Computer Fraud and Abuse Act Does not Protect Against Employee Violations of Company Computer Use Policies
Previously this blog outlined the various approaches Courts have taken to applying the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. 1030, to workplace misuse of employer provided computer resources.
A recent opinion from the Ninth Circuit Court of Appeals, however, seriously limits the applicability of the CFAA to the employer/employee relationship and challenges other courts to reconsider its application.
Specifically, the Ninth Circuit Court rejected the Justice Department's interpretation of the CFAA, which asserted the CFAA targets both hackers and individual employees who use a computer for an unauthorized purpose.
The case, U.S. v. Nosal (PDF) involved David Nosal who worked for Korn/Ferry International “Korn/Ferry”), an executive search firm. After leaving the company in 2004, Nosal and other Korn/Ferry employees allegedly conspired to help Nosal start a competing business, in violation of a a non-compete agreement.
Korn/Ferry eventually learned that information contained within a confidential company database had been transferred to Nosal. Korn/Ferry argued this database was one of the most comprehensive of its type in the world. Accordingly, it had taken significant measures to protect the information from improper use.
Procedural Background and the Criminal Charges
After David Nosal was indicted on 20 counts, including violations of the CFAA, his lawyers argued that the CFAA charges should be thrown out. They argued that the CFAA targets only hackers, not employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements. In other words, Nosal argued the Korn/Ferry employees could not have acted without authorization, nor could they have exceeded authorized access, because they had permission to access the database and its information.
The district court initially rejected Nosal’s argument. This decision, however was reversed because the trial followed the reasoning of a subsequent CFAA opinion, that later came out (LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)), which construed narrowly the phrases “without authorization” and “exceeds authorized access” in the CFAA. Based on Brekka, the district court concluded that “[t]here is simply no way to read [the definition of ‘exceeds authorized access’] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate,” as “[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense.”
The government appealed but lost this decision before the Ninth Circuit Court of Appeals.
The Computer Fraud and Abuse Act and the Employment Relationship
The Ninth Circuit's ruling is at odds with the Fifth, Seventh and Eleventh Circuits, all of which have adopted a broader view of the CFAA's sweep. In responding to the conflict, Judge Kozinski said those other courts "failed to consider the effect on millions of ordinary citizens" and urged them to reconsider. Judge Kozinski further noted:
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.
Michigan Employers and the Computer Fraud and Abuse Act
For Michigan employers and employees, it is important to note that the applicable federal circuit (the Sixth Circuit Court of Appeals) has upheld the criminal conviction of a CFAA violation arising out of the employment relationship.
Specifically, an employee who stole confidential data from his employer’s computers, but that decision was limited to the issue of whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5 year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565. Additionally, the former employee's conviction was based on the fact that after he had been discharged he accessed his employer's computer network and confidential files at least 21 times, including through an employer server and 19 times through the email account of another employee.
Take Away for Employers
Certainly courts continue to debate whether the CFAA should, if at all, be applied to the employer/employee relationship. Setting aside this issue, it is important for employers to protect their company and confidential information. And these steps may improve the likelihood that, if necessary, the CFAA will be available to protect competitive advantages and defend against unfair competition.
Korn/Ferry provides an overview of protective measures employers should take to protect company computers and databases. Specifically, Korn/Ferry took the following steps:
- The placement of controls on electronic access of the database and its servers;
- The creation of unique usernames and passwords for authorized users;
- A requirement that all employees sign an agreement confirming the confidential and proprietary nature of the information; and
- Having the opening screen of the database include the warning: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”
Should the CFAA apply to the employment relationship? There are a number of reasons why the CFAA should have limited application in the employment context.