Connecticut Business Litigation Blog : Connecticut Business Lawyer & Attorney : N. Kane Bennett : Raymond & Bennett Law Firm : Hartford, Middletown, Glastonbury

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut's computer crime statute.   The statute defines criminal conduct under the following categories:

• Unauthorized access to a computer system
• Theft of computer services
• Interruption of computer services
• Misuse of computer system information
• Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney's fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack with unauthorized access to a computer network.  A common example is a disgruntled employee or vendor with some level of access to the computer network of a business that turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties. 

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can  also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Previously, I have posted about non-compete agreements and the duty of loyalty for employees.  Many times, businesses do not have written contracts to protect confidential and proprietary information from not only competitors and vendors, but also their own employees.  Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.

Another method for attorneys to seek to protect their clients' confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA).  The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets.   The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage.  There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.

Recently, Peter J. Toren wrote an excellent article in the New York Law Journal  where he detailed methods in which the CFAA might be useful for attorneys to protect client trade secrets and other confidential information.   Peter listed the six factors necessary for proof of damages.  Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization. Peter further provides some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access. 

Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA.  Lee's post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA.  Similar to Peter's article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.

In Connecticut federal courts, the reported cases under CFAA, largely have been unsuccessful for a variety of reasons, many of which Peter's article details.  Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2004)) , while another case was dismissed because the facts were insufficient for unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 2009)).   However, in a recent case, in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, and the CFAA. (Genworth Financial Wealth Mngmt. Inc., v. McMullan). 

The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network.  Of course, there are a series of factors that must be met before liability can be established.  Some of these factors may not apply and eliminate the CFAA as a method of recovery as we have seen in several reported cases.  However, the CFAA should be considered and evaluated in any case involving unauthorized access of confidential information through a computer system as it provides an additional basis for potential recovery.  Also, advanced planning with sound internal policies might provide a business with a better chance of success under the CFAA.

I will do a post soon on another statute, Connecticut's Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.

• Email This
• Print
• Comments
• Trackbacks
• Share Link