Decision deepens circuit split on scope of CFAA.
In many cases, terms of service are used as a contractual agreement between a company and users of a service they provide. are not criminally liable under the federal Computer Fraud and Abuse Act The Computer Fraud and Abuse Act is a law passed by the United States Congress in 1986 intended to reduce "hacking" of computer systems. It was amended in 1994, 1996 and in 2001 by the USA PATRIOT Act. (CFAA CFAA Canadian Fire Alarm Association
CFAA Country Financial Accountability Assessment (World Bank)
CFAA Canadian Federation of Apartment Associations (Ottawa, ON, Canada) ), which allows for the prosecution of anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access." The decision represents a split with several other circuits, which could result in the issue heading to the Supreme Court.
David Nosal resigned as head of the CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. practice group at executive recruiting firm Korn/Ferry International in October 2004. After his departure, Nosal allegedly tried to start a competing business by convincing three former colleagues to download a confidential client database in violation of Korn/Ferry's company policy.
The government indicted Nosal on numerous violations of the CFAA, arguing that although Nosal's co-workers had authorization to access the confidential database, they had exceeded authorized access by subsequently misusing this information. Nosal sought a dismissal of the case, saying that the CFAA was an antihacking statute that should not be used to prosecute computer usage violations.
A district court agreed with Nosal, citing the 9th Circuit's precedent in LVRC LVRC Lehigh Valley Railroad Company Holdings LLC (Logical Link Control) See "LANs" under data link protocol.
LLC - Logical Link Control v. Brekka (see "The Brekka Precedent," p. 57). The 9th Circuit panel initially reversed the lower court's ruling in April 2011, but one year later, an en banc [Latin, French. In the bench.] Full bench. Refers to a session where the entire membership of the court will participate in the decision rather than the regular quorum. In other countries, it is common for a court to have more members than are ruling reaffirmed the lower court's decision to dismiss the case.
In its most recent opinion, the 9th Circuit returned to its Brekka position and took a narrow interpretation of what constitutes "unauthorized access." Under the new standard, if a company allows its employees to use work computers, it has granted them authorization to access any information they can reach without "the circumvention of technological access barriers," such as password protections.
This is far from 9th Circuit's original Nosal ruling. According to according to
1. As stated or indicated by; on the authority of: according to historians.
2. In keeping with: according to instructions.
3. BrittonTuma Founding Partner Shawn Tuma, the court may have taken public opinion into account when reversing its position. "This case was a beautiful example of the power of framing the issue in a legal case," Tuma says. "In this appellate opinion, it barely even mentioned the actual facts of this case. It talked all about the public policy and the fears that had been ginned up over the past year."
The court's opinion makes extensive references to the CFAA's broader implications, namely that minor violations of computer usage policies--such as checking Facebook, playing Sudoku or sending personal emails--could result in criminal charges. Writing the opinion for the court, Judge Alex Kozinski worried that the government's interpretation of the CFAA would "transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved."
Judge Barry Silverman criticized the majority's use of "far-fetched hypotheticals" in his dissent. He focused on the CFAA's prohibition of "exceed[ing] unauthorized access," arguing that Nosal and his co-workers clearly exceeded their access by using confidential information with the intent to defraud their company.
Silverman also noted that the 9th Circuit's decision contrasts sharply with rulings by the 5th, 7th and 11th Circuits, which applied the CFAA more broadly in U.S. v. John, International Airport Centers v. Citrin and U.S. v. Rodriguez, respectively. "What those courts have focused on is that there is a requirement that there be an intent to defraud in connection with the access or improper action in question," says Hahn Loeser Partner John Marsh, who speculates that the circuit split may ultimately send the case to the Supreme Court.
In his opinion, Judge Kozinski acknowledged the split, but urged the other circuits to reconsider their stance, saying that they "looked only at the cupable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute's unitary definition of 'exceeds authorized access.'"
Until the split is resolved, companies should be aware of how courts view the CFAA in their jurisdictions. In the 9th Circuit, the Nosal ruling has raised the bar for employers trying to recover misappropriated information. "Even if you didn't have the strongest level of information, you still got some cachet cachet /ca·chet/ (ka-sha´) a disk-shaped wafer or capsule enclosing a dose of medicine.
An edible wafer capsule used for enclosing an unpleasant-tasting drug. with CFAA claims," Seyfarth Shaw Partner Robert Milligan says. "[Nosal] may make it more difficult to pursue claims against employees, particularly if the information is what the company would consider confidential and proprietary, but not a trade secret."
In light of Nosal, Tuma advises employers to regularly re-evaluate their computer access policies. "Have policies in place that limit permission to access," he says. "For different employees at different levels, take the time to delineate what authority they have. Don't just have a blanket policy, where everybody has free rein to x, y and z."
Even if an employee does manage to misuse information, employers are not without recourse A phrase used by an endorser (a signer other than the original maker) of a negotiable instrument (for example, a check or promissory note) to mean that if payment of the instrument is refused, the endorser will not be responsible. . Businesses can still pursue misbehaving employees with charges including misappropriation misappropriation n. the intentional, illegal use of the property or funds of another person for one's own use or other unauthorized purpose, particularly by a public official, a trustee of a trust, an executor or administrator of a dead person's estate, or by any of trade secrets, breach of contract and theft. "At the end of the day, the CFAA is one remedy, and every state still provides a course of action or a civil action for an employer that feels confidential information has been stolen or misappropriated," Marsh says.
Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington
RELATED ARTICLE: The Brekka Precedent
THE 9TH CIRCUIT REFERENCES ITS SEPT. 15, 2009, RULING IN LVRC Holdings v. Brekka multiple times in the Nosal opinion. And, as Seyfarth Shaw Partner Robert Milligan notes, the Brekka references aren't confined to one side. "Both the majority and the dissent rely on Brekka," Milligan says, "in the case of the majority, saying that the [Nosal] indictment should be dismissed, and the dissent, saying it should be upheld."
Christopher Brekka was an employee of LVRC Holdings, an addiction treatment center. Brekka allegedly used an administrative login to access client information even after he left the company. Both a district court and the 9th Circuit found in Brekka's favor, ruling that LVRC Holdings had given him authorized access to the client information by providing him with login credentials.
In the first Nosal ruling, however, the 9th Circuit panel differentiated between the two cases. LVRC Holdings had no written agreement prohibiting employees from accessing client information, whereas Korn/Ferry explicitly notified its employees that accessing privileged information without relevant authority could lead to prosecution. Judge Barry Silverman noted this distinction in his dissent; Judge Alex Kozinski relied instead on Brekka's narrow interpretation of "unauthorized access."