A panel of the U.S. Court of Appeals for the Ninth Circuit has ruled that an employee’s violation of an employer’s computer use policy can support a criminal charge of exceeding authorized access under the Computer Fraud and Abuse Act. United States v. Nosal, No. 10-10038 (9th Cir. Apr. 28, 2011). The case involved access to an employer’s computer network for the purpose of copying the employer’s proprietary information for the benefit of a competing enterprise.

In so ruling, the panel explicitly limited the applicability of the 2009 panel ruling in LVRC Holdings, LLC v Brekka, No. 07-17116 (9th Cir. Sept. 15, 2009) (see prior blog post), a case involving a civil action under the CFAA. In that case, a different panel of the Ninth Circuit upheld the district court’s holding that an employee’s disloyal act does not terminate the prior authorization by an employer to access its computer network.

An important point for employers is that the Nosal panel distinguished the prior panel opinion on the ground that in LVRC v. Brekka there was no employment agreement in place that limited the authorization of the employee to access the employer’s confidential data.

The Nosal opinion delves into the language of the CFAA, and the interpretation of the two phrases that define its scope: The Act provides that access to a computer network that is “without authorization” or that “exceeds authorized access” is subject to both criminal prosecution and a civil action, under specified circumstances. The interpretive challenge that the federal courts have struggled with is determining to what extent the Act applies where a party who has been authorized to access information on a computer system does so for a disloyal or unauthorized purpose. This is an issue that comes up routinely in cases such as Nosal and LVRC v. Brekka where an employee copies and removes an employer’s proprietary data in order to start a competing business or provide it to a competitor.

Is access for a disloyal purpose “without authorization,” or does it exceed authorized access under the CFAA?

The panel in Nosal, reversing the district court (see prior blog post on the district court ruling), held that “an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.”  With respect to the disagreement in the federal circuit courts over this issue, the panel explicitly weighed in on the side of the other circuit courts that have addressed the issue, including United States v. John, 597 F.3d 263 (5th Cir. 2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), and EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).

The panel took care to preserve the prior panel ruling in LVRC v. Brekka by distinguishing it factually: “By contrast [the employees in Nosal] were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the Searcher database in particular.”

Judge Campbell filed a dissenting opinion.

Given the disagreement in the federal appellate courts over the construction of the CFAA, and the prior ruling in LRVC v. Brekka, as well as Judge Campbell’s dissenting opinion, it would not be surprising to see this case remain on the Circuit docket in a rehearing en banc.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.