Earlier today, the Ninth Circuit handed down a decision which could affect every employee at every company with an IT access policy. In a 2-1 ruling in United States v. David Nosal, the Court held that workers who obtain information from a company’s computer system and then use that information in violation of company regulations could face criminal prosecution under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030.
In the Nosal case, the Court was faced with a situation where Mr. Nosal allegedly left his employment at the executive search firm Korn/Ferry and then allegedly inveigled some Korn/Ferry employees to appropriate information from the firm’s proprietary database in order to help him start a competing business. At the District Court, Mr. Nosal argued that the CFAA didn’t apply unless the employee had no right to access the information under any circumstances–and in this case, his alleged accomplices had been given access to the database as part of their work tools.
While Mr. Nosal ultimately persuaded the Hon. Marilyn Patel, he had less luck with the Ninth Circuit. “The government contends…that an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information. We have jurisdiction under 18 U.S.C. § 3731, and we agree with the government,” wrote the Hon. Stephen S. Trott for the majority.
After today, a host of behavior which was previously considered to be a civil offense (e.g. theft or misappropriation of trade secrets) can now be prosecuted criminally if an employer can persuade the local U.S. Attorney to take up their cause.
This didn’t seem to bother Judge Trott or the majority much.
“We do not dismiss lightly Nosal’s argument that our decision will make criminals out of millions of employees who might use their work computers for personal use, for example, to access their personal email accounts or to check the latest college basketball scores. But subsection (a)(4) does not criminalize the mere violation of an employer’s use restrictions. Rather, an employee violates this subsection if the employee (1) violates an employer’s restriction on computer access, (2) with an intent to defraud, and (3) by that action “furthers the intended fraud and obtains anything of value.” 18 U.S.C. § 1030(a)(4) (emphasis added).” In his mind, therefore, “[T]he requirements of a fraudulent intent and of an action that furthers the intended fraud distinguish this case from the Orwellian situation that Nosal seeks to invoke. Simply using a work computer in a manner that violates an employer’s use restrictions, without more, is not a crime under § 1030(a)(4).”
Alas, in an age of WikiLeaks, the above argument is too clever by half. Imagine if an employee at Transocean or BP accessed their company’s respective database and discovered a document establishing that either firm acted recklessly during the Gulf oil spill and its aftermath. The employee leaks it to WikiLeaks or to the media. What is the practical barrier to either company demanding the United States prosecute the leaker under CFAA? The company will argue that their information has value (and indeed, the revelation of an otherwise hidden document might realistically mean the difference of hundreds of millions of dollars in the final bill for the Gulf cleanup); that the leaker “defrauded” the company by “stealing” the information; that they furthered their intended fraud by accessing the computer system; and that, as a result, they obtained public attention (a thing of value) for their actions.
The civil penalties for theft of trade secrets can be severe enough. It beggars belief that criminal sanctions can now be imposed (and paid for through our taxes) for the almost exclusive benefit of a private victim. Congress should amend the CFAA posthaste.
–CAD