The law at issue is the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq., which generally creates both civil and criminal liability for the access of a computer “without authorization” or in excess of “authorized access.” Employers have used the CFAA as a powerful weapon in civil litigation against current and former employees for misappropriation of trade secrets and other proprietary information. The CFAA has been a favorite tool of federal prosecutors, as well, much to the dismay of some civil libertarians.
On Tuesday, Richard Downing, the Justice Department’s deputy section chief in charge of computer crimes, asked a subcommittee of the U.S. House of Representatives to formally amend the CFAA to allow “prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider.” As he explained in a released statement: “[O]ur Nation cannot improve its ability to defend against cyber threats unless certain laws that govern cybersecurity activities are updated, including the [CFAA].”
Voicing the concerns of civil libertarians, George Washington Law Professor Orin Kerr told the same House subcommittee that “many if not most computer users violate the CFAA on a regular basis” with this kind of interpretation. He said that, if broadly construed in such a manner, CFAA “criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable.”
Significantly, the U.S. Court of Appeals for the Ninth Circuit decided this fall to rehear en banc a case involving these same issues. A split panel of the federal appeals court had broadly construed the statute in April by holding that an employee could violate the CFAA for purposes of criminal law whenever he disobeyed an employer’s restrictions regarding the proper use of its computers. The decision is United States v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011).
Although the decision of the panel in Nosal seems consistent with desires of the Justice Department, the rehearing grant might be a sign of significant changes to come. Many legal experts are eagerly waiting to see the composition of the rehearing panel to the extent that it might influence the outcome. Unlike many other courts of appeal, when the Ninth Circuit rehears a case en banc not all of the judges participate due to the sheer size of the court. Instead, only a select panel of 11 judges will participate.
Several other federal courts of appeal have construed the CFAA broadly in both the civil and criminal context, including the Fifth Circuit, Eleventh Circuit, and Seventh Circuit. See United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); and Intern’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). But the decision in Nosal is seemingly odds with an earlier decision by a different panel of the Ninth Circuit interpreting the CFAA in a civil case. That decision is LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). There, the court held that an employee’s access of a computer network for purposes of providing information to a competitor did not make the employee’s access unauthorized for purposes of the CFAA.
Tuesday’s request by the Justice Department is no doubt a response to the recent approval by a committee of the U.S. Senate of an amendment that would narrow the CFAA.
All of this wrangling will likely have significant implications for the future of the federal cybercrime law and the ability of employers to pursue legal action against their employees for the improper use of its computers.
Consider the illustrative facts of Nosal: After David Nosal left his executive recruiting firm to establish a competing business, his former colleagues allegedly used the firm’s computer system to send him confidential and proprietary information. Federal prosecutors charged Mr. Nosal with conspiracy to violate the CFAA and alleged that his former colleagues had exceeded their authorized access to the firm’s computers in violation of 18 U.S.C. § 1030(a)(4).
Mr. Nosal asked the trial court to dismiss the CFAA claims, arguing that his former colleagues could not have violated the CFAA because they had authorization as employees to access the computer and its information. Prosecutors responded that the authorization extended only to use for legitimate business purposes, which did not include misappropriation of proprietary information. The trial court ultimately agreed with Mr. Nosal, and the panel reversed on appeal.
As Judge Stephen S. Trott explained in the panel opinion, the language of the CFAA necessarily implied that an employee could access an employer’s computer in a manner so as to render the access unauthorized. “Because the statute refers to an accesser who is not entitled to access information in a certain manner,” he wrote, “whether someone has exceeded authorized access must be defined by those access limitations.” Judge Trott’s opinion was joined by Judge Diarmuid F. O’Scannlain.
In her dissenting opinion, Judge Tena Campbell warned against the dangers of construing the language of the CFAA so broadly so as to turn the statute into one that criminalized general workplace misconduct.
“[U]nder the majority’s interpretation, any person who obtains information from any computer connected to the internet, in violation of her employer’s computer use restrictions, is guilty of a federal crime,” she wrote. “Under the majority’s interpretation, had Mr. Nosal ever viewed any information [at issue] out of curiosity instead of for legitimate . . . business, he would be guilty of a federal crime.”
Judge Trott: “Although we are mindful of the concerns raised . . . regarding the criminalization of violations of an employer’s computer use policy, we are persuaded that the specific intent and causation requirements of § 1030(a)(4) sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of a company computer for personal—but innocuous— reasons.”
Oral argument in the rehearing en banc before the Ninth Circuit is scheduled for the week of December 12, 2011.