Q: One of my agency's independent contractors (ICs) has decided to leave and join another host. If, before he leaves, he copies all my agency's client contact information, travel preferences and travel records and takes it with him, can I have him prosecuted for a federal crime? Can I sue him for damages? Does it make any difference if he is an employee rather than an IC?
A: Until this month, the answer would have been that you can probably have him prosecuted under the federal Computer Fraud and Abuse Act (CFAA), which made such behavior a felony, and you could sue him for your damages under the CFAA. However, on June 3, the U.S. Supreme Court issued an opinion in Van Buren v. United States holding that there is no violation if the abuser was authorized to access the records in the first place and merely used them for an illicit purpose.
The case stemmed from the prosecution of a police officer who took a bribe to run a license plate check to see whether someone was working undercover. The lower court had convicted him for violating the CFAA because the law penalizes anyone who "exceeds authorized access" to computer files, and the appeals court agreed. The court noted that the quoted terms is defined as "to access a computer with authorization and to use such access to obtain ... information in the computer that the [accessor] is not entitled so to obtain."
Writing for the majority, Justice Amy Coney Barrett's opinion stated that this definition means that it is not illegal to access any information as long as you are authorized to access it in the first place, regardless of your motive or what you do with the information you obtain.
So, as long as you allow (or did not prohibit) ICs or employees to access your agency's client files, they do not "exceed authorized access" by accessing them and using the information to compete against you. You therefore cannot have them prosecuted under federal law or sue them under that law.
You can still try to sue them under state laws that protect trade secrets. However, such suits are very hard to win if you did not take steps to protect your client information and allowed any IC or employee to access all of it.
So, it is now more important than ever to protect client information. One step that you can take would be to have employment or IC contracts that prohibit accessing files of clients with which they do not have any contact. Although contract clauses will not stop an unscrupulous employee or IC from taking the information, it would help you successfully sue for theft of trade secrets. You could also consider password-protecting certain files and providing access only to employees who have a business need for it.
Then, once the IC or employee stops working with you, any access would "exceed authorized access" and would thus be a clear violation of the CFAA, regardless of the accessor's motive.