Sunday, May 08, 2011

Case o' The Week: NSFW - Nosal and "Unauthorized" Access to an Employer's Computer

A slow week in the Ninth let's us reach back a bit to discuss an interesting, albeit disappointing, decision on the Computer Fraud and Abuse Act ("CFAA.") United States v. Nosal, 2011 WL 1585600 (9th Cir. Apr. 28, 2011), decision available here.

A warning, first: after
Nosal, do NOT click here if you're viewing this on a work computer - quite possibly a federal crime, to do so .
Link

Players: Decision by Judge Trott, hard-fought appeal by ND Cal appellate guru Dennis Riordan.

Facts: Nosal worked for a headhunter firm. When he left, he signed a non-compete agreement. Id. Despite this agreement, Nosal recruited three of the firm’s employees for his new, competing business: those employees allegedly transferred information from the old firm’s computer database to Nosal. Id. at *2.

The old firm had significant security measures on their computers: passwords, confidentiality stamps on all reports, and warnings against unauthorized access. Id. at *2.

Nosal and one of his accomplices were charged federally with violations of 18 USC § 1030(a)(4), the Computer Fraud and Abuse Act. Id. District Judge Marilyn H. Patel dismissed five counts on the defendant’s motion, concluding after the Ninth’s recent decision in LVRC Holdings v. Brekka that the CFAA only applied to hacking a computer (or directories) where the employee did not otherwise have no access. Id. at *3. The government took an interlocutory appeal. Id. at *1.

Issue(s): “The government contends . . . that Brekka counsels in favor of its interpretation of the statute – that an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of that information.” Id. at *1.

Held: “Although we are mindful of the concerns raised by defense counsel regarding the criminalization of violations of an employer’s computer use policy, we are persuaded that the specific intent and causation requirements of § 1030(a)(4) sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of the company computer for personal – but innocuous – reason.” Id. at *1. Brekka held that a person accesses a computer without authorization ‘when the person has not received permission to use the computer for any purpose.’ 581 F.3d at 1135. Today, we clarify that under the CFAA, an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer.' Therefore, we REVERSE the district court’s decision . . . .” Id. at *8.

Of Note: With all respect to the majority, dissenting Judge Tena Campbell – a visiting D.J. from Utah – has the better argument. Id. at *8. She persuasively argues that the key phrase relied upon by the majority – “exceeds authorized access” has much broader meaning (without an intent requirement) in other parts of the same statute, making the majority’s decision unconstitutionally vague. Id. Congress meant this statute for hacking, she explains, and she worries (with reason) that the majority’s decision makes any unauthorized action on a employer’s computer a federal crime. Id. at *9-*10. (How many millions of apparent federal criminals were checking their brackets during March Madness this year, one wonders). Judge Campbell also doesn’t buy Judge Trott’s heavy reliance on one word in the statute, (“so”) to salvage the government’s interpretation. Id. at *10.

Worth noting that in another recent case (which just went en banc), a great dissent by a visiting district judge caught the Ninth’s eye: the majority decision will hopefully soon be corrected. See United States v. Leal-Felix, 625 F.3d 1148, 1151 (9th Cir. 2010) (Bennett, D.J, dissenting). Here’s hoping that Judge Campbell is as persuasive a visitor as Judge Bennett, and that Nosal gets some much-deserved en banc scrutiny.

How to Use: As noted above, Nosal’s novel holding deserves en banc review, and a PFR seems likely. Preserve pretrial challenges to § 1030(a)(4) charges – Nosal will hopefully not be the last word on this statute.

For Further Reading: Who was Nosal’s attorney? Joe Russoniello, at one point – ring a bell? (Picture left). For more on the Nosal saga, and why the ND Cal USAO is still in the case, see blog here.


Image of the March Madness brackets (obtained while at a home computer), from http://www.betvega.com/march-madness-printable-bracket/

Image of (former) United States Attorney / (former) David Nosal defense counsel, David Nosal, from http://informant.kalwnews.org/2010/08/web-extra-extended-interview-with-joe-russoniello/



Steven Kalar, Senior Litigator N.D. Cal. FPD. Website at www.ndcalfpd.org

.

Labels: , , ,

1 Comments:

Anonymous Vladimir Gagic said...

Would there be a separate federal statute if there were national security implications, such as if this was a defense contractor?

In other words, while in this case I certainly don't think Mr. Nosal should be prosecuted for a crime, I hope there is some criminal law preventing this from happening with military information in the hands of a private firm.

Wednesday, May 18, 2011 11:22:00 AM  

Post a Comment

<< Home