Ninth Circuit Rules That Employers' Computer Use Policies Can Support Claims Under the Computer Fraud and Abuse Act

May 4, 2011

 

A recent Ninth Circuit decision reinforces the importance of drafting appropriate policies governing employees’ access to and use of their employers’ computers. In United States v. Nosal, No. 10-10038, 2011 U.S. App. LEXIS 8660, *10 (9th Cir. April 28, 2011), the Ninth Circuit held that “an employee ‘exceeds authorized access’ under § 1030 [of the Computer Fraud and Abuse Act (the “CFAA”)] when he or she violates the employer’s computer access restrictions—including use restrictions.” But “[s]imply using a work computer in a manner that violates an employer’s use restrictions, without more, is not a crime under § 1030(a)(4).” Id. at *21. For an employer to successfully assert a private cause of action under the CFAA, its computer access and use restrictions must be “clear and conspicuous” and the employee must have knowledge of those restrictions. Id. at *17.

In Nosal, the government alleged that Nosal entered into a conspiracy with three of his former coworkers to obtain trade secrets and other proprietary information from a highly confidential and proprietary database owned by Nosal’s former employer, Korn/Ferry International (“Korn/Ferry”). Nosal allegedly intended to use the misappropriated trade secrets and proprietary information to establish a business in competition with Korn/Ferry. Nosal and his co-conspirators also allegedly used the co-conspirators’ Korn/Ferry database account usernames and passwords to obtain the trade secret and proprietary information.

This conduct violated the employer’s computer access and use policies as made known through confidentiality agreements with its employees, confidentiality designations on trade secret and proprietary information, and a confidentiality notice displayed upon logging into Korn/Ferry’s highly confidential and proprietary database.

Nosal argued that he could not be held liable under the CFAA because his co-conspirators, as employees of Korn/Ferry, necessarily had authorization to access the database and obtain information in it. In making this argument, Nosal relied on the Ninth Circuit’s earlier holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009): “If the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA. It would be improper to interpret a criminal statute in such an unexpected manner.” Nosal, 2011 U.S. App. LEXIS 8660 at *14.

In rejecting Nosal’s argument, the Ninth Circuit noted that its holding was merely an “application of Brekka’s reasoning.” Id. at *16. The Ninth Circuit explained that under Brekka, “[i]t is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’” Id. (citing Brekka, 581 F.3d at 1133). In Brekka, the employer did not have any computer access or use restrictions. Because the employee in Brekka had unfettered access to the subject computer, the employee was not accessing the computer without authorization or in excess of his authorization. But where, as in Nosal, “employees [are] subject to a computer use policy that place[s] clear and conspicuous restrictions on the employees’ access” to a computer and the “employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that.” Id. at *17-18.

With Nosal, the Ninth Circuit joins the Fifth and Eleventh Circuits in finding that an employee’s knowing violation of his or her employer’s computer access or use policies may be sufficient to establish a violation of the CFAA. See United States v. John, 597 F.3d 263, 271 (5th Cir. 2010) (stating that “at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime,” the user is subject to prosecution under the CFAA); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (distinguishing Brekka on the basis that the employer “told” the defendant that he “was not authorized to obtain personal information for nonbusiness reasons”).

Using the Ninth Circuit’s guidance, employers should review their computer access and use policies to ensure that the policies appropriately and effectively protect trade secrets and proprietary information. As part of this review, employers should take steps to ensure that any policies, and any ongoing changes to such policies, are clearly and conspicuously communicated to employees. Although not necessarily required, employers ideally will have a signed acknowledgement from each employee that he or she (i) is aware of the employer’s computer access and use policies; (ii) understands the policies; (iii) agrees to abide by the policies; and (iv) understands that any violation of the policies may result in discipline, civil liability, and/or criminal prosecution.