[BreachExchange] Eleventh Circuit Upholds Company Claims Against Former Executive For Unlawful Access to Email

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 10 13:56:24 EST 2017


http://www.jdsupra.com/legalnews/eleventh-circuit-upholds-company-claims-13308/

A terminated executive who accessed co-worker emails in the process of
reporting possible company wrongdoing lost his appeal on several grounds.
In Brown Jordan Intl, Inc. v. Carmicle, the Eleventh Circuit found that the
employee violated both the Stored Communications Act (SCA) and the Computer
Fraud and Abuse Act (CFAA).

Carmicle reported to the company concerns about the preparation of a second
set of financial projections to the detriment of shareholder value.
Carmicle acknowledged that he obtained much of the information by secretly
accessing co-worker emails. He did so by using a universal password issued
as part of an email conversion after employees failed to create their own
personal password. Carmicle subsequently was terminated after an
investigator found his allegations of impropriety were without merit (among
other reasons).

The appellate court upheld the ruling that Carmicle violated the CFAA
despite his argument that Brown Jordan suffered no “loss” as required by
the law. Carmicle argued that there was no damage because the company did
not experience an “interruption of service” and there was no damage to the
computers. However, the company maintained it suffered a loss by, among
other things, engaging an outside consultant to assess how Carmicle
accessed the emails. Based on this expense, the appellate court found the
company sustained a “loss” under the CFAA. The court held that “loss” can
include the reasonable costs incurred in connection with responding to a
violation, assessing the damage done, and restoring the affected data to
the condition prior to the violation.

Finally, the court rejected Carmicle’s argument that his access was
authorized under the SCA based on a company policy stating that employees
have no expectation of privacy and that the company has the right to
monitor email communication. The Eleventh Circuit found that it would be
“unreasonable” to permit someone to exploit a generic password to access
emails without prior authorization and without any suspicion of wrongdoing.

Notwithstanding the outcome in this case, companies are reminded to take
steps to ensure privacy protocols are in place and up-to-date. In this day
and age, it is reasonable to assume that someone – whether from outside the
company or within – may seek access to your network.