Computer Policies and the 9th Circuit

Last month I posted my article from the National Law Journal, entitled, “Time to Review Computer Policies,” discussing three recent cases, including LVRC Holdings LLC v. Brekka, 81 F.3d 1127, 1131 (9th Cir. 2009). I cited Brekka for the proposition that it is important to delineate the scope of an employee’s permissible access to the company computers. Since then, two new district court decisions from California and Washington have called into question whether such a strategy will work in the 9th Circuit. Both decisions narrow the meaning of exceeding authorized access under the federal Computer Fraud and Abuse Act (“CFAA”) and underscore how the 9th Circuit is taking a much more restrictive view of the CFAA than the other federal Circuits which have considered the breadth of this statute.

The first of these cases is U.S. v. Nosal, 2010 WL 934257 (N.D. Ca. Jan. 6, 2010), a criminal prosecution of Korn/Ferry employees who stole confidential data from the company computers prior to joining a competitor. The court had originally upheld the CFAA counts against the defendants based on precedent in other Circuits but changed its decision and dismissed the counts after the Brekka decision.

Brekka refused to apply the CFAA to employee data theft, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer. Brekka at 1133. The Ninth Circuit recognized that its decision was contrary to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), which held that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer, such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers is terminated. Id. at 420.

Nosal stated that “Brekka provides some indication, in dicta, that an employer might be able to define the scope of an employee’s access in terms of how the employee uses the information obtained from the computer system. See Brekka, 581 F.3d at 1133 (“An individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access.’ “) (emphasis added). And Brekka is quite clear that it is the employer who determines whether or not an employee has access. Id. at 1133, 1135.”

This dicta is consistent with the First Circuit’s view that the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Under this view of the CFAA, a company “can easily spell out explicitly what is forbidden,” Id. at 63, through a compliance code or an Employee Handbook, see e.g. Cont’l Group Inc. v. KW Property Mgmt., 622 F. Supp.2d 1357 at 1372 (S.D. Fla. 2009) or through employee agreements. See EF Cultural Travel BV, v. Explorica, Inc. 274 F.3d 577, 583-84 (1st Cir. 2001).

The government argued that Nosal was distinguishable from Brekka and that the “court could still hold that Nosal ‘exceed[ed] authorized access.’” The argument was predicated on the existence of company policies violated by the defendants:

They contend that whereas in Brekka, there was an absence of any employment agreement or express company policy limiting the scope of his authorization to access the company’s computer system, here there were a number of policies regulating the manner in which Nosal, Christian, J.F and M.J. could access and use the Korn/Ferry system. The superseding indictment alleges that “Korn/Ferry required all of its employees–including the defendants David Nosal and Becky Christian–to enter into agreements that both explained the proprietary nature of information disclosed or made available to Korn/Ferry employees (including the information contained in the Searcher database) and restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.” Superseding Indictment ¶ 10. Korn/Ferry also allegedly “declared the confidentiality of information in the Searcher database by placing the phrase ‘Korn/Ferry Proprietary and Confidential’ on every Custom Report generated from the Searcher database.” Id. ¶ 11. Finally, each time an individual logged in to a Korn/Ferry computer, a notice would appear explaining “[t]his computer system and information it stores and processes are the property of Korn/Ferry. You need specific authority to access any Korn/Ferry system or information and to do so without relevant authority can lead to disciplinary action or criminal prosecution.” Id. 

Id. at 7. Thus, “[t]he government argue[d] that these notices and agreements defined the extent of a Korn/Ferry employee’s access to the computer network . . . [and that] when Nosal and his confederates violated these provisions, they “exceed[ed] authorized access.”

The district court, however, rejected the government’s position and held that “[a]n individual only ‘exceeds authorized access’ if he has permission to access a portion of the computer system but uses that access to ‘obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter.'” 18 U.S.C. § 1030(e)(6) (emphasis in original). The court concluded that “[t]here is simply no way to read that definition to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate.” Id. at 7.

Based on Brekka, which held that “access and intent are separate elements,” the court found that “the government’s proposed interpretation of “exceeds authorized access” would create an uncomfortable dissonance within section 1030(a)(4).” Id. Thus, under the interpretation advanced by the government “an individual’s intent would be irrelevant in determining whether that person accessed a computer ‘without authorization,’ but as long as the company had policies governing the use of the information stored in its computer system, that same individual’s intent could be dispositive in determining whether they ‘exceed[ed] authorized access.’” Id.

Because “access” and “intent” are separate and distinct elements of the CFAA does not mean that proof of the two elements cannot overlap. This is one of the fatal flaws with the Brekka reasoning. There are many instances in the criminal law where the proof on the element of intent and another element of the crime can overlap. For example, in the mail fraud statute a jury can rely on the deceptive nature of the content of the mailing to determine whether the defendant acted with fraudulent intent to perpetrate a scheme to defraud.

The Eleventh Circuit resolved this issue correctly in U.S. v. Salum, 257 Fed. Appx. 225, 230-31 (11th Cir. 2007) which interpreted “without authorization” based on the defendant’s change of mental state. Brekka totally ignores this decision. In Salum, a police officer with the Montgomery, Alabama Police Department was charged with a criminal violation of the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that there was sufficient evidence for the jury to conclude that Salum had accessed the computer “without authorization” because at the time he accessed the computer Salum knew that he was accessing the information “for an improper purpose.” Id. at 230.

The one Circuit which has directly addressed Brekka in the context of corporate computer policies, U.S. v. John, 2010 WL 432405, *2-*4 (5th Cir., Feb. 9, 2010) also got it right. John affirmed the criminal conviction of a Citigroup account manager, Dimetriace Eva-Lavon John, for violations of the CFAA for accessing customer account information contained in Citigroup’s internal computer system. John provided that Citigroup customer information to her half-brother, who used it to incur fraudulent charges on four different customer accounts. 

On appeal John, citing Brekka, argued that as a Citigroup employee, she was authorized to access the company computers for customer account information and that her mental state or motive in accessing the customer account information cannot be the basis for a violation of the CFAA. She argued “that the statute does not prohibit unlawful use of material that she was authorized to access through authorized use of a computer. The statute only prohibits using authorized access to obtain information that she is not entitled to obtain.” 

 Id. at *2. The court rejected John’s argument based, in part, on Citigroup’s corporate computer policies that “prohibited misuse of the company’s internal computer systems and confidential customer information.” Id. at *4. The court pointed out that John was aware of these policies and attended corporate training programs where these policies were reiterated.

By virtue of her violation of Citigroup’s computer policies, the court held that the jury could have properly found that John exceeded her authorized access to Citigroup’s computer because she “was not authorized to access that information for any and all purposes but for limited purposes.” Id. at *3. She was certainly “not authorized to access data or information in furtherance of a criminally fraudulent scheme.” Id. at *4. In reference to Brekka, the court held that the “Ninth Circuit’s reasoning at least implies that when an employee knows that the purpose for which she is accessing information in a computer is both in violation of an employer’s policies and is part of an illegal scheme, it would be ‘proper’ to conclude that such conduct ‘exceeds authorized access’ within the meaning of section 1030(a)(2).” Id.

The second case providing an identical interpretation of Brekka as Nosal is National City Bank, N.A. v. Republic Mortgage Home Loans, LLC, 2010 WL 959925 (W.D. Wash. March 12, 2010), in the context of a civil CFAA action,. The court read Brekka to mean that “[a]n employee who has permission to access a range of documents and stays within the confines of his authorization would have no reason to suspect that he could be charged with hacking, i.e., exceeding his authorized access, simply because he uses those documents in a way that violates company policies regarding confidentiality or document retention.” Id. at *4.

The Court, however, did state that “there is a clear split in authority on this point.” Id. This issue ultimately will be decided by the U.S. Supreme Court. See my previous posting, “Will the Justices Rule on the CFAA?,” as to why I believe Brekka will ultimately be reversed.