In United States v. Nosal, a federal jury in California convicted a former employee of Korn/Ferry for violating the Computer Fraud and Abuse Act (“CFAA”). The evidence showed that the defendant directed his co-conspirators within the firm to use a borrowed password to gain access to trade secrets to be used in establishing their own business. The use of the borrowed password was critical to the successful prosecution under the CFAA because earlier in the case the Ninth Circuit Court of Appeals issued an opinion that narrowly interpreted the statute to prohibit only “unauthorized procurement or alteration of information, not its misuse or misappropriation.” The significant aspect of the Ninth Circuit’s interpretation of the CFAA in Nosal is the Court’s conclusion that a violation of the statute does not occur merely because an employee initially uses his authorized access to obtain his employer’s proprietary information even if he does so with the intent to misappropriate it. Presumably, had Nosal’s co-conspirators who accessed the computerized information in question been able to do so using their own passwords, there would have been no “unauthorized procurement” in violation of the CFAA.
Should Nosal appeal his conviction, as is likely, the Ninth Circuit will have to decide whether use of a borrowed password constitutes “unauthorized procurement” under its view of the reach of the CFAA. But that limited issue should not obscure the fact that, as discussed below, other courts have taken a much more expansive view of the CFAA than has the Ninth Circuit. The CFAA should be of special interest to employers because, in addition to its criminal penalties, it authorizes a civil action against the offending party for money damages and injunctive relief.
Current State of the CFAA’s Application to Employees Remains Unclear
Contrary to the Ninth Circuit’s view of the CFAA, several other Circuit Courts of Appeal previously interpreted the statute as more than just an “anti-hacking” law and found violations by employees who used their authorized access for unauthorized purposes. For example, in United States v. John the Fifth Circuit concluded that the defendant violated the CFAA when she used her authorized access to her employer’s computerized records to make copies of customer account information as part of a fraudulent scheme. More recently, in a similar case, United States v. Tolliver, the Third Circuit upheld a conviction under the CFAA of a bank employee because her accessing of electronically stored information was without any legitimate business purpose. Both the Seventh Circuit and the Eleventh Circuit also have adopted this more expansive interpretation of the CFAA. On the other hand, in WEC Carolina Energy Solutions LLC v. Miller, the Fourth Circuit rejected an employer’s argument that a departing employee violated the CFAA when he downloaded confidential documents from the company intranet while still employed and used them later when employed at a competitor. The Court expressed its agreement with the Ninth Circuit’s decision in Nosal and stated: “[W]e are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy.”
It is apparent that there will be no resolution to the differing views concerning the scope of the CFAA until, and unless, the United States Supreme Court weighs in to tell us whether the statute extends beyond hacking and also proscribes the unauthorized use of computerized proprietary information. Nevertheless, the CFAA remains a tool for companies to seriously consider in responding to the theft, misappropriation or misuse of computerized information, even in instances where a disloyal employee originally had been given access to the information.
For answers to any questions regarding the CFAA, trade secrets, or confidentiality agreements, please feel free to contact an attorney in the Gibbons Employment & Labor Law Department or the Gibbons Intellectual Property Department.