US 9th Circuit: Computer Fraud & Abuse Act Targets Unauthorized Access to Computerized Information, Not Its Subsequent Misuse or Misappropriation.

The U.S. Ninth Circuit Court of Appeals gave a restrictive reading to the Computer Fraud and Abuse Act (“CFAA”), rejecting its use to remedy violations of a private company’s computer use policies by the company’s employee. United States v. Nosal, No. 10-10038 (April 10, 2012).

The CFAA, 18 U.S.C. § 1030, imposes criminal penalties and civil liability in a variety of circumstances in which one accesses a “protected computer” without authorization or “exceeds authorized access” in doing so. Some courts have held that an employee who has been granted unlimited access to his employer’s computer acts without authorization or exceeds authorized access in violation or the CFAA when he makes an unauthorized use of information obtained from the computer, such as by sending the information to a competitor. In those opinions, the courts determined that an employee’s breach of his employer’s computer use policy, or a violation of the employee’s fiduciary duty to his employer, could invalidate the employee’s previously-granted authorization to access his employer’s computer. See, e.g., United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

Writing for a majority of the en banc Ninth Circuit. Chief Judge Alex Kozinski disagreed with those cases, ruling that “the plain language of the CFAA ‘target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.’” The court opined that transforming a workplace violation of an employer’s policy into a criminal law violation would violate the rule of lenity, which “requires penal laws . . . to be construed strictly.” In addition, the court suggested that the reasoning underlying the rule adopted by the Eleventh, Fifth, and Seventh Circuits could logically be used to impose criminal liability whenever one accesses a private website in a manner which does not comply with the website operator’s terms of use—an everyday occurrence which Congress surely did not intend to penalize as a crime.

Print Friendly    Send article as PDF   
This entry was posted in Communications Law, Employment Law, Intellectual Property Law, Internet Law. Bookmark the permalink.