E-Commerce Law Week, Issue 419

Is Employee Access to a Company Computer a License to Steal?
If an employee walks off with sensitive company data downloaded from the corporate network, can the company sue him under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030? So far, the courts are split. Several district courts and the Seventh Circuit (International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006)) have ruled that such employees have exceeded their authorized access to the company computers and thus can be held liable under the CFAA. But earlier this month, a district court in Florida reached the opposite conclusion. In Lockheed Martin Corp. v. Speed, the court ruled that employees who used their access to corporate computers to download trade secrets and then share them with the company's competitors cannot be said to have accessed this proprietary information "without authorization" or in excess of their authorization for purposes of the CFAA. The court also found that an employee's subsequent misuse of corporate data has no bearing on whether the employee's access was authorized. Given the continuing uncertainty over the meaning of "authorization," companies may want to protect themselves by setting clearer limits on employees' use of company computers.

Court's Ruling on Damages Under Stored Communications Act Could Increase ISP Liability
For electronic communications service providers, the Stored Communications Act (SCA) (18 U.S.C. § 2701 et seq.) can be a double-edged sword. On the one hand, its cause of action against anyone who "intentionally accesses [stored electronic communications] without authorization" can help them recover damages from someone who hacks into their system. On the other hand, the liability it creates for providers who inappropriately divulge stored communications, communications records, or subscriber information can prove costly.  Either way, electronic communications providers could be significantly affected by a recent federal court ruling (In Re: Hawaiian Airlines, Inc.) that the SCA allows recovery of statutory damages even without a showing of "actual damage" to the plaintiff, and permits statutory damages to be multiplied by the number of violations.

FFIEC Releases FAQ on Authentication Requirements
Last October, the Federal Financial Institutions Examination Council (FFIEC) issued new Guidance, entitled Authentication in an Internet Banking Environment, intended to help financial institutions and their technology service providers determine when a PIN or password is not enough to protect their customers' Internet-based transactions. Citing mounting "incidents of fraud, including identity theft" and an increasingly demanding legal environment, the Guidance warned that single-factor authentication is inadequate for high-risk transactions and suggested that financial institutions consider using new USB "token" and biometric technologies to augment their current password or PIN-based approaches. On August 15, the FFIEC released a set of Frequently Asked Questions (FAQ) addressing concerns and questions raised by financial institutions and service providers in the months since the Guidance was issued. One of the main points of clarification is that multifactor authentication is not required for high-risk transactions, as long as some other method of risk mitigation is used to supplement single-factor authentication.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.