This guest post was authored by Alison Carrinski.
The U.S. Ninth Circuit Court of Appeals recently held in U.S. v. Nosal that an employer may sue for damages under the federal Computer Fraud and Abuse Act (CFAA) when an employee’s computer or data use exceeds authorization provided by the employer.
Section 1030(a)(4) of the CFAA prohibits employees from knowingly, and with intent to defraud, accessing an employer’s computer without authorization or exceeding authorized computer access, to further their intended fraud. The Ninth Circuit held for the first time that employees exceed authorized access whenever they violate the employer’s computer and data access policies.
Nosal, a former employee of an executive search firm, engaged three current employees of the firm to help him start a competing business. The employer had a clear policy that allowed use of its proprietary information only for legitimate business reasons. The company notified employees that accessing electronic information without authority may lead to discipline or criminal prosecution. In violation of this policy, these employees accessed the firm’s trade secrets and proprietary information by using their user accounts to access the employer’s electronic database. Nosal argued that they could not be liable under the CFAA because the employees were not accessing the computer system without authorization, i.e., they were not hacking into the system. The Ninth Circuit disagreed with Nosal, reasoning that, by violating the employer’s clearly stated policy, the employees had exceeded their authorized computer access and may be liable under the CFAA.
Consider the difference between this example and LVRC Holdings LLC v. Brekka, where an employee who sent confidential work emails to his and his wife’s personal email accounts was not liable under the CFAA. In that case, as opposed to Nosal, the employer never notified the employee of any computer restrictions, either through a policy or in an employment contract. Brekka teaches an important lesson: if an employer does not publish a written policy, it will be unable to hold employees liable under the CFAA when they use a computer in an unauthorized manner with the intent to commit fraud.
Therefore, it is important for employers to maintain a written, up-to-date computer access policy that limits use of work computers to work activities only, and that limits access to confidential and sensitive data to only those employees who need such information to perform their jobs.