On October 27, 2011, the United States Court of Appeals for the Ninth Circuit agreed to rehear the appeal in United States v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011). Nosal involves a prosecution under the Computer Fraud and Abuse Act for alleged employee theft of confidential data from an employer's network for the benefit of a competitor. The circumstances under which an insider with a disloyal purpose, such as an employee who has permission to use the employer's network resources, can be charged either civilly or criminally under the CFAA with unauthorized access to a network, or access exceeding authorization, has been the subject of disagreement in the federal courts
As we
wrote last April, the panel in Nosal ruled that an employee
exceeds authorized access within the meaning of the CFAA "when
he or she obtains information from the computer and uses it for a
purpose that violates the employer's restrictions on the use of
the information." The Nosal ruling narrowly interpreted a
prior Ninth Circuit panel opinion in a civil action under the CFAA,
LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009).
(See prior blog post
here.) There, a different panel ruled that under the plain
language of the CFAA, an act of disloyalty to an employer, e.g.,
access to a employer's network for purposes of providing data
to a competitor, does not render the employee's access
unauthorized within the meaning of the CFAA.
The key distinction that the panel in Nosal made from the facts of
LVRC v. Brekka, was the existence in Nosal of "a computer use
policy that placed clear and conspicuous restrictions on the
employees' access" both to employer's computer system
in general and to specific data in question. No such agreement was
in place in LVRC v. Brekka.
The implications of the issues in LVRC v. Brekka and Nosal go
beyond the employer-employee context. In its Amicus Brief filed urging the Ninth Circuit to
rehear the Nosal case en banc, the Electronic Frontier
Foundation argued that the panel opinion in Nosal would criminalize
routine, mundane acts committed by Internet users that were deemed
to violate provisions in broadly written Internet Terms of
Service.
It is important to note that other federal courts of appeal have
upheld broad readings of the CFAA in the employee-employer context.
In the civil context, see, e.g., International Airport Centers, LLC
v. Citrin, 440 F.3d 418 (7th Cir. 2006); and in the criminal
context, see, e.g., United States v. John, 597 F.3d 263 (5th Cir.
2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir.
2010).
Oral argument in the rehearing en banc is scheduled for
some time in the week of December 12, 2011.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.