Social Media Activity In The Workplace And The Computer Fraud And Abuse Act

It should come as no surprise that employers are trying to assert a claim for violation of the Computer Fraud and Abuse Act (“CFAA”) based on employees accessing social networking sites such as Facebook from work computers. While one employer was unsuccessful in stating a claim, employers should not give up on opportunities to assert the CFAA as a claim in an employment related action.

The CFAA is a criminal statute that also allows for civil action claims. To state a claim, an employer has to assert the following elements: (1) an employee intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer (e.g. used in or affecting interstate commerce) [18 U.S.C. § 1030(g)]. The other essential requirement for stating a claim under this federal statute is that the employer suffers a computer related loss totaling at least $5,000 in value.

In United States v. Nosal, the Ninth Circuit held on April 28, 2011, that the government in a criminal action stated a CFAA claim against former employee David Nosal and his co-conspirators. Nosal is alleged to have started a competing business, and conspired with current employees of Korn/Ferry, a premier executive search firm, to have them copy Korn/Ferry’s confidential database of executive candidates. The Nosalcourt held that Korn/Ferry took considerable measures to protect its confidential database, including a screen notification that appeared with every login which stated in essence:

“This computer system and information it stores and processes are the property of Korn/Ferry. You need specific authority to access any Korn/Ferry system or information and to do so without the relevant authority can lead to disciplinary action or criminal prosecution…”

The Nosal Court held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employee’s computer access restrictions – including use restrictions.” Further, the Court held that the majority of computer crimes prohibited by the CFAA involve taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.

In an employment case decided on May 6, 2011, Lee v. PMSI, a federal district court in Florida granted a motion to dismiss a CFAA claim because the employee’s alleged excessive use of the company computers to access Facebook and her personal email was not alleged to have caused damage to the company’s computers. The Court held that lack of productivity due to an employee accessing Facebook does not constitute damage to a computer as required by the CFAA. Further, the Court held that since the employee was only accessing her personal information through the company’s computer, PMSI could not allege that Lee accessed or damaged any PMSI information.

On the other hand, an employer may be able to state a claim under the CFAA by alleging that the employee infected the company’s computer(s) with a virus that is traceable to Facebook or another social networking site. An Internet search shows a number of viruses that have been targeted to Facebook users. For example, there was a password stealing virus which urged Facebook users to open an attachment to obtain new login credentials, which once opened downloaded several types of malicious software including a program that stole banking passwords and other sensitive information from the user’s computer. McAfee, an antivirus software maker, estimated that the virus would succeed in affecting millions of computers.

Another virus named the Koobface virus invited people to watch a funny video with an additional prompt to upgrade their Flash player. This upgrade was actually the means for unleashing the virus, which reportedly turned “victim machines into zombie computers to form botnets.” More recently, Facebook users are warning their friends not to click on invitations “to see who has been viewing you,” or to “win a free iPad,” because they are suspected to be vehicles for spreading viruses and other malware.

In other words, an employer with a clear computer use policy that prohibits use of company computers to access social networking sites for personal business may be able to state a claim under the CFAA. If the facts are there, the employer may want to allege that the computer system was damaged by a computer virus which resulted in a loss of at least $5,000 in value, and that company data was compromised. The loss provision requirement can be satisfied by costs associated with a forensic assessment of how the computer was being accessed improperly, consequential damages incurred because of interruption of service, and costs to remove the virus and remedy any damage to the computer.

Application of the CFAA to social media activity is a new area of the law with few reported cases. With Nosal, the Ninth Circuit is now in accord with other circuits. The CFAA can be applied to employees who abuse their company’s computer access rules to the detriment of the company. As a preliminary step to being able to state a claim under the CFAA, however, businesses should consult with knowledgeable legal counsel to update their computer use policies.

United States v. Borrasi: Rough Seas in the Kickback Safe Harbors

In United States v. Borrasi, the Seventh Circuit adopted the “one purpose” test under the federal Anti-Kickback Statute.  The government’s position in the case is also important for its interpretation of the scope of the employee safe harbor.  Borrasi and other recent developments reflect a narrow reading of the scope of safe harbor protection.

The U.S. Court of Appeals for the Seventh Circuit recently adopted the “one purpose” test under the federal health care criminal Anti-Kickback Statute, 42 U.S.C. § 1320-7b(b) in United States v. Borrasi, No. 09-4088 (7th Cir. May 4, 2011).  (See Seventh Circuit Adopts “One Purpose Test” Under Federal Health Care Anti-Kickback Statute for more information.) The case is also important for its treatment of the statutory exception and regulatory safe harbor for bona fide employees, and reflects an increasingly crimped reading of the scope of the safe harbors generally.  This trend may be of importance for hospital-physician integration strategies, which rely on the employee safe harbor, as well as other financial arrangements structured to comply with the safe harbors, such as so-called contractual joint ventures.

The facts alleged in United States v. Borrasi are stark.  The court’s opinion states that a psychiatric hospital paid bribes to a group of physicians in return for their referrals to the hospital.  To conceal the bribes, the physicians were “placed on the [hospital] payroll, given false titles and false job descriptions, and asked to submit false time sheets.”  There was testimony that the physicians were not expected to, and did not, perform the duties listed on their job descriptions, notwithstanding occasional attendance at various committee meetings.  There were recordings introduced of Borrasi’s conversations with the other physicians, including one in which Borrasi admitted referring patients in return for “free money” from the hospital.

In closing arguments, the government stated:

So the question you may be asking yourself is, how much of the money that Borrasi was paid constituted bribes? And how much may have been paid for legitimate services? The answer, ladies and gentlemen, is, it doesn’t matter, because paying for patients is illegal. Any amount is illegal. And thus the amount of the checks that Borrasi received that may have been allocated to some services that he performed or the peer review committee notes that the doctors that worked for him may have reviewed, don’t matter. If any portion of the checks they received was a bribe, then they broke the law.

… Moreover, if you determine that any portion of those checks that are the underlying bribe counts that we just reviewed, those six checks, were for the payment of patient referrals, then you should find the defendants guilty of the receipt.

On appeal, the defendant argued that this discussion prejudicially misstated the law, and that the district court did not cure the misconduct by striking the argument and giving an adequate curative instruction.  The court focused on the defendant’s argument that the government misstated the law because it argued that “one purpose” of the payment had to be for referrals, rather than the “primary purpose.”  As noted above, the court adopted the “one purpose” test, which has been the longstanding standard in several other circuits.

However, the court’s analysis of the applicability of the employee exception and safe harbor was less clear.  On the one hand, the court correctly noted that to convict Borrasi, the jury would need to find that some amount was paid not pursuant to a bona fide employment relationship.  However, the court concluded, quoting United States v. Greber, 760 F.2d 68, 72 (3d Cir. 1985), that “[b]ecause at least part of the payments to Borrasi were ‘intended to induce’ him to refer patients to [the hospital], ‘the statute was violated, even if the payments were also intended to compensate for professional services.’”

The citation of Greber by the court in this context is unfortunate as it involved a non-safe-harbored arrangement.  If the employment arrangements at issue in Borrasi were not bona fide, then the statutory exception and regulatory safe harbor for bona fide employment arrangements would not apply, and it would be appropriate to look at the intent of the parties, including the Greber test of whether “one purpose” was to induce referrals.  However, the reason for not being bona fide cannot be that “one purpose” of the arrangement is to induce referrals or recommendations.  If that were the case, it would call into question many common arrangements, such as commission sales arrangements with employed staff as well as physician employment arrangements that include a requirement to refer—a requirement expressly permitted under the Stark Law.

The Narrowing Scope of the Safe Harbors

Borrasi, properly read, should be limited to a holding that intent is relevant only where there is evidence that the employment arrangement is a sham and not bona fide, as was the case here. However, the government’s closing argument seemed to go further, apparently inviting a jury to “tease out” of an otherwise bona fide employment salary any portion that was paid to induce referrals, rather than first finding that the employment arrangement was not bona fide.  Taken to its logical conclusion, such a position would read into the employee exception and safe harbor a fair market value requirement, as any deviation from fair market value would presumably, in the government’s view, be evidence that the excess must be for referrals.  Yet unlike most safe harbors, the employee safe harbor does not have a fair market value requirement.  To require such a showing would appear to be contrary to law.  The government’s argument can also be read to suggest that even a fair market value employment arrangement could violate the Anti-Kickback Statute if “one purpose” were to induce referrals.  Again, if the employment arrangement is bona fide, the safe harbor should bar inquiry into the parties’ intent behind the arrangement.

Similar allegations of “sham” employment arrangements were made in the case of part-time clinical faculty cardiologists employed by University of Medicine and Dentistry of New Jersey The government alleged that the physicians performed limited duties and that the payments were in return for referrals.  Two cardiologists pled guilty to criminal embezzlement charges, while several others and the university itself entered into kickback settlements.  In March 2011, however, one of the cardiology faculty was acquitted of civil kickback charges by a federal jury.

The Office of Inspector General (OIG) has similarly advanced a theory that “contractual joint ventures” where a management company or supplier contracted with a health care provider to provide portions of a billable health service, even if structured to satisfy the relevant safe harbors, may violate the Anti-Kickback Statute.  In its Special Advisory Opinion on Contractual Joint Ventures, the OIG stated: “Some parties attempt to carve otherwise problematic contracting arrangements into several different contracts for discrete items or services … and then qualify each separate contract for protection under a ‘safe harbor.’”  The OIG theorized that such arrangements would not qualify for safe harbor protection, in part because the opportunity the health care provider has to earn a profit from billing for the health care service is separate remuneration bestowed by the management company which is unprotected by any safe harbor.  While this theory has yet to be tested in federal court, it is again suggestive of government willingness to go after what it perceives as problematic arrangements even where all elements of a safe harbor have seemingly been satisfied.

What to Do Now

Despite the above, providers are well-advised where possible to structure arrangements in compliance with a kickback safe harbor.  In the case of employment arrangements, this may include review and contemporaneous documentation of the “bona fides” of the employment arrangement, including both fair market value assessment as well as an analysis of the arrangement under the Internal Revenue Service standards for employment versus independent contractor status.

In the case of hospital-physician integration strategies, the Borrasi holding underscores the importance of careful development by management of materials to explain and justify the strategy.  For all providers, caution is advised where structuring arrangements within a safe harbor in the face of evidence of an intent to induce referrals.