Ninth Circuit's Nosal Decision in CFAA Case Making Headlines
We've linked above (click on the title to this blog post) the Ninth Circuit's decision and opinion in their April 29th decision in United States v. Nosal.
Nosal had originally won a dismissal of the United States' indictment in arguing “that the CFAA was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements.” In other words, the Korn/Ferry employees could not have acted “without authorization,” nor could they have “exceed[ed] authorized access,” because they had permission to access the computer and its information under certain circumstances.
The United States appealed. Succesfully appealed.
The appellate court held: "Korn/Ferry employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the Searcher database in particular. By using their authorized access to defraud Korn/Ferry in violation of Korn/Ferry’s access restrictions, Nosal’s accomplices certainly had fair warning that they were subjecting themselves to criminal liability. For this reason, we conclude that the rule of lenity, which applied with particular force in interpreting the phrase “without authorization,” does not support ignoring the statutory language and the core rationale of Brekka. Nosal’s argument that the government’s “Orwellian” interpretation would improperly criminalize certain actions depending only on the vagaries and whims of the employer is foreclosed by Brekka, which held unequivocally that under § 1030 the employer determines whether an employee is authorized. Id. at 1133, 1135. Therefore, as long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that."
This is a statutory interpretation issue that will probably ultimately be decided by the Supreme Court - maybe even in this case.
Obviously counsel for companies who permit competitively sensitive access to their employees will be advising that policies need to be audited and revised. These policies should contain clear and conspicuous use restrictions for computer usage. The policy should plainly state that employees may access and use information available on or through work computers only for legitimate and authorized business purposes, and that employee access and use rights will be deemed revoked if they use work computers for unauthorized purposes.
Nosal had originally won a dismissal of the United States' indictment in arguing “that the CFAA was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements.” In other words, the Korn/Ferry employees could not have acted “without authorization,” nor could they have “exceed[ed] authorized access,” because they had permission to access the computer and its information under certain circumstances.
The United States appealed. Succesfully appealed.
The appellate court held: "Korn/Ferry employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the Searcher database in particular. By using their authorized access to defraud Korn/Ferry in violation of Korn/Ferry’s access restrictions, Nosal’s accomplices certainly had fair warning that they were subjecting themselves to criminal liability. For this reason, we conclude that the rule of lenity, which applied with particular force in interpreting the phrase “without authorization,” does not support ignoring the statutory language and the core rationale of Brekka. Nosal’s argument that the government’s “Orwellian” interpretation would improperly criminalize certain actions depending only on the vagaries and whims of the employer is foreclosed by Brekka, which held unequivocally that under § 1030 the employer determines whether an employee is authorized. Id. at 1133, 1135. Therefore, as long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that."
This is a statutory interpretation issue that will probably ultimately be decided by the Supreme Court - maybe even in this case.
Obviously counsel for companies who permit competitively sensitive access to their employees will be advising that policies need to be audited and revised. These policies should contain clear and conspicuous use restrictions for computer usage. The policy should plainly state that employees may access and use information available on or through work computers only for legitimate and authorized business purposes, and that employee access and use rights will be deemed revoked if they use work computers for unauthorized purposes.
No comments:
Post a Comment