In a decision likely to be sobering for companies fighting insider threats, a federal appeals court has ruled that an employee who used his valid computer access rights to take data from his employer cannot be held liable under a federal anti-hacking law.
The case involves Mike Miller, a former project director at WEC Carolina Energy Solutions, in Rock Hill, S.C. Miller and his assistant Emily Kelley allegedly downloaded proprietary data from WEC's computers just before they resigned in April 2010.
Miller is accused of using the data to win business for his new employer, a WEC rival.
WEC sued Miller and Kelley for violating nine state laws and the Computer Fraud and Abuse Act (CFAA), a federal anti-hacking statute passed in 1986. The law provides criminal penalties for individuals who access computers without authorization or exceed their authorized access, and it also gives parties harmed by such access a civil cause of action, which is what WEC invoked here. It is typically used to prosecute external hackers who break into a computer to steal data or commit sabotage.
In its October 2010 lawsuit, WEC claimed that Miller illegally downloaded the company's confidential and trade secret documents, including those with details on pricing terms and pending projects to Miller's laptop.
The company argued that Miller and Kelley breached the company's computer use policies when they grabbed the data. WEC maintained that because of the policy breach, Miller lost his authorized access and was therefore liable under CFAA.
The U.S. District Court in South Carolina, which heard the case, rejected WEC's CFAA claims in February 2011. That court held that WEC failed to make its case because Miller was authorized to access the data at the time he downloaded it.
"WEC's company policies regulated use of information, not access to that information," the court ruled. Even if Miller's purpose in accessing the information was contrary to company policies, the access itself was not improper and could not be prosecuted under CFAA.
The case was appealed by WEC to the U.S. Court of Appeals for the Fourth Circuit. It arrived at the same conclusion.
In a 14-page ruling, the appellate court held that WEC had no case against Miller and his assistant under CFAA. The ruling was announced July 26, but received scant attention until several legal blogs reported on it. Venable.com and JD Supra both highlighted the case this week.
"We agree with the district court that although Miller and Kelley may have misappropriated information, they did not access a computer without authorization or exceed their authorized access," Appeals Court Judge Henry Floyd wrote. "Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress's intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy."
The Fourth Circuit decision is consistent with one issued in April by the U.S. Court of Appeals for the Ninth Circuit. In that case, too, the appeals court held that several employees at an executive recruitment firm did not exceed their authorized access to a company database when they logged into the system and took confidential data.
The Ninth Circuit decision also held that the CFAA primarily applied to external hackers and violations of computer access restrictions -- not usage restrictions.
The decisions make it much harder for companies in the jurisdictions of the two appellate courts to use the CFAA against rogue insiders, said Todd Horn, a labor and employment lawyer with Venable LLP. The rulings show why it is more important than ever for companies to ensure that their computer use and access policy is "as robust as possible and not boilerplate," he said.
The Fourth Circuit court's ruling in the Miller case leaves the door open for the CFAA to be used in situations where a company's computer access policies are tightened sufficiently, he said.
"The door isn't completely shut," Horn said. For instance, a company's policy could specifically prohibit an employee from accessing company data on behalf of outsiders. Any employee who violated such a policy would likely be on the hook under the CFAA, he said. In this case, the court relied on WEC's internal policies to decide what constituted authorized access.
As a result, he said, companies should review their policies to close any loopholes that might allow rogue insiders to escape liability under the CFAA.
Horn added that companies also have state and common law cases they can use to go after rogue insiders. He also noted that other appellate courts have allowed CFAA to be used in similar prosecutions against rogue insiders.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.