A federal appellate court upheld an indictment of several employees under the Computer Fraud and Abuse Act for passing their employer’s computer files to a former coworker starting a competing business. The employees argued they were authorized to access the files but the court held that unauthorized sharing could be criminally prosecuted.
The Ninth Circuit Court of Appeals in United States v. Nosal (.pdf) rejected the argument that the statute was aimed at computer hackers rather than employees who breach contractual confidentiality agreements. It explained that
Although we are mindful of the concerns raised by defense counsel regarding the criminalization of violations of an employer’s computer use policy, we are persuaded that the specific intent and causation requirements of § 1030(a)(4) sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of a company computer for personal — but innocuous— reasons.
The court described the employer’s efforts to protect confidential information, including controlling electronic and physical access to its databases and servers and the “clear and conspicuous restrictions” in its computer use policy. It distinguished a previous case where an employee with “unfettered access to the company computer” had not violated the Act by forwarding his employer’s business documents to his personal email account during negotiations to purchase an ownership interest in the company.
The court indicated that it may not go as far as the Seventh Circuit did in a civil case, International Airport Centers, LLC v. Citrin (.pdf), which the Ninth Circuit panel interpreted as ruling that “an employee accesses a computer ‘without authorization’ the moment the employee uses a computer or information on a computer in a manner adverse to the employer’s interest.” At least in criminal cases, the Ninth Circuit seems to require employers to notify employees of access restrictions– even those that may seem obvious – to find that unauthorized access violated the Act.
Previously on Post or Perish – Court: Email Spying Violated Wiretap Act