Ninth Circuit Narrows Computer Fraud and Abuse Act Reach

Monday, May 07, 2012

David Navetta


The legal and online arenas have been abuzz recently in response to the Ninth Circuit's en banc opinion in U.S. v. Nosal, 2012 WL 1176119 (9th Cir. April 10, 2012), addressing the reach and scope of the oft-litigated and controversial Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030.

The crux of the broader interest in the case has been recent applications of the CFAA criminalizing violations of website terms of use and employer restrictions on employee computer uses, stemming in particular from what the statute’s term “exceeds authorized access” does and does not mean.

What’s the bottom line? What do you need to know about the case’s holding to apply to and recognize in your employee policies, website terms, etc.?

First, the case does not hold, in my opinion, as one learned colleague has opined, that “employees are [now] free to steal from [] company computers.” Far from it. After all, as the Court noted, Nosal was indicted on “twenty counts, including trade secret theft, [the ever popular count of] mail fraud, [and] conspiracy,” which charges remain pending, in addition to the now dismissed criminal violations of the CFAA.

It’s simply not accurate to state the floodgates have opened wide for employees to run riot without penalty through every database, spreadsheet and confidential piece of information their employer has on hand.

Second, the majority’s clear opinion, penned by one of the Ninth’s most colorful judges, Alex Kozinski, applies the rule of lenity to decide between the two possible readings of the applicable language, resulting in a bright-line boundary – at least for those in the Ninth Circuit – that the CFAA does “not extend to violations of [website and company policy] use restrictions” and that the CFAA’s “exceeds authorized access” requirement is limited to “violations of restrictions on access to information, and not restrictions on its use.”

What’s piqued further attention is that the Ninth Circuit’s en banc opinion re-affirms the district court’s dismissal of the CFAA counts, replacing the previous Ninth Circuit panel’s 2-1 opinion filed nearly a year ago, which reversed the district court’s dismissal of the CFAA counts, and sets up a clear circuit split of those Courts of Appeal to have opined on the issues with the Ninth on one side and the Fifth, Seventh and Eleventh Circuits on the other side, priming the pump for potential resolution by the Supreme Court.

Until then, however, the takeaways are:

  • It should not be assumed that violations of employee handbooks, confidentiality agreements and data access restrictions as to “use” of a computer system will rise to the level of a federal crime;
  • Many other federal and state civil – and criminal – statutes provide adequate remedies in the event employees or others misappropriate company materials;
  • The CFAA is not a rubber hammer, stretching to fit the head of every nail that a plaintiff or prosecutor wants to hammer; and
  • Finally, while companies and their attorneys, certainly in Circuits outside of the Ninth, will continue to press and make claims that violations of ToU’s and company policies run criminally afoul of the CFAA, in my sole individual opinion, expressly not reflective nor representative of the opinions of either my firm or our clients, such claims are typically contrary to the law as generally understood by the populace at large. As such, I believe they do needless violence to the fraying social contract we all abide by, as well as the increasingly tenuous legal fiction that all of us are charged with constructive knowledge of all laws.

For those needing to “get in, get out and get on” the above capsule should be enough. But for Nosal and CFAA aficionados and fans, of which I’m one, more detailed information and a collection of Nosal-related links discussing the Ninth’s en banc opinion are available below.

Background

It’s a fair bet that you probably go to more interesting parties than I do, but when I’m "putting on the Ritz" I at least like to have the facts of any case I’ll be animatedly discussing nailed down and readily at hand. It’s a strange point of pride. So here's a basic summary of the facts of the Nosal case for your next garden party.

David Nosal was an employee with an executive search firm called Korn/Ferry until he resigned in October 2004. As part of his separation agreement, he apparently agreed to serve as an independent contractor for the company and not work for a competing firm for one year in exchange for two lump-sum payments and 12 monthly payments of $25,000 during that same period.

Not a bad gig, and simple enough, right? Well, human nature being what it is, Nosal couldn't leave well enough alone and confine himself to sipping sweet adult beverages with little umbrellas in them by the pool for the next year. Instead, during the first few months of the following year he contacted three former coworkers at Korn/Ferry in the hopes of convincing them to join him in starting a competing firm.

His machinations worked, but before leaving the company, the internal trio downloaded a large amount of "highly confidential and proprietary" data from Korn/Ferry's computers, including source lists, client data, and contact information.

Fast forward to June 26, 2008 when the four men were indicted by the federal government on 20 various counts, including criminal violations of the CFAA, with the government alleging that they had exceeded their authorized access to Korn/Ferry's computers, "knowingly and with intent to defraud."

Nosal moved for dismissal on the grounds that the CFAA was intended to address computer hackers and "does not cover employees who misappropriate information or who violate contractual confidentiality agreements."

Of particular note is the fact that Nosal argued that he had not violated Section 1030(a)(4) of the CFAA, which applies to anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." (18 USC § 1030 (a)(4)).

It was on this provision that the more serious criminal charges against the four were based – hence the strenuous challenges and appeals since. Nosal argued in response that because they had accessed the information while working for Korn/Ferry they had actual and express authorization to “access” the information. Hence the CFAA’s provisions didn’t apply regardless of whatever misuse may have followed.

On these grounds, Nosal et al. filed a motion to dismiss. The district court initially rejected the argument but nonetheless dismissed the five charges based on Section (a)(4). The government upped the ante when it filed an interlocutory appeal to the Ninth Circuit on the basis that Nosal’s downloading of Korn/Ferry's data was a violation of Nosal’s applicable workplace computer policies and thus constituted “unauthorized access” under the CFAA.

The Ninth Circuit panel last year centered its 2-1 decision largely on whether or not Nosal and his accomplices had exceeded their authorization to use Korn/Ferry's computers, as neither party disputed that they were authorized to use the computers to some extent.

The court therefore relied heavily on the earlier Circuit decision in LVRC Holdings v. Brekka, 518 F.3d 1127 (9th Cir. 2009), in which an employee had transferred work documents from his employer's computers to his personal email account and found himself sued by his employer under the CFAA for his efforts.

The court's ruling in that case strongly emphasized the difference in Section (a)(4) between "without authorization" and "exceeding authorized access", because if there were no distinction between the two, there would be no need for the latter concept; after all, if both situations were treated in the same way, then there would be no need for two different phrases, and given that a cardinal rule of judicial statutory interpretation is that no language in a statute is superfluous, the two clauses must address different situations.

In light of the previous Brekka holding, the prior Ninth Circuit panel in US v. Nosal held that an employee is "exceeding authorized access" when they use a computer in any way that violates an employer's access restrictions, including any policies governing how information on the computer may be used.

The panel elaborated on the distinctions stating "...an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question." United States v. Nosal, 642 F.3d 781 (9th Cir. 2011).

To put the original panel’s holding in stark terms, they held, essentially, that it doesn't technically matter if an employee has broken any existing laws - if the employee used the computer for anything the employer prohibited them from, it constituted a violation of the CFAA. The recent en banc opinion by Chief Judge Kozinski makes much of this, providing example after example of potentially probable but unexpected scenarios that, in Judge Kozinski’s words, “will earn you a handsome orange jumpsuit.”

The En Banc Opinion

The en banc ruling, of course, as highlighted in brief, interprets the CFAA as not reaching violations of terms of use or company computer usage policies as criminal infractions. The concise 22-page opinion is a quick and enlightening read, and I urge you to read it, but in the interest of completeness I should recognize the points raised in dissent by Judge Silverman, joined by Judge Tallman. Essentially the dissent pooh-poohs the majority’s parade of horribles, painting the majority’s concerns as so many stuffed straw men, and curtly dismissing the majority’s view as:

“This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”

Perhaps. But the majority's scenarios are all too familiar to virtually every employee that has killed time on his company computer with non-company functions. Where the dissent goes somewhat astray, in my opinion, is in stating that “[t]he majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress.”

An objective review of CFAA caselaw clearly shows that the statute is far from "plainly written" given scattered judicial interpretations to date. Admirably, in a day and age when mens rea is increasingly and disturbingly falling by the wayside in many criminal statutory applications, the dissent notes that the CFAA contains a specific mens rea, and that other Circuits have interpreted the CFAA more expansively than the majority.

Finally, the dissent notes that an as-applied challenge would still be available to the targets of the parade of horribles.

As my name isn’t preceded by the appellation Judge or Justice, my opinions are just that… opinion with no binding or authoritative effect. Still, the majority’s cabining of the CFAA – in the absence of Congressional action – has found favor with many across the blogosphere and netverse.

Want more? Here’s a good collection of links on the case and recent commentary:

The district court ruling: http://scholar.google.com/scholar_case?case=17426102904279126314&q=us+v+nosal&hl=en&as_sdt=2,7&as_vis=1

Original 9th Circuit ruling: http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf ; and Judge Trott's dissent: http://scholar.google.com/scholar_case?case=3965762782958557205&q=us+v+nosal&hl=en&as_sdt=2,7&as_vis=1

http://en.wikipedia.org/wiki/United_States_v._Nosal

http://www.chicagotribune.com/business/sns-rt-us-computerfraud-rulingbre8391bs-20120410,0,6761656.story

http://www.hahnloeser.com/tradesecretlitigator/post/2012/04/11/US-v-Nosal-Ninth-Circuit-Issues-Its-Long-Awaited-Decision-and-Limits-the-Computer-Fraud-and-Abuse-Act-to-Hacking.aspx

https://www.eff.org/press/releases/appeals-court-rules-violating-corporate-policy-not-computer-crime

http://www.fedsocblog.com/blog/ninth_circuit_narrows_reach_of_computer_fraud_law/

http://www.technolog.msnbc.msn.com/technology/technolog/court-facebooking-work-not-federal-crime-even-when-forbidden-710056

http://www.theawl.com/2012/04/the-ninth-circuit-lying-on-social-media-websites-is-common

http://www.businessweek.com/news/2012-04-10/checking-facebook-at-work-isn-t-crime-appeals-court-rules

http://www.examiner.com/business-news-in-los-angeles/going-on-facebook-at-work-is-not-a-crime

http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers

http://volokh.com/2012/04/10/ninth-circuit-hands-down-en-banc-decision-in-united-states-v-nosal-adopting-narrow-interpretation-of-computer-fraud-and-abuse-act/

Cross-posted from InfoLawGroup
