9th Circuit: Violations of Computer-Use Restrictions Are Not Criminal
In a recent 9-2 en banc ruling, the Ninth Circuit Court of Appeals adopted a narrow interpretation of the 1984 Computer Fraud and Abuse Act (CFAA), which makes it a crime to "exceed authorized access" to a computer. Chief Judge Alex Kozinski authored the majority opinion in U.S. v. Nosal, affirming the district court’s dismissal of the charges against a former employee of an executive search firm. The defendant was starting his own search business and persuaded his former co-workers to give him information from a confidential company database. The employees who violated company policy by disclosing confidential information to the defendant were authorized users who had logged into the system with valid usernames and passwords.
The Ninth Circuit noted that prosecutions under the Act were typically directed at hackers who were alleged to have penetrated computers and networks maliciously with the intent to commit fraud. The Court refused to accept the Government’s broader application of the CFAA to the acts of employees who were authorized to use their company's computers and networks, reasoning that basing criminal liability on violations of private computer-use policies could transform innocuous behavior (such as visiting ESPN.com at work) into a federal crime.
Several other circuits have interpreted the CFAA in this broader way, as the dissent pointed out. Thus, whether the intent to defraud and to steal trade secrets and proprietary information serves to criminalize computer use that exceeds authorized access is a question decided differently in different federal circuits. From a compliance perspective, the division of opinion among the Circuits makes training employees on acceptable computer use challenging, since the ramifications of non-compliance are location-dependent.Categories: General Business Compliance
Tags: appropriate internet use