Last year we reported on the case U.S. v. Nosal, in which the U.S. Ninth Circuit Court of Appeals held that an employee may be criminally liable when he or she misuses employer data in violation of the employer's computer use policy. Reversing course, the Ninth Circuit recently reheard this case en banc and narrowed the scope of the Computer Fraud and Abuse Act (CFAA) to apply when an employee hacks into a computer, but not when an employee misuses information that employee already has authorization to access.
David Nosal, a former employee of an executive search firm, convinced some of his former colleagues to use their log-in credentials to download confidential company information, including source lists and contact information from a confidential database. The employees handed this confidential information over to Nosal. While the employees had authorization to access the information, they violated the company's policy prohibiting disclosure of confidential information.
The U.S. government charged Nosal with, among other things, violating the CFAA for aiding and abetting his former colleagues to "exceed [their] authorized access" with intent to defraud the company.
The issue in this case was the meaning of "exceeds authorized access." Nosal argued that this term refers to "hacking"—where an employee who only has access to some data on a computer "hacks" into or accesses, other data. The government argued, however, that this term also includes situations where an employee has unrestricted physical access to a computer but uses the information in an unauthorized manner.
The Ninth Circuit Court of Appeal, sitting as a panel of eleven judges, agreed with Nosal's narrow interpretation of what "exceeds authorized access" means under the CFAA. The Court characterized the intent of the law to apply to traditional computer "hackers"—those that break into data without authorization—rather than those who misappropriate data they already have access to. The Court noted that in 1984 Congress enacted the CFAA to combat the growing problem of computer hacking, rather than the more recent issue of misappropriation of data.
In reaching its conclusion, the Court also examined how the term "exceeds authorized access" appears throughout the CFAA. One section of the law makes it a crime to "exceed authorized access" of a computer connected to the Internet, whether or not there is criminal intent. The Court reasoned that if "exceeds authorized access" included misusing data that users already had authorization to access, millions of employees would find themselves in violation of this provision of the CFAA. The Court cited numerous examples of obscure private policies of large, frequently visited websites, such as Amazon, Facebook, or eBay, which users unknowingly violate without repercussion all the time. If an expansive interpretation of the CFAA applied, these website users may become criminally liable—the Court determined Congress did not intend such a scenario.
The CFAA creates a private right of action for employers. However, this ruling clarifies that employers may not invoke the CFAA when an employee misuses data that he or she has authorization to access. Nonetheless, an employer may discipline an employee for violating the employer's computer use policy. Therefore, it is important for employers to create, maintain and train employees on a comprehensive computer use policy that places clear limits on an employee's use of agency data.
The Ninth Circuit Court's narrow reading of the CFAA provision diverges from that of other circuit courts, therefore, there is a chance the U.S. Supreme Court may review this issue.