En Banc Ninth Circuit Decision Could Send CFAA to Supreme Court for Review

more+
less-

Reproduced in Bloomberg BNA, with permission from Electronic Commerce & Law Report

Reproduced with permission from Electronic Commerce & Law Report (Apr. 10, 2012). Copyright 2012 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com/
Bruce Samuels, a partner at Lewis and Roca, is quoted in this article.

[author: Amy E. Bivens]

Employers and website hosts cannot, by contractually limiting how individuals may use information stored on their networks, define acceptable limits of access ‘‘authorization’’ under the Computer Fraud and Abuse Act, the U.S. Court of Appeals for the Ninth Circuit, on en banc rehearing, ruled April 10 (United States v. Nosal, 9th Cir., No. 10-10038, 4/10/12).

The court’s adoption of a hacking-based approach to access authorization, in an opinion written by Chief Judge Alex Kozinski, broke sharply with a three-judge panel’s 2011 ruling (16 ECLR 739, 5/4/11).

Here, the court held that employees who have permission to access information on corporate computers, but use it for purposes that violate company policies, cannot be prosecuted for exceeding their authorized access to protected computers under 18 U.S.C. § 1030.

The court went on to say that the same principle applies to violations of website terms of use. While breaches may be grounds for contract- or tort-based actions, they cannot support criminal prosecution or civil claims under the CFAA.

The only way an entity can effectively limit authorized access is by restricting specific information that individuals using their networks can access. Thus, if an employee has authorization to access product data only, but accesses client lists, too, the latter access would exceed his authorized access. His misuse of product data
he could access for work would not.

Using someone else’s password, in violation of clearly set policies, would also be grounds for civil liability and prosecution under the CFAA, the court said.

The court’s interpretation of ‘‘exceeds authorized access’’ is at odds with several other circuits, United States v. John, 597 F.3d 263 (5th Cir. 2010)(15 ECLR 272, 2/24/10); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)(16 ECLR 9, 1/5/11); International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006)(11 ECLR 303, 3/15/06); United States v. Teague, 646 F.3d 1119 (8th Cir. 2011)(16 ECLR 1299, 8/3/11).

E-commerce attorneys interviewed by BNA said this split may ultimately tee up the issue for Supreme Court review. A bill pending in the Senate (S. 1151) would amend the statute to eliminate contract-based civil CFAA claims.

A dissenting opinion, filed by Judge Barry G. Silverman and joined by Judge Richard C. Tallman, pointed out that the majority’s reading of the statute seems to be in tension with the court’s earlier ruling—exploring a civil CFAA claim under 18 U.S.C. § 1030(g)—in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)(14 ECLR 1358, 9/23/09).

The majority did not discuss Brekka, other than to say its ruling is in line with it.

Insider Hacking Possible, but Much More Narrow Claim.

The ruling narrows the reach of the CFAA, at least in the Ninth Circuit.

It also creates a very interesting circuit split that could set the stage for attention to the issue from the U.S. Supreme Court, Bruce Samuels, a litigation partner at Lewis and Roca, Phoenix, told BNA.

‘‘The court clearly left open the possibility of prosecution for insider hacking—for instance, if an employer restricted the data that employees can access on company computers,’’ Samuels said. As a result, employers might want to consider adopting better internal security processes to limit employees’ access to specific segments of their networks, and granting access to sensitive information only on a ‘‘need-to-know’’ basis, Samuels added.

Because of the court’s concern about contract-based access limits, it seems likely that the access restriction would have to be technical rather than contractual to effectively limit authorized access under this ruling, Samuels predicted.

En Banc Panel Adopts ‘Hacking’ Approach.

The CFAA makes it a crime to access a protected computer either ‘‘without authorization’’ or to ‘‘exceed authorized access’’ to the protected computer, and commit one of several offenses, including obtaining or altering information.

This defendant was indicted under Section 1030(a)(4), for aiding and abetting the plaintiff’s employees in exceeding their authorized access to the plaintiff’s computer network. Shortly after he left the company, he convinced former colleagues to join him in starting a competing business. The employees used their passwords to download confidential data — protected under corporate policies —and transferred the information to the defendant.

He was also indicted for trade secret theft, among other crimes.

The defendant moved to dismiss, arguing the law only targets hackers. The district court disagreed, but later reversed under the Ninth Circuit’s ruling in Brekka, which construed the phrases ‘‘without authorization’’ and ‘‘exceeds authorized access’’ relatively narrowly.

The district court found no way to read the law’s definition of ‘‘exceeds authorized access’’ to incorporate corporate policies governing data use. In 2009, the Ninth Circuit reversed, holding that employees who violate clearly and conspicuously disclosed limits on their access to corporate computer networks and use of information stored there exceed their authorized access to those computers.

The Ninth Circuit agreed to rehear the case en banc (16 ECLR 1805, 11/2/11). This time, it held that the statute does not make it a crime to violate employer policies
on the use of data stored on company networks.

No Contract-Based Prosecution, Liability.

The CFAA has a somewhat-bulky definition for ‘‘exceeds authorized access.’’ The law defines the act as ‘‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,’’ 18 U.S.C. § 1030(e)(6).

The word ‘‘so’’ creates some uncertainty, the court said. The statute could be read—as the defendant argues—to only refer to what is colloquially known as ‘‘hacking’’—accessing information that a party is not entitled to access. ‘‘For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: he would ‘exceed authorized access’ if he looks at the customer lists[,]’’ the court said.

The other way to read it would be to refer to someone who has access to a computer, but uses it for unauthorized purpose. The government—and many companies pursuing civil litigation against disloyal employees—has pushed courts to adopt that interpretation of the phrase.

The Ninth Circuit looked to the statute’s legislative history, and considered the policy implications of such a broad reading of the law, in adopting the ‘‘hacking’’-based approach.

The government’s interpretation of the law would transform it into an expansive misappropriation statute, the court said.

The government argued that such a narrow interpretation would make the ‘‘exceeds authorization’’ superfluous, but the court disagreed.

It is possible to read both provisions as applying to hackers, the court said. the ‘‘exceeds authorized access’’ section applies to internal hackers, while ‘‘without authorization’’ applies to outside hackers.

‘‘This is a perfectly plausible construction of the statutory language that maintains the CFAA’s focus on hacking rather than turning it into a sweeping Internetpolicing mandate[,]’’ the court added.

Unintended Consequences.

A contrary reading would turn minor dalliances into federal crimes, the court added. ‘‘Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights[,] the court said.

Those activities are routinely prohibited in many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Defining those acts to constitute exceeding authorized access could open the door to selective prosecution, the court predicted. The same is true for website terms of use, which users frequently do not read and site hosts continually update.

The risk is real, the court added, looking to the prosecution of an individual who violated MySpace’s terms of service in United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009)(14 ECLR 1249, 9/2/09).

People frequently lie on social networks, the court observed. ‘‘The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.’’

Circuit courts that have interpreted the statute more broadly, including the Eleventh, Fifth, and Seventh, failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘‘exceeds authorized access,’’ the court said.

Dissent: Majority Trots Out, Knocks Down Strawmen.

‘‘This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values[,]’’ Judge Barry G. Silverman wrote, dissenting.

The indictment in this case charged Nosal with knowingly exceeding access to the company’s computers and stealing its valuable proprietary information.

Brekka held that an individual who is authorized to use a computer for certain purposes but goes beyond those purposes is considered to have exceeded authorized access under the CFAA.

‘‘This is not an esoteric concept[,]’’ the dissent said here. ‘‘A bank teller is entitled to access a bank’s money for legitimate banking purposes, but not to take the bank’s money for himself.’’

The majority’s decision conflicts with the plain language of the statute and every circuit-level decision on the matter, the dissent added. ‘‘Furthermore, it does not advance the ball to consider, as the majority does, the parade of horribles that might occur under different subsections of the CFAA, such as subsection (a)(2)(C), which does not have the scienter or specific intent to defraud requirements that subsection (a)(4) has.’’

Jenny C. Ellickson, United States Department of Justice, San Francisco, argued for the government. Ted Sampsell Jones, Riordan & Horgan, San Francisco, argued on behalf of the defendant.

Opinion at http://pub.bna.com/eclr/10cv10038_41012.pdf.
Text of S. 1151 at http://pub.bna.com/eclr/s1151.pdf.