Friday, May 24, 2013

Password Sharing and the Computer Fraud and Abuse Act, Revisited

I was reading Eric Ostroff's fine post discussing customer lists as trade secrets, in the context of a recent case involving Farmers Insurance Exchange and several of its former agents, Farmers Ins. Exch. v. Steele Ins. Agency, 2013 U.S. Dist. LEXIS 70098 (E.D. Cal. May 16, 2013).

The trade secret at issue in that case involved an electronic compilation of data about insurance customers. Farmers maintains that compilation for its captive agents through something called an "Agency Dashboard." In the captive insurance setting, the insurer normally owns proprietary rights to its customer information. This is in stark contrast to the independent agency system, where the agents themselves retain rights to such data.

Eric does a nice job summarizing the steps Farmers takes to protect its customer data, including the requirement that agents log in with passwords each time they gain access to the database. They must, as Eric points out, acknowledge Farmers' proprietary rights upon entry to Farmers' dashboard system.

Full disclosure, now.

I litigated several matters against Farmers Insurance over the years. And I am well-familiar with the way in which Farmers pursues trade secrets cases against ex-agents, and all too familiar with the Agency Dashboard, what it looks like, and how it works.

So I won't summarize what Eric wrote, but instead I want to highlight a fact that came up in the case and try to apply a claim Farmers hasn't (yet?) pursued.

Yes, I am talking about our old pal, the Computer Fraud and Abuse Act.

At least two of the defendants in the Farmers case used passwords that did not belong to them to access Agency Dashboard.

One of the defendants was an office employee (seemingly a customer service agent) who used another Farmers agent's password to download reports out of Agency Dashboard. That agent, apparently not complicit, had severe health problems.

Another defendant was the son of a Farmers agent (again, it didn't appear the agent was complicit) and used his father's Farmers password to log in to Agency Dashboard. Though not crystal clear from the record, the defendant then presumably used proprietary data from the dashboard to switch customers away from Farmers. Neither of those defendants had password credentials of his or her own.

This case comes at an interesting time. John Marsh, Russell Beck, and I just recorded another episode of the Fairly Competing podcast (which will be available Tuesday morning), and we discussed the latest chapter in United States v. Nosal. The factual matrix in that case (also from California) involved something very similar to what I've just described: gaining access to a protected computer system through password sharing. (For my prior post discussing Nosal in the District Court, click here.)

That is: X uses Y's password to log in to a protected database, when X can't otherwise gain access through credentials assigned to him.

As the Nosal jury found, this conduct violated the CFAA because the individual is gaining access to a protected computer without authorization. A password is the quintessential access barrier, familiar to everyone.

The Farmers case was teed up for a preliminary injunction around the time the Nosal verdict came down, and there isn't much precedent available for extending the CFAA to the password-sharing paradigm. In fact, given the Ninth Circuit's rather narrow interpretation of the CFAA, it's to be expected that attorneys would pull back on civil claims under this statute.

But it appears that the agents who accessed Agency Dashboard without proper password credentials may have violated the CFAA, at least under the statutory interpretation applied by the District Court in Nosal. The case under the CFAA may be stronger than that against Nosal, because there's no indication Nosal himself accessed the database with someone else's password. He was just directing traffic.

I still have not reconciled, personally, whether the CFAA should be extended to this fact pattern, though I think it probably should. I have great reservations about the CFAA for many reasons. And given the Ninth Circuit's narrow construction of the CFAA, it is possible we'll get further guidance on whether password sharing implicates a statutory violation when Nosal II is decided.

Friday, May 17, 2013

Episode 8 of Fairly Competing: Has the Time Come to Add a Federal Civil Trade Secrets Claim?


Now available is Episode 8 of the Fairly Competing podcast: Has the Time Come to Add a Federal Civil Trade Secrets Claim?

In this episode, John Marsh, Russell Beck, and I discuss the proposals to add a federal cause of action for trade secrets theft.

We address the pros and cons of the proposed legislation known as PATSIA - Protecting American Trade Secrets and Innovation Act of 2012. John, Russell, and I also weigh other options to create a federal civil remedy compared to the PATSIA framework and discuss the policy rationales behind federalizing trade secrets claims in civil litigation.

You can listen to the podcast by clicking on the link below, visiting the official podcast website, or subscribing to Fairly Competing on iTunes.

Listen to this episode

Thursday, May 16, 2013

Proposed Non-Compete Legislation in Connecticut Follows Legislative Trend

So far, 2013 has been active for proposed non-compete legislation.

At the beginning of any calendar year, it's not surprising to see a number of bills introduced in state assemblies or legislatures - many of which have no chance of becoming law. This year, bills impacting non-compete agreements have been proposed in Minnesota, Massachusetts, Maryland, and Illinois. We've also seen the momentum build in various states concerning restrictions on employer access to social media passwords. And very recently, Texas enacted what many believe to be a business-friendly version of the Uniform Trade Secrets Act.

Following this trend, the Connecticut House of Representatives Bill No. 693 - regulating non-compete agreements - reported favorably out of the Judiciary Committee. A copy of the bill file is embedded below, but I'll summarize it briefly.

There are two chief elements to the law:

  1. It would codify the common law, in essence allowing non-competes to be enforced if reasonable as to time, territory, and scope of activity.
  2. The procedural change requires employers to provide at least ten days' prior notice to the employee to get a legal review of the non-compete.
  3. The law allows for, but does not require, equitable modification by the court of an overbroad agreement.
  4. It only applies to agreements "entered into, renewed or extended" on or after October 1, 2013.

A couple of open questions - big surprise - remain:

  1. The law does not mention anything about what an employer must show in terms of a legitimate business interest supporting the covenant, though that is something every employer must be prepared to demonstrate.
  2. It likely does not apply to confidentiality agreements.
  3. It is not clear whether it applies to non-solicitation agreements.
  4. It is limited to employment agreements, not those between businesses (or businesses and independent contractors).

My favorite aspect of the proposed bill is the proviso that states a person harmed by a violation of the law "may bring a civil action" to recover damages, costs, and fees. This is meaningless because anyone "may bring a civil action" for just about anything. They just might not be successful. The law, though, does not require an award of attorneys' fees for a successful enforcement of, or challenge to, the underlying covenant.

Finally, I am not sure why the Judiciary Committee felt it necessary to have the law apply to agreements "extended" on or after October 1, 2013. Arguably, any non-compete that is currently in effect is "extended" past the effective date of the statute. I would hope courts wouldn't construe this provision in an absurd way, as that could have the unintended consequence of invalidating agreements entered into previously in full compliance with common law.


Monday, May 13, 2013

You Can't Reverse Blue-Pencil a Non-Compete

By now, I hope readers of this blog would be aware that the title of this post simply reinforces the obvious.

For background, the "blue-pencil" rule is intended to allow a court to enforce the reasonable parts of non-competition agreements, while deleting those portions that render the covenant overbroad. Its cousin, the "equitable modification" rule, gives a little more discretion to a trial court judge, such that he or she can make substantive changes to the clause (as opposed to deletions) when narrowing it up.

What neither rule allows is expansion of the covenant to include a broader range of competitive activity. Lawyers and clients need to understand, though, that judges are generalists and aren't as accustomed to examining these issues with the kind of depth that nerds like me are. So they make mistakes.

A perfect illustration comes from the Appellate Court of Illinois, which issued an opinion this week that addressed this reverse blue-penciling issue. The non-solicitation covenant at issue in that case was similar to what many provide: the employee (a physician) could not "solicit, divert or take away business or patronage" of the medical practice for three years following termination of employment.

The case, which is embedded below, is yet another primer on "How Not to Leave Your Employer" and follows the same basic fact pattern as I've written about on prior occasions. The trial court in Chicago issued a preliminary injunction which enforced the agreement and restrained the defendants (including one not bound to any non-compete) from "treating any current or former patients of" the medical practice.

This is more extensive than the terms of the non-solicitation covenant because "treating" is broader than the operative triggering language in the contract - "solicit, divert or take away." The Appellate Court held such an expansion of the terms was improper given the relatively clear language of the contract.

Counsel drafting non-solicitation covenants should always consider whether the terms are broad enough to include "passive" solicitation (that is, a client approaches the ex-employee) as opposed to mere "active" solicitation (affirmative efforts to lure clients away). Because it is almost impossible for an employer to assess objectively the difference between the two (it only knows the client has left), there are few business reasons why a non-solicitation covenant should be drafted to exclude passive solicitation.


Friday, May 10, 2013

Episode 7 of Fairly Competing: Trade Secrets, Whistleblowers, and the First Amendment

Episode 7 of the Fairly Competing podcast, Trade Secrets, Whistleblowers and the First Amendment, is now available for listeners and subscribers.

In this episode, John Marsh, Russell Beck, and I discuss the special problems posed when companies pursue trade secrets claims against whistleblowers.

We also discuss First Amendment concerns posed by these suits, state SLAPP statutes, and a recent case involving Anheuser-Busch that encompasses many of these interesting issues.

You can listen to the podcast by clicking on the link below, visiting the official podcast website, or subscribing to Fairly Competing on iTunes.

Listen to this episode

Wednesday, May 8, 2013

Supreme Court of Georgia Rejects Independent Claim for "Inevitable Disclosure"

The "inevitable disclosure" doctrine is one of the most discussed, controversial topics in unfair competition law. The commentary among academics and bloggers reminds me of the ongoing debate over the proper scope of the Computer Fraud and Abuse Act.

All but two states have adopted some version of the Uniform Trade Secrets Act, but there is little uniformity when it comes to applying the inevitable disclosure doctrine. Reduced to its essentials, the doctrine allows a plaintiff to substitute the concept of "inevitable disclosure" for actual or threatened misappropriation.

The Supreme Court of Georgia is the latest to weigh in on the application of the doctrine and held in Holton v. Physician Oncology Svcs, LP that a plaintiff cannot maintain an independent claim for misappropriation by relying solely on the idea of inevitable disclosure. The Court did not address whether:

  1. the doctrine can be applied to support a claim for "threatened" misappropriation of trade secrets (which is contemplated by the very text of all trade secrets statutes); or
  2. the doctrine can be applied to support a protectable interest as part of a non-competition covenant.

Companies seeking to assert trade secrets claims should, for the most part, do all they can to avoid pleading inevitable disclosure. From my perspective, it's a theory of last resort in that actual or threatened misappropriation (even if the threat is indirect or implied) is a far easier concept to present, particularly when requesting a disfavored remedy like an immediate injunction. Eric Ostroff essentially notes the same in his blog post discussing Holton.

The reluctance to invoke inevitable disclosure is not as pronounced when a company is seeking to enforce a non-compete. The theory of inevitable disclosure is much more appealing when it's used to demonstrate that an actual, protectable interest supports the contractual restraint. Non-compete law is more objective and forward-looking. Because parties have contracted in advance for a certain type of restriction, it makes little sense for a company to have to wait for actual misappropriation of company secrets to enforce the agreement in court.

Thursday, May 2, 2013

Fracking and Trade Secrets: An Introduction

This is the first in a multi-part installment on the impact of trade secrets law on hydraulic fracturing.

Fracking.

If you've read the newspaper over the past year or so, fracking suddenly has become a household term. Hydraulic fracturing, or "fracking," involves the injection of highly pressurized fluids into rock layers to release petroleum or natural gas. Though fracking has been around for decades, it has received a great deal of press and legislative attention for two primary reasons.

First, some states - most prominently, North Dakota - have seen a rejuvenation of their economies and manufacturing base, spurred on by fracking and its correspondent increase in energy production. Some studies, in fact, show the United States may overtake Saudi Arabia as the world's leading oil producer by the end of this President's term.

Second, fracking has received scrutiny from conservationist and environmental groups that are concerned over the public health risks associated with fracking. In particular, these groups have expressed concerns over the depletion of water supplies attendant with fracking, as well as the release into local aquifers of the additives contained in fracturing fluids.

At this point, you may be asking: what on earth does this post have to do with competition law?

The answer's fairly simple.

Oil and gas producers largely believe their fluid compositions (or hydraulic fracturing chemicals) are trade secrets.

But state laws require producers to disclose these compositions as part of the permitting process. If publicly filed, those fluid compositions then can be obtained through freedom of information laws.

Unless...they're trade secrets.

This tension between commerce and conservation has spawned recent litigation in Wyoming and Pennsylvania. The legal issues here and elsewhere involve a collision of many different public and private concerns, including:

  • What oil and gas producers must show a state administrative agency to assert trade secret protection over fluid compositions;
  • The ability of interest groups to challenge administrative decisions over trade secret protection;
  • Provisions in some state laws that require oil and gas companies to provide chemical composition data (despite its trade secret protection) to third-party medical providers;
  • Medical providers' objections on First Amendment grounds to being forced to sign confidentiality agreements as a condition of receiving this chemical composition data; and
  • The omnipresent risk that a disaffected employee - that is, a "whistleblower" - might disclose such trade secret information to a government agency or in the course of a retaliatory discharge lawsuit.

In future posts, I'll be discussing all of these topics. Fracking law, as it affects trade secrets, is potentially an explosive area of litigation for the foreseeable future.

Monday, April 29, 2013

Settlements Redux: A Brief Follow-Up From My Bankruptcy Post

I received a number of e-mails on my three-part series on settlements, which ran over the past few weeks.

Of those e-mails, several dealt with a topic I raised in Part 3 - accounting for the possibility of a settling defendant's bankruptcy. So I felt it was appropriate to answer those questions in a follow-up post.

As I noted in Part 3, a plaintiff settling a competition dispute may be able to litigate, or relitigate, a claim during the course of an adversary proceeding if the defendant files for bankruptcy.

An exception to the general rule of dischargeability is the "fiduciary defalcation" provision contained in Section 523(a)(4) of the Bankruptcy Code. That generally holds that a debt is non-dischargeable when a debtor breaches a duty while acting in a fiduciary capacity.

Because all adversary claims are governed by the Bankruptcy Code, federal law will apply. And federal courts' interpretation of what qualifies for the "fiduciary defalcation" exception to dischargeability is not on all-fours with state law concepts familiar to many readers, such as the common law fiduciary duty of loyalty, rectitude, candor, and good faith.

Let's take a hypothetical and assume a fact pattern we've discussed on this blog before. If a corporate officer sets up a competing business while still employed, this almost certainly would constitute a breach of fiduciary duty under state law. That does not mean that debts arising out of that breach automatically are non-dischargeable under Section 523(a)(4).

Bankruptcy courts generally provide that the debt is non-dischargeable only if the debtor is acting in a fiduciary capacity with respect to the particular conduct giving rise to the debt.

So under the hypothetical I just outlined, the corporate officer may or may not have his debt discharged.

If, for instance, he simply starts a new business, moonlights, and then funnels new customers to his separate entity, any damages for which he's liable under the common law likely would be dischargeable. (I say "likely" because court decisions aren't totally consistent.)

However, if the officer swaps out an order intended for his current employer and runs that through a competing business - essentially the equivalent of a conversion or civil theft - then the company stands a much better chance of claiming that the debt is non-dischargeable.

This is a fine distinction to make, and courts do come out different ways on this.

The 523(a)(4) exception really is intended to provide a remedy for embezzlement or insider corporate theft, such as when a controller - say, in Dixon, Illinois - loots the company till.

Applying the exception to a garden-variety competition case founded on breach of fiduciary duty often yields few clear answers.

Thursday, April 25, 2013

When a Restriction on Soliciting "Prospective" Customers Is Unreasonable (and How to Fix It)

One of the most common drafting errors in non-solicitation covenants - clauses that limit customers to whom competitive services may be offered - is the scope of customers to whom the covenant applies.

In concept, the idea of a customer non-solicitation covenant is not that offensive to most judges. Companies often make convincing, successful arguments that covenants of this kind are narrowly crafted to protect their interest in maintaining business relationships with accounts that generate an ongoing stream of revenue. And, generally speaking, they reflect a careful balance between a company's interest and that which an individual has in maintaining the right to earn a living.

But companies run into trouble when the covenant stretches too far in protecting both former clients and prospective clients. Courts correctly reason that such covenants go beyond what is necessary to protect companies from unfair competition, principally because past and prospective customers aren't contributing to existing goodwill.

Cases reflecting this principle are widely available, with one of the most recent being Newport Capital Group, LLC v. Loehwing, 2013 U.S. Dist. LEXIS 44479 (D.N.J. Mar. 28, 2013). That New Jersey case appears to be the first in that state to take a relatively bright-line approach to barring restrictions on an ex-employee's ability to service prospective customers.

What are the common problems associated with broad, customer-based restrictions? Here are the two most common:

1. The definition of "prospective" customer is perverse. Sometimes agreements define customer in such a way that it's impossible for the employee to even know who is off-limits. If, for instance, "prospective customer" includes any "individual identified by the company's employees as a potential client," it would be impossible to subject this restriction to verification.

2. "Prospective" customers is not defined at all. Most well-drafted non-solicitation covenants contain a definition of the key, triggering term - such as "Restricted Customer" or "Active Account." But many don't, and these agreements often cause judges to scratch their heads. If the term "prospective customer" is entirely undefined, it could mean that particular employee's prospect, another employee's prospect, or some prospect generally available to the market as a whole. Such a shifting, malleable definition causes the parties to interpret the agreement in such a way as to favor their position. Generally, ambiguities go in favor of the party being restricted.

It's hard to create bright-line rules and there may be situations when companies can define "prospective" customers in a way to make it reasonable. They could limit the definition to:

1. Those prospects with whom the employee, or someone under employee's direct management, had been actively making a proposal at the time of his departure.

2. Those prospects identified on certain confidential lists of customers developed and maintained by the company and to which the employee had regular access.

3. Prospects for which the company's confidential information was used to solicit competitive products or services on behalf of a third-party.

It's entirely possible even these limiting definitions won't do. But they're certainly a good start in extending a non-solicitation covenant into otherwise forbidden terrain.

Monday, April 22, 2013

New Jersey Non-Compete Bill Follows Maryland Lead - And Then Takes It a Step Further

In January, I discussed Maryland's proposed Senate Bill 51, which (if passed) would ban certain non-compete agreements if an employee was deemed eligible to receive unemployment benefits.

I offered my take on why this bill was fatally flawed. This is nothing more than another example of intrusive legislative meddling with absolutely no concern for the unintended consequences likely to result in day-to-day practice.

At least three Assemblymen from New Jersey have taken an even further step, proposing A3970, a bill that would ban a broader range of business protection covenants when an individual is deemed eligible for benefits under the state's unemployment compensation law. Incredibly, the proposed bill is not limited to general market-based non-competes, but also extends to any kind of non-solicitation covenant and even non-disclosure agreements.

New Jersey's unemployment compensation law is very similar to those in other states, in that an employee is generally not eligible to receive UC benefits if she voluntarily quits her job or is terminated for misconduct. Some states - like Maryland - have broader definitions concerning eligibility. "Misconduct" is very fact-specific and could, in many cases, cover the type of pre-termination conduct (e.g., theft of data, solicitation of accounts) that gives rise to competition suits.

For more on A3970, read the fine post from Seyfarth Shaw here and an interesting online article from NJBIZ.com here. The latter post discusses the exact point that I made in January when discussing the proposed Maryland legislation: the bill encourages companies to fight unemployment claims when they otherwise wouldn't. This is the law of unintended consequences at work.