About a year ago, a disgruntled systems engineer for government contractor Federated IT was sentenced to two years in prison for illegally accessing his former employer’s network systems, stealing critical servers and information, and causing a loss valued at over $1.1 million. In a civil lawsuit against his girlfriend and arising out of much of the same conduct, a former project manager at the same company has been held in default and ordered to pay over $150,000 in damages for breach of fiduciary duty, conversion, and conspiracy.
The facts of the case, which are assumed to be true by virtue of the fact the defendant was held in default for violating a court order, are as follows. Federated IT provides cyber security, information technology, and analytic and operations support services, and managed a contract with the U.S. Army Office of the Chief of Chaplains. Ashley Arrington was a project manager for the Army contract and a direct supervisor of Barrence Anthony, the engineer currently serving a two-year prison sentence. Arrington and Anthony were romantically involved but did not notify Federated IT about the relationship. At some point during Anthony’s tenure, he began to behave insubordinately and failed to show up for work, eventually leading to his termination. He decided to go out with a bang. Among other spiteful acts he was accused of before and after he left, Federated IT alleged he:
- deactivated all administrator accounts except his own and refused to share the master password with his replacement
- changed the responsible-party contact information on Federated IT’s Amazon Web Services account to “Anthony Enterprises”
- modified Federated IT’s Help Desk email address to redirect emails to his personal email account
- deleted files from a SharePoint project folder, including encryption keys, account information, and network diagram files
- wiped the hard drive on his work laptop
- made unauthorized copies of the Army’s servers which contained their Financial Management System
- attempted thousands of “brute force cyberattacks” against the Chief of Chaplains’ web application system, which necessitated a shutdown of one of Federated IT’s servers.
What did Arrington (the girlfriend and supervisor) have to do with all this? She helped. Because Arrington and Anthony had been keeping their relationship under wraps, Federated IT had included Arrington on confidential, “For Official Use Only” government communications concerning Anthony’s actions. She forwarded those emails to her personal email account, then, in an attempt to avoid detection, deleted them from her “sent” folder at work and emptied her deleted items folder. The emails contained highly senstive company information that would have enabled Anthony to continue his conduct as well as determine what evidence his former employer was collecting about his activities.
Federated IT sued Arrington and basically threw the kitchen sink at her, alleging claims for (1) violation of the Computer Fraud and Abuse Act; (2) violation of the Virginia Computer Crimes Act; (3) misappropriation of a trade secret under the Defense of Trade Secrets Act; (4) misappropriation of a trade secret under the Virginia Uniform Trade Secrets Act; (5) breach of fiduciary duty; (6) tortious interference with existing contract; (7) conversion; (8) breach of contract; (9) conspiracy; and (10) statutory business conspiracy. Some of the claims were successful; others weren’t.
Federated IT apparently abandoned the trade-secret counts as well as the breach-of-contract count, but it sought a default judgment on the remaining 7 claims. The magistrate judge, and later the district judge who agreed with the magistrate judge’s findings in all respects, held as follows:
Counts 1 and 2 (the computer crimes):
Federated IT could not recover under these statutes because it did not establish that Arrington did not have authorization to access the information that she sent to her personal email account. These statutes generally require that the defendant accessed information without authority or by exceeding their authority. In this situation, Arrington was authorized to view the information; she just wasn’t authorized to forwarded to her personal email account.
Count 5 (breach of fiduciary duty):
This was probably the most obvious claim to bring on the facts of this case. Federated IT could recover damages on this claim because Arrington owed a fiduciary duty to her employer but nonetheless sent herself confidential company information and went to great lengths to conceal this breach of duty, resulting in damages to her employer.
Count 6 (tortious interference):
Federated IT failed to establish a valid tortious-interference claim because its complaint did not allege that any contract was actually breached or terminated as a result of Arrington’s actions.
Count 7 (conversion):
Another winner. Federated IT did establish that Arrington wrongfully converted its property by exerting wrongful control over its confidential, proprietary information, including privileged information about the investigation into Anthony’s actions. Virginia courts have recognized conversion claims in “cases where intangible property rights arise from or are merged with a document” (see United Leasing Corp. v. Thrift Ins. Corp., 247 Va. 299, 304 (1994)), including the removal of confidential information from an employer, so the facts of this case supported such a claim.
Counts 9 and 10 (the conspiracy claims):
The facts also supported claims for civil and statutory conspiracy. Arrington sent information to her personal email account that was used to assist Anthony in his efforts to sabotage Federated IT’s computer system. That was enough.
The court entered judgment in favor of Federated IT in the amount of $151,513.35, consisting of $124,195.35 in compensatory damages ($15,972.60 for Arrington’s prorated salary during the period in which she abandoned her fiduciary duties, $19,281.37 to cover half of the costs incurred by Federated IT’s Incident Response Team, and $6,144.48 for half of the legal expenses incurred in recovering the registration of Federated IT’s domain name, all trebled in accordance with the Virginia business-conspiracy statute), plus $27,318.00 in attorney’s fees and costs.