Georgetown Law
Technology Review

INTRODUCTION

Fraud is a seemingly easy concept to understand. By definition, it describes the actions of a person “deliberately deceiving someone else with the intent of causing damage.”1Fraud, Wex Legal Dictionary, https://www.law.cornell.edu/wex/fraud [https://perma.cc/BRN5-N5ST]. However, various jurisdictions within the United States qualify both the act of fraud and the related offenses differently.2See id. These varying perspectives alone can lend themselves to numerous regulatory interpretations, which subsequently result in varying reactions from society at large.

Despite this inherent relationship of cause and effect between state regulation and societal reaction, there is always a pivotal moment when governance meets pushback. This pressure can come from anywhere, including competing legal measures, growing social movements, contrasting business interests, or failing economies. Nevertheless, the moment inevitably arises, demanding attention, evaluation, and recourse.

In our advancing society, technology is often the catalyst for such pivotal moments. The technology of computer systems and the Internet constantly implicate new, unexplored pressures arising in our rapidly developing world. From around-the-clock communication, to social media profiles, to data-driven search results at the tap of a touchscreen, our lives have been altered in numerous ways. This makes technology an increasingly difficult problem for regulators that are trying to apply traditional legal principles to a rapidly-evolving society.

So, what happens when technological conveniences collide with our technological responsibilities in the workplace? When the tools and mechanisms necessary to earn a living are the same as those necessary to live in a modern society, it is only a matter of time until curiosity gets the best of us. The question becomes whether pure curiosity while online at work is harmless and excusable, or fraudulent and punishable. Employers and employees alike should be apprised of the potential consequences stemming from the use of technology, including its toll on employment relationships and threats of liability. These threats intensify the need for employers to act diligently from the very beginning of every employment relationship to maintain trust in employees and keep threats of fraud and implications of vicarious liability at bay.

TECHNOLOGY MEETS FRAUD

At the intersection of technology and fraud lies the Computer Fraud and Abuse Act (the “CFAA” or the “Act”).318 U.S.C. § 1030 (2012). The CFAA is not without its own controversy.4See generally, e.g., Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003); Reid Skibell, Cybercrimes & Misdemeanors: A Reevaluation of the Computer Fraud and Abuse Act, 18 Berkeley Tech. L.J. 909 (2003); Peter A. Winn, The Guilty Eye: Unauthorized Access, Trespass and Privacy, 62 Bus. Lawyer 1395 (2007). Originally enacted in 1986, the Act amended the 1984 Comprehensive Crime Control Act, which introduced the first federal computer crime statute.5See Computer Fraud and Abuse Act of 1986, Pub. L. No. 99–474, § 2, 100 Stat. 1213 (codified as amended at 18 U.S.C. § 1030 (2012)). See also CFAA Background, Nat’l Ass’n of Criminal Def. Lawyers, https://www.nacdl.org/criminaldefense.aspx?id=34244 [https://perma.cc/3ZDE-H9RJ]. Arguably, the CFAA marked Congress’ attempt to proactively combat computer hacking and damage to sensitive information.6See CFAA Background, supra note 5. However, since its enactment, the CFAA has undergone numerous amendments, greatly expanding its scope and its potential to cause confusion.7Id. An overall lack of guidance—derived from the Act’s ambiguous nature and the absence of critical definitions—has led to first impression, exploratory decisions by courts across the nation and leaves open the possibility for many uncertainties that are not yet understood.8See id.; James G. Snell, Heather Shook, & Peter R. Vogel, Bingham McCutchen LLP, Computer Crimes: A Handbook of Civil and Criminal Issues for In-House Counsel 4–6 (2012), https://www.morganlewis.com/~/media/files/docs/archive/privacy_computer_crimes_handbook_march2012.ashx [https://perma.cc/GU9K-ZYZD] (summarizing types of claims brought under computer crimes statutes, including “business protecting customers,” “customer against business,” “competitor against competitor,” “employee against employer,” “employer against employee,” “government prosecution,” and “subpoena responses”).

FRAUD MEETS LIABILITY

In 1994, the CFAA, previously a criminal statute, was amended to allow for civil claims brought by private parties seeking damages and relief.9See Computer Abuse Amendments Act of 1994, Pub. L. No. 103–322, 108 Stat. 2097–2099 (codified as amended at 18 U.S.C. § 1030 (2012)); CFAA Background, supra note 5. Although this amendment empowered individuals who fell victim to acts of computer crime, it also produced a floodgate effect. The ambiguous nature of the text provided expansive leeway for civil complaints based on varying interpretations of computer use and misuse, as well as the threat of federal prosecution under a criminal statute. The all-inclusive quality of technology through Internet-enabled devices, combined with subsequent amendments to the Act, only further expanded its reach. The 2008 amendment marked the inclusion of any computer in or outside the United States “affecting interstate or foreign commerce or communication.”10See 18 U.S.C. § 1030(e)(2)(B); CFAA Background, supra note 5.

The controversial CFAA saga continues even today—over thirty years since its implementation and nearly ten years since its last alteration—facing a dimensional battle between the physical and virtual worlds. Like many other regulatory devices, the CFAA attempts to assert traditional, physical understandings to the constantly evolving virtual world. Although rooted in a solid foundation, the traditional reasoning leads to inconsistencies and gaps in the text. For instance, the term “authorization” sparks much debate, as it is constantly referenced throughout the Act without an explicit definition.11See generally 18 U.S.C. § 1030(e) (2012); see also Kyle W. Brenton, Trade Secret Law and the Computer Fraud and Abuse Act: Two Problems and Two Solutions, 2009 U. Ill. J.L. Tech. & Pol’y 429, 436, 452–54 (2009). This leaves the legal community endlessly exploring regulatory interpretations based on principles of contract, architecture, and societal norms.12See generally Lawrence Lessig, Code Version 2.0 (2006).

If such a complicated historical landscape perplexes the brightest legal minds of our time, the laypersons regulated by the CFAA are sure to encounter some unknowns as well. For every technological advancement that increases profitability through improved industry and business development, there is an equally powerful side-effect of liability. This is especially true in the modern workforce.

In decades past, the employer-employee relationship was somewhat simpler, without the expectations brought about by high-speed Internet access driving demands and deadlines. The speed of our lifestyles alone is cause for distraction via a digital game of solitaire or a mental timeout to browse through an online shopping mall. But involving employment computers and network connections with one’s personal downtime can have very serious consequences. The CFAA’s reach, once a purely criminal context, now encompasses civil complaints within employment relationships. If unprepared, employers and employees can find themselves in a liability battle, pointing fingers of responsibility.13See Erin M. Davis, The Doctrine of Respondeat Superior: An Application to Employers’ Liability for the Computer or Internet Crimes Committed by Their Employees, 12 Alb. L.J. Sci. & Tech. 683, 688 (2002). Like the judicial system, employment relationships must maneuver through the obstacles that arise from computer use and the CFAA’s private right of action.

LIABILITY MEETS EMPLOYMENT RELATIONSHIPS

Employment relationships describe a legal connection between workers, who perform tasks or services as requested, and overseers, who pay the workers in exchange for their performance.14See Employment Relationship, Int’l Labour Org., http://ilo.org/ifpdial/areas-of-work/labour-law/WCMS_CON_TXT_IFPDIAL_EMPREL_EN/lang–en/index.htm [https://perma.cc/XQX8-P8TP]. Although simple by definition, the specifics vary largely by industry, stability, benefits, and advancement. Across a variety of work environments, however, there is a widespread understanding of the balance of rights to obligations within the context of an employer-employee relationship.15Id.

Within an employment relationship, expectations are typically managed by reference to specified duties or obligations. In business, employees are generally expected to display seven duties towards their employers: obedience, loyalty, cooperation, care, accountability, security, and trustworthiness.16See Duties of Employees, Bus. Dictionary, http://www.businessdictionary.com/definition/duties-of-employees.html [https://perma.cc/G5Y9-GEYH]. In return, employers are generally expected to assign reasonable work, within a safe environment, for just compensation, free from threat of liability from performing the assigned tasks.17See Duties of Employers, Bus. Dictionary, http://www.businessdictionary.com/definition/duties-of-employees.html [https://perma.cc/46VC-BNGK]. If either party fails to meet their obligations, the other party has a responsibility to rectify the situation and preserve the balance of accountability based on the terms of the employment relationship. Without mindful attention to the relationship’s dynamics, both employers and employees can make themselves susceptible to liability.

In the context of employment, vicarious liability, known also by the Latin term “respondeat superior,” refers to an employer’s responsibility for an employee’s actions.18See Restatement (Second) of Agency §§ 228, 243 (1958); see also Respondeat Superior, Black’s Law Dictionary (10th ed. 2014). To prove the elements of vicarious liability, one must show: the existence of an employment agreement, that the employer exerted control over the employee, and that the employee’s actions fell within the scope of employment.19See Respondeat Superior, supra note 19.

The principle of vicarious liability has serious implications for employees’ use of employers’ information systems. Introducing employment relationships to Internet-enabled computers can result in costly damages for employers.20See, e.g., United States v. Nosal, 676 F.3d 854 (9th Cir. 2012); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006); Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000); United States v. John, 597 F.3d 263 (5th Cir. 2010); LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009); United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). Combined with the Act’s ambiguous nature and the undefined concept of “authorization,” there is much debate about whether employees can use their computers, networks, and database access for reasons other than designated business affairs, and whether that access falls within their scope of employment. At present, there is a circuit split dividing the courts’ interpretation of whether such liability exists by statutory intent or design.21See Leonard A. Feiwus, Can Employers Be Vicariously Liable Under CFAA?, Law360, (Nov. 14, 2014, 12:37 PM), https://www.law360.com/articles/596016 [https://perma.cc/5QNU-V5BH]. The debate has almost exclusively focused on disgruntled former employees who leave their employment premises toting trade secrets and wiped databases nestled tightly in their banker’s boxes of personal items. Case after case has been agonizingly scrutinized, trying to force the former employees’ misbehaviors into the text of the Act.22See Snell, Shook, & Vogel, supra note 8, at 5 (noting the common nature of claims by employers against employees and internal data breach cases). But what happens when mere curiosity meets allegations of fraud?

EMPLOYMENT RELATIONSHIPS MEET COMPUTER FRAUD

Stemming from the aftermath of the Ninth Circuit’s landmark case United States v. Nosal, courts across the country faced uncertainties regarding employer responsibility and vicarious liability from CFAA claims.23See Nosal, 676 F.3d at 854. As a result, two legal theories emerged. The agency theory and the contract theory provide ammunition for the CFAA’s opposing sides amid costly claims of computer misuse and data breaches.24See Keith Richard, Comment, United States v. Nosal and the CFAA: What Does DailySudoku.com Have to Do with Computer Fraud, 48 New Eng. L. Rev. 421 (2014) (citing Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1562 (2010); Garrett D. Urban, Note, Causing Damage Without Authorization: The Limitations of Current Judicial Interpretations of Employee Authorization Under the Computer Fraud and Abuse Act, 52 Wm. & Mary L. Rev. 1369, 1372 (2011)).

The agency theory, as articulated by the Seventh Circuit, advances the argument that employees’ authorization to access computer systems and networks terminates when an employee breaches a fiduciary duty owed to the employer.25See Citrin, 440 F.3d at 420–21; Shurgard, 119 F. Supp. 2d at 1125. At the moment when “an employee’s allegiance turns against the employer, the employee’s authorization is effectively revoked.”26See Richard, supra note 24 (citing Citrin, 440 F.3d at 420 and Shurgard, 119 F. Supp. 2d at 1125). Under this theory, an employee’s scope of employment is highly scrutinized.27See Davis, supra note 13 (citing Restatement (Second) Of Agency §§ 228, 243 (1958)); see also Respondeat Superior, supra note 19. For instance, employees are provided company computers, smartphones, and wireless connections and they are expected to complete their assigned tasks. However, to truly ensure such compliance, every single keystroke requires constant observation or regular monitoring. In a perfect, controlled environment this may be a possibility. But placing such monitoring demands on employers of every shape and size can be overwhelming and overly burdensome. From a policy standpoint, these precautionary costs can reduce innovation and prevent economic growth.

Under the contract theory, supported by the First, Fifth, and Eleventh Circuits, an employee exceeds authorized access when he or she knowingly breaches either a company policy or an employment contract.28See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581 (1st Cir. 2001). This approach requires employers to ensure their employees not only receive notice of the consequences of their unauthorized access, but also consent to the liability stemming from unauthorized computer use. Under this theory, courts hold the employment relationship itself to a higher standard than other contracts such as the acceptable use policies which typically govern employees’ workplace web-browsing. Rather, the contract theory requires conscious reflection and responsibility by employees. This approach may be less costly because it shares the burden between both employers and employees, but strict enforcement is necessary to escape claims of vicarious liability.

An important characteristic of both theories lies in the fact that employees technically had the ability, hence the authority, to access the computer system, network, or database in question; otherwise, the access would have been more explicitly denied. To actively prevent unauthorized access and claims of liability, employers should heed warnings from both theories, which prescribe the proper measures needed to dodge costly consequences. Employers must outline their expectations from the beginning of an employment relationship and must maintain enforcement without fail. By utilizing employment contracts, login protocols, and refresher acknowledgements, employers can effectively alert employees of the consequences of misuse. Further, by regularly monitoring employees’ use and appropriately reinforcing the standards of employment, employers can show their strict adherence to the principles of both agency and contract.

The CFAA’s private right of action provides an incentive for those able to prove a breakdown in the employment relationship. Disgruntled former employees already have a personal incentive to attack their former employers. At present, the burden lies more heavily on the employer to prove their standards and expectations are adequate to prevent employee misbehavior. If employers act diligently from the point of hire, or act immediately upon any sign of misuse, trust in one’s employees can remain stable and reliable, keeping threats of vicarious liability under the CFAA at a distance.

COMPUTER FRAUD FACES UNCERTAINTY

The precedent cases are serious matters, involving examples of extreme behavior, detriment to the federal government, and manipulation resulting in unfair competition. But what about lesser acts of “fraud” committed in the workplace: stray glances at trade secrets or confidential customer information? As the old saying goes, “when the cat’s away, the mice will play.” Restless employees can easily succumb to human nature, tempted into computer exploration and investigation beyond their job descriptions.

The widespread use of technology in the workplace can lead to a number of predicaments for employees with idle time or idle minds. Employees have an incredible amount of authorized access when working within the confines of their job descriptions and duties. Employees’ login credentials, knowledge of database infrastructure, and awareness of enforcement mechanisms provide a ripe situation for potential abuse or misuse. Yet only the employment relationship can decide whether an employee’s actions cross the line or fall within vicarious liability.

The growth and expansion of technology in the workplace has sparked renewed debate over the CFAA’s proper role in today’s workplace technology policies. The lens of vicarious liability continually develops through the courts’ interpretations of what or who is considered responsible for authorized computer use. Because there may be serious consequences to an employer whose technology is misused or abused, employers must be aware and active or pay the price of their curious employees.