The U.S. Court of Appeals for the Ninth Circuit (based in California) recently issued an important ruling regarding the effects of an employee’s use of a company’s computer network beyond the scope authorized by the employer. This ruling follows similar rulings that were issued by U.S. Courts of Appeals in 2010 here in the Eleventh Circuit (Georgia, Florida and Alabama) and in the Fifth Circuit (Texas and Louisiana). Now that three U.S. Circuit Courts of Appeals have reached similar interpretations of the federal law at issue, it seems likely that the other Circuit Courts will follow suit when similar issues are raised in their jurisdictions.
The federal Computer Fraud and Abuse Act (“CFAA”) is widely regarded as a body of federal law designed to protect companies and individuals from computer hackers. The Ninth Circuit has followed the example of the Fifth and Eleventh Circuits and broadened the application of the law to an employee who accessed company customer information with the intent to use it for purposes that violated the company’s usage policy, and then used the downloaded information to start a competing business.
Here is what happened in the Ninth Circuit case. The CFAA, which is a criminal statute, authorizes punishment of anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” In United States v. Nosal, Mr. Nosal was accused of having transferred to his new company a confidential database of executives and companies that was proprietary to his former employer, an executive search firm. While employed, he had signed a nondisclosure agreement that restricted his use and disclosure of the company’s confidential information. (This is a common type of nondisclosure requirement used in industries that maintain confidential or proprietary information.) In addition, when he or any other employee accessed the company’s computers, a notice popped up warning that accessing company computer information without specific company authorization could lead to criminal prosecution. Mr. Nosal nevertheless, individually and with the assistance of others who also left the company to join his competing business, accessed the database with the intent to use the database to benefit his new competing business. He argued that this conduct could not be “unauthorized” in violation of the statute because he and his co-conspirators did have authority to access the database even though they did not have authority to use the database for the purposes of which they were accused. In other words, they argued that their actions were authorized even if their intentions were not consistent with the authority they had been granted by their employer.
The Ninth Circuit concluded that, because the company had placed clear restrictions on Mr. Nosal’s use of the database, and because he had exceeded those restrictions with intent to defraud and had furthered his intended fraud and gained something of value by exceeding the use restrictions, the CFAA was applicable. Therefore, he could be prosecuted under the CFAA. The court made a clear distinction between this type of conduct and an employee’s unauthorized use of the employer’s computer system to access personal email or search the Internet for personal use, where such use does not represent an effort to defraud the employer. Such latter conduct, while against company rules, would not necessarily violate federal law under the Nosal decision.
This decision teaches lessons to both employers and employees.
For employers, the message is that a computer usage policy should place clear limits on what an employee can and cannot do with the information located on the computer. In addition, if an employee is only authorized to access certain databases, or certain drives within the computer system, the employee should be given written notice of those restrictions as well. (The latter concern can also be addressed by the system administrator by limiting each employee’s “permissions” to parts of the computer system that are authorized.) Where an employee is found to have exceeded the employer’s clear usage restrictions, the company may wish to consider making an example of the employee to discourage others from following suit.
For employees, the lesson is that the employee should make sure he/she fully understands how he/she is allowed to use the company’s computer system, as well as which portions of the computer system he/she is allowed to access. If in doubt, the employee should ask for clarification or steer clear of any gray areas. Ignoring clear restrictions can potentially result in not only termination but also a criminal prosecution.
The analysis set forth in this article is provided for general understanding only and should not be considered legal advice. Counsel should always be consulted for advice regarding a specific situation.