On April 28, 2011, the Ninth Circuit Court of Appeals held in an important decision upholding legal protections for employer data that employees may be held liable under the federal Computer Fraud and Abuse Act (18 U.S.C. 1030 et seq.) in cases where employees steal or remove electronic files or data in violation of their employers' written computer-use restrictions.
In U.S. v. Nosal (9th Cir. No. 10-10038), the Ninth Circuit held that a former employee "exceeds authorized access" to data on his employer's computer system under the CFAA where the employee takes actions on the computer that are prohibited by his employer's written policies and procedures concerning acceptable use (e.g. prohibitions against copying or e-mailing files to compete or help a third party compete with the employer).
The court rejected the argument that it was overruling its 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which dismissed an employer's CFAA claim against an employee who had e-mailed confidential documents to his personal address when working for the employer, and used those files post-termination to compete with the employer. The Brekka panel said that so long as the employee was authorized to use the computer for any purpose and such authorization had not been completely rescinded, the employee could not be held liable under the CFAA for using files for unauthorized purposes.
In distinguishing Brekka, the Nosal panel held that the employer in Brekka did not place any restrictions on employees e-mailing themselves confidential files, and thus the employees could not be said to have exceeded any such computer-use restriction. The employer in Nosal, on the other hand, had password-protected computers, written computer-use agreements with its employees which restricted access to computers to employer business, and automatically placed restrictive legends on its confidential database printouts advising readers that the printouts were confidential and company property.
The employers' computer-use restrictions, the Nosal court held, were the key distinction from Brekka, and the touchstones for "exceeding authorized access" under the CFAA. The Nosal majority noted that it was siding with the First, Fifth, and Eleventh Circuits' decisions in prior cases which similarly upheld employer CFAA claims against dishonest employees for exceeding authorized access by stealing employer files.
The dissent in Nosal argued that the majority’s decision goes too far, and potentially criminalizes otherwise innocuous employee use and access of his employer's computer. The definition of "exceeding authorized access" under the intent-to-defraud provision of the CFAA (i.e. Section 1030(a)(4)), the dissent said, was inconsistent with the statute's use of the same phrase in section 1030(a)(2), which made such access a crime whether or not the employee intended fraud. Any time the employee even technically violated an employer's restrictions, the employee could be indicted at the whim of the government.
With the Nosal decision, employers in the Ninth Circuit now have a clear CFAA remedy against dishonest employees who exceed their authorized access of their employers' computer systems. Employer computer-use restrictions determine whether an employee exceeds authorized access under the CFAA. Conversely, employees looking to avoid federal indictment or civil liability under federal law should strictly adhere to their employers' computer-use restrictions.
To avail themselves of the helpful Nosal decision, employers should ensure that they have written computer-use policies which prohibit improper computer use and activities. The policies should prohibit the use of company computers to copy, e-mail, or otherwise distribute company files to compete or help a third party compete with the employer. Computer access should be authorized for work activities only. Employers should also consider prohibitions on the distribution of company data to employees' non-work e-mail accounts and prohibitions or limitations on the use of electronic storage devices, such as external hard drives and data sticks. Employers should also audit employee computer use and access activity to ensure that employees are following company policies. Recurring training on acceptable computer usage is also critical. Employers should carefully circumscribe employee access to company prized data to only those employees who truly need to have access to such data to perform their jobs. Employers should also require employees to return all company data upon termination, as well as all company computers and other electronic devices.
The Nosal decision provides employers with a viable remedy to help address employee data theft but employers must be vigilant and ensure that they have crafted thoughtful computer-use policies to maximize their protections under the CFAA.