendant's employment. . . .


In this case, Garrett retained [SBM’s] laptop for three weeks after his employment ended, including more than two weeks after he started his employment with Able, a direct competitor with SBM. . . .


There can be no question that . . . Garrett's access to the laptop became unauthorized when his employment ended and SBM requested return of the laptop.

SBM Site Services, LLC v. Garrett, supra.

The judge also found that SBM had stated a § 1030 cause of action against Able:

Garrett began his employment with Able on January 28, 2010. . . . At such time, Garrett became an agent of Able and Able became liable for any actions taken within the scope of his employment. . . . Garrett did not return the laptop computer to [SBM] until more than two [weeks] after he began his employment with Able. . . . It is reasonable to infer that Garrett accessed SBM's laptop during the time that he was employed with Able and in the scope of such employment. . . .

SBM Site Services, LLC v. Garrett, supra.

He therefore denied the defendants’ motion to dismiss the § 1030 claim. SBM Site Services, LLC v. Garrett, supra. That doesn’t mean SBM will win on the claim. As I noted earlier, the judge was only ruling on whether the facts alleged in SBM’s Complaint, if proven by a preponderance of the evidence, suffice to allege the § 1030 cause of action.

1 comment:

Anonymous said...

After he copied the stuff, why didn't he return it all to them prior to his leaving? He had weeks to make all the copies he needed. What a dummy.