Data Protection

A recent case in the Federal District Court for the Northern District of California highlights two important emerging issues in the data protection arena.  The first issue is the concern of data breaches by employees and ex-employees.  The second issue is the understanding of the legal complexities in interpreting applicable statutes.

            In Nexsales Corp. v. Salebuild, Inc., 2012 U.S. Dist. LEXIS 7890, Nexsales alleged that Salebuild illegally accessed Nexsales’ databases over 3000 times in order to download information.  Included in Nexsales claims was an alleged violation of the Computer Fraud  and Abuse Act, and a violation of the Stored Wire and Electronic Communications Transactions Records Act.

            The Computer Fraud and Abuse Act prohibits intentional access of a computer without authorization, or exceeding authorized access.  The Stored Communications Act prohibits anyone from intentionally accessing without authorization a facility through which an electronic communication system is provided, or intentionally exceeding authorization to access that facility.  In this case, Nexsales alleged that Salebuild intentionally accessed Nexsales password protected computer server by using a confidential login and password that did not belong to them.  Despite knowing that they did not have such authorization, Salebuild allegedly accessed Nexsales computer network facility.  Nexsales then apparently contradicted itself, by alleging that some of the persons who accessed the data, were actually Nexsales own employees who exceeded their authority.

            Salebuild filed a motion to dismiss, which was granted.  The Court found that Nexsales’ complaint did not contain enough factual information to support its claims.  This case will most likely continue as the Judge authorized Nexsales to file an Amended Complaint containing the necessary factual information.

            When becoming involved in data breach litigation it is important to fully understand the applicable statutes and know what facts are pertinent in order to successfully bring, or defend, such a lawsuit.  Perhaps in future rulings in this case, we will also learn more facts behind the allegation that Nexsales’ own employees accessed data without authorization.  Unauthorized access of data by employees and ex-employees is a problem that is occurring more and more frequently.  Unfortunately, some employers are not timely instituting security policies and procedures to reduce this risk.