Q: One of our employees has left
and gone to work for a competitor. He has apparently accessed our
computers via a remote connection, copied pending reservations and
profiles, transmitted corporate client information to our
competitor via e-mail and deleted some of our database needed for
management information reports. We had no employment contract with
our ex-employee, and we have never taken steps to protect our trade
secrets. Is there anything we can do now?
A: Traditionally, you could have gone through
the difficult and expensive process of suing the ex-employee and
your competitor for theft of your property. However, such suits
were fairly rare, because you had to prove exactly what was stolen
and how much the property was worth, and because it was hard to get
a court injunction to stop further theft.
For GDS data, your case would have been hopeless because you do
not own the data in the GDS vendors system. So you could not sue
for theft of data you do not own, by definition.
However, in the last few years, federal courts have allowed
employers to bring suits against former employees and competitors
under the federal Computer Fraud and Abuse Act. This 1984 law was
originally just a criminal law. In 1994, 1996 and 2001, it was
beefed up to allow an employer whose computer was accessed without
authorization to sue for any losses caused by the unauthorized
access itself.
Employers need only show that someone had unauthorized access to
the employers computer and that the access caused at least a $5,000
loss, which, according to the law, can be any reasonable cost to
any victim, including the cost of ... conducting a damage
assessment and restoring the data, program, system or information
... and any revenue lost or cost incurred ... because of
interruption of service.
So if you lost a corporate client because you could not provide
management information reports after your database was deleted, or
if you hired a forensic consultant for $5,000 to find out what was
deleted, what was transmitted and how to prevent unauthorized
access in the future, you have enough to sue your former employee
and your competitor under the Computer Fraud and Abuse Act.
Because the focus is not on the type of data stolen but rather
on the unauthorized access itself, you do not have to prove that
the information was confidential or proprietary. You do not even
have to prove that your competitor authorized the theft, as your
competitor will be automatically liable for the acts of its own
employees.
Significantly, courts have recently held that, even if the
ex-employee still had his user name and password for remote access,
his access was still unauthorized within the meaning of the
Computer Fraud and Abuse Act if he was acting on behalf of the
competitor. Even a current employee who sends your data to a
competitor has unauthorized access if he does it to benefit your
competitor, according to a precedent.
For travel agencies, the Computer Fraud and Abuse Act has
special significance: Since you do not have to own the data
accessed, you can sue for the ex-employees access to GDS data,
including profiles and pending reservations. You can sue even if
you forgot to delete the ex-employees GDS sign-in or change your
remote-access password, as often happens.
Mark Pestronk is a Washington-based attorney specializing in
travel law.