Advertisement

May 20, 2013

Federal Appellate Court Limits the Computer Fraud and Abuse Act's Scope

Schiff Hardin LLP
Amy M. Rubenstein
Linda K. Stevens
Schiff Hardin LLP
Monday, April 23, 2012
Administrative & Regulatory / Communications, Media & Internet / Consumer Protection / Criminal Law / Business Crimes / Intellectual Property / Labor & Employment / Public Education & Services
9th Circuit (incl. bankruptcy)
Printer-friendly
Email this Article
Download PDF
Reprints & Permissions

In the Ninth Circuit, the Computer Fraud and Abuse Act ("CFAA") no longer provides a remedy to employers whose data is taken by disloyal employees. On April 10, 2012, the Ninth Circuit Court of Appeals held, in an en banc decision in United States v. Nosal, 2012 WL 1176119 (9th Cir. Apr. 10, 2012), that the CFAA does not "cover violations of corporate computer use restrictions or violations of a duty of loyalty." This decision conflicts with decisions from the Fifth, Seventh and Eleventh Circuits.

Background

Generally speaking, the CFAA prohibits obtaining information or data by accessing a computer "without authorization" or in "excess of authorization." 18 U.S.C. § 1030(a)(1)-(4). The CFAA provides both criminal penalties and civil remedies. Although the CFAA was originally intended to protect only government computers from attacks by outside hackers, amendments have broadened its reach. Some courts read the CFAA as prohibiting computer abuse committed by private employees and other corporate "insiders." However, a split of authority has developed regarding the CFAA's application to private employees.

That split consists of three general approaches. The Seventh Circuit has ruled that insiders, such as disloyal employees, may be unauthorized computer users who fall within the statute's ambit. The Fifth and Eleventh Circuits look to the employer's contracts and policies to determine whether a disloyal employee's computer conduct is without "authorization," and therefore prohibited by the CFAA. The Ninth Circuit has now confined the CFAA to its anti-hacking roots and applies its provisions only to non-employee outsiders. Although a number of district courts had held that the CFFA does not apply to "insiders," no circuit court had taken that view - until Nosal.

The Ninth Circuit's Ruling

In United States v. Nosal, the Ninth Circuit read the CFAA as "an anti-hacking statute" rather than as "an expansive misappropriation statute," and therefore held that "the CFAA does not extend to violations of use restrictions" found in employee policies or agreements. In Nosal, the defendant convinced his former colleagues to violate an employment policy by downloading and disclosing their employer's confidential information to help him start a competing business. The government indicted Nosal on 20 counts, including trade secret misappropriation and CFAA violations (aiding and abetting his former colleagues). Nosal moved to dismiss the CFAA counts, arguing that the CFAA targets hackers, not individuals who misuse information obtained through authorized computer access.

The Ninth Circuit agreed with Nosal, reading "exceeds authorized access" to mean hacking, not misusing or misappropriating computer information. Specifically, the court held that "'exceeds authorized access' in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use." Now, in jurisdictions governed by the Ninth Circuit (California, Nevada, Arizona, Hawaii, Washington, Alaska, Idaho, Montana and Oregon), the CFAA will not permit criminal liability under the CFAA for employees' violations of private employers' computer use policies.

What It Means

It is not yet clear whether the government will petition the Supreme Court to review the Ninth Circuit's ruling. However, in light of Nosal, employers - particularly those that are located in, or that employ people located in, the Ninth Circuit - may wish to rethink how they protect their electronic information from employee misuse or misappropriation. Furthermore, although employers located in the Ninth Circuit must rely on other tools to combat and respond to data theft by employees, the CFAA may be available to those in other jurisdictions - particularly if appropriate computer and email usage policies are in place. Such policies might be updated to clearly state, for example, that employees are not authorized to use the company's email and other computer systems to access, download or transmit company data for competitive purposes or for any other purpose contrary to the company's interest.

© 2013 Schiff Hardin LLP

About the Author

Amy M. Rubenstein
Partner

Amy M. Rubenstein handles a wide range of cases, such as general commercial and corporate disputes, reinsurance, intellectual property and federal constitutional law. 

arubenstein@schiffhardin.com
312-258-5625
www.schiffhardin.com

About the Author

Linda K. Stevens
Partner

Linda K. Stevens is an intellectual property litigator and counselor. She has extensive experience in resolving — both inside and outside of the courtroom — intellectual property and other commercial disputes. In addition to her courtroom work, Ms. Stevens has acted as general outside counsel to several intellectual property-focused clients, assisting them with all legal aspects of their business. 

lstevens@schiffhardin.com
312-258-5667
www.schiffhardin.com

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. NLR does not accept advertising from attorneys or law firms. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be an advertisement or a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.