In a closely-watched decision published April 10, 2012, the Ninth Circuit Court of Appeals, in United States v. Nosal, curtailed an employer's ability to use the federal Computer Fraud and Abuse Act as a means to sue employees who have misappropriated confidential information.
The Computer Fraud and Abuse Act (CFAA) is a federal statute that, while providing criminal remedies, permits private parties to bring a civil cause of action for theft or misappropriation of electronic information, and to recover compensatory damages and obtain injunctive or equitable relief. The CFAA allows a private right of action against a person who accessed a protected computer "without authorization" or who "exceeds authorized access" to a computer knowingly and with the intent to defraud. Employers have in the past utilized the CFAA to pursue civil lawsuits against employees who steal confidential and proprietary information and establish competing businesses. Unlike trade secret misappropriation statutes, employers do not need to prove that the stolen information is a "trade secret" under the CFAA.
In United States v. Nosal, Case No. 10-10038, (9th Cir. April 10, 2012), the federal government sought to prosecute David Nosal for, among other things, violations of the CFAA. Nosal left his employer, Korn/Ferry, and then encouraged his former coworkers to download source lists, names and contact information from Nosal's old work computer for the purpose of helping Nosal establish a competing business. Nosal's former coworkers were authorized to access the source lists on the database, but the employer had a policy prohibiting the disclosure of confidential information to third parties. The government charged Nosal with aiding and abetting Korn/Ferry employees in exceeding their "authorized access" to Korn/Ferry's computers with the intent to defraud the company. The district court dismissed the CFAA charges, holding that employees do not violate the CFAA unless they lack the authority to enter or use the portion of the computer network at issue. U.S. v. Nosal, No. 10-cv-4712, 011 WL 4346514 (N.D. Cal. Sept. 14, 2011).
In its ruling on April 10, 2012, the Ninth Circuit Appeals Court agreed with the District Court and interpreted the CFAA narrowly. The Ninth Circuit determined that the statute should be read restrictively and all ambiguities should be resolved in Nosal's favor, specifically since it provides for criminal penalties. Writing for the majority, Chief Judge Alex Kozinski stated that the CFAA's focus was on hacking from either internal or external sources rather than creating a general computer use or Internet-policing criminal statute. The Court articulated that any other interpretation of the CFAA would enable employers to make any access on a computer that is not specifically authorized and work related an actionable crime (e.g., checking your stock prices or reading an article).
The Court held that the CFAA's prohibition on "exceed[ing] authorized access" is limited to violations of restrictions on access to the information, and not restrictions on its use. The plain language and Congress' legislative history reveal a general purpose to punish hacking, as in the circumvention of technological barriers, rather than misappropriation of trade secrets, a subject that Congress has dealt with elsewhere. Without any allegations that Nosal's co-conspirators lacked the employer's authority to access the information on Korn/Ferry's computer, Nosal could not be liable for violation of the statute.
What This Means for Employers:
Following the Ninth Circuit's en banc decision, employers in the Ninth Circuit's jurisdiction do not have a private remedy under the CFAA to pursue an action for theft of confidential information if the employee had authority to use, access, review or obtain the data, regardless of whether it was for a deceitful purpose. Employers must again review policies and practices to ensure that they limit information specifically to those employees who need it, and that, even when access is needed, global access is not granted but is instead determined based on the specific employee's need for the information.
Employers may still pursue individuals for theft and misappropriation of information that constitutes trade secrets under federal or state law. In addition, employers may rely upon other common tort theories, such as conversion and breach of fiduciary duty, where appropriate.
There is now a clear split in the federal circuit courts of appeal (the First, Fifth, Seventh, and Eleventh Circuits have held contrary to the Ninth Circuit's recent decision). This means the issue of what constitutes "unauthorized access" under the CFAA is likely headed to the U.S. Supreme Court for an ultimate resolution.
In the meantime, employers should take steps to restrict employees from accessing confidential and proprietary data on the computer network, unless it is necessary for the employee to use that information to perform his or her job.