SECA: Protecting Sensitive Company Information
The realities of the modern workplace – with its sophisticated, transient
workforce and near-total reliance on the electronic storage, retrieval, and
manipulation of information – require prudent employers to take steps
to regulate the use of company technology by employees generally and to protect
sensitive company information accessible by employees specifically. Among the
tools available to employers to assist with the latter goal are statutes such
as the Stored Wire and Electronic Communications and Transactional Records
Access Act (SECA) and the Computer Fraud and Abuse Act (CFAA) which create
criminal and civil penalties for individuals accessing computer or electronic
information either without authorization or in excess of their authorization.
Maryland employers and their counsel need to pay special attention to this
area of law, however. Although the recent Maryland District Court decision
in International Association of Machinists and Aerospace Workers v. Werner-Masuda seems
to limit the relevance of these statutes in the employment context, the Court's
reasoning in Werner-Masuda runs contrary to the majority of federal
courts to consider the matter, and it is unlikely to be followed. Maryland
employers would therefore do well to examine precedent from other circuits
contrary to the Werner-Masuda holding in drafting materials intended
to regulate the workplace.
In a nutshell, the difference between the Court's holding in Werner-Masuda and
most other Courts to decide the applicability of the CFAA and SECA to the employment
context turns on the distinction between sabotage by an "insider" who accesses
the employer's information with the intent to use that information for an unauthorized
purpose and so-called "outside hacking"
by someone not employed by the company and having no ties to the company at
all. The defendant in Werner-Masuda was alleged to have accessed her
employer's highly-confidential membership list and provided that information
to another entity as part of a drive to recruit union members to a different
union. Because she had signed an agreement with her employer agreeing that
she had authority to access proprietary information only for the purposes
of assisting her employer, her then-former employer included in the claims
against her counts under both the SECA and CFAA.
The U.S. District Court for the District of Maryland ruled that the International
Association of Machinists had failed to state a claim under either the SECA
or the CFAA. In reaching this finding, the Court considered only the undisputed
fact that Werner-Masuda had been authorized to access the information in question
and disregarded the registration agreement Werner-Masuda had signed at the
outset of her employment, in which she agreed that her use of the information
contained in her employer's network for reasons not benefiting her employer
would be inappropriate.
The Court's opinion in Werner-Masuda is flawed in part because it
confuses the SECA and the CFAA. While no Court has ever held that the CFAA's
scope is limited to outside hackers, several well-reasoned opinions have held
that the SECA's scope is limited to outside hackers; the opinion in Werner-Masuda seems
to have conceptually combined the two statutes without recognizing that each
statute has a somewhat different scope.
Nevertheless, for the purposes of employers attempting to protect themselves
and their sensitive company data, a very important lesson can he gleaned from
the Court's holding in Werner-Masuda. The Court in Werner-Masuda stressed
that the CFAA prohibits unauthorized access only; the Court then emphasized
that what the plaintiff hoped to do was recover civilly for Werner-Masuda's use of
information that she was authorized to access. Employers hoping to find protection
under the CFAA would therefore do well to outline each employee's scope and
authority to access and use sensitive company information in a separate written
agreement signed by the employee.
It would probably not the wisest course to include such information as part
of the more general materials communicating the employer's policy on the use
of company technology. Employers might also want to consider getting the employee
to agree in advance on what types of activities would constitute unauthorized
use and access of the employer's information.
It goes without saying that any employer that lacks an official policy on
the use and abuse of company technology does so at his or her own peril. Properly
seen, agreements which define and delimit an employee's authorization to access
sensitive company information are a vital workplace policy and are in every
way as important as policies regarding inappropriate e-mail and Internet usage.
Zachary A. Kitts is an associate at the Vienna,
Virginia, firm of Tate, Bywater & Fuller, Ltd., where he focuses his practice
in the area of employment law, representing and counseling both employers