In a much-anticipated en banc decision in United States v. Nosal, the Ninth Circuit Court of Appeals held that the Computer Fraud and Abuse Act (“CFAA”) was not intended to cover employee misappropriation of trade secrets, violations of corporate computer use policies or violations of an employee duty of loyalty. The decision, which overrules a previous Ninth Circuit panel decision in Nosal, creates a conflict with the Fifth, Seventh and Eleventh Circuits, all of which have interpreted the CFAA broadly to include such employee misconduct. As a result, we can probably expect this issue to show up on the Supreme Court’s docket sometime in the future.
In Nosal, a former employee of an executive search firm convinced some of his former colleagues who were still working for the firm to help him start a competing business. The employees used their log-in credentials to download confidential data from a company computer and then transferred it on to Nosal. Under the firm’s computer use policy, the employees had authorization to access the data, but were prohibited from disclosing it outside the firm. When his involvement in the plot was discovered, Nosal was indicted on several criminal counts, including a count alleging that he had violated the CFAA by aiding and abetting the current firm employees in “exceed[ing] their authorized access” with intent to defraud.
Nosal filed a motion to dismiss the CFAA counts in the district court, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access. After initially denying the motion, the district court reconsidered when a panel of the Ninth Circuit in LVRC Holdings LLC v. Brekka held that an employee does not exceed authorized access to a computer by accessing information unless the employee has no authority to access the information under any circumstances. On the government’s appeal, a panel of the Ninth Circuit agreed with the government and concluded that employees violate the CFAA when they obtain information from their employers’ computer but then use it for a purpose that violates the employer’s restrictions on the use of the information.
In the en banc decision, the Ninth Circuit held that the government’s interpretation of the CFAA, as adopted by the panel decision, would expand the statute’s scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. In rejecting this interpretation, Judge Kozinski, who wrote the majority decision, pondered how wide a net it would cast if exceeding the scope of an employer’s computer use policy were criminalized. For instance, the court noted that employees who used their computers to chat with friends, play games, shop, or watch sports highlights in violation of their employer’s policy would be violating federal criminal law. Judge Kozinski then went on to write:
“Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private policies that are lengthy, opaque, subject to change and seldom read…..Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to printed puzzles, because visiting www.dailsudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars.”
The dissenting judges took issue with the majority’s focus on what they described as “far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct.” In Nosal, the dissent argued, the indictment alleged that Nosal and his co-conspirators knew when they accessed the employer’s computer system that they were only permitted to use it for legitimate business purposes and therefore they exceeded their authorized use of the computer when they accessed it with the intent to defraud. If true, according to the dissent, these allegations adequately state a crime under a commonsense reading of the CFAA. As for whether the CFAA can be interpreted as criminalizing the “laundry list of wacky hypotheticals” raised by the majority, the dissent urged that the court should wait for an actual case or controversy that poses those issues before deciding them.
Although Nosal was a criminal case, there is no reason to expect that the interpretation of the CFAA would be any different in a civil context. Because the Sixth Circuit and, it appears, Ohio federal courts have yet to address this issue, Ohio employers do not yet know whether the CFAA will provide a viable tool to combat employee disloyalty. Nevertheless, employers would be wise to have explicit computer use policies, procedures and practices that clearly delineate which aspects of the company’s computer system may be accessed by which employees. For instance, employers would be wise to create administrative, technical and physical safeguards that limit employees’ access to only specific parts of the computer system (e.g., customer lists only for sales staff, financial information only for the finance department). This may enhance the potential for establishing that employees exceeded their authorized access for purposes of pursuing a CFAA remedy, but it also is a component of any strong trade secret protection program.