April 18, 2012
Intellectual Property, Internet & E-Commerce Alerts

No Criminal Liability Under CFAA for Abuse of Workplace Computer Access or Website Terms of Service
by Cyrus Wadia

Employee actions at odds with their employer’s computer use policies or websites’ terms of service are not criminal acts under the Computer Fraud and Abuse Act ("CFAA"), ruled the Ninth Circuit Court of Appeals last week. In splitting with other circuits and reversing a previous panel decision, the Ninth Circuit concluded that an ex-employee's trade secret theft did not constitute "exceed[ing] authorized access" for purposes of a CFAA violation. U.S. v. Nosal, __ F.3d __ (9th Cir. April 10, 2012).

David Nosal started an executive search business with the help of former colleagues at the firm Korn/Ferry. He allegedly solicited employees to transfer source lists, names, and contact information in violation of corporate computer use policy.  The government indicted Nosal on twenty counts including trade secret theft, mail fraud, conspiracy, and violations of the CFAA in aiding and abetting the Korn/Ferry employees in "exceed[ding their] authorized access' with intent to defraud (the CFAA makes an individual criminally liable who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.")  

According to the Ninth Circuit, the purpose of CFAA is to exclusively punish and prohibit hacking.  The CFAA defines "to exceed authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."  Here, Nosal's accomplices were already given access to the confidential information and thus the government could prosecute the access abuse based on violations of tort and contract laws, but not the CFAA. 

Chief Judge Alex Kozinski raised the spectre of common actions being criminalized with an overbroad interpretation of the CFAA: 

“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.”

Simply put, Judge Kozinski felt that "If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose."

US v. Nosal presents a circuit split with Fifth, Seventh, and Eleventh circuits reaching contrary conclusions in separate lawsuits.  This raises the possibility of a Supreme Court appeal, so employers and employees:  Stay tuned.

**Mr. Wadia recognizes Jong Cho's assistance in the preparation of this alert.

Back to Alerts