UPDATE: On October 27, 2011, the Ninth Circuit ordered a rehearing en banc in United States v. Nosal, see discussion here.
A panel of the U.S. Court of Appeals for the Ninth Circuit has ruled that an employee’s violation of an employer’s computer use policy can support a criminal charge of exceeding authorized access under the Computer Fraud and Abuse Act. United States v. Nosal, No. 10-10038 (9th Cir. Apr. 28, 2011). The case involved access to an employer’s computer network for the purpose of copying the employer’s proprietary information for the benefit of a competing enterprise.
In so ruling, the panel explicitly limited the applicability of the 2009 panel ruling in LVRC Holdings, LLC v Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009) (see prior blog post), a case involving a civil action under the CFAA. In that case, a different panel of the Ninth Circuit upheld the district court’s holding that an employee’s disloyal act does not terminate the prior authorization by an employer to access its computer network.
An important point for employers is that the Nosal panel distinguished the prior panel opinion on the ground that in LVRC v. Brekka there was no employment agreement in place that limited the authorization of the employee to access the employer’s confidential data.
The Nosal opinion delves into the language of the CFAA, and the interpretation of the two phrases that define its scope: The Act provides that access to a computer network that is “without authorization” or that “exceeds authorized access” is subject to both criminal prosecution and a civil action, under specified circumstances. The interpretive challenge that the federal courts have struggled with is determining to what extent the Act applies where a party who has been authorized to access information on a computer system does so for a disloyal or unauthorized purpose. This is an issue that comes up routinely in cases such as Nosal and LVRC v. Brekka where an employee copies and removes an employer’s proprietary data in order to start a competing business or provide it to a competitor.
Is access for a disloyal purpose “without authorization,” or does it exceed authorized access under the CFAA?
The panel in Nosal, reversing the district court (see prior blog post on the district court ruling), held that “an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.” With respect to the disagreement in the federal circuit courts over this issue, the panel explicitly weighed in on the side of the other circuit courts that have addressed the issue, including United States v. John, 597 F.3d 263 (5th Cir. 2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), and EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
The panel took care to preserve the prior panel ruling in LVRC v. Brekka by distinguishing it factually: “By contrast [the employees in Nosal] were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the Searcher database in particular.”
Judge Campbell filed a dissenting opinion.
Given the disagreement in the federal appellate courts over the construction of the CFAA, and the prior ruling in LRVC v. Brekka, as well as Judge Campbell’s dissenting opinion, it would not be surprising to see this case remain on the Circuit docket in a rehearing en banc.