The Ninth Circuit, sitting en banc, has upheld a district court’s dismissal of criminal charges under the Computer Fraud and Abuse Act that were predicated on misappropriation of proprietary documents in violation of the employer’s computer use policy. United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151 (9th Cir. Apr. 10, 2012). The ruling reinstates a split in the circuit courts on the question of when an employee’s access to an employer’s proprietary documents can trigger a cause of action under the CFAA. The Ninth Circuit ruled that when an employer has given employees access to such documents, they do not exceed their authorization to access those documents (and thus do not violate the CFAA) when they misappropriate those documents for the benefit of a competitor.
This is a case that may have important implications for the availability of a federal cause of action for data theft cases and also unauthorized access to Web sites and other online services; it could easily end up in the Supreme Court. But it can also serve as a useful lesson to employers that while a carefully drafted computer use policy is essential to the protection of digital assets, it is only one element of a digital asset protection strategy that should be focused, in the first instance, on physical, technological, and business-rule controls over data access.
The Computer Fraud and Abuse Act was enacted in 1984, and at the age of only 28, it’s showing its age. This is the latest example of a “technology statute” being applied to issues that were not even conceived of when the statute was enacted. The Act was drafted in a time when personal computer use was just beginning even in the business environment, and the primary model for computing was a mainframe or a minicomputer with tightly controlled, password-protected access. The Act was directed at classical “hacking” activities, in which an individual’s access permission, and therefore what was “unauthorized” or exceeded authorized access, was much more readily determined. Both the criminal and civil provisions were routinely applied in hacking cases that arose in that environment. But the language of the Act is susceptible to broader application, and it has been brought to bear in many contexts beyond the hacking scenario.
One example is trade secret disputes involving misappropriation of proprietary information by insiders such as employees, where plaintiffs have leveraged state law trade secret and misappropriation claims into federal court by pleading violation of the Act. Some courts have resisted the application of the CFAA in such cases, finding that the Act does not extend to misuse or misappropriation of information, only to its unauthorized procurement or alteration. Other courts approved the broad application of the Act; most significantly, the Seventh Circuit in International Airport Centers v. Citrin (7th Cir. 2006), which held that a breach of an employee’s duty of loyalty to the employer could give rise to a CFAA cause of action.
Outside the employer-employee context, courts have struggled with how to apply the Act in today’s intensely internetworked computing environment in which access rights to a computer network, i.e., a Web site or online database, may be defined in a clickwrap terms of use, or even in a Web wrap agreement. Complicating the picture is the fact that a liberal interpretation of the Act adopted in a civil case can be applied in a CFAA prosecution and result in the criminalization of a broad swath of conduct. Perhaps the most extreme example is the federal prosecution in the so-called MySpace suicide case, in which CFAA charges were brought in the Central District of California against a woman who posted messages on the social networking site under a false identity. In United States v. Drew, the jury acquitted the woman on the felony CFAA charges and the District Court ultimately dismissed the remaining misdemeanor CFAA charges because the statute as interpreted by the Government was overly broad and vague. The court pointed out that under the Government’s theory of the case, the woman’s violation of the MySpace terms of use rendered her access to the site “unauthorized” within the meaning of the CFAA, and merely accessing a page on the site violated the Act.
This last concern, potential over-application of the Act, informs the perspective brought to the Nosal case by Judge Kozinski, who wrote the majority opinion. The ruling is replete with quotable quotes; in these passages, Judge Kozinski focuses on the potential for overbroad and arbitrary application of the CFAA:
In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government’s proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.
***
Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars.
The two-judge dissent, written by Judge Silverman, countered Judge Kozinski’s concerns with the comment that the case “has nothing to do with playing Sudoku, checking email, fibbing on dating sites,” and suggested that overly broad applications of the Act could be met with as-applied challenges.
Whether or not the Nosal ruling survives possible further appellate review, the lesson that employers and Web site operators might take from this ruling is that well-drafted computer use policies or terms of use are only one part of a well-crafted and implemented plan for the protection of proprietary data and digital assets. Technical controls on access and robust security procedures are the first line of defense. A situation necessitating legal action, whether it is brought under the CFAA or any other law, means that a good part of the battle against misappropriation may have already been lost.