In today’s competitive business environment, maintaining the confidentiality of proprietary information is vital to success, if not survival. If a customer list, pricing schedule, formula or business process becomes available to competitors or others with malicious intent, the result could be disaster for a business. Unfortunately, advances in technology have made theft and/or destruction of business data easier and faster than ever before. Five years worth of painstaking and expensive research and development can be copied onto a thumb drive and secreted out the door in a matter of minutes.
To address the growing problem of computer related crime, the Georgia legislature adopted the Computer Systems Protection Act (“Act”). The Act defines and criminalizes five broad categories of computer related conduct:
- Computer Theft – Taking or copying the computer, computer network or digital data of another.
- Computer Trespass – Temporarily or permanently deleting, removing, interfering or obstructing the property or computer data from a computer or computer network of another.
- Computer Invasion of Privacy – Using a computer to examine the electronically stored personal financial information of another.
- Computer Forgery – Passing off electronic communications as though they are of another.
- Computer Password Disclosure – Intentionally revealing the computer related codes or passwords of another.
When any of these acts are perpetrated knowingly and without the authorization of the owner of the computer network or digital information in question, a crime is committed. The first four categories constitute felonies, punishable by up to 15 years in prison and with a $50,000 fine. Computer password disclosure is a misdemeanor, punishable by up to one year in jail and/or a $5,000 fine.
The Act also gives the victim of this conduct a civil cause of action against the perpetrator. In this way, the Act has become a powerful tool for businesses to obtain relief through the courts for damage caused by technically savvy competitors, hackers and current and former employees, even when law enforcement declines to get involved. In addition to authorizing the recovery of compensatory damages in the form of lost profits resulting from the digital malfeasance, the Act expressly allows the victim to recover the costs associated with any forensic investigation undertaken to discover the crime and/or the identity of the perpetrator and perhaps the reconstruction of any lost or destroyed data.
Often times, once a data breach is discovered, a reputable computer forensic technician can quickly and conclusively establish that a business’s computer network or digital information was accessed, copied or deleted. What can sometimes be more difficult to establish is that the perpetrator knowingly accessed the computer systems or digital data of another without authority. Those accused of committing these acts often claim that they were authorized to do so, or that they legitimately believed that they were.
The Act defines “without authority” to include “the use of a computer or computer network in a manner that exceeds any right or permission granted by the owner of a computer or computer network.” Thus, even if an employee has the right to access customer data as a part of her employment duties, if she were to take that data and sell it to a competitor, she would likely exceed the scope of her authorization to use that data by doing so and thus be liable (and perhaps guilty).
This is not to say that any inspection of the computer or computer records of another constitutes a violation of the Act. In one recent case, an employee was using his personal laptop computer at the office to download proprietary company information in anticipation of taking and using that data on behalf of his soon to be new employer, (and competitor of his current employer). When the employee left his desk unattended, the owner of the company inspected the laptop and discovered the surreptitious activity. The employee was fired. The employee then sued his former boss personally for computer trespass. The claim was dismissed for two reasons. First, the court determined that the company owner did not act “with the intention of” committing a violation of the Act. Instead, he merely investigated the employee’s conduct. Second, the court found that the owner’s conduct was authorized because the employee regularly used his personal computer for work and because the company’s employee manual expressly stated that the company had the right to inspect any device used by the employees in connection with their employment.
Victims of computer crimes would do well to engage both experienced counsel as well as a reputable computer forensics specialist as soon as possible to determine the scope and extent of the security breach. In addition, ongoing practices, such as password protection, establishing a written and well publicized policy against improper access and regular reminders and training on this policy are key to protecting your organization from malicious data loss and interruption.