Computer Fraud and Abuse Act's Purpose is to Punish Hacking, Not Corporate Misappropriation, Rules Ninth Circuit

The latest word from the Ninth Circuit is that the Computer Fraud and Abuse Act (CFAA) does not protect employers against misappropriation by their employees and former employees of trade secrets and other confidential company information.

In U.S. v. Nosal, David Nosal was a former employee of Korn/Ferry, an executive search firm.  Nosal decided to start his own business to compete with Korn/Ferry.  He persuaded current Korn/Ferry employees to use their log-in credentials to download, and provide to him, information kept in a confidential database on a Korn/Ferry computer.  Although the employees were authorized to access the database, Korn/Ferry policies forbade disclosing confidential information.  The federal government indicted Nosal, charging him with CFAA violations, trade secret theft, mail fraud and conspiracy.  The CFAA charges involve violations of 18 U.S.C. §1030(a)(4), “for aiding and abetting the Korn/Ferry employees in ‘exceeding their authorized access’ with intent to defraud.”  (Opinion pdf page 3).

This case turns on the meaning of “exceeds authorized access” in §1030(e)(6), the statute’s definition section.  Nosal argued that the term applies only to hacking, i.e., the actor is authorized to access only certain data or files, but accesses unauthorized data or files.  The federal government argued that the term refers to “someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information.”  (Opinion pdf page 4).  Nosal’s narrower definition focuses on accessing unauthorized data (hacking), whereas the government’s definition focuses on the use to which the obtained information can be put (use restrictions).

The Ninth Circuit indicated that the government’s interpretation of the CFAA would convert an anti-hacking statute into “an expansive misappropriation statute.”

If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions – which may well include everyone who uses a computer – we would expect it to use language better suited to that purpose.

(Opinion pdf page 6).

The court thought that it was unlikely that Congress meant to criminalize conduct other than conduct which is inherently wrongful, e.g., breaking into a computer.

The Ninth Circuit was concerned about turning the CFAA into “a sweeping Internet-policing mandate.”  (Opinion pdf page 7).  The court does not want the CFAA to be used to turn violations of private computer use policies into federal criminal violations.  People who use the Internet at work to chat with friends, play games, shop or watch sports highlights should not be prosecuted for federal crimes.  Employers should not be able to use CFAA violations to fire employees they want to get rid of without following the proper procedures.

Further, violations of a website’s terms of use should not be elevated to a federal crime, especially when website owners can change the terms of use at any time and without notice to the website’s users.  The court rejected the government’s representations that such minor violations would not be prosecuted, citing U.S. v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).  In Drew, a mother cyber-bullied her daughter’s classmate by posing as a 17-year-old boy on MySpace and was prosecuted by the federal government for violating MySpace’s terms of service.  The court stated,

But we shouldn’t have to live at the mercy of our local prosecutor….And it’s not clear we can trust the government when a tempting target comes along. 

(Opinion pdf page 14).

The term “exceeds authorized access” appears in five subsections of the CFAA, §1030.  Each subsection describes a separate violation.  The government argued that the meaning of “exceeds authorized access” varies from subsection to subsection and that the court’s definition of the term in Nosal would apply only to §1030(a)(4).  The court also rejected that argument, stating “Congress obviously meant ‘exceeds authorized access’ to have the same meaning throughout section 1030.”  (Opinion pdf page 9). 

Judge Kozinski wrote the majority opinion and was joined by Judges Pregerson, McKeown, Wardlaw, Gould, Paez, Clifton, Bybee and Murguia.

Judge Silverman wrote the dissent and was joined by Judge Tallman.

Dissent.  This case is not about punishing innocuous activities, but about “stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”  (Opinion pdf page 17).

The dissent argued that §1030(a)(4) is clear and requires both mens rea (criminal intent) and the specific intent to defraud.  Only people with both of those can violate the subsection.  Innocuous violations of office policy involve neither mens rea nor the specific intent to defraud.  The dissent argued that the majority did not limit itself to deciding the case before it, as the majority should have done, but arrived at its decision after considering a broad range of fact patterns having nothing to do with this case.

We need to wait for an actual case or controversy to frame these issues, rather than posit a laundry list of wacky hypotheticals.

(Opinion pdf page 22).

This case is U.S. v. Nosal, Ninth Circuit Court of Appeals, No. 10-10038.

 
