Enter to open, tab to navigate, enter to select
Internet Surfing on Company Computers Is Not Criminal Conduct: Ninth Circuit
Practical Law Legal Update 4-518-8844 (Approx. 5 pages)
Internet Surfing on Company Computers Is Not Criminal Conduct: Ninth Circuit
by PLC Intellectual Property & Technology and PLC Labor & Employment
| Published on 11 Apr 2012 • USA (National/Federal) |
On April 10, 2012, the US Court of Appeals for the Ninth Circuit issued an en banc decision in US v. Nosal, holding that employees who are authorized to access their employer's computers but use them in violation of company computer-use policy cannot be prosecuted for a federal crime under the Computer Fraud and Abuse Act.
On April 10, 2012, the US Court of Appeals for the Ninth Circuit issued an en banc decision in US v. Nosal, narrowly construing the Computer Fraud and Abuse Act (CFAA) in ruling that employees who are authorized to access their workplace computers but use them in violation of corporate policy do not "exceed[] authorized access" under the CFAA and therefore cannot be prosecuted under the statute.
David Nosal, a former employee of Korn/Ferry, an executive search firm, convinced some of his former colleagues still working for Korn/Ferry to use their log-in credentials to download client information from a confidential database on the company's computers and transfer it to Nosal to help him set up a competing business. Nosal's former colleagues were authorized to access the database, but Korn/Ferry had a policy that forbade the disclosure of confidential information.
The government indicted Nosal on 20 counts, including violations of the CFAA. Nosal sought to dismiss the CFAA counts. The district court initially rejected Nosal's argument. Shortly after the district court's decision, the US Court of Appeals for the Ninth Circuit decided LVRC Holdings LLC v. Brekka narrowly construing certain CFAA language (581 F.3d 1127 (9th Cir. 2009)). Nosal then filed a motion for reconsideration and a second motion to dismiss. The district court followed the Brekka decision and dismissed the CFAA counts for failure to state an offense. The government appealed to the Ninth Circuit.
The Ninth Circuit noted that the CFAA is an anti-hacking statute in its analysis of the relevant portion of the CFAA, which states that:
"Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by any means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished . . ."
Section 1030(a)(6) of the statute defines "exceeds authorized access" as:
"...to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
The court held that the phrase "exceeds authorized access" in the CFAA does not extend to violations of a company's or website's computer-use restrictions noting that:
- The rule of lenity requires the court to strictly construe the statute.
- A narrower interpretation aligns with a sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking.
- A broad interpretation of the statute would criminalize minor activities such as texting and chatting with friends, playing games, shopping or watching videos if done on company computers in violation of company computer-use policy.
Since Nosal's former colleagues had permission to access the company database and obtain the information contained within it, the court held that the government failed to prove that they met the "without authorization, or exceeds authorized access" CFAA element.
Circuit Split
The decision in US v. Nosal continues the split between:
- The Ninth Circuit and Second Circuits that interpret the CFAA narrowly. See LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) and U.S. v. Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012).
- The Fifth, Seventh and Eleventh Circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See US v. John, 597 F. 3d 263 (5th Circuit 2010); Int'l Airport Ctrs., LLC v. Citrin, 440 F3d 418 (7th Cir. 2006) and US v. Rodriguez, 628 F. 3d 1258 (11th Cir. 2010).