e-commerce law reports FEATURED ARTICLE 04/09
cecile park publishing Head Office UK Cecile Park Publishing Limited, 17 The Timber Yard, Drysdale Street, London N1 6ND tel +44 (0)20 7012 1380 fax +44 (0)20 7729 6093
www.e-comlaw.com
PROFESSIONAL EMAIL
United States v Nosal
United States Court of Appeals No. 10-10038 (9th Cir. 28 April 2011)

A US court of appeals held that the Computer Fraud and Abuse Act applied to employees who had authorisation to access company information but who used that information in violation of their employer's policies.

In the case of United States v Nosal, the United States Court of Appeals for the Ninth Circuit held that the Computer Fraud and Abuse Act (CFAA) applied to employees who had authorization to access information but who used that information in violation of their employer’s policies. The Ninth Circuit thereby joined other federal courts of appeals with expansive interpretations of the CFAA. Nosal provides employers with a potent weapon in civil litigation against current and former employees, who could even face criminal prosecution under the CFAA. Nosal, however, does not restrict its reach to employer-employee relationships. The potential implications are much broader, plausibly subjecting casual internet users to criminal liability for violating the terms of use of a website or other online service.

The Computer Fraud and Abuse Act

The CFAA that Congress enacted more than 27 years ago targets hackers. Since then, Congress has amended the CFAA numerous times, expanding its scope. The CFAA is a criminal statute although, under certain circumstances, it also provides a private right of action in civil court (18 U.S.C. § 1030(g)). Civil cases involving the CFAA now routinely target employees and former employees. The Ninth Circuit interprets the statute identically in criminal and civil contexts, citing cases from both contexts interchangeably. Nosal, therefore, applies in both criminal and civil cases.

Background

David Nosal, a former executive of executive recruiting firm Korn/Ferry International (KFI), left KFI and started a competing firm.
According to federal prosecutors, two employees who still worked at KFI accessed, and then passed along to Nosal, confidential and proprietary information on KFI’s computer system. Federal prosecutors charged Nosal with conspiracy to violate the CFAA, alleging that the KFI employees had ‘knowingly and with intent to defraud, access[ed] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ed] the intended fraud and obtain[ed] anything of value’ (18 U.S.C. § 1030(a)(4)). Nosal moved to dismiss the CFAA claims, arguing that the employees who allegedly helped him had authorization as KFI’s employees to access KFI’s computers. The government countered that KFI’s policies only permitted employees to use the information on its computers for legitimate business purposes.

Trial court

The district court initially denied the motion to dismiss, agreeing with the government’s argument. The two KFI employees’ intent to defraud their employer was ‘nefarious’, rendering their actions ‘without authorization’ or ‘in excess of authorized access’.

Before the case came to trial, however, the Ninth Circuit decided LVRC Holdings v Brekka [1]. In that case, Brekka worked for LVRC and, at one point, negotiated to become a part owner. Before negotiations fell apart and he left the company, Brekka emailed company documents to his and his wife’s personal email accounts. LVRC brought a civil suit under the CFAA after Brekka started a competing business using LVRC’s documents. In Brekka, the Ninth Circuit held that Brekka had permission to access the documents as an employee and
therefore did not access the documents ‘without authorisation’ as required for a CFAA violation. The question of authorization ‘depended on actions taken by the employer’, and the employer did not revoke Brekka’s authorization while he still worked for the employer.

Brekka created a split in authority between the Ninth Circuit and the Seventh Circuit. The Seventh Circuit’s leading CFAA case, International Airport Centers, LLC v Citrin [2], had held that an employee automatically loses authorization to access an employer’s computer system upon betraying the common-law duty of loyalty owed to that employer [3]. In Brekka, the Ninth Circuit rejected the reasoning of Citrin. Under the rule of lenity, which stems from the principle that criminal statutes must give fair notice of what conduct might violate them, the CFAA did not provide fair notice to an employee that violating a duty of loyalty might give rise to criminal liability - for one thing, the statute does not even mention the duty of loyalty.

In light of the Ninth Circuit’s decision in Brekka, the district court changed its ruling and concluded that Nosal’s alleged accomplices could not have violated the CFAA because they had authorization as employees to access KFI’s computers.

Appeal to the Ninth Circuit

In a split decision, the Ninth Circuit held that Nosal’s alleged accomplices exceeded their authorised access to KFI’s computers because the employees violated KFI’s written employee agreement that restricted use of company information for legitimate business purposes. The Ninth Circuit also pointed to warnings on computer screens stating ‘you need specific authorisation to access any
Korn/Ferry system or information and to do so without the relevant authority can lead to disciplinary action or criminal prosecution’.

The majority opinion turned on an analysis of the word ‘so’ in the definition of ‘exceeds authorized access’: ‘to access a computer with authorisation and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter’. 18 U.S.C. § 1030(e)(6) (emphasis added). The majority held that the word ‘so’ implied that one might obtain information in a manner that rendered the access unauthorized. ‘Thus, an employee exceeds authorized access under §1030(e)(6) when the employee uses that authorized access to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter’. Nosal (alterations in original). Because KFI had explicitly limited the uses to which employees could put its computers and information, obtaining information for other uses was ‘in excess of authorized access’ under the CFAA.

Implications

The majority parried a vigorous dissenting opinion that warned against transforming the CFAA from an anti-hacking statute into one criminalizing general workplace misconduct. After Nosal, an employee could face both civil and criminal liability under the CFAA for violating a company’s written policies, such as an employment agreement, employee handbook, or a company’s internet policy. The dissent warned against a reading of the law that might impose civil or even criminal liability for checking sports scores or one’s personal email in the workplace. The majority discounted this by
pointing to the CFAA’s ‘fraudulent intent’ requirement, namely that the unauthorized access must be undertaken with ‘fraudulent intent and must further the fraudulent scheme’.

Two weaknesses in this argument may undercut the majority’s stated intent to limit the reach of its opinion. First, as the dissent pointed out, other sections of the CFAA contain the ‘exceeding authorized access’ language but do not contain the intent requirement of (a)(4) [4]. This provision might yet impose broad liability on any who violate an acceptable-use policy. Second, district courts in the Ninth Circuit, in other cases, have already discounted the requirement for fraudulent intent in the CFAA. Fraud, according to these cases, simply means ‘wrongdoing’ [5]. According to these courts, the CFAA need not satisfy the heightened pleading standards the Federal Rules of Civil Procedure impose on cases involving fraud [6].

Most ominously, Nosal may also apply in the absence of an employer/employee relationship. It would thus sweep much wider than Citrin, which it was at pains to narrow. Citrin held that a violation of an employee’s duty of loyalty automatically revoked any authority the employee had to access the employer’s computers. Nosal, on the other hand, requires a knowing violation of an explicit policy. Although this ‘specific policy’ requirement provides Nosal the appearance of restraint, it also provides an avenue to further expand CFAA liability. Citrin, at least, requires an agency relationship that mandates a duty of loyalty. Nothing in Nosal limits its reach to workplace policies and infractions. An earlier trial court opinion had held that the CFAA would be impermissibly vague if it could elevate mere violation of a
website’s terms of service into a criminal offence [7]. But that is now in doubt. Under Nosal the CFAA may just as easily apply to the user who creates a false profile on a social networking site or a user who downloads a picture of a pair of shoes in violation of a web-based store’s terms of service in order to fashion knockoffs.

Conclusion

Under Nosal, a user’s ‘authorised access’ under the CFAA is governed by the system’s explicit policies. Accessing a computer for non-approved purposes may be ‘in excess of authorization’ and may lead to civil or criminal liability. From an employer’s or system provider’s perspective, therefore, this case reinforces the importance of communicating clear use policies to one’s employees and users. Nosal also raises the possibility that a knowing violation of the terms of service of a website or other online service might be both a civil offense and a crime under the CFAA.

K. Joon Oh, Associate
J. Caleb Donaldson, Associate
Winston & Strawn LLP

1. 581 F.3d 1127 (9th Cir. 2009).
2. 440 F.3d 418 (7th Cir. 2006).
3. See Citrin, 440 F.3d at 420-21.
4. See 18 U.S.C. § 1030(a)(2)(C).
5. Facebook, Inc. v. MaxBounty, Inc., No. 5:10-cv-04712-JF (N.D. Cal. March 28, 2011); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1126 (W.D. Wash. 2000).
6. eBay Inc. v. Digital Point Solutions, Inc., 608 F. Supp. 2d 1156, 1164 (N.D. Cal. 2009).
7. U.S. v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).