9th Cir: Access of Computer in Violation of Employer’s Use Policy Violates Computer Fraud and Abuse Act — US v. Nosal
[Post by Venkat Balasubramani]
US v. Nosal, 10-10038 (9th Cir.; Apr. 28, 2011)
The Ninth Circuit reversed the district court’s dismissal of an indictment under the Computer Fraud and Abuse Act, holding that an employee’s access of an employer’s protected computer in violation of the employer’s “use policy” violates 18 U.S.C. 1030(a)(4).
Background: Nosal, the defendant, worked for Korn/Ferry International, an executive search firm. He left the firm in October 2004 and signed a separation agreement under which he agreed to help Korn/Ferry as a consultant. After leaving employment with Korn/Ferry, Nosal allegedly engaged three Korn/Ferry employees to help him start a competing business:
[t]he indictment alleges that these employees obtained trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database – ‘a highly confidential and proprietary database of executives and companies’ – which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’
The indictment indicates that Korn/Ferry took certain steps to secure its “highly confidential” database, and among other things, required its employees to enter into agreements which “restricted the use and disclosure of all [confidential] information, except for legitimate Korn/Ferry business.”
LVRC Holdings v. Brekka: The district court, relying on LVRC Holdings LLC v. Brekka, dismissed on the basis that the cooperating Korn/Ferry employees had authorization to access the confidential database for legitimate Korn/Ferry business, and therefore their access of the database was not “without authorization.” In Brekka, LVRC sued an ex-employee under the Computer Fraud and Abuse Act, alleging that the ex-employee accessed LVRC’s computers without authorization when the employee emailed himself documents. The employee was authorized to access the documents in question, but accessed them for his own purposes rather than in furtherance of LVRC’s goals. The court rejected LVRC’s claims, holding that “access without authorization” means access of a computer that was never authorized, or where access was expressly revoked – i.e., access of information that the employee is authorized to access, but accesses for a purpose contrary to the employer’s purpose, does not constitute access “without authorization.” In a footnote, the court also rejected LVRC’s “implicit” argument that Brekka “exceeded the scope of authorization,” on the basis that the statute defines “exceeding the scope of authorized access” as the access of a computer that the person has permission to access, but where the person accesses information that the person is not entitled to access.
The Ninth Circuit’s Opinion in Nosal: The Ninth Circuit does a 180 from Brekka and holds that an employee who accesses a protected computer in violation of the employer’s use restrictions “exceeds authorized access” for purposes of the CFAA:
as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that.
The court distinguishes Brekka and states that while in Brekka there was no express policy in place (and the employer relied on state law duties of loyalty), in Nosal, the Korn/Ferry employees “were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the . . . database in particular.”
Judge Campbell dissented, arguing that the majority’s interpretation would:
make criminals out of millions of employees who might use their work computers for personal use, for example, to access their personal email or to check the latest basketball scores.
Judge Campbell points out that this case is analogous to the US v. Drew case, where the court rejected the government’s interpretation that a violation of a website’s terms of service could support a criminal violation of the CFAA. Judge Campbell also points out that although section 1030(a)(4) requires an intent to defraud, section 1030(a)(2)(C) contains identical “exceeds authorized access” language but does not contain an intent requirement.
Nosal bolsters employer claims based on the Computer Fraud and Abuse Act, but it raises the same issues that the Lori Drew prosecution raised. The legal theory behind both prosecutions would criminalize harmless activity that many people engage in on a daily basis. Under the prosecution’s theory in Drew, a website’s terms of service would turn everyday web surfing that is in technical violation of those terms into a federal crime. People violate the terms of service of websites they access every day. Similarly, employees access their employer’s computers in technical violation of acceptable use policies all the time. If an employer’s policy says that you can only use the computer for work purposes, and you access espn.com, this is a technical violation of the policy, and under the court’s interpretation of the statute, a federal crime.
What’s surprising in all of this is that this looks like it should be a run of the mill trade secrets case brought by an employer, who has ample tools available other than the Computer Fraud and Abuse Act to deal with this situation. Instead, it’s a federal criminal indictment which drastically expands the scope of Computer Fraud and Abuse Act liability.
[It's worth adding that other federal appeals courts have taken the same approach that the Ninth Circuit took in this case.]
Threat Level: “Appeals Court: No Hacking Required to Be Prosecuted as a Hacker”