What Employers Can Do to Get the Laptop Back

If a departing employee refuses to return his laptop, in many states an employer cannot deduct the value of the laptop from the final pay, or at least without employee authorization.  And the laptop itself in many cases is the least significant aspect of the loss as documents, intellectual property and confidential information most likely went with it.

The Computer Fraud and Abuse Act (CFAA) may provide some relief.  In Lasco Foods, Inc. v. Hall and Shaw Sales Marketing & Consulting, 2009 WL 151687 (E.D.Mo. 2009), the court held that the employer satisfied the "loss" and "damage" elements of the CFAA by showing that the employees at issue refused to return a computer when requested and deleted information from the computer.  Significantly, the court noted that  "loss" within the meaning of the CFAA included the cost of investigating or remedying damage to a computer, and the cost incurred because service was interrupted. In this case, the employer had to conduct a forensic investigation to determine what was lost.

Under this decision, deletion of information from a single laptop could constitute damage under the CFAA.  Notably, the court did not consider the availability of the information elsewhere, such as on the company's network, as a factor.  Moreover, the Lasco court considered withholding the laptop to be an "interruption in service" under the CFAA because the company could not use its property.  Finally, the cost of hiring an expert constituted a "loss."

Under Lasco, the CFAA can be an effective way for employers seeking to retrieve laptops and confidential or proprietary information from departed employees.  

 

Are you safe from sabotage?

 The risks of employee terminations no longer end with a signed separation agreement and release. Now employee saboteurs can cause catostrophic damage weeks or months after discharge, even after they are off-site. Computer sabotage can destroy a business.

The “Lordstown Syndrome” of Today

 In response to a rigid system of quality control imposed by General Motors at its Lordstown, Ohio plant in the 1970’s, employees who perceived their assembly line work to be dehumanizing committed acts of employee sabotage on the assembly line that resulted in the manufacture of lower quality cars. This event gave rise to what is now commonly known as the “Lordstown Syndrome,” defined as acts of sabotage committed by workers who perform dehumanizing, monotonous work. Aspects of the syndrome include high absenteeism, low productivity, sabotage and wildcat strikes.

Employees can wreck havoc in many ways – damaging supervisors’ cars or personal items; damaging company property; arson; destroying retail merchandise; interfering with deliveries; failing to perform assigned duties or performing them improperly; damaging the company’s reputation – the list is limited only by the imagination of the employee. Dependence on computers, however, has raised the stakes to an unprecedented level, and in this area computer savvy employees can destroy a business without warning. In addition to the horrendous practical and economic consequences of computer sabotage, an employer can face liability for release of the confidential information of clients and customers and for failure to protect assets under the Sarbanes Oxley Act.

 Who is the Employee Saboteur?

Generally, the employee saboteur is seeking revenge for a perceived wrong inflicted on the employee, peers, or even society as a whole. Employees subject to performance warnings, demotion, or termination can be suspects. Employees who oppose the employer’s activities on philosophical or political grounds could also seek to commit harm. Unfortunately, an employee can be laying the groundwork for an act of sabotage, perhaps as insurance against the inevitable discipline or discharge, long before the employer takes any action against the employee.  

 Computer Sabotage

Employees can intentionally misuse or exceed an authorized level of network, system or data access in an unauthorized or illegal attempt to view, disclose, retrieve, delete, change or add information to an employer’s interactive systems. Employees can use techniques such as “data diddling” (alteration of data before or during its entry into the system); “piggybacking” (accessing the system without detection); “Trojan horses” (instructions imbedded in a program that carry out unauthorized functions); “logic bombs” (special programming instructions scheduled to detonate at a specified time); and, viruses.

U.S. v. Lloyd  is an illustrative case. Omega Engineering Corp. employed Timothy Lloyd as its only computer system administrator. The government alleged that during the course of his employment Lloyd was an uncooperative, obstructionist, and belligerent employee who had engaged in verbal and physical altercations with other employees. Witnesses testified that he repeatedly elbowed, shoved and bumped colleagues in the hallways. In May, 1995, because of these interpersonal problems, Omega transferred Lloyd to a non-supervisory position. Although the company characterized the move as “lateral,” Lloyd’s supervisor testified that the removal of supervisory responsibilities actually constituted a demotion. In addition, Lloyd’s percent increase and evaluation were lower than in prior years. In June, 1996, Lloyd instituted a policy requiring all employees to “clean-up” individual computers and save files to the file servers as opposed to their own back-ups. Shortly thereafter, concerned that access to the computer network was too centralized in Lloyd, the company directed Lloyd to provide access to three other management employees, but Lloyd never did so. Following another altercation with a co-employee, Omega terminated Lloyd’s employment on July 10, 1996.

On July 31, 1996, Omega lost more than 1,200 programs, some used to manufacture Omega’s specialized products, causing Omega a 9% decrease in growth and losses of approximately $10 million. Not one individual computer had back-up and the programs on the file server were deleted and purged and could not be retrieved. 

The government alleged that Lloyd sabotaged the network of Omega by planting a time bomb prior to his termination following his transfer/demotion and less than favorable performance review and raise. The government pointed to Lloyd’s level of access to the network; advanced computer programming skills; tests of the time bomb while Lloyd was present in the office; program and commands on Lloyd’s home computer hard-drive; acceptance of another position prior to his termination from Omega; and, threatening and boastful comments Lloyd made to co-workers prior to his termination. Lloyd was convicted on one count of computer sabotage in violation of the Computer Fraud and Abuse Act. The court sentenced Lloyd to 41 months in prison and fined him $2,043, 394 in restitution damages.

 An Ounce of Prevention

 Employers must take both legal and practical steps to prevent employee sabotage before it occurs.

Legal advice:

            °           Draft and implement policies that address the use of the internet; use of computers, information networks, and systems policies; and, use of passwords. Make sure employees understand the limits of their access and the employer’s right to monitor employee use. Obtain signed acknowledgements from employees.

            °           Include computer system use and confidentiality provisions in employment and separation agreements.

             °           Enforce contracts, agreements, collective bargaining agreements, policies and rules.

 Practical protections:

            °           Carefully screen applicants, particularly for computer or technology positions. Employers should be wary of applicants with a persecution complex or cause.

            °           Justice and fair treatment are important to employees. Equitable personnel policies, evaluation processes, progressive discipline, open communication with management, and employee assistance programs can give employees a voice. Job demands should be reasonable.

            °           Increased security measures should be implemented. Employers should:

                          -           Advise employees in writing, via policy, on-screen pop-ups, and/or agreement, that the employer monitors their activities and that their privacy rights in the workplace are limited. 

                           -           Take advantage of the monitoring rights permitted them and ensure that management is vigilant about employee actions.

                            -           Limit the personal items that employees can bring into the workplace (personal laptops, camera phones). 

                            -           Monitor remote access to a company’s system.

                            -           Use and rotate confidential passwords.

                            -           Limit access to the employer’s facilities and computers.

                            -           Include in job descriptions responsibility for all information with which an employee works.

                            -           Raise the computer sophistication of supervisors and managers. The computer savvy of employees often exceeds that of management.

                            -           Decentralize data and access.

                            -           Conduct periodic audits of computer accounts.

                            -           Improve computer security.

                             -           Protect the premises from physical attacks such as fire and floods.

            °           Train employees about the company’s policies on computer usage and confidentiality.

            °           Use a termination checklist for employees, temporary employees, and contractors to ensure that procedures are in place to terminate access to the computer systems and facilities.

            °           Consider purchasing Cyber Insurance.

Responding to an act of sabotage

Once the fox is in the henhouse, there are still steps employers can take against an employee saboteur.

°           Call law enforcement where appropriate. Law enforcement authorities can retrieve stolen property from employees, such as computers, discs and information stored on personal lap-tops. While the property will remain in police custody, it will not be in the hands of the saboteur.

°           Obtain and maintain evidence in accordance with the Rules of Evidence (use chain of custody forms, authenticate senders and recipients). 

°           Use computer forensic specialists to obtain evidence.     

Employers also can pursue the following causes of action.

The Computer Fraud and Abuse Act makes it criminal to access a computer without authorization and provides civil and equitable remedies to employers. Liability can be imposed for unauthorized access where the access results in obtaining something of value; causing damage; or, obtaining information. Employers can recoup losses suffered by the misappropriation of trade secrets and other proprietary information if their losses exceed more than $5,000.00 within a year. “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 

The Economic Espionage Act makes it a crime to steal or receive (including uploading or downloading) trade secrets. However, proof of this offense may require the employer to disclose the trade secret at issue.

Employers also may have claims under state computer laws.

Employers also can and should seek injunctive relief to prohibit the release of confidential information. Employers can enforce confidentiality agreements and other applicable restrictive covenants. Even in the absence of an employee agreement, employers can pursue claims for the breach of the duty of loyalty.

Conclusion

Employers must protect access to their assets as vigilantly as the assets themselves. Disgruntled or discharged employees pose a significant risk not only to co-employees, at times, but also to the entity itself. While legal remedies are available, they will not fix damage that is done.

This article was previously published in the Labor & Employment Law Quarterly, a publication of the New Jersey State Bar Association.