U.S. v. Nosal: Enhancing Employers' Ability to Protect Company-Owned Information
by
The Ninth Circuit recently decided to rehear en banc the case of U.S. v. Nosal, in which the court had determined that an employee could be held criminally liable under the Computer Fraud and Abuse Act ("CFAA") for misappropriating an employer's information from a company-owned computer. See, U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011). The outcome of this rehearing is important as the case has broad implications for employers and employees alike. Essentially, the court in Nosal must determine if the CFAA criminalizes the violation of an employer's computer use policy.
The legislative history of the CFAA indicates that the act was passed to curb computer hacking. Subsection (a)(4) of 18 U.S.C. § 1030 subjects to criminal and civil liability anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." An exception is made if the "thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." The statute defines "protected computer" broadly, essentially including any computer that has Internet access.
Nosal was a high-level employee of Korn/Ferry International, an executive search firm. Upon his resignation, Nosal signed several agreements that, among other things, declared that he would not compete with Korn/Ferry for one year. Nevertheless, shortly after his resignation, Nosal contacted three Korn/Ferry employees in an effort to start a new, competing business.
These employees then "transferred to Nosal source lists, names, and contact information from the 'Searcher' database, a 'highly confidential and proprietary database of executives and companies' - which was considered by Korn/Ferry 'to be one of the most comprehensive databases of executive candidates in the world.'" Korn/Ferry had instituted restrictive usage policies regarding the "Searcher" database and implemented protections to prevent unauthorized access. With these restrictions, the Korn/Ferry employees at issue in Nosal were authorized to access the database. Nosal and one of his accomplices were subsequently charged criminally.
The District Court for the Northern District of California initially denied Nosal's motion to dismiss the indictment. However, the Ninth Circuit then issued its opinion in LVRC Holdings LLC v. Brekka, which held that an employee does not access a computer without authorization unless an employer takes action to remove such employee's rights to access the computer. Following Nosal's motion for reconsideration, the District Court determined that the Brekka decision required dismissal of the indictment, as Nosal's conspirators were authorized to access Korn/Ferry's "Searcher" database.
A three-judge panel of the Ninth Circuit reversed, holding that the Brekka decision actually mandated denial of Nosal's motion to dismiss. The court's decision hinged on the distinction between the statutory phrases "without authorization" and "exceeds authorized access." More specifically, the court rejected Nosal's argument that, since the employees had permission to access to the "Searcher" database, they could not have violated 18 U.S.C. § 1030. According to the court, Nosal's argument ignored the prohibition against "exceed[ing] authorized access" to the protected computers. The court expressly interpreted this phrase in the employer-employee context: "the only logical interpretation of 'exceeds authorized access' is that the employer has placed limitations on the employee's 'permission to use' the computer and the employee has violated - or 'exceeded' - those limitations." Because Korn/Ferry's use restrictions specifically prohibited disclosure of the "Searcher" database information "except for legitimate Korn/Ferry business," Nosal and his conspirators had exceeded authorized access and therefore violated 18 U.S.C. § 1030.
The Ninth Circuit has now decided to rehear the case en banc, meaning that all Ninth Circuit judges (and not just a three-judge panel) will reconsider the original arguments and either affirm or reverse the original judgment. If the Ninth Circuit affirms its original holding, employers will essentially have the power to determine the parameters of the criminal prohibitions set forth in the CFAA. Indeed, a crucial distinction between Brekka and Nosal is that the employer in Nosal had instituted "clear and conspicuous restrictions" on employees' use of its computers and databases. The result, then, is that employees' civil and criminal liability will depend in part of their adherence to the computer use and restriction policies instituted by their employers. Of course, the CFAA also allows an employer to bring a civil action against an employee for such infractions.
The court roundly rejected Nosal's argument that, under its interpretation, the CFAA will "make criminals out of millions of employees who might use their work computers for personal use, for example, to access their personal email accounts or to check the latest college basketball scores." The court held that, because 18 U.S.C. § 1030(a)(4) requires that a defendant's access be made "with an intent to defraud" and that the access must "further the intended fraud," such innocuous computer use would not become criminalized under its interpretation.
Judge Campbell dissented from the majority, however, arguing that other subsections of 18 U.S.C. § 1030 do not contain the intent requirement relied-upon by the majority. According to Judge Campbell, the absence of the intent requirement in these subsections means that, under the majority's statutory interpretation, updating fantasy football teams or Facebook statuses on company computers could be deemed a federal offense. Judge Campbell wrote that such an interpretation will lead to arbitrary enforcement of a law designed to combat computer hacking, not misappropriation of employer information.
The Ninth Circuit's resolution of these arguments remains to be seen. If the court rejects Nosal's and Judge Campbell's counter-arguments, however, and affirms its earlier decision, employers will have been granted a new tool in their efforts to protect information by controlling the access to and use of company-owned computers.
Click Here to Download Article
The publications available on this website are intended by McCarthy, Lebit, Crystal & Liffman Co. LPA to educate and inform our clients and the general public regarding important legal developments. These publications are not intended, nor should be construed to be legal advice. The publications provide general information and may not apply to your specific facts and circumstances. You should contact legal counsel relative to your individual circumstances. We invite you to contact us and welcome your calls, letters and electronic mail. Contacting us does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established.
