Computer Fraud & Abuse Act: Unauthorized Use by Employees

An employee who makes unauthorized use of an employer’s computer equipment is subject to civil and criminal liability under the federal Computer Fraud & Abuse Act (“CFAA,” 18 U.S.C. §§ 1030).

Needless to say, the key issue is wither a given use is “authorized.”  Two key cases from the Ninth Circuit on this point are LVRC Holdings LLC v. Brekka, 5821 F.3d 1127 (9th Cir. 2009) and the more recent decision in U.S. v. Nosal (copy attached).  Taken together these two cases establish the following:

• The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.

• Section 1030 (a) (4) subjects to punishment anyone who knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

• Although the CFAA does not define the phrase “without authorization,” it does state that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” (See § 1030(e) (6).)

• If an employer has revoked an employee’s access to computers, the employee must be so informed in order to trigger liability for unauthorized use.

• While the Brekka case held that a person accesses a computer without authorization “when the person has not received permission to use the computer for any purpose” (581 F.3d at 1135), the Nosal case clarifies that under the CFAA, an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer. The Ninth Circuit thus reaffirmed its previous conclusion that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access.’”

In the Nosal case, the defendant worked for Korn/Ferry International, an executive search firm. When he left Korn/Ferry in October 2004, Nosal signed a separation agreement whereby he agreed to serve as an independent contractor for Korn/Ferry and not to compete with the company for one year. In return, Korn/Ferry agreed to make certain payments to Nosal.

Nosal left the firm and engaged three Korn/Ferry employees to help him start a competing business. The indictment that was the subject of the case alleged that these employees obtained trade secrets and other proprietary information by using their user
accounts to access the Korn/Ferry computer system. Specifically, the indictment charged that the employees transferred to Nosal source lists, names, and contact information from the “Searcher” database — a “highly confidential and proprietary database of executives and companies” — which was considered by Korn/Ferry “to be one of the most comprehensive databases of executive candidates in the world.”

When the government charged Nosal and another defendant with a violation of the CFAA, the defendants argued that the statute was designed to deal with “hackers” and other employees who allegedly misappropriate information or otherwise violate contractual confidentiality agreements.  The defendants contended that they could not violate the statute – which required “unauthorized access” to trigger liability because they did indeed have access to the computer system in question.

The Ninth Circuit confirmed that there could, indeed, be CFAA liability is an employee’s use of computers or data on hard drives exceeds the authorization given by the employer for the use of the machines or the information in question.

We regularly counsel employers and employees alike on key workplace issues.  Feel free to give us a call if you have questions in this most important legal arena.

 

Litigation Topics: