Ninth Circuit Narrows Scope of CFAA
Privacy & Information Security Update
Date: April 20, 2012
On April 10, 2012, the U.S. Court of Appeals for the Ninth Circuit issued its highly anticipated decision interpreting the Computer Fraud and Abuse Act (CFAA), in U.S. v. Nosal, 10-10038. In a 9-2 en banc decision, the Ninth Circuit narrowly construed the CFAA's criminalization of unauthorized computer access. The court rejected the government's broader interpretation of the CFAA, which would have made it a crime to violate an employer's internet access or computer use restrictions, regardless of whether the unauthorized use or access was related to the theft of an employer's confidential business data.
The CFAA originally was enacted in 1984 as a criminal statute to protect the federal government and certain financial institutions from computer hacking. As a result of several amendments, the CFAA now applies to any computer used in interstate commerce (meaning, in effect, virtually all computers linked to any network) and authorizes private civil actions against violators. There are several categories of prohibited conduct that would permit a civil claim under the CFAA, each of which involves access to a protected computer "without authorization" or by "exceeding authorization." Courts have struggled to determine the nature of "unauthorized" access that is sufficient to constitute a violation of the CFAA.
In the Nosal case, an employee who had permission to access his employer's computer system was indicted under the CFAA for allegedly accessing the company's computers with the purpose of misappropriating confidential business information in violation of, among other things, the company's computer use policy. The government alleged that the CFAA's proscription on unauthorized access to a protected computer should be interpreted to refer to someone who, like the defendant, has unrestricted physical access to a computer, but whose access to information on that system is limited in scope. In other words, under the government's interpretation, individuals who violate their employer's computer or internet use restrictions face criminal liability.
Writing for the majority, and upholding the lower court's dismissal, Chief Judge Alex Kozinski disagreed with the government's interpretation, noting "[t]he government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime." The court illustrated the flaws in a broad interpretation of the CFAA by noting that "[u]nder the government's proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist's policy, or describing yourself as 'tall, dark and handsome,' when you're actually short and homely, will earn you a handsome orange jumpsuit." The Ninth Circuit ultimately held that the phrase "exceeds authorized access" in the CFAA "does not extend to violations of use restrictions." In other words, checking sports scores or sending personal emails at work is not a crime under the Nosal holding.
The dissent objected to the majority's characterization of the case. "This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts," wrote Judge Barry Silverman. Judge Silverman described the majority's reasoning as "ridiculing scenarios not remotely presented by this case" and "knocking down straw men."
Several other circuits have adopted an expansive view of the CFAA like the one advocated by the government in Nosal. Following the decision in Nosal, it is unclear whether other circuits will follow the Ninth Circuit's lead and adopt a narrow construction or will continue to criminalize violations of use restrictions. And it may get even more interesting: Congress currently is considering proposals to amend the CFAA yet again, one of which would make violations of the CFAA a predicate act under the Racketeer Influenced and Corrupt Organizations Act (RICO). Should this come to pass, the current limits on civil damages under the CFAA would be unimportant, since RICO violations allow for recovery of treble damages, which are not defined as narrowly as damages under the CFAA.
Thompson Hine Is Available to Assist You
Thompson Hine's Privacy & Information Security practice, an interdisciplinary and international group of lawyers with experience in complex national and international issues including privacy, data protection, information security, records retention, employment and labor law, consumer protection, internet law and intellectual property, helps clients develop, implement and benefit from globally compliant data management practices. Our team has assisted numerous companies in developing and implementing global privacy and data protection programs and strengthening their strategic use of competitively critical data.