<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>New Media and Technology Law Blog &#187; Computer Fraud and Abuse Act</title>
	<atom:link href="http://newmedialaw.proskauer.com/computer-fraud-and-abuse-act/feed/" rel="self" type="application/rss+xml" />
	<link>http://newmedialaw.proskauer.com</link>
	<description></description>
	<lastBuildDate>Sat, 13 Apr 2013 21:42:56 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense</title>
		<link>http://newmedialaw.proskauer.com/2012/04/13/ninth-circuit-ruling-trimming-cfaa-claims-for-misappropriation-reminds-employers-that-technical-network-security-is-the-first-defense/</link>
		<comments>http://newmedialaw.proskauer.com/2012/04/13/ninth-circuit-ruling-trimming-cfaa-claims-for-misappropriation-reminds-employers-that-technical-network-security-is-the-first-defense/#comments</comments>
		<pubDate>Fri, 13 Apr 2012 15:57:46 +0000</pubDate>
		<dc:creator>Jeff Neuburger</dc:creator>
				<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[exceeding authorized access]]></category>
		<category><![CDATA[unauthorized access]]></category>
		<category><![CDATA[United States v. Nosal]]></category>

		<guid isPermaLink="false">http://newmedialaw.proskauer.com/?p=510</guid>
		<description><![CDATA[The Ninth Circuit, sitting en banc, has upheld a district court’s dismissal of criminal charges under the Computer Fraud and Abuse Act that were predicated on misappropriation of proprietary documents in violation of the employer’s computer use policy. United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151 (9th Cir. Apr. 10, 2012).  The ruling... <a class="more" href="http://newmedialaw.proskauer.com/2012/04/13/ninth-circuit-ruling-trimming-cfaa-claims-for-misappropriation-reminds-employers-that-technical-network-security-is-the-first-defense/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>The Ninth Circuit, sitting <em>en banc</em>, has upheld a district court’s dismissal of criminal charges under the Computer Fraud and Abuse Act that were predicated on misappropriation of proprietary documents in violation of the employer’s computer use policy. <a href="http://www.ca9.uscourts.gov/datastore/opinions/2012/04/10/10-10038.pdf">United States v. Nosal</a>, No. 10-10038, 2012 U.S. App. LEXIS 7151 (9th Cir. Apr. 10, 2012).  The ruling reinstates a split in the circuit courts on the question of when an employee’s access to an employer’s proprietary documents can trigger a cause of action under the CFAA. The Ninth Circuit ruled that when an employer has given employees access to such documents, they do not exceed their authorization to access those documents (and thus violate the CFAA) when they misappropriate those documents for the benefit of a competitor.</p>
<p>This is a case that may have important implications for the availability of a federal cause of action for data theft cases and also unauthorized access to Web sites and other online services; it could easily end up in the Supreme Court. But it can also serve as a useful lesson to employers that while a carefully drafted computer use policy is essential to the protection of digital assets, it is only one element of a digital asset protection strategy that should be focused, in the first instance, on physical, technological, and business-rule controls over data access.</p>
<p>The Computer Fraud and Abuse Act was enacted in 1984, and at the age of only 28, it’s showing its age. This is the latest example of a &#8220;technology statute&#8221; being applied to issues that were not even conceived of when the statute was enacted. The Act was drafted in a time when personal computer use was just beginning even in the business environment, and the primary model for computing was a mainframe or a minicomputer with tightly controlled, password-protected access. The Act was directed at classical “hacking” activities, in which an individual’s access permission, and therefore what was “unauthorized” or exceeded authorized access, was much more readily determined. Both the criminal and civil provisions were routinely applied in hacking cases that arose in that environment. But the language of the Act is susceptible to broader application, and it has been brought to bear in many contexts beyond the hacking scenario.</p>
<p>One example is trade secret disputes involving misappropriation of proprietary information by insiders such as employees, where plaintiffs have leveraged state law trade secret and misappropriation claims into federal court by pleading violation of the Act. Some courts have resisted the application of the CFAA in such cases, finding that the Act does not extend to misuse or misappropriation of information, only to its unauthorized procurement or alteration. Other courts approved the broad application of the Act; most significantly, the Seventh Circuit in International Airport Centers v. Citrin (7th Cir.2006), which held that a breach of an employee’s duty of loyalty to the employer could give rise to a CFAA cause of action.</p>
<p>Outside the employer-employee context, courts have struggled with how to apply the Act in today’s intensely internetworked computing environment in which access rights to a computer network, i.e., a Web site or online database, may be defined in a clickwrap terms of use, or even in a Web wrap agreement. Complicating the picture is the fact that liberal application of the Act in a civil case can be applied in a CFAA prosecution and result in the criminalization of a broad swath of conduct. Perhaps the most extreme example is the federal prosecution in the so-called MySpace suicide case, in which CFAA charges were brought in the Central District of California against a woman who posted messages on the social networking site under a false identity. In United States v. Drew, the jury acquitted the woman on the felony CFAA charges and the District Court ultimately dismissed the remaining misdemeanor CFAA charges because the statute as interpreted by the Government was overly broad and vague. The court pointed out that under the Government’s theory of the case, the woman’s violation of the MySpace terms of use rendered her access to the site “unauthorized” within the meaning of the CFAA, and merely accessing a page on the site violated the Act.</p>
<p>This last concern, potential over-application of the Act, informs the perspective brought to the Nosal case by Judge Kozinski, who wrote the majority opinion. The ruling is replete with quotable quotes; in these passages, Judge Kozinski focuses on the potential for overbroad and arbitrary application of the CFAA:</p>
<p style="padding-left: 30px">In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government’s proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.</p>
<p style="padding-left: 30px">Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.</p>
<p style="padding-left: 30px">***</p>
<p style="padding-left: 30px">Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars.</p>
<p>The two-judge dissent, written by Judge Silverman, countered Judge Kozinski’s concerns with the comment that the case “has nothing to do with playing Sudoku, checking email, fibbing on dating sites,” and suggested that overly broad applications of the Act could be met with as-applied challenges.</p>
<p>Whether or not the Nosal ruling survives possible further appellate review, the lesson that employers and Web site operators might take from this ruling is that well-drafted computer use policies or terms of use are only one part of a well-crafted and implemented plan for the protection of proprietary data and digital assets. Technical controls on access and robust security procedures are the first line of defense. A situation necessitating legal action, whether it is brought under the CFAA or any other law, means that a good part of the battle against misappropriation may have already been lost.</p>
]]></content:encoded>
			<wfw:commentRss>http://newmedialaw.proskauer.com/2012/04/13/ninth-circuit-ruling-trimming-cfaa-claims-for-misappropriation-reminds-employers-that-technical-network-security-is-the-first-defense/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ninth Circuit Will Rehear Important Employee Data Theft Case under the Computer Fraud and Abuse Act</title>
		<link>http://newmedialaw.proskauer.com/2011/11/01/ninth-circuit-will-rehear-important-employee-data-theft-case-under-the-computer-fraud-and-abuse-act/</link>
		<comments>http://newmedialaw.proskauer.com/2011/11/01/ninth-circuit-will-rehear-important-employee-data-theft-case-under-the-computer-fraud-and-abuse-act/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 17:15:15 +0000</pubDate>
		<dc:creator>Jeff Neuburger</dc:creator>
				<category><![CDATA[Computer Fraud and Abuse Act]]></category>

		<guid isPermaLink="false">http://newmedialaw.default.wp1.lexblog.com/2011/11/01/ninth-circuit-will-rehear-important-employee-data-theft-case-under-the-computer-fraud-and-abuse-act/</guid>
		<description><![CDATA[On October 27, 2011, the United States Court of Appeals for the Ninth Circuit agreed to rehear the&#160; appeal in United States v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011). Nosal involves a prosecution under the Computer Fraud and Abuse Act for alleged employee theft of confidential data from an employer&#8217;s network for... <a class="more" href="http://newmedialaw.proskauer.com/2011/11/01/ninth-circuit-will-rehear-important-employee-data-theft-case-under-the-computer-fraud-and-abuse-act/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>On October 27, 2011, the United States Court of Appeals for the Ninth Circuit agreed to rehear the appeal in <a href="http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf">United States v. Nosal</a>, 642 F.3d 781 (9th Cir. Apr. 28, 2011). Nosal involves a prosecution under the Computer Fraud and Abuse Act for alleged employee theft of confidential data from an employer&rsquo;s network for the benefit of a competitor. The circumstances under which an insider with a disloyal purpose, such as an employee who has permission to use the employer&rsquo;s network resources, can be charged either civilly or criminally under the CFAA with unauthorized access to a network, or access exceeding authorization, have been the subject of disagreement in the federal courts.</p>
<p>As we <a href="http://newmedialaw.proskauer.com/2011/04/articles/computer-fraud-and-abuse-act/ninth-circuit-panel-says-employee-violation-of-employer-computer-use-policy-can-support-cfaa-criminal-charge/">wrote</a> last April, the panel in Nosal ruled that an employee exceeds authorized access within the meaning of the CFAA &ldquo;when he or she obtains information from the computer and uses it for a purpose that violates the employer&rsquo;s restrictions on the use of the information.&rdquo; The Nosal ruling narrowly interpreted a prior Ninth Circuit panel opinion in a civil action under the CFAA, <a href="http://newmedialaw.proskauer.com/2009/09/articles/computer-fraud-and-abuse-act/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/">LVRC Holdings, LLC v. Brekka</a>, 581 F.3d 1127 (9th Cir. 2009). (See prior blog post <a href="http://newmedialaw.proskauer.com/2009/09/articles/computer-fraud-and-abuse-act/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/print.html">here</a>.) There, a different panel ruled that under the plain language of the CFAA, an act of disloyalty to an employer, e.g., access to an employer&rsquo;s network for purposes of providing data to a competitor, does not render the employee&rsquo;s access unauthorized within the meaning of the CFAA.</p>
<p>The key distinction that the panel in Nosal drew from the facts of LVRC v. Brekka was the existence in Nosal of &ldquo;a computer use policy that placed clear and conspicuous restrictions on the employees&rsquo; access&rdquo; both to the employer&rsquo;s computer system in general and to the specific data in question. No such agreement was in place in LVRC v. Brekka.</p>
<p>The implications of the issues in LVRC v. Brekka and Nosal go beyond the employer-employee context. In its <a href="https://www.eff.org/sites/default/files/filenode/us_v_nosal/nosal_rehearing_amicus.pdf">Amicus Brief</a> filed urging the Ninth Circuit to rehear the Nosal case <em>en banc</em>, the Electronic Frontier Foundation argued that the panel opinion in Nosal would criminalize routine, mundane acts committed by Internet users that were deemed to violate provisions in broadly written Internet Terms of Service. </p>
<p>It is important to note that other federal courts of appeal have upheld broad readings of the CFAA in the employee-employer context. In the civil context, see, e.g., International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); and in the criminal context, see, e.g., United States v. John, 597 F.3d 263 (5th Cir. 2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).</p>
<p>Oral argument in the rehearing <em>en banc</em> is scheduled for some time in the week of December 12, 2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://newmedialaw.proskauer.com/2011/11/01/ninth-circuit-will-rehear-important-employee-data-theft-case-under-the-computer-fraud-and-abuse-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ninth Circuit Panel Says Employee Violation of Employer Computer Use Policy Can Support CFAA Criminal Charge</title>
		<link>http://newmedialaw.proskauer.com/2011/04/29/ninth-circuit-panel-says-employee-violation-of-employer-computer-use-policy-can-support-cfaa-criminal-charge/</link>
		<comments>http://newmedialaw.proskauer.com/2011/04/29/ninth-circuit-panel-says-employee-violation-of-employer-computer-use-policy-can-support-cfaa-criminal-charge/#comments</comments>
		<pubDate>Fri, 29 Apr 2011 21:52:55 +0000</pubDate>
		<dc:creator>Jeff Neuburger</dc:creator>
				<category><![CDATA[Computer Fraud and Abuse Act]]></category>

		<guid isPermaLink="false">http://newmedialaw.default.wp1.lexblog.com/2011/04/29/ninth-circuit-panel-says-employee-violation-of-employer-computer-use-policy-can-support-cfaa-criminal-charge/</guid>
		<description><![CDATA[UPDATE:&#160;On October 27, 2011, the Ninth Circuit ordered a rehearing en banc in United States v. Nosal, see discussion here. *** A panel of the U.S. Court of Appeals for the Ninth Circuit has ruled that an employee&#8217;s violation of an employer&#8217;s computer use policy can support a criminal charge of exceeding authorized access under... <a class="more" href="http://newmedialaw.proskauer.com/2011/04/29/ninth-circuit-panel-says-employee-violation-of-employer-computer-use-policy-can-support-cfaa-criminal-charge/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>UPDATE:&nbsp;On October 27, 2011, the Ninth Circuit ordered a rehearing en banc in United States v. Nosal, see discussion <a href="http://newmedialaw.proskauer.com/2011/11/articles/computer-fraud-and-abuse-act/ninth-circuit-will-rehear-important-employee-data-theft-case-under-the-computer-fraud-and-abuse-act/index.html">here</a>.</p>
<p>***</p>
<p>A panel of the U.S. Court of Appeals for the Ninth Circuit has ruled that an employee&rsquo;s violation of an employer&#8217;s computer use policy can support a criminal charge of exceeding authorized access under the Computer Fraud and Abuse Act. <a href="http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf">United States v. Nosal</a>, No. 10-10038 (9th Cir. Apr. 28, 2011). The case involved access to an employer&rsquo;s computer network for the purpose of copying the employer&rsquo;s proprietary information for the benefit of a competing enterprise. &nbsp;</p>
<p>In so ruling, the panel explicitly limited the applicability of the 2009 panel ruling in <a href="http://www.ca9.uscourts.gov/datastore/opinions/2009/09/15/07-17116.pdf">LVRC Holdings, LLC v Brekka</a>, No. 07-17116 (9th Cir. Sept. 15, 2009) (see <a href="http://newmedialaw.proskauer.com/2009/09/articles/computer-fraud-and-abuse-act/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/">prior blog post</a>), a case involving a civil action under the CFAA. In that case, a different panel of the Ninth Circuit upheld the district court&#8217;s holding that an employee&rsquo;s disloyal act does not terminate the prior authorization by an employer to access its computer network.</p>
<p>An important point for employers is that the Nosal panel distinguished the prior panel opinion on the ground that in LVRC v. Brekka there was no employment agreement in place that limited the authorization of the employee to access the employer&rsquo;s confidential data.</p>
<p>The Nosal opinion delves into the language of the CFAA, and the interpretation of the two phrases that define its scope: The Act provides that access to a computer network that is &ldquo;without authorization&rdquo; or that &ldquo;exceeds authorized access&rdquo; is subject to both criminal prosecution and a civil action, under specified circumstances. The interpretive challenge that the federal courts have struggled with is determining to what extent the Act applies where a party who has been authorized to access information on a computer system does so for a disloyal or unauthorized purpose. This is an issue that comes up routinely in cases such as Nosal and LVRC v. Brekka where an employee copies and removes an employer&rsquo;s proprietary data in order to start a competing business or provide it to a competitor. &nbsp;</p>
<p>Is access for a disloyal purpose &ldquo;without authorization,&rdquo; or does it exceed authorized access under the CFAA?</p>
<p>The panel in Nosal, reversing the district court (see <a href="http://newmedialaw.proskauer.com/2010/01/articles/computer-fraud-and-abuse-act/applying-9th-circuit-lvrc-v-brekka-ruling-district-court-dismisses-most-cfaa-criminal-charges-in-united-states-v-nosal/">prior blog post</a> on the <a href="http://www.scribd.com/doc/26044106">district court ruling</a>), held that &ldquo;an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer&rsquo;s restrictions on the use of the information.&rdquo;&nbsp; With respect to the disagreement in the federal circuit courts over this issue, the panel explicitly weighed in on the side of the other circuit courts that have addressed the issue, including <a href="http://www.ca5.uscourts.gov/opinions/pub/08/08-10459-CR0.wpd.pdf">United States v. John</a>, 597 F.3d 263 (5th Cir. 2010), <a href="http://www.ca11.uscourts.gov/opinions/ops/200915265.pdf">United States v. Rodriguez</a>, 628 F.3d 1258 (11th Cir. 2010), and <a href="http://www.ca1.uscourts.gov/cgi-bin/getopn.pl?OPINION=01-2000.01A">EF Cultural Travel BV v. Explorica, Inc.</a>, 274 F.3d 577 (1st Cir. 2001).</p>
<p>The panel took care to preserve the prior panel ruling in LVRC v. Brekka by distinguishing it factually: &ldquo;By contrast [the employees in Nosal] were subject to a computer use policy that placed clear and conspicuous restrictions on the employees&rsquo; access both to the system in general and to the Searcher database in particular.&rdquo;</p>
<p>Judge Campbell filed a dissenting opinion.</p>
<p>Given the disagreement in the federal appellate courts over the construction of the CFAA, and the prior ruling in LVRC v. Brekka, as well as Judge Campbell&rsquo;s dissenting opinion, it would not be surprising to see this case remain on the Circuit docket in a rehearing en banc.</p>
]]></content:encoded>
			<wfw:commentRss>http://newmedialaw.proskauer.com/2011/04/29/ninth-circuit-panel-says-employee-violation-of-employer-computer-use-policy-can-support-cfaa-criminal-charge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Applying 9th Circuit LVRC v. Brekka Ruling, District Court Dismisses Most CFAA Criminal Charges in United States v. Nosal</title>
		<link>http://newmedialaw.proskauer.com/2010/01/29/applying-9th-circuit-lvrc-v-brekka-ruling-district-court-dismisses-most-cfaa-criminal-charges-in-united-states-v-nosal/</link>
		<comments>http://newmedialaw.proskauer.com/2010/01/29/applying-9th-circuit-lvrc-v-brekka-ruling-district-court-dismisses-most-cfaa-criminal-charges-in-united-states-v-nosal/#comments</comments>
		<pubDate>Fri, 29 Jan 2010 17:23:27 +0000</pubDate>
		<dc:creator>Jeff Neuburger</dc:creator>
				<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[CFAA]]></category>
		<category><![CDATA[United States v. Nosal]]></category>

		<guid isPermaLink="false">http://newmedialaw.default.wp1.lexblog.com/2010/01/29/applying-9th-circuit-lvrc-v-brekka-ruling-district-court-dismisses-most-cfaa-criminal-charges-in-united-states-v-nosal/</guid>
		<description><![CDATA[UPDATE: As discussed in this blog post, a panel of the U.S. Court of Appeals for the Ninth Circuit overruled the district court in United States v. Nosal (9th Cir. Apr. 28, 2011). ******** The debate over the applicability of the Computer Fraud and Abuse Act in cases of alleged employee disloyalty has yielded quite... <a class="more" href="http://newmedialaw.proskauer.com/2010/01/29/applying-9th-circuit-lvrc-v-brekka-ruling-district-court-dismisses-most-cfaa-criminal-charges-in-united-states-v-nosal/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p><strong>UPDATE</strong>: As discussed in this <a href="http://newmedialaw.proskauer.com/2011/04/articles/computer-fraud-and-abuse-act/ninth-circuit-panel-says-employee-violation-of-employer-computer-use-policy-can-support-cfaa-criminal-charge/">blog post</a>, a panel of the U.S. Court of Appeals for the Ninth Circuit overruled the district court in <a href="http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf">United States v. Nosal</a> (9th Cir. Apr. 28, 2011).</p>
<p>********</p>
<p>The debate over the applicability of the Computer Fraud and Abuse Act in cases of alleged employee disloyalty has yielded quite a few rulings over the last several years, and generated a circuit split last September with the Ninth Circuit decision in <a href="http://newmedialaw.proskauer.com/2009/09/articles/computer-fraud-and-abuse-act/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/">LVRC Holdings LLC v. Brekka</a>, 581 F.3d 1127 (9th Cir. 2009). In that civil action alleging employee theft and misappropriation of trade secrets, the appeals court rejected an expansive interpretation of the CFAA, concluding that an employee&#8217;s authorization to access an employer&#8217;s computer network is not automatically revoked when the employee is acting in a manner that is disloyal to the employer&#8217;s interest. The Ninth Circuit explicitly rejected the contrary reasoning of the Seventh Circuit in <a href="http://www.scribd.com/doc/26043740/International-v-Citrin-03-08-06">International Airport Centers, LLC v. Citrin</a>, 440 F.3d 418 (7th Cir. 2006). In the Citrin case, Judge Posner authored a panel ruling that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby lacks authorization within the meaning of the CFAA. </p>
<p>The battleground in those two cases was whether a former employer could bring a civil action under the CFAA against former employees who accessed the employer&#8217;s computer network, while still employed, for disloyal purposes. The prize in these and many other such cases is the opportunity for the employer to pursue in federal court what would otherwise likely have been largely a matter of state law. But the CFAA is primarily a criminal statute, and expansive interpretation could result (and has resulted) in federal criminal prosecutions in what have been typically state law cases.</p>
<p>However, the Ninth Circuit&#8217;s narrower construction in the LVRC v. Brekka ruling has now been applied in one of those criminal cases, resulting in the dismissal of some but not all of the CFAA charges against one defendant in <a href="http://www.scribd.com/doc/26044106">United States v. Nosal</a>, 3:08-cr-00237-MHP (N.D. Cal. Jan. 6, 2009).</p>
<p><span id="more-436"></span></p>
<p>David Nosal was a former employee of an executive search firm. He is accused in a multi-count indictment of having conspired with other employees of the firm to misappropriate the firm&#8217;s trade secrets in order to use the information to start a rival search firm. According to the indictment, the other employees used their accounts and passwords on Nosal&#8217;s behalf, without authorization and in excess of their authorization, to access and copy proprietary information to be used in connection with the establishment of the new firm. Last spring, Nosal sought dismissal of the CFAA charges on the ground that the statute does not cover misuse or misappropriation of information obtained with permission, but Judge Patel of the Northern District of California, in a <a href="http://www.scribd.com/doc/14760444/USvNosal041309?secret_password=1bkx5wsdkh4hqu3l0yz4">ruling</a> prior to LVRC v. Brekka, lined up with the Seventh Circuit position on the issue. She declined to dismiss the charges, ruling that the indictment sufficiently alleged that Nosal&#8217;s co-conspirators engaged in &quot;knowing access of electronic records for uses outside their intended purpose,&quot; and that access was &quot;not only purposeful, but also with the intent to defraud, and that confidential and proprietary information was both taken and used to further the intended fraud, i.e., to advance Nosal&#8217;s own executive search activities, to the detriment of&quot; the former employer.</p>
<p>After LVRC v. Brekka was decided, Nosal moved for reconsideration of Judge Patel&#8217;s prior ruling, and this time Judge Patel ruled that the government could not establish either that Nosal&#8217;s access to the employer&#8217;s computer (via the acts of his alleged co-conspirators) was &quot;without authorization&quot; or that it &quot;exceeded authorized access.&quot; The government apparently conceded that the allegation that the access was &quot;without authorization&quot; could not survive LVRC v. Brekka, but dug in its heels and argued that the employees&#8217; conduct still &quot;exceeded authorized access,&quot; based upon their disloyal purpose.</p>
<p>Judge Patel pointed out that while the opinion in LVRC v. Brekka focused on the term &quot;without authorization,&quot; the logic of the opinion equally applied to the term &quot;exceeds authorized access.&quot; She reasoned that under LVRC v. Brekka, &quot;intent and authorization are independent elements of the CFAA,&quot; and that the employee&#8217;s intent in accessing an employer&#8217;s computer &quot;is irrelevant in determining whether an individual has permission or is authorized to access the computer.&quot; She also rejected the argument that the employees exceeded their authorized access based on language in the employer&#8217;s confidentiality and computer use policies. While there was some language in the Ninth Circuit ruling suggesting that an employer might be able to rely upon such language in defining authorized access, that language could not survive an examination of the statutory definition:</p>
<p style="margin-left: 40px">An individual only &quot;exceeds authorized access&quot; if he has permission to access a portion of the computer system but uses that access to &quot;obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter.&quot; 18 U.S.C. &sect; 1030(e)(6) (emphasis added). There is simply no way to read that definition to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate. Such an interpretation would defy the plain meaning of the word alter, as well as common sense. A person does not necessarily alter information on a computer when they access it with a nefarious intent. Furthermore, the government&#8217;s proposed interpretation of &quot;exceeds authorized access&quot; would create an uncomfortable dissonance within section 1030(a)(4). Pursuant to the government&#8217;s reading of the statute, an individual&#8217;s intent would be irrelevant in determining whether that person accessed a computer &quot;without authorization,&quot; but as long as the company had policies governing the use of the information stored in its computer system, that same individual&#8217;s intent could be dispositive in determining whether they &quot;exceed[ed] authorized access.&quot;</p>
<p>Nosal still isn&#8217;t off the hook on this indictment by any means. Judge Patel refused to dismiss several CFAA charges based on alleged access by Nosal&#8217;s co-conspirators after they left the employer. And, although mail fraud charges were dismissed, there are also remaining federal trade secret theft and misappropriation charges, as well as conspiracy charges.</p>
<p>The implications of the Nosal case for exceedingly broad interpretation of the CFAA were noticed early in the game by Prof. Orin Kerr, a well-recognized authority on this subject, who was prominently on the team that successfully represented Lori Drew in the so-called <a href="http://volokh.com/2009/11/19/justice-department-to-drop-lori-drew-appeal/">MySpace suicide case</a>, which also involved an expansive government interpretation of the CFAA in a criminal prosecution. Prof. Kerr <a href="http://volokh.com/2009/02/25/lori-drew-take-2-the-governments-computer-fraud-and-abuse-act-prosecution-in-united-states-v-nosal/">blogged</a> about the government&#8217;s legal theory in Nosal that &quot;an employer who uses an employer&#8217;s computer with a bad motive is a criminal&quot; prior to Judge Patel&#8217;s first ruling on the issue. Prof. Kerr has also authored a <a href="http://volokh.com/2009/12/22/vagueness-challenges-to-the-computer-fraud-and-abuse-act/">recent article</a> on the topic of CFAA application in criminal cases, a must-read for anyone interested in or concerned about this topic.</p>
]]></content:encoded>
			<wfw:commentRss>http://newmedialaw.proskauer.com/2010/01/29/applying-9th-circuit-lvrc-v-brekka-ruling-district-court-dismisses-most-cfaa-criminal-charges-in-united-states-v-nosal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Citing Plain Language of the Computer Fraud and Abuse Act, Ninth Circuit Rules Employee&#8217;s Disloyal Act Does Not Terminate Authorization to Access Employer&#8217;s Computer</title>
		<link>http://newmedialaw.proskauer.com/2009/09/15/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/</link>
		<comments>http://newmedialaw.proskauer.com/2009/09/15/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 20:32:24 +0000</pubDate>
		<dc:creator>Jeff Neuburger</dc:creator>
				<category><![CDATA[Computer Fraud and Abuse Act]]></category>
		<category><![CDATA[CFAA]]></category>

		<guid isPermaLink="false">http://newmedialaw.default.wp1.lexblog.com/2009/09/15/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/</guid>
		<description><![CDATA[The federal Computer Fraud and Abuse Act, 18 U.S.C. &#167;1030, criminalizes access to a computer that is either &#34;without authorization&#34; or that &#34;exceed[s] authorized access,&#34; and provides a civil right of action for violations as well. In the last several years, a split has developed in the federal courts on the question of whether an... <a class="more" href="http://newmedialaw.proskauer.com/2009/09/15/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/">Continue Reading</a>]]></description>
			<content:encoded><![CDATA[<p>The federal Computer Fraud and Abuse Act, 18 U.S.C. &sect;1030, criminalizes access to a computer that is either &quot;without authorization&quot; or that &quot;exceed[s] authorized access,&quot; and provides a civil right of action for violations as well. In the last several years, a split has developed in the federal courts on the question of whether an employee&#8217;s access to an employer&#8217;s computer, even if it was authorized in the ordinary course of business, ceases to be authorized if the purpose of the access is to further an act that is disloyal to the employer. The Ninth Circuit has now weighed in on the issue in an opinion rendered today in <a href="http://www.scribd.com/doc/19782487/lvrcvbrekka091509?secret_password=1k60zph40z7wvfyrj1i0">LVRC Holdings, LLC v Brekka</a>, No. 07-17116 (9th Cir. Sept. 15, 2009), and has taken a position diametrically opposed to that of an influential Seventh Circuit opinion, <a href="http://www.scribd.com/doc/19783102/internationalvcitrin030806?secret_password=1mbi61xhbo8w99w0r75h">International Airport Centers, LLC v. Citrin</a>, 440 F.3d 418 (7th Cir. 2006).</p>
<p>&nbsp;</p>
<p><span id="more-421"></span></p>
<p>The question of what effect an employee&#8217;s disloyalty has on authorization to access an employer&#8217;s computer has arisen in numerous cases in which employers have added civil claims under the CFAA in actions brought against employees alleged to have misappropriated trade secrets. A typical scenario in which such a claim would be made is where, before departing for a new job, the employee is alleged to have copied or transmitted an employer&#8217;s computer files for the benefit of a new employer. <br />
&nbsp;<br />
Often, what is at stake in such cases is the employer&#8217;s ability to maintain an action in federal court. A dispute over misappropriation of trade secrets is likely to involve only state law issues, and unless there is diversity of the parties, there is no basis for jurisdiction in a federal court. But, of course, federal courts have jurisdiction over a CFAA claim, and the trade secret misappropriation claims are then swept into federal court along with the CFAA claim as pendent state law claims.<br />
&nbsp;<br />
The Seventh Circuit opinion in International Airport Centers v. Citrin is the ruling that is cited by employers seeking to press CFAA claims in such cases. In that case the circuit, in an opinion written by Judge Posner, ruled that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby becomes unauthorized to access the employer&#8217;s computer, at least for the purpose of furthering an act of disloyalty to the employer. In LVRC Holdings, LLC v Brekka, the Ninth Circuit ruled to the contrary, finding that under the plain meaning of the language of the CFAA, acts of disloyalty on the part of an employee do not render the employee&#8217;s access to the employer&#8217;s computer unauthorized within the meaning of the statute.<br />
&nbsp;<br />
In LVRC, the Ninth Circuit panel concluded that under the ordinary, contemporary, common meaning of the statutory terms, an employer gives an employee &#8216;authorization&#8217; to access a computer when the employer gives the employee permission to use it. The court found that there is no statutory language to support the contention that authorization terminates when an employee determines to act contrary to the interest of an employer. The court looked to the term &quot;exceeds authorized access,&quot; and concluded that the definition of that term made it clear that Congress had no intent to include in the statute any implicit, rather than explicit, limitation on the term authorization. It is an employer&#8217;s act of allowing or terminating an employee&#8217;s authorization to access a computer that determines whether the employee&#8217;s access is authorized within the meaning of the statute, not the employee&#8217;s disloyal act. The court reasoned:</p>
<blockquote>
<p>&nbsp;Section 1030(e)(6) provides: the term exceeds authorized access means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. 18 U.S.C. &sect; 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has exceed[ed] authorized access. On the other hand, a person who uses a computer without authorization has no rights, limited or otherwise, to access the computer in question. In other words, for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer&#8217;s decision to allow or to terminate an employee&#8217;s authorization to access a computer that determines whether the employee is with or without authorization.</p>
</blockquote>
<p>
The Ninth Circuit rejected the Seventh Circuit&#8217;s reasoning in International Airport Centers, LLC v. Citrin, concluding that relying on whether an employee&#8217;s mental state changed from loyal employee to disloyal competitor to determine whether the statute had been violated would be problematic in the criminal law context. The statute should be interpreted consistently in civil and criminal contexts, the court reasoned. Relying on the employee&#8217;s mental state with respect to disloyalty to determine whether the statute had been violated would run afoul of the proscription against interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants. <br />
&nbsp;<br />
In this respect, the ruling echoes (but does not cite) the recent district court opinion in <a href="http://www.scribd.com/doc/19783289/usvdrew082809?secret_password=1w8426eat8sj4y4fo9ha">United States v. Drew</a>, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009) (the MySpace &quot;cyberbullying&quot; criminal prosecution). There, the court dismissed a misdemeanor charge of violating the CFAA that was predicated on a user&#8217;s alleged violation of the MySpace Terms of Service, finding that it would run afoul of the void for vagueness doctrine because individuals of &#8216;common intelligence&#8217; arguably would not be on notice that a breach of the terms of a service contract could become a crime under the CFAA. &nbsp;<br />
&nbsp;<br />
And conversely, the Ninth Circuit ruling appears to contradict the recent opinion in <a href="http://www.scribd.com/doc/14760444/USvNosal041309?secret_password=1bkx5wsdkh4hqu3l0yz4">United States v. Nosal</a>, 2009 U.S. Dist. LEXIS 31423 (N.D. Cal. Apr. 13, 2009), in which the district court declined to dismiss an indictment charging a violation of 18 U.S.C. &sect; 1030(a)(4). The indictment alleged that the statute was violated when a former employee accessed an employer&#8217;s computer network to copy proprietary information for use in a competitive enterprise. The court found that the statutory element of intent to defraud in subsection 1030(a)(4) could be found in the employee&#8217;s knowing access of electronic records for uses outside their intended purpose. The court in Nosal also rejected the defendant&#8217;s argument that because subsection 1030(a)(4) had never been addressed in the criminal context the indictment should be dismissed under the rule of lenity. Citing International Airport Centers, LLC v. Citrin and a number of opinions following it, the court found that there was ample authority in civil cases construing this section to conclude that the CFAA was violated by the &#8216;access to the employer&#8217;s confidential and proprietary information to advance his own competitive enterprise.&#8217;<br />
&nbsp;<br />
No doubt more will be heard on this issue in the Ninth Circuit, and other courts as well. And eventually, perhaps, the U.S. Supreme Court.<br />
&nbsp;</p>
]]></content:encoded>
			<wfw:commentRss>http://newmedialaw.proskauer.com/2009/09/15/citing-plain-language-of-the-computer-fraud-and-abuse-act-ninth-circuit-rules-employees-disloyal-act-does-not-terminate-authorization-to-access-employers-computer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
