On Tuesday, October 10, 2017, the United States Supreme Court denied certiorari in Nosal v. United States, 16-1344. Nosal asked the Court to determine whether a person violates the Computer Fraud and Abuse Act’s prohibition of accessing a computer “without authorization” when using someone else’s credentials (with that other user’s permission) after the owner of the computer expressly revoked the first person’s own access rights. In denying certiorari, the Court effectively killed the petitioner’s legal challenge to his conviction in a long-running case that we have extensively covered. The denial of certiorari leaves further development of the scope of the CFAA in the hands of the lower courts.
On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA). In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.
The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA. Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.
Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I). Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets. As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.” In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.
This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime. Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement). Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.
U.S. Government’s Arguments
On the other side of the spectrum lie the government’s arguments. Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA. Such a broad interpretation was met with raised brows from the members of the judicial panel.
Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brekka case. Per Brekka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway. In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing. After receiving some push-back from the panel on that argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.
With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time. Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value from not being generally known by the general public.
Possible Outcomes for Nosal and Beyond
Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic. In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case. In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use. At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.
Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument. As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit. The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.
In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), the court held that the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, prohibits unlawful access to a computer but not unauthorized use of computerized information. Although that holding represents a minority position, two recent opinions — one in a Ninth Circuit criminal case and one by a California district court in a civil proceeding — indicate that the ruling in Nosal still is the law out west.
Recent Ninth Circuit and California district court CFAA cases.
Christensen. The 100+ page opinion in U.S. v. Christensen, Nos. 08-50531, et al. (9th Cir., Aug. 25, 2015), details what the court described as “a widespread criminal enterprise offering illegal private investigation services in Southern California.” Six individuals were accused and convicted in the District Court for the Central District of California pre-Nosal of computer fraud, bribery, racketeering, wiretapping, identity theft, and more. On appeal, several convictions were affirmed, and some others were remanded but just for resentencing. Of particular interest to readers of this blog, however, all three convictions for violating the CFAA were vacated on the ground that Nosal rendered the jury instructions clearly erroneous and prejudicial. A retrial may be possible.
Loop AI Labs. In Loop AI Labs Inc. v. Gatti, No. 15-cv-00798 (N.D. Cal., Sept. 2, 2015), the defendants’ motion to dismiss certain counts of the amended complaint was granted in part and denied in part. The defendant was Loop AI Labs’ former CEO. Although she had left the company and worked for a competitor, she continued to log in to Loop AI Labs’ computers. The court ruled that until Loop AI Labs formally revoked her authorization to access the company’s computers, she did not violate the CFAA by logging in, regardless of her motive.
Faulty jury instructions in Christensen. One of the defendants was a Los Angeles police officer. He was charged with violating the CFAA, among other statutes, by (a) logging in to confidential state and federal law enforcement databases — which he had the right to access — and (b) in exchange for a bribe, providing to two other defendants information they requested from those databases but to which they were not entitled. The prosecutor simply assumed, and did not attempt to prove, that the officer thereby committed a CFAA violation. According to the Ninth Circuit, that assumption was unwarranted after Nosal was decided.
By the same token, at trial the three defendants accused of CFAA violations did not object when the court instructed the jurors — before Nosal — that they should find a CFAA violation if they determined that a computer had been knowingly accessed with the intent to use the information to commit a fraud. In Christensen, the appellate court held that those jury instructions were plainly erroneous in light of Nosal and clearly were prejudicial. For these reasons, the CFAA convictions were vacated.
Takeaways. Approximately one-half of the circuit courts of appeal have ruled on the meaning of the phrase “exceeds authorized access” as used in the CFAA. In the circuits where there has not yet been a ruling, obviously, there is uncertainty as to which position the court will adopt.
The majority — so-called liberal — view is exemplified by holdings in cases such as International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (CFAA violated by accessing a computer for an unauthorized purpose). Nosal, and now Christensen, represent the minority (or narrow) position that an individual with authorization to access a computer does not commit a CFAA violation regardless of what the individual does with the information so obtained.
Adding to the confusion, courts are not in agreement over the meaning of Nosal. For example, in the recent case of U.S. v. Shen, Case No. 4:14-CR-122 (W.D. Mo. Apr. 21, 2015), the facts were somewhat similar to those in Loop AI Labs. Citing Nosal, the court in Shen stated: “There is some disagreement as to whether an employee who properly accesses a computer and then misuses the information can be convicted” of violating the CFAA. The Missouri court added: “However, courts are clear that employees who gain access to a computer through their employment lose authorization once they have resigned or been terminated. Moreover, persons of common intelligence would understand as much.” Id. at p.4 (citations omitted). As is apparent, the judge who decided Loop AI Labs does not concur. Further, there are also federal courts in California that have concurred with the Shen reasoning.
Similarly, one cannot be sure that all courts agreeing with the “narrow view” set forth in Nosal also would accept the holding implicit in Christensen that a corrupt police officer does not exceed his “authorized access” to confidential government databases when he logs in solely for the purpose of providing other persons, in exchange for a bribe, information to which they have no right. With all this uncertainty, the one thing that is certain is that the Ninth Circuit continues to embrace a very narrow and restrictive view of CFAA liability, in contrast to most of the other circuits in the nation.
These tools are part of the modus operandi of every lawyer. This article may use dead language and assonance as running themes, but some lawyers take zealous advocacy ad infinitum. Such attorneys are rarely even admonished by the courts, much less sanctioned. That said, the Ninth Circuit has approved sanctions against an attorney for “misrepresentations” made in the complaint of a trade secret lawsuit.
Wait a minute…the COMPLAINT? The boiler-plate statement “upon information and belief” was somehow omitted? After the trial is over and the bad, bad defendant is found to be not so bad after all, is not all that bluster and bravado in the complaint long forgotten?
N.B.: Perhaps not.
Although they are called “pleadings” for a reason, statements in the pleadings must be at least “grounded in fact” to pass muster as fact, even in the complaint. Synonyms used to impress clients might better be left to other writing exercises, e.g., fantasy novels and fairy tales.
In Heller v. Cepia LLC et al., 11-cv-1146 (N.D. Cal. 2011), Jason Heller claimed that Cepia, the makers of “Zhu Zhu Pets” robot toy hamsters, used the same features and accessories he had disclosed to toy manufacturers in his prototype designs. Mr. Heller asserted, inter alia, that the manufacturers forwarded his trade secrets to Cepia, who then used his ideas in the Zhu Zhu Pets products.
In the 2011 complaint, Mr. Heller’s attorney alleged that visitor logs at one of the manufacturers “appeared to confirm” that Cepia had visited the manufacturer. Mr. Heller then “confronted” the manufacturing company who “refused” to provide information about any relationship with Cepia.
Sort of benign, isn’t it? Some visitor logs and a request for additional information that was denied. Prima facie this does not seem to be sanctionable writing or behavior. Yet the use of “appeared to confirm” and “confronted” are why Mr. Heller’s attorney was sanctioned.
This puffing seems rather tame in comparison to the damages Mr. Heller sought: over $2,000,000,000. Yes, two Billion. For a toy hamster? Such a damage request, seemingly made rather boldly across several pages in the complaint, appears somewhat less bona fide than something couched with “appeared,” and, remarkably, did not even rate a de minimis or dicta mention by the court as raising any cause for concern.
No wonder there are so many cries for tort reform.
Fast forward to a year later, where, on joint stipulation, the complaint was dismissed against Cepia with prejudice. Per se no sanctions, right?
In part of the quid pro quo for the dismissal stipulation, Cepia received Mr. Heller’s acknowledgement that “he did not find any evidence that Cepia had any access to any of Mr. Heller’s hamster toy ideas or information” in the documents and evidence produced during discovery.
First mistake: saying, “There is nothing in any of the evidence showing the defendant was bad.” Because then the complaint looks like, oh, a big lie.
Second mistake: letting a client say, “There is nothing in any of the evidence showing the defendant was bad.” Because then it looks like the attorney fabricated the complaint ab initio. And yes, now sanctions may be apropos, in this case to the tune of $5,000.00 from the Northern District of California.
Mr. Heller’s attorney appealed, arguing in his appellate brief that “in hindsight, my wording could have been better.” Admitting the wording was misleading is likely a third mistake.
Mr. Heller’s attorney then tried to save the day, ibid, by arguing that his letter to one of the manufacturers constituted a “method of confronting them on the issues.”
Fourth mistake: unless you are a Court of Appeals for the Federal Circuit judge, you are not allowed to construe the meaning of words de novo.
Confront means “to oppose or challenge (someone) especially in a direct and forceful way” or “to directly question the action or authority of (someone).” (Merriam-Webster).
The complaint implied that someone went to the defendant’s place of business and spoke to them face-to-face, or challenged them to prove they were innocent. Nope. His attorney dashed off a quick note saying, in essence, “Hey, thanks for the visitor logs, can you tell us a little more about your relationship with Cepia?” The defendants did not answer. There was no confrontation, and the visitor logs didn’t confirm any visits by Cepia.
In reality, the only mistake here was somebody thinking it was a good idea to make the defendants appear uncooperative and/or hiding the truth. Had the complaint contained the facts, instead of something that sounded a little more ominous, the lawsuit would have still gone forward exactly as it did.
Everything except for the sanctions.
For more on Heller v. Cepia, see the Law360 Article.
A California federal jury convicted a San Francisco executive recruiter this week for violations of the Computer Fraud and Abuse Act (“CFAA”) and theft of trade secrets from his former employer. The conviction represents a significant landmark in the closely watched eight-year case that deepened a federal circuit court split concerning the appropriate scope of the CFAA.
The case involves executive recruiter and former employee David Nosal, who allegedly conspired with then-current employees at his former employer, Korn/Ferry, to illegally access and download valuable candidate lists and other trade secret information from Korn/Ferry’s “Searcher” database. Nosal’s accomplices were able to access the computer system through a password provided to them by Nosal after he borrowed the password from a current Korn/Ferry employee. Nosal allegedly used this newly acquired information to start a competing business, Nosal Partners.
Nosal was indicted by a federal grand jury in 2008 for, inter alia, violations of the CFAA and trade secret theft. The district court for the Northern District of California initially dismissed several CFAA counts on grounds that the employees he allegedly conspired with had access to the computer systems and, thus, could not “exceed authorized access” under the CFAA. The prosecution argued that the employees’ violations of their employer’s computer use restrictions “exceeded their authorized access,” but the court found the employer’s restrictions irrelevant to such a determination.
In April 2011, the Ninth Circuit Court of Appeals reversed the district court and held that a former employee “exceeds authorized access” to data on his employer’s computer system under the CFAA where the employee takes actions on the computer that are prohibited by his employer’s written policies and procedures concerning acceptable use (e.g. prohibitions against copying or e-mailing files to compete or help a third party compete with the employer). The decision strengthened the CFAA as a viable remedy to help fight employee data theft.
The following year, however, a Ninth Circuit en banc panel affirmed the district court’s decision, reversed the prior Ninth Circuit opinion, and adopted a narrow interpretation of the CFAA. The panel found that an employee’s violation of his/her employer’s computer usage policies was not a violation of the CFAA. The Court focused on whether the employee originally had access to the information, not whether the employee misused the employer’s confidential information in violation of usage policies. The decision widened a split between the circuit courts regarding the proper interpretation of unauthorized access under the CFAA and its applicability to factual scenarios where employees allegedly steal company data in violation of computer usage policies or in breach of their loyalty obligations.
The government subsequently obtained superseding indictments, and charged Nosal with, inter alia, the remaining CFAA and trade secret theft counts. During the two-week trial, Nosal’s defense team developed a theme that Korn/Ferry was a corporate Goliath “using the government to essentially do [its] dirty work” and the case was a “perversion of the criminal process” orchestrated by Korn/Ferry to eliminate him as a competitor. The prosecution responded by reemphasizing that “it’s the defendant that’s on trial here … not Korn/Ferry.”
Nosal was found guilty on these counts on April 24, 2013 after two days of jury deliberations. None of the jurors would discuss their deliberations.
It is anticipated that the case may again return to the Ninth Circuit Court of Appeals for a third decision. One of the significant issues likely on appeal involves the factual scenario seen in Nosal where a password is borrowed by one individual, he/she provides the password to a second individual, and the second individual uses the password to access a computer system: is the first individual liable under the CFAA for “unauthorized access”? In fact, some legal commentators question whether Nosal actually committed a direct violation of the CFAA. Nevertheless, the case will continue to be closely monitored.
Nosal is scheduled for sentencing on September 4, 2013. He faces penalties up to five years’ imprisonment and $250,000 for the computer offenses, and up to 10 years’ imprisonment and $250,000 for the trade secret offenses.
Does the Computer Fraud and Abuse Act (“CFAA”) prohibit hacking–improperly gaining entrance into a computer system–or simply prohibit improper use of a computer system? U.S. Courts of Appeal are divided. Now, district and appellate court judges in a single federal case pending in the Northern District of California, U.S. v. Nosal, have produced several divergent opinions regarding congressional intent with respect to the meaning of the CFAA.
The defendant in Nosal allegedly persuaded employees of his former employer to log in to the employer’s computer system and forward confidential information to him. Nosal allegedly planned to use the information to compete with his former employer.
The CFAA provides that an individual who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” is guilty of a crime. Although the CFAA is a criminal statute, most judicial opinions interpreting it are issued in civil (injunction and damages) litigation. Nosal is one of the unique reported CFAA cases in which the defendant was charged with a crime.
The most recent Ninth Circuit opinion in Nosal was written in 2012 by an en banc majority. Those judges concluded that the CFAA is simply an anti-hacking statute that criminalizes circumventing “technological barriers.” It does not apply to Nosal, the majority held, because he was not the person who entered his former employer’s computer system.
After the Ninth Circuit’s en banc decision was issued, affirming the district court’s dismissal of the indictment’s CFAA counts, a superseding indictment was returned. It alleged substantially the same crimes but added more facts with the purpose, apparently, of getting around the en banc ruling. Nosal again moved to dismiss the CFAA counts, stressing that the statutory words “accesses” and “access” relate to unauthorized logging into the company’s computer, not to the use that is made of the computer after logging in. Since he did not log in, he insisted, he could not be guilty of CFAA crimes.
In a ruling issued in mid-March 2013, Nosal’s motion was denied. The district court judge emphasized that the Ninth Circuit en banc majority’s words cannot be taken literally. According to that judge, “[h]acking was only a shorthand term used [by the en banc majority] as common parlance . . . to describe the general purpose of the CFAA,” and the phrase “‘circumvention of technological access barriers’ was an aside that does not appear to have been intended as having some precise definitional force.” In short, the district court judge concluded,
“[i]f the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless. Surely Congress could not have intended such a result.”
Proposed legislation to expand the scope of the CFAA is currently being circulated among the House Judiciary Committee. Nevertheless, practitioners and parties in the states and territory which encompass the Ninth Circuit — Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington State, and the Territory of Guam — will likely have to wait at least until the next CFAA lawsuit is decided by the Ninth Circuit before they may reliably predict what conduct will be held to violate the CFAA.
Two rival toy makers engrossed in an eight-year battle over the Bratz doll line have once again taken their fight to the Ninth Circuit. This week, a Ninth Circuit panel consisting of Chief Judge Alex Kozinski, Judge Kim Wardlaw, and Judge Stephen Trott, heard oral argument concerning an award of more than $310 million in damages and attorneys’ fees against Mattel, Inc. in its dispute with MGA Entertainment, Inc.
This is the second time the case has made its way to the Ninth Circuit and to the same three-judge panel. In 2010, the same panel reversed a jury verdict that awarded Mattel nearly $100 million in damages for copyright infringement and the ownership rights to the Bratz doll brand. Previously, Chief Judge Kozinski, writing for a unanimous panel, reversed the decision below that Bratz creator and former Mattel employee Carter Bryant had assigned the intellectual property rights in the dolls to his former employer through his employment agreement’s invention assignment provision. The case was remanded for a retrial.
In a surprising turn of events, the second jury in the contentious case awarded more than $80 million in damages to MGA for Mattel’s alleged trade secret misappropriation (a claim that was not tried in the first jury trial), plus attorneys’ fees and treble damages for a total amount of more than $310 million.
Oral arguments began Monday in Pasadena, California. Mattel requested the court to vacate or reverse the award on grounds that MGA’s trade secret counterclaim was untimely and barred by the statute of limitations. Mattel also asked the court to reverse or vacate the trade secret damages award on grounds of insufficient evidence, and reverse or vacate the attorneys’ fees and costs award on grounds that Mattel’s pursuit of its copyright claim was objectively reasonable.
During yesterday’s oral arguments, the panel primarily focused on the timing issue. The statute of limitations for trade secret misappropriation under the California Uniform Trade Secrets Act (Cal. Civ. Code § 3426.7) is three years after the plaintiff discovers, or should have discovered, the misappropriation.
During its oral argument, Mattel explained that MGA filed its trade secret counterclaim against Mattel in August 2010, on grounds that Mattel allegedly stole trade secret information about the Bratz Doll lines during toy fairs. Mattel argued that the statute of limitations began running in 2004, when MGA had “reason to suspect” the alleged misappropriation after it hired two Mattel employees that were aware of Mattel’s alleged “toy fair conduct.” Specifically, Mattel pointed to MGA’s prior pleadings and discovery requests concerning the alleged toy fair conduct, which allegedly evinced MGA’s “reason to suspect.” Thus, Mattel argued that more than three years had passed and MGA’s trade secret counterclaim was untimely and barred.
In addition, Mattel argued that the district court erred when it found that MGA’s trade secret counterclaim was compulsory and related back to Mattel’s own trade secret claim in 2006, because the two sets of claims involved different trade secrets that were allegedly stolen at different places and times, by different actors, and through different means.
MGA opened its argument by accentuating Mattel’s alleged deposition misconduct, which allegedly tolled MGA’s claim. MGA also argued that its counterclaim was compulsory because Mattel’s trade secrets claim concerned the same “category of documents.”
Chief Judge Kozinski pressed MGA hard on its “same category of documents” position. The Chief Judge emphasized that the compulsory issue is based on the claim, not documents. For example, he explained that the same document can simultaneously support different torts and contracts claims without giving rise to compulsory counterclaims. He stated that he “didn’t see how it’s compulsory or anywhere related.”
MGA also argued that there is a “logical relationship” between the parties’ trade secret claims. Judge Trott said he is having trouble with this argument based on the definition provided in In Re Pegasus Gold Corp., 394 F.3d 1189 (9th Cir. 2005), which is “the same aggregate set of operative facts as the initial claim.” Mirroring the Chief Judge’s concerns, Judge Trott said he does not see what constellation or common nucleus of facts makes them compulsory. He said the two claims are as different as “chalk and cheese.”
If the Ninth Circuit finds that the counterclaim was not compulsory, and MGA did not have reason to suspect it should have brought its counterclaim earlier, this could mean more litigation in this action in the upcoming year. In fact, Judge Wardlaw suggested that MGA refile its trade secret claim as a separate new lawsuit against Mattel.
While the ultimate outcome of this dispute is unclear, what is clear is that it does not appear to be reaching a resolution any time soon.
We will keep you apprised of any further developments.
According to a recent filing with the California federal district court in the United States v. Nosal case, the Solicitor General, in consultation with the Criminal Division of the Department of Justice and the United States Attorney’s Office, is still deciding whether to file a writ of certiorari with the United States Supreme Court.
The writ would challenge the Ninth Circuit’s recent decision in the case which circumscribes the use of the Computer Fraud and Abuse Act to primarily hacking activities, rather than violations of employer computer usage policies or internet service providers’ terms of service/use, and request that the Supreme Court resolve the current circuit split. We previously discussed the Court’s decision and its impact. Other legal commentators such as John Marsh, Ken Vanko, and Nick Akerman have weighed in on the decision. The parties’ stipulation indicates that the government’s deadline to file the writ is July 9, 2012.
Should your company be interested in taking a side in the dispute, including joining a letter to the Solicitor General or participating in an amicus filing, please contact your Seyfarth attorney contact or submit your interest here.
By Robert Milligan and Jeffrey Oh
A recent California federal court decision has permitted an employer to pursue a former employee for alleged violations of the employer’s computer usage policies under the Computer Fraud and Abuse Act (“CFAA”), while an en banc Ninth Circuit panel considers the validity of such claims. The Ninth Circuit’s decision in the United States v. Nosal provided employers with a potentially powerful tool under the CFAA to combat data theft by employees and other insiders, only to see the decision rendered non-citable in October 2011 while an en banc Ninth Circuit panel reconsiders the issue. A recent decision from federal district judge Larry Alan Burns of the United States District Court, Southern District of California, reflects a willingness to allow employers to continue to use the CFAA to combat data theft at least until the en banc panel rules in Nosal.
The case, Platinum Logistics v. Mainfreight and Melissa Ysais, centers around Ms. Ysais, a former sales manager at Platinum Logistics who allegedly violated a binding nondisclosure agreement by taking customer lists and rate sheets in her transition to a competitor. Platinum Logistics claims that in taking these electronic documents without permission Ms. Ysais violated the CFAA.
In its initial complaint, Platinum Logistics specifically cited § 1030(a)(5)(C), a subsection of the CFAA which prohibits “intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.” Ruling on a motion to dismiss, the Court cited the Ninth Circuit’s interpretation of § 1030(a)(5)(C) given in LVRC Holdings LLC v. Brekka in which access without authorization is defined as “without any permission at all.” Given that Ms. Ysais accessed the documents in question while still employed at Platinum Logistics and had accessed them previously within the scope of her job, the Court granted the defendant’s motion to dismiss, but without prejudice to Platinum Logistics. In his discussion on the matter, the Court provided Platinum Logistics with the opportunity to file an amended complaint, citing a different subsection of the CFAA as the potential basis for a valid claim.
According to the Court, Platinum Logistics may have a valid claim under §§ 1030(a)(2) and (a)(4), which offers legal recourse for cases where authorized access is exceeded. As interpreted by the Ninth Circuit in Nosal, “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions – including use restrictions.” In the case of Platinum Logistics, Ms. Ysais’s alleged apparent disregard of the company’s non-disclosure agreements in taking electronic documents puts her in violation of the CFAA as it is currently interpreted. Accordingly, the Court provided the plaintiff with an opportunity to amend its complaint to state this claim under the CFAA. Should the plaintiff elect to assert the CFAA claim, the Court ordered the claim stayed pending resolution of Nosal.
As modern computer technology continues to change the workplace and how companies operate, the CFAA continues to serve as an increasingly important legal tool in preventing data theft by employees and insiders. The outcome of Nosal is being closely watched by employers and employees, and a United States Supreme Court challenge is probably inevitable once the Ninth Circuit renders its decision.
The Ninth Circuit held oral argument on the key United States v. Nosal case yesterday before an en banc panel.
The Court has made the oral argument available on-line.
At stake is whether the government can maintain criminal charges and an employer can maintain a civil cause of action under the Computer Fraud and Abuse Act against an employee who steals company data by “exceeding authorized access” in violation of an employer’s computer usage policies.
Ninth Circuit Judge Richard Tallman challenged Nosal’s position by questioning why employees should not be held responsible under the CFAA for violating clear and express computer usage policies by stealing company data.
Oral argument revealed that the en banc panel is likely divided on whether to reverse the Ninth Circuit’s April decision, which permitted the government to maintain its indictment against the employee for violating the employer’s computer usage policies.