May 12, 2015
Nelson Levine v. Lewis Brisbois Just Settled: Firm Laptops and the Computer Fraud and Abuse Act – Lessons from A Recently Resolved Attorney Departure Case
As many attorneys who follow partner departures and lateral moves know, in 2014 a group of attorneys at Nelson Levine De Luca & Hamilton, LLC (“Nelson Levine”) in Montgomery County, Pennsylvania, left the firm to join Lewis Brisbois Bisgaard & Smith LLP (“Lewis Brisbois”), a California limited liability partnership. This departure resulted in litigation that serves as a primer on the Computer Fraud and Abuse Act, underscoring the importance of adding firm-issued laptops and the handling of other technology (often accessing confidential information) that attorneys regularly use, to the growing list of topics that firms and departing attorneys should address as part of the firm’s policies and procedures and in advance of any separation.
It is rare for a partnership dispute to result in a federal case, much less one alleging violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the “CFAA”). Yet, the CFAA was a hotly contested issue in Nelson Levine De Luca & Hamilton, LLC v. Lewis Brisbois Bisgaard & Smith LLP, pending in United States District Court, Central District of California, Case No. CV 14-3994-FMO-SHx. While the CFAA originated as a criminal statute for the protection of government computers, it has been expanded over time to include a private right of action and to include in its definition of “protected computer” any computer “which is used in or affecting interstate or foreign commerce or communication,” i.e. almost all computers accessing the internet or being used for emails across state lines. Damages and injunctive relief can be imposed under the CFAA, among other things, if one:
- “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer;” 18 U.S.C. § 1030(a)(2)(C); or
- “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;” 18 U.S.C. § 1030(a)(4)
In its Complaint, Nelson Levine alleged that five of the departing attorneys took laptops with them that were previously issued for the performance of Nelson Levine client work. [Docket No. 1, ¶ 3]. Per pleadings filed by the parties, the departing attorneys used the laptops for client work for about 15 days after their Nelson Levine departure and then returned the laptops, with all the data on the laptops removed and stored on “duplicate, identical, redundant forensic-quality disk images,” which are “exact copies” of the data once on the laptops. [Docket No. 59, ¶¶ 2-3].
Nelson Levine alleged in its Complaint that the data on the laptops “likely include[d] privileged information, trade secrets, and confidential client information of Nelson Levine” and that the one partner who was included in the laptop-using group of departing attorneys “had access to proprietary information related to firm management.” [Docket No. 1, ¶ 3]. In motion practice, Nelson Levine argued it satisfied the elements of the CFAA because the departing attorneys “intentionally accessed” the laptops, and the data contained on them, without Nelson Levine’s permission and that this unauthorized access “was intentional and carried out with the intent to defraud,” which under the CFAA carries a lower burden of proof than common law fraud. [Docket No. 6-2, page 14:9-22]. As to damages, Nelson Levine alleged an amount in excess of the CFAA threshold ($5,000 in any 1-year period) and that its damages included the value of the data, loss of competitive advantage and prospective work, legal fees and costs to protect the data and comply with applicable privacy laws. [Docket No. 1, ¶ 34].
Lewis Brisbois’ pleadings told a different story, arguing that this action is about client representation, not laptops, and that, as a threshold matter, the CFAA was not violated because the requisite intent was lacking:
In this instant action, the Departing Attorneys did not access the Laptops with any intent of wrongdoing. Ultimately when Nelson Levine terminated [the Practice Group Leader of Nelson Levine’s Data Privacy Group] and orchestrated the exodus of the Data Privacy Group, Nelson Levine failed to anticipate that their clients would be left without effective counsel. Consequently, Departing Attorneys had a choice: (1) to abandon the data privacy group clients who were now abruptly defenseless, or (2) to continue serving the data privacy group clients and protect the clients’ interests to the best of their ability. When confronted with this Hobson’s choice, they made the only reasonable and rational choice to protect the clients’ interests. For a period of approximately 15 days, the lawyers worked wherever they could and admittedly used the Laptops in serving their clients.
[Docket No. 13, pages 15:26-16:9]. Lewis Brisbois further argued that the laptop data was accessed at the direction of a client and that such access was necessary for effective representation of that client, especially since the departing lawyers no longer had access to the Nelson Levine network or email servers. [Docket No. 13, page 16:9-25].
The parties were eventually able to settle their dispute, and on May 12, 2015, filed a Stipulation of Voluntary Dismissal with Prejudice with the Court. While this case will not make any contribution to published decisional law regarding law firm departures, the parties’ pleadings and the nature of the dispute contains helpful lessons. While only the parties to this litigation know the full story and why the particular sequence and timing of events may or may have not been necessary, for everyone else, this case is a warning of the potential dangers of acting without a transition plan fully in place. If possible, departing attorneys should plan for a worst-case scenario and act to protect the interests of their clients first and foremost. This case also illustrates the complexity of a firm’s and attorney’s competing rights and obligations in the context of a departure. Given the myriad of issues raised by lawyers having access to client information on laptops and other portable devices, law firms should not only address the handling of such information as part of the firm’s policies and procedures, but should have in place a specific protocol for addressing these issues any time an attorney or group of attorneys departs from the firm.
(Editor’s note: Rebecca Epstein, a Senior Consulting Attorney in the Firm’s San Francisco office, contributed to this article.)