Ninth Circuit Will Rehear Important Employee Data Theft Case under the Computer Fraud and Abuse Act

Posted on November 1, 2011 by Jeff Neuburger

On October 27, 2011, the United States Court of Appeals for the Ninth Circuit agreed to rehear the  appeal in United States v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011). Nosal involves a prosecution under the Computer Fraud and Abuse Act for alleged employee theft of confidential data from an employer’s network for the benefit of a competitor. The circumstances under which an insider with a disloyal purpose, such as an employee who has permission to use the employer’s network resources, can be charged either civilly or criminally under the CFAA with unauthorized access to a network, or access exceeding authorization, has been the subject of disagreement in the federal courts.

As we wrote last April, the panel in Nosal ruled that an employee exceeds authorized access within the meaning of the CFAA “when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.”  The Nosal ruling narrowly interpreted a prior Ninth Circuit panel opinion in a civil action under the CFAA, LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). (See prior blog post here.) There, a different panel ruled that under the plain language of the CFAA, an act of disloyalty to an employer, e.g., access to a employer’s network for purposes of providing data to a competitor, does not render the employee’s access unauthorized within the meaning of the CFAA. 

The key distinction that the panel in Nosal made from the facts of LVRC v. Brekka, was the existence in Nosal of “a computer use policy that placed clear and conspicuous restrictions on the employees’ access” both to employer’s computer system in general and to specific data in question. No such agreement was in place in LVRC v. Brekka.

The implications of the issues in LVRC v. Brekka and Nosal go beyond the employer-employee context. In its Amicus Brief filed urging the Ninth Circuit to rehear the Nosal case en banc, the Electronic Frontier Foundation argued that the panel opinion in Nosal would criminalize routine, mundane acts committed by Internet users that were deemed to violate provisions in broadly written Internet Terms of Service.

It is important to note that other federal courts of appeal have upheld broad readings of the CFAA in the employee-employer context. In the civil context, see, e.g., International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); and in the criminal context, see, e.g., United States v. John, 597 F.3d 263 (5th Cir. 2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).

Oral argument in the rehearing en banc is scheduled for some time in the week of December 12, 2011.

Tags:

Ninth Circuit Panel Says Employee Violation of Employer Computer Use Policy Can Support CFAA Criminal Charge

Posted on April 29, 2011 by Jeff Neuburger

UPDATE: On October 27, 2011, the Ninth Circuit ordered a rehearing en banc in United States v. Nosal, see discussion here.

***

A panel of the U.S. Court of Appeals for the Ninth Circuit has ruled that an employee’s violation of an employer's computer use policy can support a criminal charge of exceeding authorized access under the Computer Fraud and Abuse Act. United States v. Nosal, No. 10-10038 (9th Cir. Apr. 28, 2011). The case involved access to an employer’s computer network for the purpose of copying the employer’s proprietary information for the benefit of a competing enterprise.  

In so ruling, the panel explicitly limited the applicability of the 2009 panel ruling in LVRC Holdings, LLC v Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009) (see prior blog post), a case involving a civil action under the CFAA. In that case, a different panel of the Ninth Circuit upheld the district court's holding that an employee’s disloyal act does not terminate the prior authorization by an employer to access its computer network.

An important point for employers is that the Nosal panel distinguished the prior panel opinion on the ground that in LVRC v. Brekka there was no employment agreement in place that limited the authorization of the employee to access the employer’s confidential data.

The Nosal opinion delves into the language of the CFAA, and the interpretation of the two phrases that define its scope: The Act provides that access to a computer network that is “without authorization” or that “exceeds authorized access” is subject to both criminal prosecution and a civil action, under specified circumstances. The interpretive challenge that the federal courts have struggled with is determining to what extent the Act applies where a party who has been authorized to access information on a computer system does so for a disloyal or unauthorized purpose. This is an issue that comes up routinely in cases such as Nosal and LVRC v. Brekka where an employee copies and removes an employer’s proprietary data in order to start a competing business or provide it to a competitor.  

Is access for a disloyal purpose “without authorization,” or does it exceed authorized access under the CFAA?

The panel in Nosal, reversing the district court (see prior blog post on the district court ruling), held that “an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.”  With respect to the disagreement in the federal circuit courts over this issue, the panel explicitly weighed in on the side of the other circuit courts that have addressed the issue, including United States v. John, 597 F.3d 263 (5th Cir. 2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), and EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).

The panel took care to preserve the prior panel ruling in LVRC v. Brekka by distinguishing it factually: “By contrast [the employees in Nosal] were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the Searcher database in particular.”

Judge Campbell filed a dissenting opinion.

Given the disagreement in the federal appellate courts over the construction of the CFAA, and the prior ruling in LRVC v. Brekka, as well as Judge Campbell’s dissenting opinion, it would not be surprising to see this case remain on the Circuit docket in a rehearing en banc.

Tags:

Applying 9th Circuit LVRC v. Brekka Ruling, District Court Dismisses Most CFAA Criminal Charges in United States v. Nosal

Posted on January 29, 2010 by Jeff Neuburger

UPDATE: As discussed in this blog post, a panel of the U.S. Court of Appeals for the Ninth Circuit overruled the district court in United States v. Nosal (9th Cir. Apr. 28, 2011).

********

The debate over the applicability of the Computer Fraud and Abuse Act in cases of alleged employee disloyalty has yielded quite a few rulings over the last several years, and generated a circuit split last September with the Ninth Circuit decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). In that civil action alleging employee theft and misappropriation of trade secrets, the appeals court rejected an expansive interpretation of the CFAA, concluding that an employee's authorization to access an employer's computer network is not automatically revoked when the employee is acting in a manner that is disloyal to the employer's interest. The Ninth Circuit explicitly rejected the contrary reasoning of the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). In the Citrin case, Judge Posner authored a panel ruling that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby lacks authorization within the meaning of the CFAA.

The battleground in those two cases was whether a former employer could bring a civil action under the CFAA against former employees who accessed the employer's computer network, while still employed, for disloyal purposes. The prize in these and many other such cases is the opportunity for the employer to pursue what what would have otherwise likely been largely a matter of state law in federal court. But the CFAA is primarily a criminal statute, and expansive interpretation could (and has) resulted in federal criminal prosecutions in what have been typically state law cases.

However, the Ninth Circuit's narrower construction in LVRC v. Brekka ruling has now been applied in  one of those criminal cases, resulting in the dismissal of some but not all of the CFAA charges against one defendant in United States v. Nosal, 3:08-cr-00237-MHP(N.D. Cal. Jan. 6, 2009)

Continue Reading...
Tags: , ,

Citing Plain Language of the Computer Fraud and Abuse Act, Ninth Circuit Rules Employee's Disloyal Act Does Not Terminate Authorization to Access Employer's Computer

Posted on September 15, 2009 by Jeff Neuburger

The federal Computer Fraud and Abuse Act, 18 U.S.C. §1030, criminalizes access to a computer that is either “"without authorization"” or that "“exceed[s] authorized access,"” and provides a civil right of action for violations as well. In the last several years, a split has developed in the federal courts on the question of whether an employee's access to an employer's computer, even if it was “authorized” in the ordinary course of business, ceases to be authorized if the purpose if the access is to further an act that is disloyal to the employer. The Ninth Circuit has now weighed in on the issue in an opinion rendered today in LVRC Holdings, LLC v Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009), and has taken a position diametrically opposed to that of  an influential Seventh Circuit opinion, International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

 

Continue Reading...
Tags: ,