A newly filed lawsuit proves that even the most technologically sophisticated businesses and governmental entities are not immune from a costly data breach. Space Systems Loral (SSL) has sued Orbital ATK in federal court in Virginia, claiming that an Orbital employee improperly accessed and viewed SSL’s confidential satellite technology information.
SSL claims that NASA awarded it a contract relating to NASA’s “Dragonfly” project, which involves technology for in-space construction and maintenance of antennas. SSL alleges that NASA later notified it that a “data breach had occurred involving proprietary data from SSL residing on a NASA server” at the Langley Research Center. It also informed SSL that the “breach occurred because an employee of another contractor accessed the files…beyond the files the employee was authorized to view.”
SSL claims that Orbital admitted that one of its employees had indeed accessed the company’s trade secrets without its authorization, and that the employee had been terminated. But according to SSL, more than one Orbital employee accessed the data.
The suit claims violations of the Computer Fraud and Abuse Act, the Defend Trade Secrets Act of 2016, misappropriation of trade secrets, violations of the Virginia Computer Crimes Act, conversion and unjust enrichment. The lawsuit asks for preliminary and permanent injunctions, including a request that the court order Orbital to return the information, confirm the scope of the dissemination, confirm that none of the information was or is being used by the company and refrain from using the information in any way in the future. It also requests an unspecified amount of compensatory and punitive damages.
Orbital intends to fight the allegations. A company spokesman said that the company “is committed to and adheres to industry and government best practices in governance and ethics.” The spokesman also said that, after discovering the breach, the company took multiple steps, including quarantining the data and notifying NASA of the breach.
My guess is that Orbital will argue that it is not responsible for the employee’s actions because it did not instruct him to access the data, did not know he was going to do so, and did not approve of or condone the action. Generally, a company is only liable for the actions an employee takes while acting in the scope of his or her employment. Many actions taken by employees, even if done “on the clock”, are not necessarily taken in the scope of their employment. For instance, if a salesman at a department store attacks and beats a customer, the store will have a pretty good argument that it is not liable, since the employee’s duties do not include assaulting customers, the store did not instruct/approve of/condone the action, and doing so is a violation of store policy.
The question here may be whether this was indeed a rogue employee that went off the reservation by violating company rules and standards in accessing the data. A huge issue will be whether the company expressly or impliedly authorized the act, or whether it knew or should have known that he was going to do so. SSL may try to show that Orbital somehow “ratified” the action, but the fact that Orbital terminated the employee and took other post-incident corrective actions may make that difficult. Company policies, procedures and training will become an issue.
In a future newsletter, I will talk about how companies can help prevent and defend against allegations that the acts of a rogue employee were taken in the “scope of employment.”
Another interesting question will be why NASA’s computer system allowed a user from one company to access the confidential data of another.