GA’s Computer Systems Protection Act: What it Means for Employers

Posted by Benjamin I. Fink on

Recently, a divided Georgia Supreme Court reversed the conviction of an employee accused of engaging in computer trespass in violation of the Georgia Computer Systems Protection Act (GCSPA) by copying his employer’s data.[1] This post discusses the potential implications of that case, Kinslow v. State, for situations in which departing employees misappropriate information using a computer.

Georgia Follows the Supreme Court’s Lead
Under the GCSPA:
“[a]ny person who uses a computer or computer network with knowledge that such use is without authority and with the intention of . . . [o]bstructing, interrupting, or in any way interfering with the use of a computer program or data” is guilty of computer trespass.[2]

In Kinslow, the Georgia Supreme Court held that Kinslow, an IT worker, did not commit computer trespass under the GCSPA by:
“alter[ing] his employer’s computer network settings so that e-mail messages meant for Kinslow’s boss would also be copied and forwarded to Kinslow’s personal e-mail account.”

The court found that forwarding and copying emails to an additional recipient did not constitute adequate interference under the GCSPA, reasoning that creating an additional flow of data is not equivalent to blocking or hindering the flow of data as required under the statute.[3]

The Georgia Supreme Court’s decision in Kinslow came a few weeks after the United States Supreme Court narrowly interpreted the Computer Fraud and Abuse Act (CFAA), a federal statute that similarly proscribes certain computer-related activity.[4]

In Van Buren, the Supreme Court addressed a longstanding circuit split regarding when an employee “exceeds authorized access” under the CFAA.[5]

Van Buren overturned the Eleventh Circuit’s broad interpretation of the CFAA’s application and instead adopted a narrower view consistent with the Ninth Circuit.[6] Specifically, the Court determined that an employee:
“‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him[;]” an employee obtaining information with authorized access, even if accompanied by an improper motive, is not covered.[7]

Thus, under Van Buren, an employee who takes proprietary information or trade secrets using a computer can only be prosecuted under the CFAA in certain circumstances.

Georgia Computer Systems Protection Act: What Does This Mean for Employees?
Computers and electronic devices are now overwhelmingly prevalent in the workplace and throughout our society (far more so than when the GCSPA was enacted). Perhaps this prevalence is why the Georgia Supreme Court in Kinslow chose to construe the “computer trespass” provision of the GCSPA narrowly.

If the GCSPA (and CFAA) were interpreted broadly, for instance, criminal penalties could theoretically attach to any employee who sends a personal email or checks the weather on their work computer. In turn, “millions of otherwise law-abiding citizens [would be] criminals[,]”[8] even absent motive or intent to steal an employer’s data, information, or trade secrets.

Additionally, because working remotely and using company computers outside the office has become the “new normal” in our post-COVID world, a broad interpretation of the CFAA or the GCSPA risks unintended consequences for employees regularly accessing the internet via their work computers.

Employer Takeaway: Don’t Assume Your Trade Secrets are Still Protected
For employers, it remains to be seen whether Kinslow impacts their ability to use the GCSPA as a remedy when an employee misappropriates information involving computers.

Kinslow only addresses “computer trespass” under the GCSPA. Other prongs of the GCSPA, such as the “computer theft” provision, are often asserted when an employer makes a claim under the GCSPA against a departing employee. Employers also continue to have other remedies, including under the Georgia Trade Secrets Act and for breach of any contractual provisions that the employee’s computer misconduct violates.

Of course, actions that may constitute a violation under the GCSPA can be difficult to spot, and wrongdoers may avoid detection if employers are not diligently protecting and monitoring their sensitive information.[9] As a result, additional protections that hinder an employee’s ability or limit their authority to alter network settings to copy or otherwise reproduce data should be incorporated into your company’s security policies; access restrictions may not be enough.

With the Georgia Computer Systems Protection Act, it is now even more important for Georgia employers to understand the scope of their employees’ authorized access to information, identify trade secrets at risk, and take action to protect against misappropriation of their data.

If you are an employer in need of legal advice regarding the security of your company’s trade secrets, please do not hesitate to contact us.

-----

Thank you to our summer associate, Olivia Landrum, for contributing to this article.


[1] Kinslow v. State, S20G1001, 2021 WL 2518617 (Ga. June 21, 2021).

[2] O.C.G.A. § 16-9-93(b)(2).

[3] Kinslow, 2021 WL 2518617, at *1, *3.

[4] Van Buren v. United States, 141 S. Ct. 1648, 1654 (2021).

[5] Van Buren, 141 S. Ct. at 1654.

[6] Id. at 1662.

[7] Id. at 1652.

[8] Id. at 1661.

[9] Kinslow, 2021 WL 2518617, at *9 (Melton, C.J., dissenting).