The Computer Fraud and Abuse Act (“CFAA”) is a federal law that, in part, makes it a crime to access a computer in an unauthorized manner. In the employment context, the statute has proven valuable in protecting confidential and proprietary information that employees can access on their employers’ electronic systems.
Recent decisions by the United States Courts of Appeals for the Ninth and Third Circuits emphasize the breadth of the CFAA’s application to the workplace. In U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted 2011 U.S. App. LEXIS 21777 (Oct. 27, 2011), the court held that employees violated the CFAA where their use of an employer’s systems exceeded their authority under the employer’s policies, which warned of criminal liability for misuse. The court went one step further in U.S. v. Tolliver, No. 10-3439, 2011 U.S. App. LEXIS 19090 (3d Cir. Sept. 15, 2011), finding that an employee who accessed her employer’s systems as part of bank fraud exceeded authorized access even though the employer only generally prohibited use of its electronic systems for non-business reasons.
In Nosal, the defendant worked for an executive search firm. When his employment with the firm ended, he entered into a non-competition agreement with the firm. Despite the agreement, the defendant purportedly asked three current employees of the firm to help him compete against his former employer. These employees allegedly transferred confidential information from the firm’s computer database to this individual – information that the employees were authorized to access as employees of the firm.
Notably, pursuant to firm policy, employees could access the information only by using individualized usernames and passwords. Additionally, the employees agreed to use and disclose such information only for legitimate business reasons. The firm also marked the information as “proprietary and confidential” and warned that employees needed “specific authority to access” the information and that access “without the relevant authority can lead to disciplinary action or criminal prosecution.”
The issue before the court was whether the employees “exceed[ed] authorized access” under the CFAA (assuming the allegations set forth against them were true). As noted in the opinion, some courts outside the Ninth Circuit have limited the CFAA’s protections in this context to “computer hackers, electronic trespassers and other ‘outsiders’” only, while others have found violations where employees with authorized access engaged in activities that harmed the employer and breached their duties of loyalty.
The court focused on the plain language of the statute in rendering its decision. By statute, in order to exceed authorized access, one must “access a computer with authorization and . . . use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court concluded the word “so” in the definition would be meaningless unless it extended to actions by individuals beyond those which are indicated or suggested. As a result, the court ruled that employees with some authority to access an employer’s computer systems can nonetheless violate the CFAA if their access extends beyond the express authorization permitted by their employer.
The court explained that its ruling was consistent with LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), where the court decided that an employee did not exceed authorized access because he had permission to access the employer’s system, regardless of the manner in which he used it. The court distinguished Brekka by highlighting that the employer’s policies in the case before it limited the manner in which the employees were authorized to access information on the employer’s system. To the contrary, the employee’s access in Brekka was “unfettered.”
Whether the Nosal decision will stand is yet to be decided. The Ninth Circuit heard argument en banc in the case on December 15, 2011.
In Tolliver, the defendant, a bank employee, allegedly accessed customer account information stored in the bank’s electronic systems. The individuals whose accounts were accessed subsequently became victims of a scheme involving fraudulent checks that were drawn against their accounts.
Bank employees, like the defendant, could access the customer account information using their employee numbers and passwords. Additionally, bank policy generally prohibited employees from accessing customer account information without a business purpose. It was undisputed that the customer accounts were accessed using the defendant’s employee number, and that the defendant had no business reason to access the information.
Without specifically referencing the bank’s policies regarding use of its electronic systems, the court held that the defendant violated the CFAA by intentionally exceeding her authorized access. It explained that although the bank permitted her to access customer information, she accessed the information without a business purpose, thereby exceeding her authorized access in violation of the CFAA.
* * * * *
The Ninth Circuit’s decision in Nosal underscores the importance of having comprehensive workplace policies in place that limit employee use of electronic systems. The court in Nosal decided that employees exceeded their authorized access in violation of the CFAA by using the employer’s systems in a manner contrary to detailed policies. The Third Circuit’s decision in Tolliver demonstrates that the absence of such policies may not be fatal to a CFAA claim based on an “exceeding authorized access” theory (albeit the case was an extreme one involving a bank fraud). Together, these decisions emphasize the continued significant role that the CFAA plays in protecting confidential and proprietary electronic information in the workplace.
In light of the continuous evolution of the law in this area, employers should review their electronic systems policies with employment counsel periodically to ensure that the policy language complies with current law and protects their business interests. To discuss your company’s policy needs, please contact any attorney in the Gibbons Employment & Labor Law Department.