Federal Computer Fraud and Abuse Act: employee hacking legal in California and Virginia, but illegal in Miami, Dallas, Chicago, and Boston.

• Author: Kain, Robert C.

The Federal Computer Fraud and Abuse Act, 18 U.S.C. [section] 1030 (CFAA), criminalizes certain computer-related behavior and, if the damage exceeds $5,000 over a single year, provides a civil remedy for its victims. The Ninth Circuit in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), recently held that the CFAA does not cover an employee-hacker or an insider that takes data and uses it in an anticompetitive manner after leaving the company. Three months later, the Fourth Circuit agreed in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) (after resigning, the ex-employee used the data in an anti-competitive manner) (1) and held that the CFAA is not violated unless an employee lacks any authorization to obtain or alter the data when he or she was employed.

In contrast, the First, Fifth, Seventh, and 11th circuits take the opposite view and support the concept that an employee-hacker violates the CFAA whether he or she uses the data with or without financial gain. (2) The Ninth Circuit's analysis in Nosal is compelling and the Fourth Circuit followed suit. Nosal held that the CFAA covers "hackers" but not corporate insiders, employees, or consultants, called herein "employee-hackers," who improperly use computer data. WEC, citing the canon of strict construction of criminal statutes (the rule of lenity), held the CFAA "simply criminalize[s] obtaining or altering information that an individual lacked authorization to obtain or alter." (3) The court also rejected a cessation-of-agency theory, effectively holding that any employee's authorized access continues throughout the employment. (4) This article discusses the divisions between the courts. (5)

[ILLUSTRATION OMITTED]

The split in the circuits involves the question: What does "exceed[] authorized access" mean? The points raised by the Nosal and WEC courts are persuasive and the split in authority is not easily rectified.

Florida-based businesses rely upon the CFAA for relief because Florida's Computer Crimes Act, [section] 815.01, et seq., provides a relatively hollow civil action. An injured party "may bring a civil action against any person convicted" (6) under the act. Therefore, a criminal conviction must precede the civil action. Civil actions following a criminal conviction are not an effective enforcement mechanism. When concurrent criminal and civil actions are pending, defendants stymie civil action discovery and hence delay trial by asserting their Fifth Amendment privilege against self-incrimination. Also, the employee-hacker may exhaust his or her monetary resources in the criminal action. Therefore, Florida-based businesses often rely upon the federal act for relief.

Nosal--Ninth Circuit

The Ninth Circuit in Nosal, narrowly construed the CFAA finding that the criminal prosecution of an ex-employee, who convinced current employees to access and transfer employer's customer data to him, did not violate the CFAA because "exceeds authorized access" does not cover unauthorized disclosure or use of information, contrary to company policy. The Nosal majority stated that the purpose of the statute "is to punish hacking--the circumvention of technological access barriers--not misappropriation of trade secrets." (7) The government argued that the CFAA covers hacking and also prohibits employees and former employees from accessing and using data from an employer's computer without authorization. The court disagreed, finding that the government's position would turn the CFAA into a sweeping Internet-policing mandate, thereby criminalizing employees who G-chat with friends, play games, shop, watch sports highlights, or post false information on Facebook or eHarmony. "Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government's proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law." (8) Interestingly, the Nosal court cited an earlier decision from the Middle District of Florida, Lee v. PMSI, Inc., No. 8:10-cv-2904-T23TBM, 2011 WL 1742028 (M.D. Fla. May 6, 2011), (9) wherein the district court dismissed an employer's CFAA counterclaim in an employment discrimination action.

The Nosal court indicated that if criminal liability turns on the vagaries of an employee-employer contract, or a company-consumer contract, then a "notice" issue arises as to 1) the meaning of ambiguous terms; 2) the changeable nature of the contracts; and 3) the scope of "lengthy, opaque, [contracts which are] subject to change and [are] seldom read." (10) Per the court, when an employee can use his or her cell phone to do the same thing, it is unjust to criminally punish the same activity when done on the employer's computer.

Nosal Dissent

The dissent in Nosal points out that the case:

has nothing to do with playing sudoku, checking email, fibbing on dating sites, or...