By David Lindsey Attorney of David Lindsey, Attorney at Law posted in Fraud on Monday, April 16, 2012.
In a 9-2 decision, California’s 9th Circuit Court of Appeals has ruled that prosecutors are too broadly applying the 1984 Computer Fraud and Abuse Act in going after someone who violates employer computer policies or a website’s terms of service; the majority upheld the decision of San Francisco U.S. District Court judge in the government’s case against David Nosal, a former employee at an executive search firm who allegedly asked colleagues to access a confidential database to get information for his new business.
The CFAA statute was passed by the U.S. Congress in 1986, and was intended to address federal computer-related offenses such as hacking. It has been amended repeatedly in an effort to keep up with advances in technology and security, most recently, as part of the Patriot Act and the Identity Theft Enforcement and Restitution Act.
Writing for the majority, Chief Judge Alex Kozinski said, “The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” The majority is following the 9th Circuits controlling case, LVRC Holdings LLC v. Brekka, and holds that “exceeds authorized access” as defined by the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.
The two dissenting judges point out that the statute requires “intent to defraud”, and that intent was clearly present. “This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values,” Judge Barry Silverman wrote, with Judge Richard Tallman joining. “It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”
There are other laws the government can use to prosecute someone who steals confidential information; interpreting the CFAA too broadly essentially leaves individuals at the mercy of a local prosecutor. And while the opinion breaks from 5th and 11th Circuit Court decisions in similar cases, it remains to be seen whether prosecutors will seek high court review.