What Employers Can Do to Get the Laptop Back

If a departing employee refuses to return his laptop, in many states an employer cannot deduct the value of the laptop from the final pay, or at least without employee authorization.  And the laptop itself in many cases is the least significant aspect of the loss as documents, intellectual property and confidential information most likely went with it.

The Computer Fraud and Abuse Act (CFAA) may provide some relief.  In Lasco Foods, Inc. v. Hall and Shaw Sales Marketing & Consulting, 2009 WL 151687 (E.D.Mo. 2009), the court held that the employer satisfied the "loss" and "damage" elements of the CFAA by showing that the employees at issue refused to return a computer when requested and deleted information from the computer.  Significantly, the court noted that  "loss" within the meaning of the CFAA included the cost of investigating or remedying damage to a computer, and the cost incurred because service was interrupted. In this case, the employer had to conduct a forensic investigation to determine what was lost.

Under this decision, deletion of information from a single laptop could constitute damage under the CFAA.  Notably, the court did not consider the availability of the information elsewhere, such as on the company's network, as a factor.  Moreover, the Lasco court considered withholding the laptop to be an "interruption in service" under the CFAA because the company could not use its property.  Finally, the cost of hiring an expert constituted a "loss."

Under Lasco, the CFAA can be an effective way for employers seeking to retrieve laptops and confidential or proprietary information from departed employees.  

 

Are you safe from sabotage?

 The risks of employee terminations no longer end with a signed separation agreement and release. Now employee saboteurs can cause catostrophic damage weeks or months after discharge, even after they are off-site. Computer sabotage can destroy a business.

The “Lordstown Syndrome” of Today

 In response to a rigid system of quality control imposed by General Motors at its Lordstown, Ohio plant in the 1970’s, employees who perceived their assembly line work to be dehumanizing committed acts of employee sabotage on the assembly line that resulted in the manufacture of lower quality cars. This event gave rise to what is now commonly known as the “Lordstown Syndrome,” defined as acts of sabotage committed by workers who perform dehumanizing, monotonous work. Aspects of the syndrome include high absenteeism, low productivity, sabotage and wildcat strikes.

Employees can wreck havoc in many ways – damaging supervisors’ cars or personal items; damaging company property; arson; destroying retail merchandise; interfering with deliveries; failing to perform assigned duties or performing them improperly; damaging the company’s reputation – the list is limited only by the imagination of the employee. Dependence on computers, however, has raised the stakes to an unprecedented level, and in this area computer savvy employees can destroy a business without warning. In addition to the horrendous practical and economic consequences of computer sabotage, an employer can face liability for release of the confidential information of clients and customers and for failure to protect assets under the Sarbanes Oxley Act.

 Who is the Employee Saboteur?

Generally, the employee saboteur is seeking revenge for a perceived wrong inflicted on the employee, peers, or even society as a whole. Employees subject to performance warnings, demotion, or termination can be suspects. Employees who oppose the employer’s activities on philosophical or political grounds could also seek to commit harm. Unfortunately, an employee can be laying the groundwork for an act of sabotage, perhaps as insurance against the inevitable discipline or discharge, long before the employer takes any action against the employee.  

 Computer Sabotage

Employees can intentionally misuse or exceed an authorized level of network, system or data access in an unauthorized or illegal attempt to view, disclose, retrieve, delete, change or add information to an employer’s interactive systems. Employees can use techniques such as “data diddling” (alteration of data before or during its entry into the system); “piggybacking” (accessing the system without detection); “Trojan horses” (instructions imbedded in a program that carry out unauthorized functions); “logic bombs” (special programming instructions scheduled to detonate at a specified time); and, viruses.

U.S. v. Lloyd  is an illustrative case. Omega Engineering Corp. employed Timothy Lloyd as its only computer system administrator. The government alleged that during the course of his employment Lloyd was an uncooperative, obstructionist, and belligerent employee who had engaged in verbal and physical altercations with other employees. Witnesses testified that he repeatedly elbowed, shoved and bumped colleagues in the hallways. In May, 1995, because of these interpersonal problems, Omega transferred Lloyd to a non-supervisory position. Although the company characterized the move as “lateral,” Lloyd’s supervisor testified that the removal of supervisory responsibilities actually constituted a demotion. In addition, Lloyd’s percent increase and evaluation were lower than in prior years. In June, 1996, Lloyd instituted a policy requiring all employees to “clean-up” individual computers and save files to the file servers as opposed to their own back-ups. Shortly thereafter, concerned that access to the computer network was too centralized in Lloyd, the company directed Lloyd to provide access to three other management employees, but Lloyd never did so. Following another altercation with a co-employee, Omega terminated Lloyd’s employment on July 10, 1996.

On July 31, 1996, Omega lost more than 1,200 programs, some used to manufacture Omega’s specialized products, causing Omega a 9% decrease in growth and losses of approximately $10 million. Not one individual computer had back-up and the programs on the file server were deleted and purged and could not be retrieved. 

The government alleged that Lloyd sabotaged the network of Omega by planting a time bomb prior to his termination following his transfer/demotion and less than favorable performance review and raise. The government pointed to Lloyd’s level of access to the network; advanced computer programming skills; tests of the time bomb while Lloyd was present in the office; program and commands on Lloyd’s home computer hard-drive; acceptance of another position prior to his termination from Omega; and, threatening and boastful comments Lloyd made to co-workers prior to his termination. Lloyd was convicted on one count of computer sabotage in violation of the Computer Fraud and Abuse Act. The court sentenced Lloyd to 41 months in prison and fined him $2,043, 394 in restitution damages.

 An Ounce of Prevention

 Employers must take both legal and practical steps to prevent employee sabotage before it occurs.

Legal advice:

            °           Draft and implement policies that address the use of the internet; use of computers, information networks, and systems policies; and, use of passwords. Make sure employees understand the limits of their access and the employer’s right to monitor employee use. Obtain signed acknowledgements from employees.

            °           Include computer system use and confidentiality provisions in employment and separation agreements.

             °           Enforce contracts, agreements, collective bargaining agreements, policies and rules.

 Practical protections:

            °           Carefully screen applicants, particularly for computer or technology positions. Employers should be wary of applicants with a persecution complex or cause.

            °           Justice and fair treatment are important to employees. Equitable personnel policies, evaluation processes, progressive discipline, open communication with management, and employee assistance programs can give employees a voice. Job demands should be reasonable.

            °           Increased security measures should be implemented. Employers should:

                          -           Advise employees in writing, via policy, on-screen pop-ups, and/or agreement, that the employer monitors their activities and that their privacy rights in the workplace are limited. 

                           -           Take advantage of the monitoring rights permitted them and ensure that management is vigilant about employee actions.

                            -           Limit the personal items that employees can bring into the workplace (personal laptops, camera phones). 

                            -           Monitor remote access to a company’s system.

                            -           Use and rotate confidential passwords.

                            -           Limit access to the employer’s facilities and computers.

                            -           Include in job descriptions responsibility for all information with which an employee works.

                            -           Raise the computer sophistication of supervisors and managers. The computer savvy of employees often exceeds that of management.

                            -           Decentralize data and access.

                            -           Conduct periodic audits of computer accounts.

                            -           Improve computer security.

                             -           Protect the premises from physical attacks such as fire and floods.

            °           Train employees about the company’s policies on computer usage and confidentiality.

            °           Use a termination checklist for employees, temporary employees, and contractors to ensure that procedures are in place to terminate access to the computer systems and facilities.

            °           Consider purchasing Cyber Insurance.

Responding to an act of sabotage

Once the fox is in the henhouse, there are still steps employers can take against an employee saboteur.

°           Call law enforcement where appropriate. Law enforcement authorities can retrieve stolen property from employees, such as computers, discs and information stored on personal lap-tops. While the property will remain in police custody, it will not be in the hands of the saboteur.

°           Obtain and maintain evidence in accordance with the Rules of Evidence (use chain of custody forms, authenticate senders and recipients). 

°           Use computer forensic specialists to obtain evidence.     

Employers also can pursue the following causes of action.

The Computer Fraud and Abuse Act makes it criminal to access a computer without authorization and provides civil and equitable remedies to employers. Liability can be imposed for unauthorized access where the access results in obtaining something of value; causing damage; or, obtaining information. Employers can recoup losses suffered by the misappropriation of trade secrets and other proprietary information if their losses exceed more than $5,000.00 within a year. “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 

The Economic Espionage Act makes it a crime to steal or receive (including uploading or downloading) trade secrets. However, proof of this offense may require the employer to disclose the trade secret at issue.

Employers also may have claims under state computer laws.

Employers also can and should seek injunctive relief to prohibit the release of confidential information. Employers can enforce confidentiality agreements and other applicable restrictive covenants. Even in the absence of an employee agreement, employers can pursue claims for the breach of the duty of loyalty.

Conclusion

Employers must protect access to their assets as vigilantly as the assets themselves. Disgruntled or discharged employees pose a significant risk not only to co-employees, at times, but also to the entity itself. While legal remedies are available, they will not fix damage that is done.

This article was previously published in the Labor & Employment Law Quarterly, a publication of the New Jersey State Bar Association.

Corporate Social Responsibility and RIFs

 While some employers may be able to assert the economic downturn as a legitimate business reason for an adverse employment action or as an unforeseeable business circumstance excusing notice under WARN, others may face a heightened expectation from juries and courts to "do the right thing."  Drug companies are often challenged to forego profits in the name of corporate social responsibility when faced with demand for drugs such as Tamiflu. Will there be a similar expectation for employers to maintain employment and benefits rather than add to the swell of unemployed or uninsured? If employers may be faced with a social responsibility standard, it is even more critical that an adverse action be defensible. Employers, and those implementing the decisions, must thoroughly understand the underlying business reasons. And employers who don't "share the pain," even if complying with the letter of law, may face an unfavorable reaction to their decisions.www.leadgood.org.

For more on the idea of corporate social responsibility and ethics in business leadership, see "Is Employment a Corporate Social Responsibility?" by Jason Meyer at

Why me?

"Why me?"  It's the most basic question in challenging a RIF, but it may be harder to answer than employers think.  Poor scores or evaluations alone will not be enough.

The importance of well-reasoned RIFs is clearly demonstrated in EEOC v. Boeing Co., decided April 8, 2009.  Boeing selected two female employees, Antonia Castron and Renee Wrede,  for lay-off based on their low scores on reduction in force assessments.  The two employees then filed charges of gender discrimination with the Equal Employment Opportunity Commission (the "EEOC"), which filed suit against Boeing.   The court found that the EEOC had presented sufficient evidence to proceed with its claims based on the following:

Antonia Castron:

- Derogatory and demeaning remarks made by one supervisor, although not directed at Castron, were possible evidence of discrimination.

- Castron's former supervisor had possibly induced Castron to accept a transfer by promising that she would not be laid off during training.  However, once training was completed, her employment was terminated based on an evaluation by her new supervisor.

- The new supervisor's evaluation of Castron was suspect because he did not solicit Castron trainer's input or take into consideration her past performance.  Notably, the court considered co-worker testimony that the supervisor treated Castron unfairly.

Renee Wrede:

- One year after filing a sexual harassment claim, which Boeing substantiated, Wrede received lower scores in her RIF evaluation and was eventually terminated.

- Male employees who received lower RIF scores were not terminated, but instead found other positions in Boeing, partly due to supervisor assistance that was not extended to Wrede.

- The court noted that the fact that the same actors who ultimately downgraded Wrede's review previously gave her scores high enough to avoid a RIF could create an inference that no discrimination took place.  However, the inference in this case was weaker as applied to less overtly positive employment decisions, such as refraining from firing an employee or giving a "lukewarm" review, as compared to positive decisions such as promotion.  The court explained "[e]ven an extremely biased supervisor who would never hire or promote members of a particular protected class might still act cautiously by lowering an existing employee's scores over time."

- In some instances, the evaluators could not explain or support the downgraded scores, which were refuted by co-workers.

Employers implementing a reduction in force can learn some important lessons from this decision.  An inference of discrimination can be created  by:  a discriminatory environment based on even non-specific comments about a protected class;  assurances, such as of job security, that are later broken;  unsubstantiated negative evaluations; a disregard of co-worker assessments; and, favoritism. 

Front line supervisors must be able to substantiate their decisions objectively.  Management cannot rely on poor evaluations or RIF assessments only without testing the supervisor's decision.  Courts and juries will not accept explanations of adverse employment decisions on their face, and in the absence of credible substantiation, will attribute suspect and even discriminatory motives to employers.