By Robert Milligan and Joshua Salinas
The Solicitor General indicated yesterday that he will not file a petition for a writ of certiorari with the Supreme Court in U.S. v. Nosal.
It was anticipated by some legal commentators that a Supreme Court decision in Nosal may resolve a deepening split between the Circuit Courts regarding the proper interpretation of the statutory language in the Computer Fraud and Abuse Act (CFAA) and its applicability to factual scenarios where employees steal company data in violation of computer usage policies or in breach of their loyalty obligations.
Earlier this spring, a Ninth Circuit en banc panel in Nosal adopted a narrow interpretation of the CFAA and found that an employee’s violation of his/her employer’s computer usage policies was not a violation of the CFAA. The Court focused on whether the employee originally had access to the information, not whether the employee misused the employer’s confidential information in violation of usage policies.
Last week, the Fourth Circuit in WEC Carolina Energy Solutions v. Miller joined the Ninth Circuit and adopted this narrow interpretation of the CFAA. Please see John Marsh’s and Ken Vanko’s blogs on the case.
On the other side, the Fifth, Seventh, and Eleventh Circuits have adopted a broader interpretation of the CFAA based on either common-law agency principles or computer usage policies. Under the agency theory, when an employee accesses a computer to further interests adverse to the employer, such actions terminate his or her agency relationship and, thus the employee loses any authority to access the computer. Under the computer usage theory, a violation of a computer usage policy can serve as a basis for holding an employee liable under the CFAA, Thus, an employee who is authorized to access a company computer, but uses that access to steal or damage valuable company data in violation of a computer usage policy, would be liable for his or her wrongful conduct.
The Supreme Court has yet to decide a CFAA case since the statute’s inception in 1984. With the Solicitor General refraining from filing a petition in Nosal, a resolution of the circuit split may lie with a statutory fix by the legislature or possible review of the Fourth Circuit’s decision in WEC Carolina Energy Solutions v. Miller. No such fix, however, appears imminent.
Earlier this week, Senator Patrick Leahy (D-Vt.) proposed an amendment to the Cybersecurity Act of 2012 (S3413), that would in effect adopt the Ninth Circuit’s narrow interpretation of the CFAA.
Yesterday, the cybersecurity bill failed to obtain the required amount of votes required to move the legislation forward. With Congress on August recess and its focus turning towards the upcoming November elections, any cybersecurity legislation is not expected to be voted on until next year.
As of now, an employer’s protection under the CFAA against rogue employees that steal valuable company data may simply depend on which jurisdiction they are in and/or the genius of counsel.