Category Archives: Noncompete/Trade Secret

February 26, 2013

Who Owns Your Employees’ LinkedIn Profiles? The Answer Might Surprise You.

By Mark B. Wiletsky

If your employees use LinkedIn to establish and maintain contacts for business purposes (such as sales), what happens to those accounts—and contacts—when the employee quits or is fired?  Can an employer who has access to an employee’s LinkedIn profile change her password and replace information in her profile following her termination?  No, says at least one federal judge in Pennsylvania recently, though that case is not yet over.  As explained below, employers should be careful before assuming that they own their employees’ LinkedIn profiles. 

Employer Access to High Level Executive Profiles

Edcomm, Inc., a banking education company, strongly urged its employees to create LinkedIn accounts using their company email addresses as a business networking tool.  It had employee policies governing online postings and specified that if employees identified themselves as an Edcomm employee, they needed to use a specific template that contained pre-approved content about the company and referred to the company’s website.  The company provided a photographer to take professional photos for employee use on their LinkedIn accounts.  It also allowed some Edcomm employees to access, develop and administer the LinkedIn accounts of senior management, such as responding to invitations, inviting new contacts and researching good news stories to include on their LinkedIn pages.

After being acquired by another company, Edcomm, Inc. terminated its company president and founder, Linda Eagle, as well as several other top executives. After her termination, Edcomm locked Eagle out of her LinkedIn profile by changing her password.  It then changed the information on the profile to that of the new acting CEO.

Company Argues LinkedIn Account was Akin to a Client List

Eagle sued Edcomm alleging numerous violations of state and federal law, including invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft and conversion.  Edcomm argued that the LinkedIn accounts were used to contact new clients and promote the company’s services.  As such, the company claimed that its take over of Eagle’s account was similar to the company keeping possession of a client list after an employee is terminated. 

The Judge didn’t buy it.  At a recent hearing, Judge Ronald Buckwalter stated that Edcomm likely had no right to change Eagle’s LinkedIn password and change her profile information.  He noted that the company had no internal policy that would hand over ownership of employee profiles when employees left the company and that the LinkedIn accounts belonged to the individual employees. 

Be Prepared For An Employee’s Departure

Although it is wise to implement a social media policy to address employee use of company information on personal or company-sponsored social media accounts, you need to be wary of who owns the rights to such information.  First, as indicated in the Edcomm case above, you risk potential invasion of privacy and other claims.  Second, the employee might have rights to the account independent of the employer, as established in an agreement between the service provider and the employee.  At a minimum, consider implementing specific policies that address these issues up front, and consider what services your employees are using to establish and maintain connections with clients.  The fact that contacts are connected through LinkedIn, Facebook, or some other social media site can significantly impact an argument that such contacts are protectable trade secrets.  Lastly, don’t forget that forcing access to employees’ social media can be risky.  Four states have enacted legislation to prohibit or restrict employers from asking for social media access and many other states are currently debating similar restrictions.

July 30, 2012

Court Narrows CFAA

By Mark Wiletsky

In today’s digitized workplace, it is easier than ever for employees to steal information.  Whether through a thumb drive, external hard drive, e-mail, or other means, employees can easily transfer reams of information in mere seconds, often without detection until it is too late.  Because such information is often incredibly valuable–and potentially harmful when improperly used by a competitor or another–organizations sometimes are forced to sue an employee and/or the employee's new employer for misappropriating such information.  At times, law enforcement may be involved.  But often, it is up to the employer to initiate a civil action.

Although a variety of claims may be asserted in such circumstances, employers sometimes turned to the Computer Fraud and Abuse Act (or CFAA) for relief.  The CFAA is a federal statute that provides civil and criminal penalties when an employee, among other things, intentionally accesses a computer without authorization, or exceeds authorized access to a computer and obtains anything of value or causes damage.  On its face, the statute appears to prohibit an employee from using his or her access to a computer to misappropriate his employer’s trade secrets or other confidential information.  A recent decision by the Fourth Circuit Court of Appeals, however, concluded otherwise. 

In WEC Carolina Energy Solutions LLC v. Miller, the employee (Miller) allegedly downloaded WEC’s proprietary information, at the direction of a competitor, and then used the information to help the competitor solicit a customer.  WEC sued Miller under a variety of theories, including conversion, tortious interference with contractual relations, civil conspiracy, misappropriation of trade secrets—and violation of the CFAA.  The district court dismissed the CFAA claim and remanded the remaining claims to state court.  On appeal, the Fourth Circuit affirmed the dismissal of the CFAA claim.

Because the CFAA contains criminal penalties, the Fourth Circuit adopted a narrow interpretation of the CFAA.  It distinguished situations in which an employee exceeds his access to information—which may violate the CFAA—from those in which the employee merely uses his authorized access to misappropriate information.  For example, an employee “accesses a computer ‘without authorization’ when he gains admission to a computer without approval” and he “‘exceeds authorized access’ when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.”  In WEC, the court concluded that Miller had authorization to access to the information at issue, despite WEC’s policies preventing the improper use of such information.  Thus, even though Miller had no authority to download and/or transfer it for another’s use, he was not liable under the CFAA.  The court noted that a contrary interpretation could result in criminalizing otherwise innocent conduct, such as when an employee violates a policy against downloading information so that he can work at home.

Interestingly, the Fourth Circuit sided with the Ninth Circuit on this issue, adding to the Circuit split.  The Seventh Circuit previously reached a contrary result.  It held that an employee may be liable under the CFAA when he accesses a computer or information on a computer in a way that is adverse to his employer, as doing so terminates his agency relationship and any authority he otherwise has to access such information.  Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006). 

The Fourth Circuit’s narrow interpretation of the CFAA, if adopted by other courts or, eventually, by the Supreme Court, is disappointing to those who seek to hold rogue employees accountable for misappropriating confidential or proprietary information.  The CFAA allows employers access to federal courts in these types of situations, which at times may be the preferred venue, and contains other stiff penalties.  Still, and as noted in WEC, employers have other options at their disposal, including a variety of state law claims that can be very effective. 

Practical Tips 

Even though the Fourth Circuit held that Miller did not violate the CFAA by his actions, it is a good idea to review and potentially update your computer use policies, especially if you have not done so in a while.  Technology changes so rapidly that policies may be out-of-date soon after they are issued.  At a minimum, be clear about the confidential and sensitive nature of information available on your systems, and permissible uses of such systems.  If employees have limited access to certain databases or areas, be sure to emphasize such limitations and the potential penalties for violating those limitations.  Also, don’t forget to remind employees that they have no expectation of privacy when using or accessing your organization’s computer resources.  You may not always be able to prevent an employee from misappropriating confidential or proprietary information, but strong policies and practices are a good deterrent and a strong tool to use if you have to sue an individual who engaged in such conduct.