Ninth Circuit Rejects Application of Computer Fraud and Abuse Act in Employee Theft Cases

On Tuesday, April 10, 2012, a Ninth Circuit en banc panel released its highly anticipated decision in United States v. Nosal. The Ninth Circuit affirmed the judgment of the district court dismissing criminal counts against a former employee of a headhunter firm accused of violating the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”), by conspiring with employees of his former employer to log on to the employer’s confidential database and send proprietary files to a competitor.

Because the CFAA provides for both criminal and civil remedies, it has been a potentially useful tool for employers potentially damaged by employees who access employer computers and computer systems in violation of company computer access and use policies. The Nosal decision has significantly narrowed the circumstances in which CFAA civil claims may be available to employers.

The 9-2 opinion, authored by Chief Judge Alex Kozinski, is at odds with decisions by the Fifth, Seventh, and Eleventh Circuit Courts of Appeal construing the CFAA, and emphasizes the Ninth Circuit’s view that the government’s interpretation of the CFAA “would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”

In framing this conclusion, the Court observed early in its decision that:

Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Some times we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website?

This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

The Court then went on to reject the federal government’s interpretation of the CFAA, finding that the statute was meant to punish hacking, not misappropriation of trade secrets or someone who checks sports scores or logs onto Facebook from work. To find otherwise, Judge Kozinski reasoned would “criminalize any unauthorized use of information obtained from a computer” and “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”

“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights,” Kozinski wrote. “Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.”

Although the Court acknowledged that the Fifth, Seventh, and Eleventh Circuits permit employers to pursue CFAA claims against employees who violate computer use policies or violate duties of loyalty to their employer, the Ninth Circuit reasoned that:

“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. [Citations omitted.]. These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of “exceeds authorized access.” They therefore failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly so as to avoid “making criminal law in Congress’s stead.” United States v. Santos, 553 U.S. 507, 514 (2008).

We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead. For our part, we continue to follow in the path blazed by Brekka, 581 F.3d 1127, and the growing number of courts that have reached the same conclusion.

The Ninth Circuit concluded that because Nosal’s accomplices had permission to access the company database and obtain the information contained within, the government’s charges fail to meet the element of “without authorization, or exceeds authorized access” under 18 U.S.C. § 1030(a)(4).

Further, discounting the government’s assertions of prosecutorial restraint, Judge Kozinski added that “The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations.” “But we shouldn’t have to live at the mercy of our local prosecutor.”

In a powerful dissent, Judge Barry Silverman wrote:

This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts. The indictment here charged that Nosal and his co-conspirators knowingly exceeded the access to a protected company computer they were given by an executive search firm that employed them; that they did so with the intent to defraud; and further, that they stole the victim’s valuable proprietary information by means of that fraudulent conduct in order to profit from using it. In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men — far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.

The majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress. No other circuit that has considered this statute finds the problems that the majority does. (emphasis added)

It remains to be seen whether the federal government will seek Supreme Court review. The clear split amongst the Circuit Courts of Appeal may be a path to such review.

The majority’s decision leaves employers in the Ninth Circuit, and particularly California, with less options than those in other circuits that recognize CFAA claims (both civil and criminal) for wrongful access to company computers to steal company data for competitive purposes.

In light of the Nosal decision, companies operating in the Ninth Circuit should continue to carefully evaluate the scope of access they provide employees to company computer systems and limit access to highly valuable information to only those who need to know.