On Tuesday, April 10, 2012, a Ninth Circuit en banc panel released its highly anticipated decision in United States v. Nosal and affirmed the judgment of the district court dismissing criminal counts against a former employee of a headhunter firm accused of violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. by conspiring with employees of the former employer to log on to the employer’s confidential database and send proprietary files to a competitor.
The opinion, authored by Chief Judge Alex Kozinski, and supported by a majority of the 11-judge court, made the following general statements in its introduction:
Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Some times we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website?
This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
The Court then went on to reject the federal government’s interpretation of the CFAA, finding that the statute was meant to punish hacking, not misappropriation of trade secrets. To find otherwise, Judge Kozinski reasoned would ”criminalize any unauthorized use of information obtained from a computer” and “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”
“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights,” Kozinski wrote. “Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.”
The Court acknowledged that the Eleventh, Fifth, and Seventh Circuits permit employers to pursue CFAA claims against employees who violate computer use policies or violate duties of loyalty to their employer.
The Court reasoned though:
“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of “exceeds authorized access.” They therefore failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly so as to avoid “making criminal law in Congress’s stead.” United States v. Santos, 553 U.S. 507, 514 (2008).
We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead. For our part, we continue to follow in the path blazed by Brekka, 581 F.3d 1127, and the growing number of courts that have reached the same conclusion.
The Ninth Circuit concluded that because Nosal’s accomplices had permission to access the company database and obtain the information contained within, the government’s charges fail to meet the element of “without authorization, or exceeds authorized access” under 18 U.S.C. § 1030(a)(4).
Because Nosal’s alleged accomplices had permission to access the company database, they did not “exceed authorized access” under the CFAA, the Court held. “The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations,” Kozinski added. “But we shouldn’t have to live at the mercy of our local prosecutor.”
In a powerful dissent, Judge Barry Silverman wrote:
This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts. The indictment here charged that Nosal and his co-conspirators knowingly exceeded the access to a protected company computer they were given by an executive search firm that employed them; that they did so with the intent to defraud; and further, that they stole the victim’s valuable proprietary information by means of that fraudulent conduct in order to profit from using it. In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.
The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does. (emphasis added)
It remains to be seen whether the federal government will seek Supreme Court review. There is clearly a circuit split on this important issue. While purportedly committing a federal crime by violating a company’s computer policies by playing sudoku or watching March Madness seems laughable, the majority’s decision leaves employers in the Ninth Circuit, and particularly California, with less options than those in other circuits that recognize CFAA claims (both civil and criminal) for wrongful access of company computers to steal company data for competitive purposes. We will provide additional insight on the implications of the Court’s decision in later posts. As a preliminary matter, companies operating in the Ninth Circuit should reevaluate the scope of access that they provide their employees on their computer systems and limit access to highly valuable information to only those who need to know.