• July 15, 2016

Thief Criminal Burgler RobberWe all understand employers chasing departing employees who downloaded company data on their way out the door. We all understand the interest in suing the disloyal rogues (from the employers’ perspective, at least). But do we want to “make a federal case out of it”? Should the feds be involved under these circumstances? When is federal criminal law triggered?

The question is too vague and general to answer in a vacuum but one can point to many instances when employers have tried to invoke the federal Computer Fraud and Abuse Act (CFAA) against departing employees without success (see previous posts here). Recognizing that the CFAA’s impetus, target, and focus, from the start, was “hacking” (infiltration into computer systems by third-parties, to either misappropriate data or damage the systems), courts across the country have been reluctant to use its “sweeping Internetpolicing [sic] mandate” to resolve day-to-day, computer-related employment disputes.

But businesses (and criminal prosecutors) have not given up on the CFAA as a means of pursuing purportedly malfeasant ex-employees. In a recent case out of the U.S. Court of Appeals for the Ninth Circuit, the Ninth Circuit, over a dissent, held that an ex-employee who gains access to his former employer’s computer system through a current employee’s username/password has accessed the system “without authorization” and has exposed himself to criminal liability under the federal CFAA.

Judge Stephen Reinhardt dissented.  He criticized the majority for “jeopardizing most password sharing [and losing] sight of the anti-hacking purpose of the CFAA, [threatening] to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”

Take the case of an office worker asking a friend to log onto his email in order to print a boarding pass, in violation of the system owner’s access policy; or the case of one spouse asking the other to log into a bank website to pay a bill, in violation of the bank’s password sharing prohibition. There are other examples that readily come to mind, such as logging onto a computer on behalf of a colleague who is out of the office, in violation of a corporate computer access policy, to send him a document he needs right away. ‘Facebook makes it a violation of the terms of service to let anyone log into your account,’ we noted in Nosal I, but ‘it’s very common for people to let close friends and relatives check their email or access their online accounts.’ 676 F.3d at 861 (citing Facebook Statement of Rights and Responsibilities § 4.8).

Was access in these examples authorized? Most people would say ‘yes.’ Although the system owners’ policies prohibit password sharing, a legitimate account holder ‘authorized’ the access. Thus, the best reading of ‘without authorization’ in the CFAA is a narrow one: a person accesses an account ‘without authorization’ if he does so without having the permission of either the system owner or a legitimate account holder.

This narrower reading is more consistent with the purpose of the CFAA.

If this were a civil statute, it might be possible to agree with the majority, but it is not. The plain fact is that the Act unquestionably supports a narrower interpretation than the majority would afford it. Moreover, the CFAA is not the only criminal law that governs computer crime. All fifty states have enacted laws prohibiting computer trespassing. A conclusion that Nosal’s actions do not run afoul of the CFAA need not mean that Nosal is free from criminal liability, and adopting the proper construction of the statute need not thwart society’s ability to deter computer crime and punish computer criminals — even the ‘industrious hackers’ and ‘bank robbers’ that so alarm the majority.

Mitchell-Hamline law professor, Ted Sampsell-Jones, was on the appeal for Mr. Nosal, the losing party in this, his second appeal. In addition to Prof. Samsell-Jones’ advocacy, Nosal also received support from the Electronic Frontier Foundation and the BSA Software Alliance, whose members include Adobe, Apple, Dell, IBM, Intuit, McAfee, Microsoft and other software industry leaders — serious firepower on a battle line sure to be contested again.

Leave a Reply

Your email address will not be published. Required fields are marked *