By Robert Milligan and Joshua Salinas

In connection with proposed Congressional amendments to the federal Computer Fraud and Abuse Act (CFAA), on November 15, 2011, Department of Justice Deputy Chief Richard W. Downing (Computer Crime and Intellectual Property Section) emphasized the importance of an expansive CFAA before the House Committee on the Judiciary and came out against attempts by critics of the CFAA to restrict employers’ ability to use the CFAA against employees who steal company data in violation of company computer usage policies. The Department of Justice prepared a statement in advance of Mr. Downing’s live testimony.

Mr. Downing addressed concerns that an expansive reading of “exceeds authorized access” under the CFAA might subject computer users to prosecution for merely violating a website’s terms of use. We have blogged about recent cases in which courts have applied an expansive view of the CFAA. In U.S. v. Nosal, the Ninth Circuit Court of Appeal held that an employee’s violations of an  employer’s computer use policies constituted “exceeding authorized access.” A California district court in Facebook v. MaxBounty applied Nosal’s holding and found that Facebook could sufficiently state a claim under the CFAA because the defendant advertising company had violated Facebook’s terms of service policies. Note, the Ninth Circuit Court of Appeal recently ordered that Nosal be heard before an en banc panel. 

Mr. Downing stressed that a restrictive reading of the CFAA would make it difficult or impossible to deter and address serious insider threats, including threats by rogue employees working for competitors to steal their employers’ data. Technology has become so pervasive that nearly every employee is required to access database with large amounts of information. Mr. Downing highlighted the importance of protecting the nation’s economic security and not just national security. Indeed, businesses should have confidence that their confidential, proprietary, and/or trade secret information is protected.

Mr. Downing provided several examples in which a restrictive reading of “exceeds authorized access” would allow violators to escape any liability for their wrongdoings. For example, in 2006 a contract systems administrator for a medical services provider used his authorized computer access to download thousands of employee names and social security numbers. See United States v. Salum, 578 F. 3d 682 (7th Cir. 2009).   In 2008, nine employees of Vangent, Inc. used their authorized computer access to obtain and disclose loan records and confidential information regarding President Obama and other well known political figures, celebrities, and sports figures. A restrictive reading of the CFAA would not only hurt employers, but would also hurt the public and customers whose information is often the subject of data theft.

Mr. Downing highlighted that the use of employer agreements and internal computer usage policies are routinely used for prosecuting offenders in such cases. Mr. Downing reiterated the Department of Justice’s growing concern that advancements in computer technology have increased the vulnerability of businesses which rely on trade secret, confidential, and/or proprietary information. In the age of Wikileaks, Facebook, Twitter, and rapidly evolving social media, employees are able to leak company information to the entire world in only a matter of minutes. Mr. Downing and the Department of Justice support the ability of companies to be proactive and clearly communicate the restrictions on computer usage to employees and hold them accountable in civil and criminal court for violations of such policies. Restricting the CFAA to only hackers (rather than insiders) through proposed amendments to the CFAA would provide employees a license to steal company data and weaken a company’s defenses in protecting its data.