Wooden,Judge,Gavel,,Close-up,View

A significant opinion concerning computer security was one of those the United States Supreme Court (“SCOTUS”) issued during its end-of-term flurry this year.  Employers and others who permit computer access to sensitive information for business or other defined purposes may want to take note. Spoiler alert:  the opinion undercuts use of the Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. §1030 et seq., to obtain federal jurisdiction in employer-employee disputes. (As a practical matter, the Defend Trade Secrets Act of 2016 had already filled the gap for many circumstances).

As we reported here last December shortly after the oral argument, SCOTUS accepted certiorari for Van Buren v. United States, No. 19-783, a case from the Court of Appeals for the Eleventh Circuit requiring interpretation of a specific part of the CFAA, a federal anti-hacking statute which generally prohibits obtaining or altering computer information without authorization, or by exceeding authorized access. SCOTUS has now reversed the Eleventh Circuit judgment, holding that the CFAA “covers those who obtain information from particular areas in the computer – such as files, folders, or databases – to which their computer access does not extend.  It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”  Van Buren v. United States, 593 U.S.        , [at 1] (2021).

In other words, SCOTUS settled upon the narrower of the proffered readings of the CFAA, such that a smaller sphere of behaviors will be found to violate the statute. The decision suggests that, in order to maintain the possibility of a CFAA action, which confers federal jurisdiction, as part of its available arsenal to protect confidential information, a wise employer will review its computer use policies with special attention to which computer databases, files, and folders employees and other users are entitled, or permitted, to access for any purpose.

The critical question before SCOTUS in Van Buren was how to interpret the phrase “exceeds authorized access” in the statute, which provides for criminal penalties and/or a private right of action against someone who “intentionally accesses a computer without authorization or exceeds authorized access” and thereby causes damage. As we explained when describing the oral argument, petitioner Nathan Van Buren was a police sergeant in Cumming, Georgia, who used his valid credentials to access the patrol car computer, and, from that computer, the law enforcement database maintained by the Georgia Crime Information Center (“GCIC”), in order to obtain information about a license plate. Van Buren was led to believe that the license plate belonged to a woman in whom an acquaintance of his was romantically interested, and that the acquaintance would pay him about $5,000 to check the license plate information. There was no dispute that Van Buren was authorized to access both the computer and the database involved, and there was also no dispute that he sought the license plate information for an improper purpose, outside his job duties; that is, to find out, on behalf of another individual and for his own personal gain, whether the owner of the license plate was an undercover police officer.  Van Buren was charged with and convicted of various offenses, including violation of the CFAA, and sentenced to 18 months in prison.

Van Buren appealed the CFAA conviction, arguing, inter alia, that he did not “exceed[] authorized access” because he was authorized to access the GCIC database, even if he violated department and other policies by searching the database for personal gain rather than police business. The Eleventh Circuit Court of Appeals affirmed the conviction, based on its precedent adhering to the broader interpretation of “exceeds authorized access;” that is, as prohibiting an individual from using his or her authorized access to databases or computer folders for purposes that are not authorized. As noted here in December, the Circuits had split on whether that interpretation or the narrower view, whereby the CFAA is only violated if the user is not authorized to access the database or computer folder in the first place, was right. SCOTUS accepted certiorari to resolve the split.  SCOTUS decided, in a 6-3 decision authored by Justice Barrett, and joined by Justices Breyer, Sotomayor, Kagan, Gorsuch, and Kavanaugh, that the narrower reading is the correct one.

The term “exceeds authorized access” is defined in the CFAA to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” §1030(e)(6). (Emphasis added). Because there is no dispute that Van Buren was “authorized” to “access [the] computer” he used, or that he “obtain[ed] information,” the decision turned on whether he was “entitled so to obtain” the information.  As foreshadowed by the oral argument, the analysis turns on the meaning of the word “so” in the phrase “entitled so to obtain.”

The opinion undertook a painstaking analysis, beginning with a text-based approach. SCOTUS addressed the text of the statute from several angles.  It determined that “so,” using the dictionary definition of “the same manner as has been stated” or “the way or manner described” must have its reference within the text of the statute, rather than outside of it. The majority found that the proper antecedent to “not entitled so to obtain,” then, is via a computer the user is authorized to access. SCOTUS explained that, once having legitimately accessed a computer, the user may then go on to access areas of the computer where information is stored, such as databases, files, or folders.  The user may have permission, whether by password, policy, or otherwise, to access some areas of the computer, but not others.  The word “so” in the phrase “entitled so to obtain” accordingly refers to which of those areas the individual accesses from that authorized computer. Thus, if the user only accesses files s/he is legitimately permitted to access, s/he does not violate the statute, even if s/he then uses that information for an improper purpose, but if s/he accesses, and obtains or alters information from, unauthorized databases, files or folders, s/he runs afoul of the CFAA. For example, an employer’s computer network may have numerous databases, and may assign its employees a desktop or laptop computer from which the employees are authorized to access the network to perform their job functions. If the employees are permitted to access databases in their own departments, and are prohibited from accessing, for example, a human resources database, they violate the CFAA if they obtain or alter any information from the human resources database. If, on the other hand, there are no policies or passwords limiting the databases the employees can access, they will not violate the CFAA by accessing the human resources database, even if they use it to view other employees’ personnel files, or other information that may be considered confidential. (To be clear, this interpretation of the CFAA would not prevent termination of the employee for violating company policy by viewing confidential files).

SCOTUS thus adopted Van Buren’s interpretation of the statute and rejected the Government’s reading, which would interpret “is not entitled so to obtain” to “refer to information one was not allowed to obtain in the particular manner or circumstances in which he obtained it. Van Buren, 593 U. S. at          [p. 6] (emphasis in original). That is the understanding that Van Buren was subject to at trial: because he was only permitted by policy to use the license plate database for police business, his use of it for an unauthorized purpose was found to be a violation. SCOTUS’s decision adopting the narrower view thus overturned his conviction.

After examining the text and the arguments of the Government and of the dissent from several angles to support its reading, SCOTUS proceeded to also analyze the structure of the statute.  SCOTUS decided that the structure, as well as the purposes of the statute, like the textual analysis, also supported the narrow view. The Court explained that the phrases “without authorization” and “exceeds authorized access” are best balanced when both are evaluated using a “gates up or down” approach.  That is, the user either does, or does not, have authorization to access a particular computer, and the user does, or does not, have permissible access to a particular database, file, or folder.  Finding a CFAA violation when a person misuses data or information from a database that s/he did have permission to access, according to SCOTUS, would not afford the structure of the statute that same balance. In addition, SCOTUS found its interpretation of the CFAA best suited the anti-hacking purposes of the statute in that accessing prohibited computer files or folders is akin to internal hacking, whereas misusing information the user is authorized to access is not.

Finally, the majority discussed some of the “parade of horribles” that had been described at oral argument. Though not finding the issue determinative, calling it “extra icing on a cake already frosted,” Van Buren, 593 U.S. at       [p. 17] (citations omitted), SCOTUS noted that the Government’s reading “would attach criminal penalties to a breathtaking amount of commonplace computer activity.” Id. The Court cited sending a personal email or reading the newspaper from a work computer that is designated to be used for work purposes only, as examples of activities that could be criminalized if the broader view prevailed.

There are some key takeaways from the decision for employers and others with computer information to protect. Given the narrow reading of “exceeds authorized access,” the CFAA will not be available as a cause of action when an employee or other invited computer user misuses computer information s/he is legitimately authorized to access (as has been true in the Second, Fourth, and Ninth Circuits for some time, though not in the First, Fifth, Seventh or Eleventh Circuits). So companies will have to rely on common law and contractual protections for confidential information, the Defense of Trade Secrets Act, if applicable, company policy, and similar tools, which are not diminished by this decision, to handle employees who, for example, download files they have worked on to take to a competitor.

However, owners of sensitive and confidential information may still be guided by the decision and its reasoning to take steps that could increase options for invoking the CFAA, and could better protect their computer information more generally. For example, employers will be well-advised to carefully evaluate the permissions granted to employees, customers, or other users, for the files, folders, and databases that make up the areas of their computers or computer networks.  Perhaps not all employees need access to all databases, and if they do not “so” need access, perhaps it should be formally restricted, via explicit policy or even by password or other barrier. Though the meaning of the word “so” in the CFAA has now been settled, protection of confidential information remains an ongoing process, requiring constant vigilance.

Governor Steve Sisolak recently signed Assembly Bill 47, which amends Nevada’s statute governing noncompetition agreements (Nevada Revised Statutes 613.195).  Employers should be aware of the following changes to the law, which will go into effect on October 1, 2021.

First, under the amended Nevada statute, employers are explicitly prohibited from bringing an action to restrict a former employee from providing service to a former customer or client if:

  1. the former employee did not solicit the former customer or client;
  2. the customer or client voluntarily chose to leave and seek services from the former employee; and
  3. the former employee is otherwise complying with the limitations in the covenant as to time, geographical area and scope of activity to be restrained, other than any limitation on providing services to a former customer or client who seeks the services of the former employee without any contact instigated by the former employee.

While the current Nevada statute provides that covenants could not impose these restrictions, the explicit ban on employer lawsuits seeking to restrict employees under these circumstances is new.  If an employer restricts or attempts to restrict a former employee in this manner, the court must award reasonable attorney’s fees and costs to the employee.

Second, regardless of who brings the action, courts must now blue pencil a covenant that is “supported by valuable consideration but contains limitations as to time, geographical area or scope of activity to be restrained that are not reasonable, imposes a greater restraint than is necessary for the protection of the employer…, or imposes undue hardship on the employee.”  Prior to this amendment, courts were only required to “revise the covenant to the extent necessary and enforce the covenant as revised” if the action was brought by the employer seeking to enforce the non-compete.  Now, courts must blue pencil and enforce the covenant, rather than just declare it unlawful, even if the employee has brought the court action to challenge the non-compete.

Third, the amended law now prohibits non-competes for any “employee who is paid solely on an hourly wage basis, exclusive of any tips or gratuities.”  If a court finds that a non-compete applies to an employee “paid solely on an hourly wage basis,” the court must award the employee reasonable attorney’s fees and costs.  The court is required to award such fees and costs regardless of whether the employer brought the court action to enforce the covenant, or the employee brought the action to challenge the covenant.

Employers should review their agreements and consult with counsel to ensure that any non-compete provisions are in compliance with this amended law.

Our colleagues David S. Poppick and Carol J. Faherty have co-authored the 2021 update to “Trade Secret Laws: Connecticut,” a Q&A guide to state law on trade secrets and confidentiality for private employers in Connecticut, published by Thomson Reuters Practical Law.

Following is an excerpt (see below to download the full version in PDF format):

This Q&A addresses the state-specific definition of trade secrets and the legal requirements relating to protecting them. Federal, local, or municipal law may impose additional or different requirements. Answers to questions can be compared across several jurisdictions. …

In particular, this Q&A addresses:

  • Overview of State Trade Secret Law
  • Definition of Trade Secret
  • Reasonable Efforts to Maintain Secrecy
  • Trade Secret Misappropriation Claims
  • Defenses
  • Statute of Limitations
  • Other Related Claims
  • Remedies
  • Contractual Protections
  • Miscellaneous

Click here to download the full article in PDF format: “Trade Secret Laws: Connecticut – 2021 Update.”

We’d like to share an article we wrote recently in Law360: “Illinois Noncompete Reform Balances Employee and Biz Interests.”

Following is an excerpt (see below to download the full version in PDF format):

Over Memorial Day weekend, the Illinois Legislature accomplished something truly remarkable: a comprehensive reform of noncompete and nonsolicit law that was passed unanimously by the Illinois Senate and House of Representatives.

The reform bill is not a complete ban, as some competing bills and employee advocates originally sought. And the bill is certainly not pro-enforcement, as many employers would prefer. Instead, it is that increasingly rare political creature: a compromise.

Why Is the Illinois Compromise Significant?

Attitudes toward restrictive covenants do not fit neatly into a red or a blue political litmus test, as there are competing interests recognized by persons on both sides of the political aisle. On the one hand, post-employment restrictive covenants are one of the most effective tools to protect confidential information, customer relationships, and a business’s investment in itself and its employees.

Businesses in both red and blue states see the same color when it comes to protecting these interests: green. On the other hand, post-employment restrictive covenants impede employee mobility, and thereby clash with fundamental notions of individual liberty. …

Download the full article in PDF format: “Illinois Noncompete Reform Balances Employee and Biz Interests.”

Oregon’s Senate Bill 169, signed May 21, 2021 strengthens Oregon’s existing restrictions on noncompete agreements.  Unlike Oregon’s 2019 law which imposed new notice requirements on employers seeking to enter into enforceable noncompetes, Senate Bill 169’s changes are more subtle though just as impactful.

Previously, noncompete agreements which failed to comply with Oregon’s statutory requirements were “voidable.”  Senate Bill 169 declares noncompliant noncompetes entered into after January 1, 2022 “void” ab initio.  This seemingly minor change may carry significant legal consequence if it ends up reducing the circumstances in which a former employer can sue for tortious interference.

Other changes in Senate Bill 169 include a reduction in the maximum enforceable length of a noncompete from 18 months to 12 months and a new formula for determining the minimum compensation an employee must be paid to be subject to a noncompete.  Previously, Oregon employers could only bind employees earning at least the median family income for a four-person family as determined by the most recent available census information to be bound by a noncompete.  Under Senate Bill 169, employees must make at least $100,533.00 in 2021 dollars adjusted for inflation to be subject to a noncompete.

Significantly, SB 169 maintains Oregon’s “garden leave” option to enforce otherwise noncompliant noncompetes.  This permits employers to enforce otherwise unenforceable noncompetes for up to a year provided  the agreement provides in writing that the former employee will be paid the greater of at least 50% of their gross annual base salary and commissions at the time of termination or 50% of $100,533.00 in 2021 dollars adjusted for inflation.

Senate Bill 169 applies to agreements entered into on or after January 1, 2022.  Employers should take steps to ensure that their restrictive covenants for Oregon employees comply with Senate Bill 169 in advance of this effective date.

As reported here and here, in December 2019 and January 2020, the United States Department of Justice brought its first criminal charges against employers who entered into “naked” wage fixing agreements and no-poach (e.g., non-solicitation and/or non-hire)  agreements with competitors. According to DOJ’s 2016 Antitrust Guidance for HR Professionals, such agreements are “naked,” and, therefore, illegal per se, because they are “separate from or not reasonably related to a larger legitimate collaboration between competitors.”  Although DOJ recognized that such agreements may not be illegal per se when made in furtherance of legitimate joint ventures or business, it provided scant guidance on what it would deem to be a legitimate joint venture or collaboration.  The Pennsylvania Supreme Court recently addressed the issue in Pittsburgh Logistics Systems v. Beemac Trucking, 2021 WL 1676399, at *1 (Pa. Apr. 29, 2021).  Relying in part on DOJ’s Guidance, the Court found that the no-poach agreement was unenforceable because it was overbroad and contrary to public policy.

Plaintiff, a third party logistics provider, sought to enforce a no-poach agreement that prohibited defendant, who supplied trucking services to plaintiff, from hiring or soliciting any of plaintiff’s employees.  The Supreme Court found that the no-poach agreement was ancillary to the services agreement between plaintiff and defendant.  Therefore, it reviewed the agreement  under the “rule of reason,” test included in the Restatement (Second) of Contracts, which requires that the restraint be no greater than necessary to protect the plaintiff’s legitimate business interest and that the plaintiff’s need not be outweighed by the hardship to the defendant and the likely injury to the public.  The Supreme Court found that this test was consistent with DOJ’s Guidance, but concluded that the no-poach restraint was unreasonable.

Although the Supreme Court acknowledged that the plaintiff “had a legitimate business interest in preventing its business partners from poaching” its employees, it found that the no-poach agreement was overbroad because it prohibited defendant from hiring plaintiff’s employees for two years after the collaboration ended, regardless of whether they had ever worked with defendant.  The Court also found that the agreement was likely to harm the public by: (1) impairing the mobility of plaintiff’s employees, who were not parties to the contract; (2) depriving several named individual defendants of their livelihood; and (3) undermining overall competition in the labor market for the shipping and logistics industry, which would suppress wages and harm the publicly generally.  Along the way, the Court recognized that DOJ has “taken a strong stand against no-hire restrictions,” and that fourteen states had recently reached a settlement agreement requiring four national franchisors to cease using no-poach agreements restricting employee mobility.

The Supreme Court’s decision reflects increasing skepticism toward no-poach agreements.  Indeed, as reported here, President Biden has indicated that he favors eliminating non-compete and no-poach agreements that suppress wages, and state legislatures and law enforcement authorities seem to be ready to regulate this area.  As reported here,  New York is considering legislation that would prohibit no-poach clauses in franchise agreements and would create a private right of action for any employee subject to such an agreement, along with potential punitive damages and attorney’s fees.  Similarly, in 2019, Maine enacted a law prohibiting no-poach agreements between employers.

Notwithstanding these developments, employers who are involved in legitimate joint ventures can still take steps to protect their legitimate interest in ensuring effective business collaborations while protecting their trade secrets, good will and work force.   The Pittsburgh Logistics case provides important guideposts for business involved in legitimate joint ventures.  First, like non-solicitation clauses in agreements with employees, the restraints in no-poach agreements between partners should be no greater than necessary.  Thus, no-poach agreements between business partners should either end when the joint venture or collaboration ends or reflect the geographic and temporal limits recognized as enforceable in employment agreements in the relevant jurisdiction.  Second, businesses should consider requiring employees to agree to refrain from seeking positions with any business partner for whom they have worked while they are employed or for a reasonable period after their employment ends.  Indeed, the Pennsylvania Supreme Court found it significant that the employees were not aware of the no-poach agreement between the business partners and were not parties to the agreement, thus raising the question if the outcome would have been different had the plaintiff included a similar restriction in its employment agreements.

As shown by the DOJ’s recent criminal enforcement actions and the Pittsburgh Logistics case, the law in this area is rapidly developing.  However, each situation is unique and there is no one-size-fits-all approach to navigating this thicket.  Employers who wish to protect their work forces to ensure effective collaborations should review both their agreements with their business partners and their employees to ensure that their agreements can withstand scrutiny.

As readers of this blog know, no-poach and wage-fixing agreements are a current hot topic for both civil and criminal enforcement by the Antitrust Division of the Department of Justice.

Our colleague, Stuart M. Gerson has authored a helpful summary of recent history and what’s at stake regarding this topic, in an article published in Bloomberg Law: “No-Poaching Agreements, Wage-Fixing & Antitrust Prosecution.”

The following is an excerpt:

Especially in difficult economic times, companies look for stability and predictability. Hence, while intent upon avoiding litigation charging wage fixing or its close cousin, no-poach agreements, experience suggests that there are companies that might be considering various ways to exchange information related to employment that can be used for “bench marking.”

Such efforts are intended to be lawful means to create and share data that are updated from time to time and that reflect prevailing levels and standards by which companies might be able to intuit what their competitors are doing and therefore can establish market rates and practices which presumably the individual members of the group might adopt.

Although such companies might be concerned only about information exchanges, and not agreements to fix wages or avoid poaching of competitors’ employees, the potential enforcement stance of the Department of Justice simply does not allow for this simplification.

Click here to download the full article in PDF format.

New Jersey may be poised to become the latest state to adopt strict procedural and substantive requirements on post-employment non-compete agreements. Assembly Bill No. 1650, if passed, would substantially overhaul New Jersey’s laws regarding post-employment non-compete agreements by, among other things, limiting the types of employees against whom a non-compete agreement is enforceable, as well as limiting the time, scope and geographic region of a non-compete agreement. Assembly Bill No. 1650 still permits post-employment non-compete agreements so long as the agreements are “not broader than necessary to protect the legitimate business interests of the employer.” The bill suggests that employers should first determine if an alternative agreement, such as a non-solicitation agreement with respect to hiring the employer’s employees or transacting business with the employer’s customers, clients, referral sources or vendors, would instead be sufficient to protect the employer’s legitimate business interests.

If passed in its current form, the bill would exclude ten categories of individuals from being subject to non-compete agreements, including employees classified as nonexempt under the Fair Labor Standards Act of 1938, employees that have been terminated without a determination of misconduct or laid off by action of the employer, and employees whose period of service to an employer is less than one year. Notably, the bill limits the length of non-compete agreements to a one-year period and requires that geographic restrictions be “reasonable” and “limited to the geographic areas in which the employee provided services or had a material presence or influence during the two years preceding the date of termination of employment, and shall not prohibit an employee from seeking employment in other states.” The bill also requires that all non-compete agreements have a garden leave period during which employers must continue to pay an employee their full salary and make benefit contributions on the employee’s behalf during the period of time covered by the non-compete agreement.

Additionally, the bill requires specific notices be provided to prospective and current employees within specified time frames prior to entering into a non-compete agreement. Employers would also be required to notify employees in writing no later than 10 days after the termination of the employment relationship of its intent to enforce the agreement. The failure to provide this notice would automatically void the agreement. However, this notice provision would not apply if the employee has been terminated for misconduct.

If the bill passes in its current form, employers would not be able to use a choice of law provision to avoid the bill’s requirements. Choice of law provisions would be forbidden if the employee is either a resident of or employed in New Jersey for at least thirty days immediately preceding their termination of employment and at the time their employment is terminated. Employers would also be required to post a copy of the summary of the bill’s requirements in a “prominent place in the work area.”

The bill also provides an employee subject to a non-compete agreement the right to commence a civil action against the employer or another person for violating the bill within two years of the later of: (1) when the prohibited agreement was signed; (2) when the employee learns of the prohibited agreement; (3) when the employment relationship is terminated; or (4) when the employer takes steps to enforce the agreement. Courts would have jurisdiction to void the agreement and award any additional appropriate relief.

On February 24, 2021, A1650 received enough votes to clear the Assembly Labor Committee. The bill is currently awaiting a vote before the General Assembly. If enacted, the legislation would take effect immediately, but would not apply retroactively to any agreement in effect on or before the date of enactment.

We’re pleased to present the 2021 update to “Hiring from a Competitor: Practical Tips to Minimize Litigation Risk,” published by Thomson Reuters Practical Law.

Following is an excerpt – see below to download the full version:

A Practice Note describing the steps an employer can take to minimize litigation risk when hiring from a competitor. This Note discusses potential statutory and common law claims when hiring from a competitor, the need to identify any existing contractual restrictions a potential new hire may have, how to avoid potential issues during the recruitment process, ensuring the new hire is a “good leaver” during the resignation process, responding to cease and desist letters, and potential pre-litigation settlement concepts. The Note is jurisdiction neutral.

Click here to download the full Practice Note in PDF format.

Last week, the New York State Senate advanced two bills seeking to ban both “no-poach” clauses in franchise agreements and “no-rehire” clauses, which are commonly used in settlement agreements.

The first of these bills, known as the End Employer Collusion Act (Bill S562), prohibits no-poach agreements between franchisors and franchisees.  Such agreements restrict franchisees from soliciting or hiring current or former employees of the franchisor or other franchisees.  The End Employer Collusion Act would also provide a private right of action for any person denied employment on account of a no–poach agreement, and would allow for the recovery of actual and punitive damages, as well as costs and attorneys’ fees.  The New York legislature is not the first to target no-poach clauses in franchise agreements; Washington passed legislation banning such clauses nearly two years ago.  In addition, prior to taking office, in his Plan for Strengthening Worker Organizing, Collective Bargaining, and Unions, President Biden indicated that he would like to see federal legislation in this area, and that he intends to work with Congress to “outright ban all no-poaching agreements.”

The second bill, S766, would prohibit employers from inserting no-rehire clauses in settlement agreements with employees or independent contractors.  Such clauses bar employees from applying for or accepting future employment with the employer, or its related entities, and were originally designed to protect an employer from retaliation claims in the event that the employee reapplied for his or her prior job and was not hired.  The proposed legislation would void settlement agreements containing no-rehire clauses.  However, the employer’s obligations under the settlement agreement, including payments to the employee, would remain intact, creating the possibility for an employee to sue the employer again after having received a settlement payment.  While the justification for the bill states, “[t]he bill would not, however, prohibit any termination of employment mutually agreed upon as part of a settlement, nor would it automatically force a defendant employer to rehire an employee who had previously settled a case against the employer,” it could expose employers to increased risk of multiple litigations with the same employee.

Both bills are ones to watch.