The 9th Circuit: Employees Are Free to Steal from the Company Computers

Yesterday the 9th Circuit Court of Appeals issued an opinion holding that limiting an employee’s access to the company computers solely to business purposes, i.e. not stealing the data for a competitor, cannot be the predicate for a violation of the federal computer crime statute, the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. § 1030. U.S. v. Nosal, 2012 WL 1176119 (9th Cir. April 10, 2012). The CFAA makes it a crime in various instances to access a computer “without authorization” or to have “exceeded authorized access” to obtain information from the computer, and it permits those, including companies, who are victims of violations of the statute to bring a civil action against the perpetrators.

The court acknowledged that its decision conflicts with the 5th, 7th and 11th Circuits, so there is a good chance the Supreme Court will have the final say on this issue if the Department of Justice decides to appeal. As the dissent pointed out, this decision is counter to the common sense notion that a “bank teller is entitled to access a bank’s money for legitimate purposes, but not to take the bank’s money for himself.”

Brekka

The history of this case dates back to LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). Brekka involved the classic employee theft of data whereby employees, before they leave to compete, e-mail to themselves competitively sensitive company data. The Brekka court refused to apply the CFAA to this theft of data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer. Id. at 1133. Thus, Brekka was predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.

Nosal I

Two years later, in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), the 9th Circuit clarified its decision in Brekka and allowed a violation of company policies to serve as a predicate to prove unauthorized access in the employer/employee context. As of the Nosal decision, Brekka had been relied upon by numerous district courts in and out of the 9th Circuit as a bar to using the CFAA against employees who stole data from their employers’ computers.

David Nosal, a Korn/Ferry executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.” Id. at 782. The Indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system” who then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database – a ‘highly confidential and proprietary database of executives and companies’ – which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” Id.

The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed itself after the Brekka decision. The government appealed relying upon Korn/Ferry’s computer policies that restricted the scope of employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.” Id.

The government argued that based on these policies, Nosal had exceeded authorized access. The court agreed, holding that “an employee ‘exceeds authorized access’ under §1030 when he or she violates the employer’s computer access restrictions – including use restrictions.” Id. Nosal distinguished Brekka on the lack of computer policies governing Brekka’s right to access the company computers — “[b]ecause LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether – or when – his access would have become unauthorized.” Id. at 787.

The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” Id. at 788. Subsequently, the court granted an en banc rehearing of its decision in Nosal.

Nosal II

The recent en banc reversal of the initial Nosal decision reasoned that the CFAA applies only to hackers: “without authorization” should be read to “apply to outside hackers (individuals who have no authorized access to the computer at all)” and “exceeds authorized access” to “apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).” The court stated that “[t]he government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer.”

As the court admits, it essentially defines “without authorization” to mean “the circumvention of technological barriers” in the computers. There is, however, nothing in the plain language of the CFAA that supports such a restrictive interpretation of access “without authorization.” Based on Morrison v. National Australia Bank Ltd., 130 S.Ct. 2869 (2010), where the Supreme Court criticized “judicial-speculation-made-law – divining what Congress would have wanted if it had thought of the situation before the court,” it is highly unlikely that the Supreme Court will read such a restriction into the statute.

Nosal further held that “the government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer” and that this would “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” As described by the dissent in the case, the court “posit[s] a laundry list of wacky hypotheticals” that include “private computer use policies” that prohibit personal use of company computers, making criminals out of “[e]mployees who call family members from their work phones . . . if they send email instead.”

This of course raises an issue of prosecutorial discretion. A similar laundry list of wacky hypotheticals could also be posited for the mail and wire fraud statutes, yet the Supreme Court has upheld both. For example, a student who called home from college asking his parents to send him money for books, when he really intended to use the money to buy beer, is technically in violation of the wire and mail fraud statutes. The bottom line is, as the dissent in Nosal pointed out, that it is simple to come up with a contorted application of any criminal statute. That does not make the law unenforceable or unconstitutional.

Company computer policies risk becoming obsolete — Policies must reflect new laws and court decisions on data theft, social networking and cloud computing.

BY NICK AKERMAN
Have your client companies’ policies kept pace with changes in the law affecting computer technology? New statutes and court decisions relating to computer technology affect every business.

Many companies overlook opportunities to respond to these new laws by adopting robust policies to take advantage of the protections they afford and to minimize the risks they pose. This article will review three critical areas of computer technology that should be addressed by company policies: theft of data, social networking and cloud computing.

Theft of data. Federal and state laws obligate companies to take steps to prevent data theft, notify consumers of the theft of their personal data and create new remedies for companies to sue data thieves. Policies are a critical complement to these laws.

The most comprehensive of the prevention laws is the Massachusetts regulation that requires companies maintaining personal data belonging to Massachusetts residents, whether or not the company does business in Massachusetts, to institute a data-compliance program that includes, among other things, security policies that must be enforced through technology such as encryption. 201 Mass. Code Regs. 201, 17.03-17.05. The personal data at issue—Social Security numbers, credit card and banking information—are data that can be used to perpetrate identity theft. The obligation to protect data is not limited to personal information. In 2004, the Sarbanes-Oxley Act caused the New York Stock Exchange to require its member companies to promulgate policies as part of a comprehensive compliance program to protect both personal and competitively sensitive data. NYSE’s Listed Company Manual, § 303A, ¶ 10.

Also, since 2003, 45 states have enacted statutes requiring businesses to notify consumers of a breach of their personal data. Although these notification laws do not require companies to establish policies, they do require a company to determine whether there is a basis to trigger notification under the statutes and to determine how to comply with the patchwork of 45 state laws. Performing these tasks without response policies will inevitably contribute to an uncoordinated response and delay, when some states like California require notification in the “most expedient time possible and without unreasonable delay,” while other states, such as Wisconsin, define a more precise time period. Calif. Civ. Code § 1789.82(a); Wis. Stat. § 134.98.

A company cannot investigate data theft unless it has policies that adequately define an employee’s expectation of privacy. In Stengart v. Loving Care Agency, 201 N.J. 300, 314 (2010), the New Jersey Supreme Court, based on an ambiguity in a company policy that allowed occasional personal use of the company computer, concluded that personal e-mails were private. Also, with many employees now using personally owned computing devices to work outside of the office, a policy permitting the employer to retrieve work-related data from these devices reinforces the employer’s rights to its data.

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, the federal computer crime statute, provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the statute. 18 U.S.C. 1030(g). Liability for data theft is based on whether the access to the company computers was unauthorized or exceeded authorized access. The “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden” through its policies. Id. The violation of the policy in turn is the predicate for proving the critical element of the statute: that the access was unauthorized.

Social networking. Social media pose a number of legal challenges to companies, including ownership of social-media accounts, labor and employment risks, and the protection of the company’s confidential information.

Businesses commonly market themselves on major social-networking sites including Facebook, LinkedIn and Twitter. As demonstrated by two recent cases, ownership of this marketing tool is not always clear. Just last July, PhoneDog.com, a popular mobile phone site, sued a former employee who had amassed approximately 17,000 followers on Twitter, claiming that the followers constituted a company-owned customer list entitling it to $2.50 per month per follower, or $350,000 in total damages.

In December, an employer and former employee sued each other, each claiming ownership of the former employee’s LinkedIn account, the popular social-networking site for business professionals. Eagle v. Morgan, 2011 WL 6739448 (E.D. Pa. Dec. 22, 2011). The only way to avoid the inevitable lawsuits over the ownership of these accounts is for businesses to be proactive in establishing up-front policies on ownership rights prior to adopting employee social-media accounts as a marketing tool.

Labor And Employment Risks

Social networking is fraught with a multitude of labor and employment risks. Indiscriminately using social-networking sites to conduct background checks of new hires or current employees can lead to discrimination or invasion-of-privacy suits based on protected information discovered during searches. For example, in Pietrylo v. Hillstone Restaurant Group, No. 2:06-cv-05754 (D.N.J. 2009), management learned of a password-protected MySpace site used by its employees, obtained the password from an employee, viewed the site and then fired two other employees based on what they saw. The fired employees sued, and the employer was found liable for violating the federal Stored Communications Act, 18 U.S.C. 2701-11. A company policy defining the circumstances under which such Internet investigations can properly be conducted could have avoided this lawsuit.

What an employee can communicate about the workplace on a social-networking site should also be addressed in a policy. The company has a clear interest in preventing an employee from disparaging it or releasing to the public its confidential information, but it cannot deny an employee the protected right to labor organizing. In October 2010, the National Labor Relations Board filed a complaint on behalf of a Connecticut ambulance company employee fired after using vulgarities to ridicule her supervisor on Facebook. The NLRB claimed the company maintained overly broad rules in its employee handbook regarding blogging, Internet posting and communications among employees. The case settled in February 2011 with the company agreeing not to prohibit discussion of hours, wages and working conditions on social-networking sites.

Cloud computing. Cloud computing outsources the maintenance of company data to a third party. The potential cost savings in having data maintained by a third-party provider can be quickly dissipated if company policies do not anticipate the potential legal traps created by entrusting data for safekeeping to someone else. All of the company’s current policies on security, record retention, incident response to a data breach and the obligation to provide e-discovery in the event of a lawsuit or government investigation must apply on the cloud and be reflected in the company’s contract with its cloud provider.

Although the cloud service is typically the party in possession of the data, the owner’s overall policy must be to maintain control of its data so that the data can be destroyed in the regular course of the company’s retention policies and preserved in response to a litigation hold. For multinational corporations, this also means policies to ensure compliance with local laws governing cross-border data transfers. For example, in November 2009, the European Network and Information Security Agency issued a report on cloud computing warning that companies remain responsible under U.K. law for safeguarding their customers’ information even if those data are stored by a service provider in the cloud.

Policies that worked yesterday will not necessarily work today or tomorrow. Every company should review its policies to ensure that they adequately:
• Protect data and respond properly to data breaches.
• Minimize the risks posed by social media.
• Apply established policies and appropriate foreign laws to data maintained on the cloud.