The Federal Computer Fraud and Abuse Act is Back in Play for Employer Suits Against Dishonest Employees in the Ninth Circuit

By Scott Schaefers and Robert Milligan

On April 28, 2011, the Ninth Circuit Court of Appeals held in an important decision upholding legal protections for employer data that employees may be held liable under the federal Computer Fraud and Abuse Act (18 U.S.C. 1030 et seq.) in cases where employees steal or remove electronic files or data in violation of their employers' written computer-use restrictions.

In U.S. v. Nosal (9th Cir. No. 10-10038), the Ninth Circuit held that a former employee "exceeds authorized access" to data on his employer's computer system under the CFAA where the employee takes actions on the computer that are prohibited by his employer's written policies and procedures concerning acceptable use (e.g. prohibitions against copying or e-mailing files to compete or help a third party compete with the employer).

The court rejected the argument that it was overruling its 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which dismissed an employer's CFAA claim against an employee who had e-mailed confidential documents to his personal address when working for the employer, and used those files post-termination to compete with the employer. The Brekka panel said that so long as the employee was authorized to use the computer for any purpose and such authorization had not been completely rescinded, the employee could not be held liable under the CFAA for using files for unauthorized purposes.

In distinguishing Brekka, the Nosal panel held that the employer in Brekka did not place any restrictions on employees e-mailing themselves confidential files, and thus the employees could not be said to have exceeded any such computer-use restriction. The employer in Nosal, on the other hand, had password-protected computers, written computer-use agreements with its employees which restricted access to computers to employer business, and automatically placed restrictive legends on its confidential database printouts advising readers that the printouts were confidential and company property.

The employers' computer-use restrictions, the Nosal court held, were the key distinction from Brekka, and the touchstones for "exceeding authorized access" under the CFAA. The Nosal majority noted that it was siding with the First, Fifth, and Eleventh Circuits' decisions in prior cases which similarly upheld employer CFAA claims against dishonest employees for exceeding authorized access by stealing employer files.

The dissent in Nosal argued that the majority’s decision goes too far, and potentially criminalizes otherwise innocuous employee use and access of his employer's computer. The definition of "exceeding authorized access" under the intent-to-defraud provision of the CFAA (i.e. Section 1030(a)(4)), the dissent said, was inconsistent with the statute's use of the same phrase in section 1030(a)(2), which made such access a crime whether or not the employee intended fraud. Any time the employee even technically violated an employer's restrictions, the employee could be indicted at the whim of the government.

With the Nosal decision, employers in the Ninth Circuit now have a clear CFAA remedy against dishonest employees who exceed their authorized access of their employers' computer systems. Employer computer-use restrictions determine whether an employee exceeds authorized access under the CFAA. Conversely, employees looking to avoid federal indictment or civil liability under federal law should strictly adhere to their employers' computer-use restrictions.

To avail themselves of the helpful Nosal decision, employers should ensure that they have written computer-use policies which prohibit improper computer use and activities. The policies should prohibit the use of company computers to copy, e-mail, or otherwise distribute company files to compete or help a third party compete with the employer. Computer access should be authorized for work activities only. Employers should also consider prohibitions on the distribution of company data to employees' non-work e-mail accounts and prohibitions or limitations on the use of electronic storage devices, such as external hard drives and data sticks. Employers should also audit employee computer use and access activity to ensure that employees are following company policies. Recurring training on acceptable computer usage is also critical. Employers should carefully circumscribe employee access to prized company data to only those employees who truly need to have access to such data to perform their jobs. Employers should also require employees to return all company data upon termination, as well as all company computers and other electronic devices.

The Nosal decision provides employers with a viable remedy to help address employee data theft but employers must be vigilant and ensure that they have crafted thoughtful computer-use policies to maximize their protections under the CFAA.

The Eleventh Circuit Splits with the Ninth Circuit in Interpreting the Computer Fraud and Abuse Act

By Paul Freehling and Scott Schaefers

The Eleventh Circuit Court of Appeals’ December 27, 2010 decision in U.S. v. Rodriguez, Appeal No. 09-15265, -- F.3d --, 2010 WL 5253231 (11th Cir. Dec. 27, 2010) may mark a significant split among the federal appellate circuits over the meaning of the phrases “without authorization” and “exceeds authorized access” under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”). On one side of the fence sit decisions which reject such suits due to the employer’s prior grant of access, regardless of the employee’s purpose of access or subsequent use of the files. On the other side are decisions which allow CFAA claims where the employee’s purpose for accessing the files was unauthorized, even if the access itself was permitted.

In Rodriguez, the court upheld the criminal CFAA conviction of defendant Roberto Rodriguez, a former Social Security Administration (“SSA”) telephone service representative, because he accessed confidential and sensitive files for “a non-business reason.” The SSA had previously established a policy prohibiting employee access of confidential databases “without a business reason,” of which Rodriguez was made aware several times. Despite these clear warnings from his employer, Rodriguez accessed more than 100 times confidential, personal information from Social Security files concerning women with whom he had a romantic relationship. Even though Rodriguez’s access of the database itself was authorized, the purpose of the access was not, thus triggering the “without authorization” or “exceeds authorized access” provisions of the CFAA.

The Eleventh Circuit thus aligned itself with the Seventh Circuit, which in Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), held that an employee violates the CFAA where he already has decided to quit, and thereafter accesses company files for unauthorized purposes in furtherance of his “breach of duty of loyalty” to the company (i.e. to erase valuable company data). That is, when an employee accesses computer files with a purpose to injure his employer, his access is necessarily unauthorized because by law he never had permission to work against the company.

On the other side of the split is the Ninth Circuit’s September 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). There, the court dismissed the CFAA suit against the former employee for subsequent misuse of company files because the purpose and misuse of the employee’s access was irrelevant, so long as the access itself was permitted, for any purpose. According to Brekka, reading a purpose-related qualification into the CFAA terms “without authorization” and “exceeds authorized access” would run counter to the plain meaning of those statutory requirements. In fact, Brekka explicitly rejected Citrin’s suggested interpretation along those lines.

Rodriguez did not explicitly reject Brekka. Rodriguez instead distinguished Brekka because in Brekka there was no express prohibition against the employee’s accessing files and e-mailing them to his home address, whereas in Rodriguez, a prohibition against non-business-related access was in place. Nevertheless, Rodriguez implicitly rejected Brekka, because Brekka limited CFAA claims to those instances in which an employee had not received permission to access a computer for “any purpose,” or where the permission had been previously rescinded and the employee accessed the computer anyway. Rodriguez had permission to access the SSA database, albeit for a limited purpose, so his conviction likely would have been overturned by the Ninth Circuit, not upheld as the Eleventh Circuit did. Also, because of the unique circumstances in Rodriguez, there is a possibility that it could be distinguished on its facts alone.

In any event, the lessons to be learned by corporate counsel and management from this conflict are not limited to whether an employer can sue an employee for violating the CFAA. These decisions serve as reminders to management that they must carefully and vigilantly create and enforce employee computer-use policies, including the following:

* Write clear computer-access policies, disseminate those policies among employees, and periodically remind employees of their obligations;

* Require employees, whether professional, clerical, or otherwise, to sign non-disclosure and computer confidentiality agreements, where access to computers is strictly limited to furthering company business; and

* Develop a limited-permission structure so that employees are provided access only to those files needed to do their job.

You may contact Seyfarth Shaw’s Trade Secret Protection attorneys for further ideas and discussion of issues related to employee misuse or theft of company intellectual property.

More on Brekka

The BNA publication, Electronic Commerce & Law Report, recently quoted our own Carolyn Sieve, discussing the Brekka decision. The Electronic Commerce & Law Report article, "Brekka Case Shows Need for Comprehensive Strategy to Shield Data from Insider Misuse," discussed how the Ninth Circuit recently joined a trend disfavoring Computer Fraud and Abuse Act (CFAA) claims brought by companies against disloyal employees. In LVRC Holdings LLC v. Brekka, the court resolved disagreement among federal district courts within the circuit about how the CFAA’s "authorization" standard applies to cases involving data theft by disloyal employees.

According to the article, the court explained that employers may be able to pursue claims under the CFAA, but only if employees violate clearly defined limits on access to company networks in the course of stealing proprietary information. Carolyn commented that the message from Brekka is that employers should not rely solely on potential CFAA claims to protect their proprietary information. She also noted, "The Brekka decision places more responsibility on the employer’s shoulders to provide notice to employees as to what is ‘authorized access.’" Carolyn recommended that employers determine what information they want to protect, implement security protocols to safeguard that information, and combine those efforts with systemic employee education regarding confidential and data use policies.

A full copy of the article is available here. It is reproduced with permission from Electronic Commerce & Law Report, 14 ECLR 1381 (Sept. 20, 2009). Copyright 2009 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com