The Computer Fraud and Abuse Act (“CFAA”) was enacted in 1986, in part, to criminalize the act of knowingly accessing a protected computer with the intent to defraud. 18 U.S.C. § 1030. The statute was intended to target computer hackers, but could it also be used to find employees criminally liable for misappropriating confidential information on their employer’s computers? That was a question recently considered by the United States Court of Appeals for the Ninth Circuit. U.S. v. Nosal, 2012 U.S. App. LEXIS 7151 (9th Cir. Cal. Apr. 10, 2012).
The plaintiff, David Nosal (“Nosal”), was formerly an employee of the executive search firm Korn/Ferry. Shortly after leaving the company, he convinced a few of his former co-workers to join him in starting a business to compete with Korn/Ferry. The employees used their log-in information to download source lists as well as names and contact information from the company’s database. The information was then transferred to Nosal. Though the employees had authorization to access the database, they violated company policy by disclosing confidential information.
The government charged Nosal with, among other charges, violating the CFAA for aiding and abetting the Korn/Ferry employees in exceeding their authorized access with an intent to defraud. See § 1030(a)(4). Nosal filed a motion to dismiss the CFAA counts, arguing that the statute only targets hackers, not those who access a computer with authorization.
His argument was initially rejected by the United States District Court for the Northern District of California which was considering Nosal. However, a subsequent Ninth Circuit opinion opted for narrow interpretation of the phrases “without authorization” and “exceeds authorized access” in the CFAA. See LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). Under this decision, “[t]here is simply no way to read [the definition of ‘exceeds authorized access’] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate,” as “[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense.” Nosal at 4. Basing its decision on LVRC, the Ninth Circuit Court of Appeals that was considering the appeal of Nosal reversed and dismissed the counts for failure to state an offense.
The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(a)(4). The government argued that the statute’s language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. On the other hand, Nosal argued that the statute could refer to one who is authorized to access only certain data but instead accesses – or “hacks” – data that he is not authorized to.
The Court opted to follow Nosal’s interpretation, finding that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” Id. at 7. It found that the language “without authorization” would apply to outside hackers, while the language “exceeds authorized access” would apply to inside hackers, concluding that such an interpretation would be “a perfectly plausible construction of the statutory language that maintains the CFAA’s focus on hacking rather than turning it into a sweeping Internet-policing mandate.” Id. at 10.
“We need not decide whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.” Id. 24-25.
The Court’s decision suggests that the CFAA might not be the statute to look to for businesses seeking to bring legal claims against former employers.
© 2012 Nissenbaum Law Group, LLC