Washington College of Law
Volume 62, Issue 5

NOTE: Reining in the Rogue Employee: The Fourth Circuit Limits Employee Liability Under the CFAA

By Danielle E. Sunberg  | 62 Am. U. L. Rev. 1417 (2013) 

 On January 2, 2013, the Supreme Court dismissed the petition for writ of certiorari in WEC Carolina Energy Solutions LLC v. Miller, leaving unresolved the vexing question of employee liability under the Computer Fraud and Abuse Act (CFAA). The case involved Mike Miller, former Project Director for WEC Carolina Energy Solutions (WEC), who used WEC’s proprietary information to benefit a competing business. WEC permitted Miller to access the company’s confidential and trade secret documents stored on his employer-provided laptop computer. On April 30, 2010, only twenty days after resigning from his position with WEC, Miller used the confidential information to make a pitch to a potential

client on behalf of a competitor, Arc Energy Services, Inc. (Arc). Arc won the client’s business, and WEC sued Miller and another participating colleague, asserting nine state-law charges as well as several violations of the CFAA. 

The CFAA, codified at 18 U.S.C. § 1030, is the nation’s first and leading cybercrime statute. The statute grants employers a private right of action to hold employees liable for accessing a company computer “without authorization” or for “exceeding authorized access.” Penalizing this conduct grows more imperative: a 2009 study conducted by the Ponemon Institute revealed that six out of every ten departing employees steal company data and described this figure as a growing problem of “malicious insiders.” Unsurprisingly, following this expansion in the computerprotection statute, employers have increasingly used the CFAA as a means to hold rogue employees accountable for using information obtained from a company computer in a manner that conflicts with the employer’s interests. 

NOTE: FTC v. LabMD: FTC Jurisdiction over Information Privacy is "Plausible," But How Far Can it Go?

By Peter S. Frecehette | 62 Am. U. L. Rev. 1401 (2013) 

Companies in nearly every industry collect, store, and use personal information from consumers. Recently, company databases have become the target of increasingly sophisticated attacks aimed atstealing this information. Data breaches occur with such regularity that the Federal Bureau of Investigation (FBI) has separated companies into two categories: “those that have been hacked, and those that will be.” The Federal Trade Commission (FTC) plays a large role in the cybersecurity world by enforcing specific statutes and, more generally, utilizing its authority under the Federal Trade Commission Act (FTC Act) to penalize companies that allow data breaches. Recently, however, businesses have begun to push back, contesting the FTC’s authority to police information security.

COMMENT: Identity Crisis: Seeking a Unified Approach to Plaintiff Standing for Data Security Breaches of Sensitive Personal Information

By Miles L. Galbraith  | 62 Am. U. L. Rev. 1365 (2013) 

Today, information is largely stored and transmitted electronically, raising novel concerns about data privacy and security. This data frequently includes sensitive personally identifiable information that is vulnerable to theft and exposure through illegal hacking. A breach of this data leaves victims at a heightened risk of future identity theft. Victims seeking to recover damages related to emotional distress or money spent protecting their identities and finances are often denied Article III standing to pursue a claim against the entity charged with protecting that data. While the U.S. Court of Appeals for the Seventh Circuit in Pisciotta v. Old National Bancorp and the U.S. Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corp. recognized standing even when harm was limited to the increased risk of identity theft, the U.S. Court of Appeals for the Third Circuit in Reilly v. Ceridian Corp. split with its sister courts and denied standing for data breach victims, citing a lack of injury-in-fact. 

TRANSCRIPT: "America the Virtual: Security, Privacy, and Interoperability in an Interconnected World

By Ivan K. Fong & David G. Delaney | 62 Am. U. L. Rev. 1131 (2013)

It is no exaggeration to state that our nation faces significant and increasing cyberthreats from a range of individual, organized, and state actors. Recent headlines remind us, for example, that malicious actors can easily render tens of thousands of computers inoperable, as was done to Saudi Aramco in August of this year; that distributed denial of service attacks can significantly degrade web services, as was done to several major U.S. banks last month; and that hackers can penetrate the networks of companies operating natural-gas pipelines. 

The statistics on cybercrime, data breaches, and loss of personal information are sobering. This year the global cost of cybercrime has been estimated at $110 billion. Between ninety-five and ninety-eight percent of records lost through data breaches contain personal information—that is, data such as names, addresses, e-mails, or social security numbers. In fiscal year 2011, the Secret Service prevented $1.6 billion in potential losses through its cybercrime investigations. And just last year, the United States Computer Emergency Readiness Team, which is DHS’s 24-hour cyber-watch and warning center, responded to more than 106,000 incident reports and released more than 5000 actionable cybersecurity alerts and information products to our public and private sector partners. In short, the threats to our cybersecurity are real, they are serious, and they are urgent.

Toward Cyberpeace: Managing Cyberattacks Through Polycentric Governance

By Scott J. Shackelford | 62 Am. U. L. Rev. 1273 (2013)

Views range widely about the seriousness of cyberattacks and the likelihood of cyberwar. But even framing cyberattacks within the context of a loaded category like war can be an oversimplification that shifts focus away from enhancing cybersecurity against the full range of threats now facing companies, countries, and the international community. Current methods are proving ineffective at managing cyberattacks, and, as cybersecurity legislation is being debated in the U.S. Congress and around the world, the time is ripe for a fresh look at this critical topic. This Article searches for alternative avenues to foster cyberpeace by applying a novel conceptual framework termed polycentric governance.

<< Start < Prev 1 2 Next > End >>

Page 1 of 2