In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit last week ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it.
In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.
"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski said writing the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote. The term "exceed authorized access" under the CFAA applies specifically to external hackers and violations of "restrictions on access to information, and not restrictions on its use," Kozinski held.
The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court.
The case in question involves David Nosal, a former employee at Korn/Ferry, a large executive recruitment firm based in Los Angeles. Soon after Nosal left the firm a few years ago, he convinced a few of his former colleagues to join him in setting up a competing firm, according to a description of the case in court documents.
Before joining Nosal, some of the employees used their login credentials to access a confidential Korn/Ferry database and download a large list of names and contact information of executive candidates from around the world. The information, which was clearly marked as meant for Korn/Ferry's internal use and prohibited from disclosure, was then passed on to Nosal.
After the theft was discovered, Nosal was indicted on 20 counts, including mail fraud, trade secret theft and violations of the CFAA. He was accused under CFAA of aiding and abetting his former colleagues to exceed their authorized access on the Korn/Ferry system. Nosal appealed the CFAA charges, contending that the law applied only to external hackers and not to individuals who misused data after obtaining it in an authorized fashion.
His appeal was originally dismissed by the district court. The court held that individuals who accessed a computer with the intention to defraud were in fact exceeding their authorized access to the system.
Nosal filed a second appeal seeking to dismiss the CFAA charges after a Ninth Circuit decision in a separate case involving similar unauthorized access charges. That case involved an individual named Christopher Brekka, who was accused by his employer LVRC Holdings, LLC of accessing the company's computers without proper authorization, both while he was an employee and later after he had left the firm. The appellate court ruled that Brekka did not violate CFAA provisions through his actions, even when he accessed LVRC's computers and emailed confidential documents to himself and his wife just prior to leaving the company.
The court held that Brekka had been authorized to use the computer and had been entitled to access the documents, and therefore could not be charged with exceeding his access rights.
The district court upheld Nosal's second motion to dismiss the CFAA charges after the Brekka ruling. The government filed an appeal following that decision. Kozinski last week offered the same rationale used in the Brekka case to dismiss the government's appeal.
The CFAA, he wrote, applies primarily to unauthorized access involving external hackers. The definition of "exceeds authorized access" under the CFAA applies mainly to people who have no authorized access to the computer at all. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system. Applying the language in the CFAA any other way would turn it into a "sweeping Internet-policing mandate," he wrote.
"Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a 'nonbusiness purpose'?" he wrote. "If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?"
Kozinski acknowledged that other appellate courts have applied the CFAA more broadly, extending it to violations of corporate computer use restrictions or violations of a "duty of loyalty". In his opinion, Kozinski said he was not persuaded by the decisions of the other courts and insisted that the term "exceeds authorized access" was meant to be applied in a very narrow and specific context.
"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he said. "Employees who call family members from their work phones will become criminals if they send an email instead."
In a dissenting opinion, Circuit Judges Barry Silverman and Richard Tallman wrote that the majority had taken a clearly written federal statute and parsed it in a manner that distorts the original intent.
"This is not an esoteric concept," Silverman wrote. "A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself." Similarly, while a new car buyer might be entitled to test drive a new car, he would "exceed his authority" to take the car to Mexico. "No other circuit that has considered this statute finds the problems that the majority does," he wrote.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].