Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
Employer Entitled to CDA Immunity; Company Rules May Set Scope Of Authorized Use Under Computer Fraud and Abuse
March 27, 2007
EMPLOYER ENTITLED TO CDA IMMUNITYA California Appellate court recently held that an employer who provides internet access to employees qualifies for immunity as the provider of an “interactive computer service” under Section 230 of the Communications Decency Act (“CDA”). The holding appears to be the first of its kind, and further extends the scope of the CDA's already broad immunity provision.
The case arose when Cameron Moore, an employee of Agilent Tech Inc., sent a large number of harassing e-mail messages to plaintiffs, Michelangelo Delfino and Mary Day. The plaintiffs claimed that Agilent was negligent in failing to prevent or stop the messaging. Agilent filed a motion for summary judgment contending that it was entitled to § 230 immunity. Agilent contended that it’s only relationship to the messages was the fact that they went out over the Agilent computer system. As such, Agilent argued that it was an “interactive computer service” provider.
Under § 230, an interactive computer service provider is not deemed a publisher, and therefore, not liable, for information content provided by third parties. While the CDA had been applied to any number of more traditional internet service providers, such as AOL, no case had ever applied § 230 to an employer provided system. Despite the lack of precedent, the California court agreed with a number of commentators who contend that the policy purposes of § 230 –- the promotion of uninhibited of internet speech and the protection of providers who take steps to correct offensive speech – apply to employer provided systems just as much as they do to more traditional ISP’s.
Once it found that § 230 would generally apply, the court had no trouble applying it to the facts before it. Because Agilent’s system “enable[d] computer access by multiple users [i.e., Agilent’s employees] to a computer server” it qualified as an interactive computer service provider. Since the plaintiffs sought to impose liability on Agilent based on the content of Moore’s messages, the plaintiffs clearly sought to treat Agilent as the “publisher” of the information. Finally, there was no dispute that Moore (whose Yahoo screen name, by the way, was “crack_smoking_jesus” – bet he was a lot fun at office parties) provided the content. This collection of facts easily satisfied the requirements for application of § 230 liability.
The court found that the employee, Moore, provided the content of the messages because they were not in any way related to Agilent’s business. The case may have come out differently had the messages been related. A corporation can only act through its employees. If employees post messages in the course of their employment, then in that instance the corporation is the content provider, and § 230 probably wouldn’t apply.
Agilent provides some comfort to employers who simply cannot monitor every email message and internet posting that employees send out. But while the holding is welcome, it may be limited to those instances where the messages are purely personal. And, of course, the other lesson is to be very wary of any employee whose screen name includes the adjective “crack_smoking.”
COMPANY RULES MAY SET SCOPE OF AUTHORIZED USE UNDER COMPUTER FRAUD AND ABUSE ACT
The federal Computer Fraud and Abuse Act (“CFAA”) is a criminal statute that permits the United States to prosecute persons who steal or destroy computer data. But the CFAA also provides a civil remedy that allows victims to compel return of the stolen information and to recover compensatory damages. An important provision of the CFAA prohibits any “unauthorized use” of a computer system, as well as a use that exceeds authorization.
Several courts have ruled that “unauthorized use” includes a use that violates rules established by the owner of the computer system. For example, courts have applied the CFAA against former employees who have taken information (or failed to return information) to their former employer upon termination. Where the CFAA applies, the company needn’t establish that the information constitutes a “trade secret” in order to obtain injunctive relief, as it might under traditional common law.
Unauthorized use may apply to situations beyond the employment setting. A company may establish rules for downloading information from its Web site. If it does, and a visitor violates the rules in the course of downloading information, that visitor may be liable under the CFAA. Again, the information needn’t qualify as a “trade secret” to invoke the protection of the CFAA.
To better utilize the CFAA, a company should clearly articulate rules of data access that spell out exactly what is permitted and what is prohibited. It should also secure agreement to the rules from the employee or Web site visitor. Obtaining a signed acknowledgement from employees is probably the most effective method, but if that is not feasible, the employee handbook should state that adherence to the data authorization policy is a condition of employment. To obtain acknowledgement from Web site users, terms of use, and a click acknowledgement should work.
By recognizing that company policy may establish the bounds of use, the courts have in effect allowed to private parties to dictate what constitutes a violation of the CFAA. It’s a tool that savvy companies should employ!
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.