Reports Of The Computer Fraud and Abuse Act’s Demise Have Been Greatly Exaggerated
Posted: April 26, 2012
Recently, the Ninth Circuit issued an en banc decision in US v. Nosal, holding that the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (CFAA) should be construed narrowly so as to be “limited to violations of restrictions on access to information, and not restrictions on its use.” This ruling represents a split from the Fifth, Seventh, and Eleventh Circuits. Some have even gone so far as to suggest that the Ninth Circuit decision gives a license to employees to steal from company computers.
While the Nosal decision is certainly important, it does not give bad-acting employees carte blanche to steal from their employers. Nor does it mean that the CFAA is no longer a useful tool to be employed when deciding how to proceed against an employee’s theft of your company’s confidential information. Rather, Nosal is best understood as cautioning against using the CFAA as a means of criminalizing violations that would traditionally be considered state law civil claims, such as misappropriation of trade secrets, unfair competition, unjust enrichment, or breach of a confidentiality agreement.
Why Has The CFAA Traditionally Been An Attractive Tool For Employers?
The CFAA was originally enacted in 1984 in order to target hackers seeking access to protected computers (i.e., governmental or financial services industry computers) in order to access confidential information or to distribute worms or viruses.
Since its enactment, however, the CFAA has been repeatedly amended. These amendments have added greater protection for privately-maintained computers, added a private right of action for civil remedies, and attempted to adapt the statute to the Internet age. As it reads today, the CFAA provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”
Thus, the CFAA provides employers with the option of a federal forum when they seek to go after a current or former employee for theft of confidential information. Depending on the jurisdiction, the federal court may be less bogged-down than state court and more capable of rapidly hearing and determining a TRO or Preliminary Injunction hearing.
The CFAA is also attractive to employers because they may bring a CFAA claim even in the absence of an employment agreement or confidentiality agreement. Moreover, employers may find it easier to obtain relief under the CFAA because it does not require the employer to prove that the misappropriated information constitutes a trade secret. Accordingly, a CFAA claim would not require that the employer demonstrate the reasonableness of the steps taken to safeguard the information. A CFAA claim would also not open the employer up to the risks accompanying a public court ruling that the information at issue was, in fact, not subject to trade secret protection.
Finally, the CFAA is attractive to employers because, in some circumstances, such as the Nosal case, the United States government might decide to criminally prosecute violations of the CFAA, which has obvious advantages.
US v. Nosal
In Nosal, the defendant worked for an executive search firm. After he left the firm, he convinced some of his former colleagues to download customer information from the company’s confidential database and send it to him so that he could start a competing business. While the employees were authorized to access the database, company policy forbade the disclosure of confidential information.
The government decided to prosecute Nosal, and he was indicted on 20 counts, including aiding and abetting the search firm’s employees in exceeding their authorized access with intent to defraud, in violation of the CFAA. Nosal moved to dismiss, arguing that the CFAA does not apply to individuals who access computers with authorization and then misuse the information they obtain. The District Court granted Nosal’s motion to dismiss. On appeal, the Ninth Circuit affirmed the decision. In construing the CFAA narrowly, the court found that the statute is not written clearly enough to assume that Congress intended to expand the scope of criminal liability “to everyone who uses a computer in violation of computer-use restrictions—which might as well include everyone who uses a computer… .”
What Should Be Done In The Wake of Nosal?
Although it remains to be seen whether the United States Supreme Court will get and take the opportunity to reconcile the split that now exists among the circuits after Nosal, the Ninth Circuit’s decision has exposed a weakness in the CFAA in terms of its application. Employers outside of the Ninth Circuit may continue to attempt to use the CFAA to address employees who have misused their information. But employers in all jurisdictions should consider that there are other ways to protect their confidential business information that do not depend on clarification by the United States Supreme Court.
First, employers need to carefully consider which employees should have access to which information. Perhaps your manufacturing employees do not need to have access to your sales information. In such a case, an employer is well advised to use the different technical means that are available to segregate different categories of information so that access is limited to those with a “need to know.”
Second, employers should consider other physical safeguards that restrict access to computerized information under circumstances that are relevant to the employer’s security regime, such as requiring that employees use high-security passwords, or change passwords often.
Third, employers should have comprehensive confidentiality agreements with all employees who have access to sensitive business information.
Fourth, employers should have detailed computer use policies. These policies should be specific, clearly written, and enforced regularly and consistently so that employees would be deemed to have fair notice as to what types of conduct are prohibited. Policies should specify that employees’ authorization to access company information and systems ends upon termination and that it is a violation of policy to assist a former employee in accessing information. Employers should train supervisors as to how policies should be interpreted and applied. Employers should require employees to sign that they have reviewed and agreed to these policies, and these documents should be maintained in employees’ personnel files. Employers should make their policies easily accessible to employees and should regularly remind employees about their policies.
Fifth, employers should, with appropriate notice, regularly monitor their employees’ computer usage for unusual usage patterns and any usage that may be in violation of the company’s computer usage policy.
Sixth, where applicable, employers should use enforceable restrictive covenants in order to provide additional protection against the employers’ information landing in the hands of competitors.
The CFAA can be a valuable tool to employers faced with employee theft of sensitive business information, and the Nosal case is getting significant attention in the aftermath of the Ninth Circuit’s somewhat controversial decision. But the CFAA remains only one arrow in an employer’s quiver, and other arrows mentioned above are equally, if not more, important.