"Obtaining" the right result: a novel interpretation of the Computer Fraud and Abuse Act that provides liability for insider theft without overbreadth.

• Author: Jakopchek, Kevin

TABLE OF CONTENTS INTRODUCTION I. THE PROBLEM OF DIGITAL THEFT A. A Rising Problem B. Computer Misuse Statutes as Potential Remedies II. THE CFAA STATUTE III. THE CIRCUIT SPLIT REGARDING CFAA'S REACH A. Broad Interpretation Through Agency Theory B. Broad Interpretation Through Contract Theory C. Narrow Interpretation IV. THE CIRCUIT COURTS' FLAWED APPROACHES A. Policy Concerns Justify a Federal Prohibition on Insider Digital Information Theft B. CFAA Legislative History Shows It Should Be Interpreted to Criminalize Insider Digital C. CFAA Text Demonstrates that It Applies to Insider Digital Theft D. Current Broad Liability Theories Are also Flawed V. THE "OBTAIN" THEORY CONCLUSION INTRODUCTION

For major financial trading firms, the money is not really in the stocks they trade; it is in the methods they have developed to trade them. In 2008, financial firms generated an estimated $21 billion in profits from high-frequency trading (HFT). (1) HFT utilizes computers, operating under the control of complex algorithms, to mine dozens of marketplaces for information, while simultaneously executing purchase and sale orders. (2) These computers are able to spot trends, analyze information, and place millions of orders in fractions of a second, giving them a distinct advantage over human traders and slower computers. (3) The algorithms that control the computers are the geese that lay many of Wall Street's golden eggs, and their development and confidentiality are vital to the success of HFT firms. (4)

One of the biggest firms using HFT is Goldman Sachs. (5) Goldman understands the value of its algorithms, richly compensating the employees who develop them. In 2009, Sergey Aleynikov was programming HFT code for Goldman and making $400,000 a year. (6) In return, Aleynikov agreed to Goldman's confidentiality policy that made clear that his work was the intellectual property of the firm, required him to keep all proprietary information in confidence, and barred him from taking any information or using it when his employment ended. (7)

In April 2009, a start-up firm called Teza Technologies was attempting to develop its own HFT system and offered Aleynikov more than $1 million per year to develop part of its algorithm. (8) Teza let Aleynikov know that it was expecting the system to be developed far faster than usual. (9) Aleynikov accepted Teza's offer and set his last day at Goldman for June 5, 2009. (10) In a scene reminiscent of spy capers, at 5:20 p.m. that day--just before his going away party--Aleynikov went to his office, secretly encrypted more than 500,000 lines of Goldman's HFT source code, and uploaded the code to a foreign server. (11) He then deleted the encryption program and tried to erase the history of his computer commands. (12) Later that evening, he downloaded the source code to his home computer and copied some of the files to other computers. (13) On July 2, Aleynikov flew to Chicago to attend meetings at Teza and brought a flash drive and laptop containing portions of Goldman's HFT code. (14)

Aleynikov was arrested by federal agents when he arrived home from those meetings. (15) He was charged with one count each of violating the Computer Fraud and Abuse Act (CFAA), the Economic Espionage Act (EEA), and the National Stolen Property Act (NSPA). (16) The district court dismissed the CFAA count before trial, but Aleynikov was ultimately tried and convicted under the EEA and the NSPA counts. (17) However, on April 11, 2012, the United States Court of Appeals for the Second Circuit overturned both convictions on Aleynikov's appeal. (18)

The NSPA makes it a crime to "transport[ ], transmit[ ], or transfer[ ] in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud." (19) The question before the Second Circuit regarding the NSPA was whether the algorithm constituted a "good, ware, or merchandise." (20) Relying on Supreme Court precedent, the Second Circuit concluded that the code did not qualify because "[s]ome tangible property must be taken from the owner for there to be deemed a 'good' that is 'stolen' for purposes of the NSPA." (21) Since the HFT code was intangible property, the court reversed Aleynikov's NSPA conviction. (22)

The EEA conviction appeal also centered on the nature of the HFT code. Here, the Second Circuit asked whether the FIFT code was either "produced for" or "placed in" commerce. (23) The district court had ruled that the HFT code was "produced for" commerce because Goldman used it to execute trades. (24) The Second Circuit ruled that because Goldman had no intention of selling or licensing its system to anyone, however, the code itself was not a product produced for commerce. (25) Indeed, the court noted that Goldman went to "great lengths" to maintain the code's secrecy, as Goldman's profits "depended on no one else having" the code. (26) Thus, the very attribute that made the theft damaging to Goldman--that the value of the source code depended on confidentiality--meant that Aleynikov's theft was not a violation of the EEA.

HFT systems are valuable because they confer traders an advantage over competitors who are not using them. (27) If another firm can gather the same information and make the same trades at the same frequency, the value of Goldman's system is reduced. Such loss is the reason why prosecutors tried to fit three different statutes to Aleynikov's actions. The EEA and NSPA counts' failures illustrate a point that underlies this Comment: traditional statutory regimes are, at times, inadequate to address certain criminal acts presented in the digital age.

This Comment argues that Aleynikov's theft should constitute a violation of federal law, but not the NSPA or EEA. Rather, this Comment focuses on the third statute Aleynikov was originally charged with violating, one specifically enacted to address digital age crimes: the Computer Fraud and Abuse Act (CFAA). In dismissing the CFAA count, the district court looked to persuasive authority that held that the CFAA is only violated when computer users access information that they do not have permission to access for any purpose. (28) Such precedent represents a CFAA narrow interpretation, which developed in response to other cases that applied a broad interpretation. (29) Those cases held that the CFAA implicitly contained use restrictions, meaning that improper information use could violate the statute. (30) The narrow interpretation adopted in the Aleynikov trial court criticized these "broad interpretation" or "use restrictions" approaches as overly broad with little textual grounding. (31)

Those criticisms have merit, but the narrow interpretation adopted in Aleynikov is also flawed. It renders the CFAA ineffective when employees misappropriate data. This Comment advances a novel interpretation of the CFAA, which would impose liability for employee data theft while avoiding the pitfalls of overbreadth that plague the current broad interpretations.

Part I of this Comment gives a brief background of computer crime, computer misuse statutes, and the CFAA. Part II discusses CFAA provisions that are relevant to employee data theft. Part III provides a summary of the current circuit split regarding insider theft under the CFAA, the split between the narrow and broad interpretation theories. Part IV argues that insider theft should be prohibited by federal law generally and the CFAA specifically, but acknowledges the validity of critiques of the CFAA's current broad interpretation. Finally, Part V advances a new CFAA interpretation that brings insider data theft within the scope of the statute, while eliminating concerns about overbreadth.

1. THE PROBLEM OF DIGITAL THEFT

   1. A RISING PROBLEM

      It is a truism that computer technology occupies a central place in modern business. It is not just digital communication that is pervasive; businesses have largely discarded paper and boxes for hard drives and servers as the preferred means of storing information. And with the advent of mobile devices (flash drives, laptops, smart phones, etc.) employees can access and transmit electronic data with ease. Given the concurrent dependence on digital storage and ease in digital transmission, it may be no surprise that data theft is a rising problem for businesses. (32) In fact, many data thieves are in positions similar to Sergey Aleynikov: members of a company's management with the ability to take electronic files as they prepare to leave the company (or even after they have left). (33)

      A study conducted by accounting and consulting firm KPMG showed that between 2006 and 2008, cases of employee-related data theft more than doubled. (34) In roughly 70% of those thefts, the employees moved to a rival company, and a substantial number of thieves used stolen data to start competing businesses themselves. (35) The KPMG study predicted that the number of such insider thefts was "almost certain" to increase further, (36) and a 2010 report on trends in international fraud validated that prediction. (37) In that survey, businesses reported that electronic data thefts outnumbered tangible property thefts and that financial losses from data theft were greater than losses from physical thefts of cash, assets, and inventory. (38)

      The firms most threatened by the rise in data theft are those in "information-rich industries" such as financial services, professional services, technology, and communications. (39) These industries both depend most on proprietary information and are plagued by the highest levels of electronic theft. Damage from data theft is not limited to the monetary value of the information; there is a "risk of reputational damage if your firm loses customer data. That itself could be an existential threat to your business." (40) Disturbingly, firms are not well protected against such threats, as...