9th Circuit Clarifies Brekka: Employees Can Be Criminally Prosecuted for Violating Their Employer’s Computer Policies

In California, Washington, Oregon, Alaska, Montana, Arizona, Nevada and Idaho – states covered by the 9th Circuit Court of Appeals — the answer as of yesterday is an emphatic “YES.” In U.S. v. Nosal, 2011 WL 1585600 (9th Cir. April 28, 2011) the court clarified its decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009) which up until now was considered to be a bar to using the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute, against employees who stole their employer’s computer data. This case places the 9th Circuit in sync with the other Circuit Courts that permit the CFAA to be used against employees who steal data from the company computers.

The CFAA, while primarily a criminal statute, permits victims of computer crime, including companies, to bring civil actions for damages and injunctive relief based on violations of the statute. Title 18, U.S.C. §1030. A key element in proving either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed [ed] authorized access.” Brekka has been cited for the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.

David Nosal, a Korn/Ferry executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.” Id. at *2. According to the Indictment, these employees, “using their user accounts to access the Korn/Ferry computer system” “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database – a ‘highly confidential and proprietary database of executives and companies’ – which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” Id.

The district court had originally upheld the CFAA counts against Nosal based on precedent in other Circuits but changed its decision and dismissed the counts after the Brekka decision. The government appealed, relying on Korn/Ferry’s computer policies that restricted the scope of employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.” Id. The government argued that based on these policies, Nosal had exceeded authorized access.

The court agreed with the government, citing the statutory definition of ‘exceeds authorized access” which means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court held that the word “so” in the statutory definition “refers to an accesser who is not entitled to access information in a certain manner. Id. at *4. Thus, the court held that “an employee ‘exceeds authorized access’ under §1030 when he or she violates the employer’s computer access restrictions – including use restrictions.” Id.

Nosal distinguished its prior decision in Brekka on the facts — “[b]ecause LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether – or when – his access would have become unauthorized.” Id at *6. The key difference was the Korn/Ferry computer policies. The court concluded “as long as an employee has some permission to use the computer for some purpose, that employee accesses the computer with authorization even if the employee acts with a fraudulent intent.” Id. Thus, “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” The court emphasized, “[i]t is as simple as that.” Id.

Finally, the court directly responded to Nosal’s argument that its decision “will make criminals out of millions of employees who might use their work computers for personal use, for example to access their personal email accounts or to check the latest college basketball scores.” Id. at *7. The court pointed out that the CFAA “does not criminalize the mere violation of an employer’s use restrictions.” Id. Rather, the employee must evince an intent to defraud and take something of value. Thus, there must be more than “[s]imply using a work computer in a manner that violates an employer’s use restrictions.” Id.

This case is all about instituting clear and conspicuous computer use policies. (“Korn/Ferry employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employee’s access to the system in general and to the Searcher database in particular” Id). The major take away from the Nosal decision is that every company that is serious about protecting its computer data should have comprehensive computer policies that clearly spell out the scope of their employees’ authorization to access the company computers. It is no longer a viable option to do nothing.