As previously reported in EmployNews, employers and federal prosecutors have become more aggressive in using anti-hacking laws to address employee theft and misappropriation of confidential computer information. On Tuesday, the full Ninth Circuit Court of Appeals applied the brakes to some of these efforts, refusing to allow use of the federal Computer Fraud and Abuse Act (CFAA) to punish a departed employee who allegedly directed recruited colleagues to download sensitive information before leaving to start a competing business.
In U.S. v. Nosal, the defendant left work with his employer to start a rival company. He then allegedly recruited several of his former co-workers to join him. Before these employees provided notice of resignation, they downloaded confidential information from their employer's database and transferred it to the defendant. The federal government indicted the defendant for criminal violations of the CFAA.
The CFAA was enacted as an anti-hacking measure. It prohibits unauthorized access to computer systems, or access beyond authorized levels. The defendant sought dismissal of the criminal CFAA claims, arguing that the employees who accessed his former employer's computer system had authority to download the databases. The government contended that CFAA also prohibits access to the systems when such access violates the employer's confidential information policies.
In an en banc decision, the Ninth Circuit disagreed, affirming dismissal of the criminal CFAA charges. The court used a technical interpretation of the statute to reject the government's interpretation, noting that to do otherwise would convert what was intended as a hacking law into one that punishes the broader area of misappropriation of confidential business information. If the employee has been granted access to the subject information, he or she cannot be prosecuted under CFAA even if they use that access for purposes that violate company policy.
The Ninth Circuit speculated that the broader reading of the CFAA urged by the government would potentially criminalize employees' use of their company's Internet access for personal purposes. A dissenting opinion dismissed this concern, noting that the defendant was accused of engaging in clear fraud and abuse through his former employer's computer system.
CFAA prosecutions are therefore limited to situations where the government can demonstrate that the employee accessed files to which he or she had no authority to download for any reason. Three other federal circuits have made a broader reading of the CFAA, affirming use of the law in situations similar to that rejected in Nosal. This split in authority may prompt the Supreme Court to review this question.
In the meantime, in addition to criminal prosecution, employers may also attempt to use civil remedies under the CFAA to pursue claims against employees who misappropriate electronic information, along with traditional statutory and common law actions. When faced with employee misappropriation of confidential business information, employers should explore all potential avenues for responding to this conduct. Employers may also decide to limit authorized access to certain sensitive company information in order to bolster potential CFAA claims.