Search form

New Florida Law Offers Employers Leverage Against Employees’ Unauthorized Access of Data, Files

By Joseph J. Lazzarotti and Mendy Halberstam
  • August 11, 2015

Effective October 1, 2015, Florida’s Computer Abuse and Data Recovery Act (Sections 668.801- 668.805, Florida Statutes) (CADRA) provides a new remedy to employers and other businesses that suffer harm or loss due to unauthorized access to their computers or to information stored on their computers.

CADRA provides a civil cause of action for businesses actually harmed by an individual who knowingly, and with intent to cause harm, obtains information from a covered computer without authorization. In addition to monetary remedies and injunctive relief, CADRA allows a successful employer or business to recover attorney’s fees.

While criminal hacking and data breaches by third parties can occur and are the subject of extensive publicity, CADRA was passed to help businesses and employers respond to “inside jobs,” that is, unauthorized access to data by employees.

How it Works

Protection under CADRA requires the business’s computer to be a “protected computer” and access has been effectuated by someone who is not an “authorized user.” This means that a business cannot seek protection for its data if the business does not take reasonable measures on its own to protect the data.

The law comes into play only if the information taken from a “protected computer” is taken “without authorization.” While it is unclear whether an employee who has the authority to access certain data at the time the data is accessed violates CADRA if they exceed their authority, it is clear that any authorized access terminates upon cessation of employment. Moreover, the owner of the information can expressly revoke an otherwise-authorized person’s access if the employee goes outside the scope of authority.

Litigation Use

In litigation with employees, employers often discover that current or former employees retain information from the employer’s computer systems. For example, employees may email files and other company documents to their personal email addresses. In addition, employees can print from company computers sensitive or even routine documents and bring them home.

CADRA and its remedies and attorney’s fees provisions provide an opportunity for forward-thinking employers to gain leverage against their employees by counterclaiming against any employee who improperly takes employer data with them upon termination and fails to return such company data. An effective CADRA claim allows an employer to recover or offset the fees it expends seeking relief for a CADRA violation.

However, coverage under CADRA is not automatic. Employers first must put reasonable measures in place (“technological access barriers”) to restrict access to company computer data. Companies also should have clear policies spelling out what constitutes authorized access, what conduct is deemed improper and unauthorized access, and when the right to access is revoked.

Similarly, employers should monitor carefully any violation of their data access policies and make it clear that employees will be disciplined for any violations. Finally, companies should address violations in a consistent manner, and train human resources and IT personnel to spot possible violations and know how to respond when a violation occurs.

Employers should consider reviewing and revising their handbooks and policies and implement an effective data access policy and appropriate technological access barriers. Please contact a Jackson Lewis attorney if you have any questions.

©2015 Jackson Lewis P.C. This Update is provided for informational purposes only. It is not intended as legal advice nor does it create an attorney/client relationship between Jackson Lewis and any readers or recipients. Readers should consult counsel of their own choosing to discuss how these matters relate to their individual circumstances. Reproduction in whole or in part is prohibited without the express written consent of Jackson Lewis.

This Update may be considered attorney advertising in some states. Furthermore, prior results do not guarantee a similar outcome.

Jackson Lewis P.C. represents management exclusively in workplace law and related litigation. Our attorneys are available to assist employers in their compliance efforts and to represent employers in matters before state and federal courts and administrative agencies. For more information, please contact the attorney(s) listed or the Jackson Lewis attorney with whom you regularly work.

See AllRelated Articles You May Like

July 11, 2018

Fitness Industry Legal Update - Summer 2018

July 11, 2018

Social media can be a great way for companies in the fitness industry to build and engage their communities. The hazards of social media as to employees, companies, and privacy, however, should not be ignored. This is especially true if social media is key to a business’s marketing or employee-recruitment goals. In this issue, we cover... Read More

July 9, 2018

Brett Kavanaugh Nominated to U.S. Supreme Court

July 9, 2018

In the wake of Justice Anthony Kennedy’s retirement, President Donald Trump was presented with the rare opportunity to make his second U.S. Supreme Court nomination in as many years, nominating the Honorable Brett M. Kavanaugh to succeed Justice Kennedy. If confirmed by the Senate, Judge Kavanaugh would bring more than a dozen years of... Read More

April 9, 2018

State Data Breach Notification Laws: Overview of the Patchwork

April 9, 2018

The nation’s patchwork of state data breach notification laws is now complete. All 50 states, as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted breach notification laws requiring private organizations or government entities to notify individuals of a security breach involving their personally... Read More