A California legislator recently introduced two bills in Congress which, if passed, could have profound effects for companies seeking to pursue claims relating to trade secrets and confidential information – one bill would create a new private right of action under federal law for trade secret theft, while the other bill would appear to limit plaintiffs’ abilities to pursue existing remedies for computer fraud and abuse.
In its current form, the Economic Espionage Act allows only federal prosecutors to bring criminal trade secrets charges against persons who have stolen trade secrets. On June 20, 2013, however, Representative Zoe Lofgren (a California Democrat representing a district that includes San Jose and Silicon Valley) introduced a bill titled the “Private Right of Action Against Theft of Trade Secrets Act of 2013” (H.R. 2466) which would amend the Economic Espionage Act to add a civil remedy, by adding two new subsections to 18 U.S.C. §1832:
(c) Any person who suffers injury by reason of violation of this section may maintain a civil action against the violator to obtain appropriate compensatory damages and injunctive relief or other equitable relief. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.
(d) For purposes of this section, the term ‘without authorization’ shall not mean independent derivation or working backwards from a lawfully obtained known product or service to divine the process which aided its development or manufacture.
If passed, this proposed amendment could result in a dramatic uptick of trade secrets lawsuits filed in federal courts. Currently, companies pursuing trade secret misappropriation claims are largely limited to state law remedies, and as a result often find themselves limited to state court.
While the Private Right of Action Against Theft of Trade Secrets Act of 2013 would provide additional ammunition against persons who steal trade secrets, a companion bill that seeks to clarify a controversial provision in the Computer Fraud and Abuse Act (“CFAA”) could restrict companies’ ability to pursue claims under the CFAA.
On the same day as the above-discussed amendment to the Economic Espionage Act was introduced, Representative Lofgren co-sponsored a bill (“Aaron’s Law Act of 2013,” H.R. 2454) that would narrow the scope of the CFAA. As stated on Rep. Lofgren’s website, this bill, among other things:
Establishes that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, the bill would instead define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls – such as password requirements, encryption, or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions this bill does not modify.
As we have blogged about previously here, here and here, when companies sue their former employees under the CFAA, the employees frequently argue that the CFAA prohibits unauthorized access to protected computers, not unauthorized use of those computers and the confidential information thereon. This issue — the application of the CFAA to alleged employee computer abuse — is the subject of numerous court decisions across the country, some of which interpret the CFAA’s “without authorization” language broadly, and some of which interpret it narrowly, as former employees commonly urge. The recently introduced H.R. 2454 bill, if passed, would enact as law the narrow, pro-employee view of the CFAA.
While these bills were only recently introduced and have a long way to go before they might become law, their potential consequences for employers and attorneys make them important ones to follow.