Criminal Case Highlights Need For Employer Access Policies For Computer Systems
Published by Eric A. Welter on August 9, 2011
The critical importance for employers to explicitly define and restrict the level of computer access allowed by employees is highlighted by a recent Court of Appeals decision. United States v. Nosal, 642 F.3d 781 (9th Cir. 2011). In Nosal, the Ninth Circuit Court of Appeals held that under the Computer Fraud and Abuse Act (CFAA) […]
The critical importance for employers to explicitly define and restrict the level of computer access allowed by employees is highlighted by a recent Court of Appeals decision. United States v. Nosal, 642 F.3d 781 (9th Cir. 2011). In Nosal, the Ninth Circuit Court of Appeals held that under the Computer Fraud and Abuse Act (CFAA) an employee “exceeds authorized access” when he violates the employer’s computer access restrictions. Therefore, an employee who accessed information through use of technology beyond an employer’s usage restrictions can be liable under the federal statute. More after the break.
In the case, the U.S. alleged that a former employee who became an independent contractor conspired with then-current employees to steal data. From 1996 to 2004, Nosal worked as an executive for Korn/Ferry International, an executive search firm. Nosal signed a Separation and General Release Agreement and an Independent Contractor Agreement. Pursuant to these contracts, Nosal served as an independent contractor for Korn/Ferry, and agreed not to compete with it for one year.
Shortly after leaving his employment, Nosal engaged three Korn/Ferry employees to help him start a competing business. The indictment alleges that these employees obtained trade secrets and other propriety information by using their employee user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names and contact information from the company’s confidential and proprietary database of executives and companies.
The government filed an twenty-one count indictment against Nosal and an accomplice that included eight counts alleging violations of CFAA, §1030(a)(4). The CFAA counts were dismissed by the District Court and the government appealed.
§1030 (a)(4) subjects to punishment anyone who:
Knowingly and with intent to defraud, accesses a protected customer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.
Under the statute, the phrase “exceeds authorized access” means “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. §1030(e)(6).
The government contended on appeal that precedent and statutory interpretation shows that an employee “exceeds authorized access” under the statute when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information. The Ninth Circuit agreed. The definition of “exceeds authorized access” hinged on the use of the word “so” in §1030. “So” in this context, the court stated means “in that manner to obtain or alter.” And, because an accessor who is not entitled to access information in a certain manner, whether someone has exceeded authorized access must be defined by those access limitations set by the employer.
LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) was relied upon by Nosal to have CFAA causes of action dismissed in the District Court. Brekka held that a person accesses a computer without authorization “when the person has not received permission to use the computer for any purpose.” Here, the Ninth Circuit clarified Brekka, finding that under the CFAA an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of computer or of the information contained in that computer. An individual who is authorized to use a computer for certain purposes but goes beyond those limitations by the CFAA is some who has “exceed[ed] authorized access.”
The Court remanded and instructed to reverse the dismissal of the CFAA counts.
The employer’s computer access policy in this case actually carried more importance for the CFAA causes of action than did the non-compete and independent contractor agreements. This case is a reminder that any and each employee policy may become important and be scrutinized at any given time. Computer use policies should be updated to be specific and contain restrictions to protect the employer’s business.Topics: CFAA, HR