Appeals Court Narrows Computer Fraud Abuse Act (CFAA)

The Ninth Circuit Court of Appeals has again narrowly construed the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, finding that the criminal prosecution of an ex-employee who convinced current employees to access and transfer employer’s customer data to the ex-employee, was not a violation of the CFAA because “exceeds authorized access” does not cover unauthorized disclosure or use of information, contrary to company policy (a contractually imposed term of use, a TOU or TOS).  United States v. Nosal, Case no. 10-10038 (9th Cir. April 10, 2012) (available here).

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).  The court focused on two examples. (A) An employee, who is permitted to access only product information on the company’s computer but accesses customer data, potentially “exceeds authorized access” if he looks at the customer list.  (B) An employee may be authorized to access the customer list in order to do his job but is not contractually permitted, would also potentially exceed authorized access by misuse of the information.

The purpose of the statute “is to punish hacking — the circumvention of technological access barriers — not misappropriation of trade secrets”.  Slip opn. P. 3872 (herein “p. xx”).

The court found that the CFAA is an anti-hacking statute and not a misappropriation statute.  “The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word [‘so’ in the CFAA] that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.”  Pp. 3861-62.

The court pointed out that there is a federal trade secrets statute, 18 U.S.C. § 1832 — where Congress used the common law terms for misappropriation, including “with intent to convert,” “steals,” “appropriates” and “takes.”  See 18 U.S.C. § 1832(a), the Economic Espionage Act of 1996, which  provides penalties for anyone that knowingly engages in theft of trade secrets or the attempt or conspiracy to steal trade secrets.   However, there is no private cause of action under 18 U.S.C. § 1832. Pisani v. Van Iderstine, Case. No. 07-187S , 2011 U.S. Dist. LEXIS 73985 (D.R.I. June 27, 2011); Gibbs v. SLM Corp., 336 F.Supp.2d 1, 17 (D. Mass. 2004); Ryan v. Ohio Edison Co., 611 F.2d 1170, 1178-1179 (6th Cir.1979). There is also no private cause of action for mail fraud under 18 U.S.C. § 1341 or for wire fraud under 18 U.S.C. § 1343. See Pisani, supra, and Vasile v. Dean Witter Reynolds Inc., 20 F.Supp.2d 465, 478 (E.D.N.Y. 1998).

Inside Versus Outside Hackers – the CFAA Is Not An Internet Policing Policy

The Government argued that the CFAA covers hacking but also prohibits employees and former employees from accessing and using data from an employer’s computer without authorization.

Per the court, “But it is possible to read both prohibitions as applying to hackers: ‘[W]ithout authorization’ would apply to outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAA’s focus on hacking rather than turning it into a sweeping Internet-policing mandate.  The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.”  P. 3863 – 644.  The Government’s arguments that “exceeds access” used in different sections of the CFAA have different meanings was rejected by the court.  Once a court determines the meaning and scope of “exceeds authorized access,” that judicial construction must be applied to all other sections in the CFAA.  P. 3865.

“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.  Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.”  P. 3866.

As further support, the court cited  Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028 (M.D. Fla. May 6, 2011) wherein the court dismissed an employer’s counterclaim under the CFAA notwithstanding the fact that the plaintiff employee made personal use of the Internet at work by checking Facebook and sending personal email in violation of company
policy.

“Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.”  P 3867

The court indicated that if criminal liability turns on the vagaries of an employee-employer contract, or a company-consumer contract, then a “notice” issue arises as to (a) the meaning of ambiguous terms; (b) the changeable nature of the contracts; and (c) the scope of “lengthy, opaque [contracts which are], subject to change and seldom read.”  P. 3867.  Also, when an employee can use his or her cell phone to get the same information from the Internet, it is unjust to criminally punish the same activity when done on the employer’s computer.  The court then analyzes Google’s and Facebook’s terms of service (TOS) or terms of use (TOU) and notes that the Government’s statutory construction would criminalize “vast numbers of teens and pre-teens.”  The dating service eHarmony’s TOS prohibits inaccurate or misleading information.  Since many adults overstate their attributes and hide their faults the proposed construction would criminalize this behavior.  The Supreme Court has refused to adopt the government’s broad interpretation of a statute because it would “criminalize a broad range of day-to-day activity.” United States v. Kozminski, 487 U.S. 931, 949 (1988).

The court discounted other appellate court decisions contrary to its current statutory construction.  “We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘exceeds authorized access.’ They therefore failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly so as to avoid ‘making criminal law in Congress’s stead.’ United States v. Santos, 553 U.S. 507, 514 (2008).”  Pp. 3870 – 71.

The court followed its earlier decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which narrowly construed the phrases “without authorization” and “exceeds authorized access” in the CFAA. “A growing number of courts that have reached the same conclusion.  These courts recognize that the plain language of the CFAA ‘target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.’ Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) (internal quotation marks omitted); see also Orbit One Commc’ns, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010) (‘The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper ‘access’ of computer information. It does not prohibit misuse or misappropriation.’); Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1343 (N.D. Ga. 2007) (‘[A] violation for ‘exceeding authorized access’ occurs where initial access is permitted but the access of certain information is not permitted.’); Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 499 (D. Md. 2005) (‘[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.’).”  P. 3871.

In conclusion, the scope and meaning of the CFAA and what does and does not cover acts which “exceeds authorized access” continues to be a hot topic for the courts.

Related Posts