This past Monday I blogged of what I called the “Trilogy of Access Theories” to refer to the 3 lines of circuit court cases that have different theories for interpreting “access” under the Computer Fraud and Abuse Act (“CFAA”).
That was a FAIL!
United States v. Nosal
[EDITOR’S NOTE: THE CASE DISCUSSED IN THIS BLOG POST WAS SUBSEQUENTLY REVERSED BY YET ANOTHER UNITED STATES V. NOSAL — ACCORDINGLY, THIS BLOG POST IS OUTDATED]
As of today the trilogy has become a duo with the Ninth Circuit‘s opinion in United States v. Nosal. Honestly, however, I can’t say that it is that much of a surprise that the Ninth Circuit backed off of the hard line it took in LVRC Holdings LLC v. Brekka in which it established the rigid “access means access” theory. The facts of Brekka were quite distinguishable from the facts of United States v. Rodriguez, United States v. John, United States v. Phillips, and International Airport Centers, LLC v. Citrin–the cases in which the Eleventh, Fifth, and Seventh Circuits, respectively, ruled differently on the access issue. Moreover, the Brekka Court left a few clues in its opinion though I am saving those for a different day … but here’s a hint: study those Bluebook signals!
As for Nosal, if you are interested in reviewing the entire opinion then here it is: Nosal Opinion. The basic facts of Nosal are these: Employee resigns his position as an executive to become an independent contractor. Employee signs agreements agreeing to not compete with his former employer and governing his access to and use of confidential and proprietary information belonging to employer. Employee decides to open his own company competing with his former employer, takes three employees with him, and they all obtained trade secrets and other proprietary information from the former employer’s computer system and are now using it to compete. Former employee then indicted for violating the Computer Fraud and Abuse Act.
Key Facts Materially Different from Brekka
What really forced the Ninth Circuit’s hand in this case are the great lengths to which the former employer had gone to restrict and limit access to and use of its confidential and proprietary information, and they were extensive. Recall, in Brekka there were no restrictions and the employee had unfettered access to the computer and all data thereon.One of the Brekka Court’s biggest hang-ups was the employee had no way of knowing when authorization to access would terminate and, therefore, ruled on the side of being lenient. Not so in Nosal.
The Nosal Court found that because of the employer’s extensive restrictions and limitations, the issue before the court was whether the defendants “could have exceeded their authorized access by accessing information that they were entitled to access only under limited circumstances.” The Court held “that an employee ‘exceeds authorized access’ under [the CFAA] when he or she violates the employer’s computer access restrictions including use restrictions.” In other words, the court basically adopted the Intended-Use Theory first set forth by the Fifth Circuit in United States v. Phillips and United States v. John which was then joined by the Eleventh Circuit in United States v. Rodriguez. Now I make this overly generalized statement knowing full well that there already are and will continue to be differences in the application between the courts, just as there are differences in the reasoning between John and Rodriguez. Of course there will be. Nonetheless, …
What Was the Intended-Use Theory Again?
The Intended-Use Theory, as explained in the Trilogy, provides that an employee’s own subjective changing of allegiances (which is sufficient according to the Citrin Agency Theory), is not sufficient by itself to terminate authorization; Yet an employer is not required to expressly notify the employee that his access has been terminated either. Rather, the employer can implement certain restrictions on access and use of information obtained thereby, ahead of time by policies and agreements, that are known by the employee, and if the employee still violates those limitations by accessing information and using it for improper purposes–not for its intended use–that access will be considered as having been unauthorized for purposes of the Computer Fraud and Abuse Act.
“Bye Bye Brekka”? Not Really … the Nosal Court is Not Abandoning, But Refining Brekka
The Nosal Court made it clear that it was not abandoning its reasoning in Brekka but was simply refining its application in this Nosal. Given how substantially different the facts of Brekka were vis-a-vis most other cases to which it has been compared, that certainly makes sense and follows from the court’s reasoning. The court also made it clear that it was not adopting the Citrin line Agency Theory. The court maintained its earlier position from Brekka that “it is the action of the employer that determines whether an employee is authorized to access the computer.” In Brekka it had held that once access to a computer had been authorized the only way the employer could terminate that authorization was to notify the employee that it was rescinding the right to access. In Nosal the court has simply taken that reasoning one step further, to the place of John and Rodriguez, and found that the authorization to access the computer can be limited at the outset by placing clear and conspicuous restrictions on the right to access and use the computer and any data there from. When one has knowledge of those limitations on that authorization, he “exceeds authorized access” by violating those limitations. “It is as simple as that,” as the court put it.
In conclusion, the holding of the Nosal court is as follows:
Today, we clarify that under the CFAA,an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer. We reaffirm our previous conclusion that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access.'”
What Does All of This Mean?
From an employer’s standpoint, this case is very helpful. While it was a criminal case, the same standards of “access” that apply criminally under the CFAA also apply to civil actions. This case puts employers in the Ninth Circuit in the same position as employers in the Fifth and Eleventh Circuits. That is, it allows employers to implement clear and unambiguous policies that define the scope of permissible authorization for employees to access and use their computers as well as any data from those computers. If they have such policies, then under Nosal employers may have a valid CFAA claim against employees who exceed that authorization. If they do not, and their employees have “unfettered access” to the computers and data, then under Brekka the employer will not then be allowed to assert CFAA claims against them because the limitations on access were not set at the outset. In other words, the lesson for employers is to have comprehensive computer access and data use policies!
From a business litigation standpoint, I appreciate the Ninth Circuit’s opinion in United States v. Nosal though there are an awful lot of district courts who have taken a very hard line approach to following Brekka, in a way that was not followed in Nosal, and they are going to have a lot of work to do in order to get their rulings in line with this new opinion out of the Ninth Circuit. Now, however, we are left with only two clearly distinct lines of reasoning on the “access” issue, with the second being the agency theory set forth below.
From a jurisprudence standpoint, this shows the wisdom of the courts, including the United States Supreme Court, in allowing a body of law to mature and develop in the district courts and the circuit courts.
The Trilogy started with the Seventh Circuit in International Airport Centers, LLC v. Citrin (citing Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc.) in which it held that under common law agency principles, an employee’s right to access his employer’s computer is premised on his serving the interests of his employer. Should his loyalties to his employer change and his interests become adverse, so to would his authorization change by becoming unauthorized. Under this “agency theory” the authorization to access was based upon the employee’s own subjective loyalties and interests and, if they changed, his authorization to access the employer’s computer changed with it.
This line of reasoning remains unfazed by the Ninth Circuit’s ruling in United States v. Nosal though it remains to be seen whether the Seventh Circuit will now move closer to the Intended-Use Theory. If it does then this issue may never need to be interpreted by the Supreme Court. If it doesn’t, then as long as there are at least two diverging theories on this issue, there’s always a chance that the access issue will be the vehicle to get the Computer Fraud and Abuse Act before the United States Supreme Court so that we can finally learn what the justices have to say about it. Until then, we’ll all keep arguing over it … and that’s our job!
- New “Employment” Computer Fraud and Abuse Act case … but with a twist! (shawnetuma.com)
- Basic Elements of a Computer Fraud and Abuse Act – “Fraud” Claim (shawnetuma.com)
- Taking of Confidential Info Alone Not “Loss” Under CFAA (shawnetuma.com)