High Court May Rule on Computer Law Question

At issue is whether the Computer Fraud and Abuse Act applies to data theft by employees; the circuits are split.

BY Nick Akerman

On July 26, the U.S. Court of Appeals for the Fourth Circuit became the first circuit to adopt the Ninth Circuit’s holding in U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), that the Computer Fraud and Abuse Act does not apply to employees who steal data from the company computers. WEC Carolina Energy Solutions LLC v. Miller, 2012 WL 3039213 (4th Cir. July 26, 2012). This case places the Fourth and Ninth circuits in direct conflict with the First, Third, Fifth, Seventh, Eighth and Eleventh circuits, increasing the odds that the U.S. Supreme Court will address this issue at some point.

The CFAA, the federal computer crime statute, allows individuals or companies victimized by violations of the statute to bring a civil action against the perpetrator. U.S.C. 1030(g). For a theft of data a plaintiff must prove that the defendant accessed the computer “without authorization” or exceeded his authorized access. The conflict among the circuits centers on what it means to access a computer without authorization. This article will examine the scope of this issue and the likelihood that the Supreme Court will resolve this conflict in favor of the more expansive meaning of “without authorization.”

The complaint in WEC alleges the classic employee theft of data: Willie Miller, immediately prior to his resignation from WEC to join a competitor, downloaded WEC’s confidential and trade-secret information from his company-issued laptop computer at the direction of his new employer and thereafter used it on behalf of his new employer to obtain business from two WEC customers. WEC’s policies, while not directly restricting his “authorization to access the information,” prohibited him from “using the information without authorization or downloading it to a personal computer.” 2012 WL 3039213, at *1.

The Fourth Circuit in WEC, like the Ninth Circuit in Nosal, interpreted the key element of accessing the computer “without authorization” or exceeding “authorized access” narrowly to hold that the CFAA applies “primarily” to outside hackers and “that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer.” Id. at *4. Nosal went even further to engraft upon “without authorization” the requirement that the defendant’s access involve “the circumvention of technological barriers” to the computer. 676 F.3d. at 863.

Challenging the Seventh Circuit

Both WEC and Nosal take direct issue with Judge Richard Posner’s holding in Int’l Airport Ctrs. LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006), that “when an employee accesses a computer or information on a computer to further interests that are adverse to his employer, he violates his duty of loyalty, thereby terminating his agency relationship and losing any authority he has to access the computer or any information on it.” In rejecting this “cessation-of-agency theory,” the court in WEC stated that “[s]uch a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.” 2012 WL
3039213, at *6.

The Ninth Circuit rejected Citrin on the basis that “[n]othing in the CFAA suggests that a defendant’s liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). However, both the Ninth and Fourth circuits ignore the Supreme Court’s decision in Carpenter v. U.S., 484 U.S. 19 (1987), which relied on the same state law agency principles to uphold a “scheme to defraud,” the key element of the mail and wire fraud statutes.

Carpenter affirmed the conviction of a Wall Street Journal reporter who, prior to publication, had provided his upcoming financial columns to confederates, who bought or sold stock “based on the probable impact of the column on the market.” Id. at 23. The court held that “an employee has a fiduciary obligation to protect confidential information obtained during the course of his employment,” and intentionally exploiting that information for his own personal benefit constituted a scheme to defraud his employer of confidential information. Id. at 29.

WEC also incorrectly stated that only “two schools of thought exist” between Nosal and Citrin. 2012 WL 3039213, at *3. What Nosal and WEC fail to address is that the other circuits simply interpret “without authorization” unqualifiedly to mean lack of permission. Thus, the Fifth and Eleventh circuits have found lack of permission based limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir.2003). Thus, a company “can easily spell out explicitly what is forbidden” through its policies. Id.

The Fifth Circuit in U.S. v. John, 597 F.3d 263, 269, 272 (5th Cir. 2010), held that a Citigroup account manager, who accessed Citigroup’s internal computer system to provide her brother with customer account information that he used to perpetrate fraudulent charges, had exceeded authorized access based on “Citigroup’s official policy, that…prohibited misuse of the company’s internal computer systems and confidential customer information.” Id. at 272. Similarly, the Eleventh Circuit relied on company rules in U.S. v. Rodriguez,628 F.3d 1258 (11th Cir. 2010), to affirm the CFAA conviction of a Social Security Administration employee who accessed Social Security information for personal reasons in violation of the agency’s policy against “obtaining information from its databases without a business reason.” Id.

The Third and Eighth circuits have found unauthorized access to the company computer when the access was done without a legitimate business purpose. The Third Circuit in U.S. v. Tolliver, 2011 WL 4090472, at *5, found unauthorized access by a bank teller who provided customer information to fraudsters who siphoned funds from customers’ accounts because “she did not have a business purpose” to access those accounts. The Eighth Circuit in U.S. v. Teague, 646 F.3d 1119 (8th Cir. 2011), similarly found unauthorized access by an employee of a government contractor for the Department of Education who viewed President Obama’s student loan records without any legitimate business purpose.

Concern Over Innocent Activities

In the final analysis, the driving force that separates Nosal and WEC from the other circuits in narrowly defining “without authorization” is a concern that “private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes,” for example, that an employee “could be prosecuted” for innocent activities such as watching television on his “work computer.” Nosal, 676 F.3d at 860; see also, WEC, 2012 WL 3039213, at *6.

There are two reasons why the Supreme Court is unlikely to share this concern. First, the precise same arguments could be leveled at the federal mail and wire fraud statutes because they could be used to prosecute individuals for stealing paltry sums of money through the wires or mails under circumstances that should not be criminalized, yet the court has persistently upheld both statutes. Second, based on its recent decision in Morrison v. National Australia Bank Ltd., 130 S.Ct. 2869, 2881 n.5 (2010), in which the court criticized “judicial lawmaking,” it is highly unlikely that the Supreme Court, without any support in the plain language of the statute, will interpret “without authorization” to exclude employees.

No Password for You: California Enacts Social Media Privacy Laws Affecting Employers and Postsecondary Educational Institutions

By: Gary Gansle, Jessica Linehan, and Kurt Whitman

Addressing a recent hot topic regarding the forced disclosure of social media passwords and/or content as part of the employment application process, California has promptly resolved the issue legislatively. Effective January 1, 2013, employers in California are generally prohibited from requiring applicants and employees to disclose or access social media information. This new law, AB 1844, parallels an analogous law, SB 1349, which prohibits California’s public and private postsecondary educational institutions from requiring similar mandatory social media disclosure from students, prospective students, or student groups. Consistent with its historically strong state constitutional rights to privacy, California becomes the first state to pass social media privacy protection in both the employment and education contexts.

Employers

On September 27, 2012, California Governor Jerry Brown signed AB 1844, which passed unanimously in both the California Assembly and Senate. This new law prohibits employers from requiring applicants or employees to disclose username or password information to employers, to access personal social media in the presence of the employer, or to divulge any personal social media. AB 1844 defines “social media” broadly to include videos, photographs, blogs, instant and text messages, email, online services or accounts, or other web profiles or locations.

Moreover, employers may not retaliate against an employee or applicant for failing to comply with an employer’s unlawful request for access to the employee’s social media in violation of the new law.

AB 1844 carves out limited remedial access rights to the employer. Where the employee’s social media is “reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations,” the employer may request access to social media for the limited purpose of investigating such misconduct. Additionally, for employer-issued electronic devices, employers may still require disclosure of access information, such as usernames and passwords associated with the device.

The new law marks continued expansion of privacy protections for employee social media. Through the passage of AB 1844, California joins Maryland and Illinois, which have enacted comparable laws in the employment context. Similarly, the National Labor Relations Board has increasingly focused on employer social media policies in an effort to invalidate policies that are unlawfully overbroad and chill employee speech that is protected under Section 7 of the National Labor Relations Act. The passage of AB 1844 significantly curtails an employer’s ability to access employee social media in the first place.

In anticipation of these new restrictions, employers should review hiring policies and practices to ensure compliance with the new limitations. In addition, employers should not ask current employees to divulge their social media, or information needed to access it, except in the narrow situations outlined in the statute.

Postsecondary Educational Institutions

On September 27, 2012, Governor Brown also signed SB 1349, which passed unanimously in both the California Assembly and Senate. The new law adds a new social media privacy chapter to the California Education Code and prohibits all postsecondary educational institutions from requiring or requesting current or prospective students to “disclose, access, or divulge personal social media.” Similar to AB 1844, “social media” is defined to include any electronic service, account, or content, such as videos, photographs, blogs, instant and text messages, email, online services or accounts, or other web profiles or locations.

Under SB 1349, a postsecondary educational institution may not threaten a current or prospective student or student group with disciplinary action for refusing to comply with a prohibited request. Private nonprofit or for-profit postsecondary educational institutions must additionally post their “social media privacy policy” on their websites.

The new law will not affect the rights or obligations of postsecondary schools to 1) protect against and investigate alleged student misconduct or violations of applicable laws and regulations, or 2) take adverse action against a student, prospective student, or student group for any lawful reason.

In enacting the law, California becomes the second state, joining Delaware, to establish social media privacy protections for students and student groups. Other state legislatures and the U.S. Congress have proposed similar bills in the educational and employment context, and the trend will likely continue.

SB 1349 takes effect January 1, 2013. In light of this, public and private postsecondary educational institutions should assess their social media policies accordingly to ensure that their policies are compliant under the new limitations. Postsecondary institutions should also refrain from requesting social media information from current or prospective students other than under the exceptions outlined in the new law.

Gary Gansle is the head of the Labor and Employment group in Dorsey & Whitney’s Palo Alto office. Jessica Linehan is a member of the Labor and Employment group in Dorsey’s Southern California office. She practices exclusively in the area of employment law. Kurt Whitman is a member of the Regulatory Affairs group in Dorsey’s Minneapolis office. He is licensed in California and Minnesota and advises educational institutions on federal and state education law matters. The authors are all members of Dorsey’s Social Media and Privacy Law Group, which counsels clients on a wide variety of privacy law issues.

© 2012 Dorsey & Whitney LLP. This article is intended for general information purposes only and should not be construed as legal advice or legal opinions on any specific facts or circumstances. An attorney-client relationship is not created or continued by reading this article. Members of the Dorsey & Whitney LLP group issuing this communication will be pleased to provide further information regarding the matters discussed therein.