(CN) – Refusing to broaden its interpretation of a federal anti-hacking law, the full 9th Circuit on Tuesday affirmed dismissal of several charges against a corporate headhunter who allegedly relied on his former employer’s confidential information.
A majority of the 11-judge court rejected the government’s more expansive reading of the Computer Fraud and Abuse Act (CFAA), finding that the statute was meant to punish hacking, not misappropriation of trade secrets. To find otherwise would “criminalize any unauthorized use of information obtained from a computer” and “make criminals of large groups of people who would have little reason to suspect they are committing a federal crime,” according to the lead opinion authored by Chief Judge Alex Kozinski.
The case involves David Nosal, a former employee of the executive search firm Korn/Ferry. After he left Korn/Ferry to start a competing company, Nosal allegedly convinced some of his former co-workers to log onto a confidential Korn/Ferry database and send him client information. The employees were allowed to access the database, but Korn/Ferry had a policy against disclosing confidential information.
Federal prosecutors in San Francisco indicted Nosal for trade-secret theft, mail fraud, conspiracy and violations of the CFAA.
Relying on the 9th Circuit’s 2009 resolution of LVRC Holdings LLC v. Brekka, U.S. District Judge Marilyn Patel dismissed the charges related to the CFAA. In LVRC, the federal appeals court found that the phrases “without authorization” and “exceeds authorized access” in the statute should be narrowly construed.
The government challenged Patel’s interpretation on appeal before an en banc panel of 9th Circuit judges, arguing that the Korn/Ferry employees exceeded authorized access under the CFAA when they violated the company’s computer-use policy. Nosal contended that “exceeds authorized access” refers only to data one is not authorized to access.
The en banc panel chose the narrower view after considering the worst-case effects of the government’s interpretation – a world in which frittering away work time on the Internet becomes a federal crime.
“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights,” Kozinski wrote. “Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.”
Because Nosal’s alleged accomplices had permission to access the company database, they did not “exceed authorized access” under the CFAA, the panel found.
“The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations,” Kosinski added. “But we shouldn’t have to live at the mercy of our local prosecutor.”
Two justices dissented, arguing that the majority had crafted a straw man built on “far-fetched hypotheticals.”
“This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values,” Judge Barry Silverman wrote. “It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts. The indictment here charged that Nosal and his co-conspirators knowingly exceeded the access to a protected company computer they were given by an executive search firm that employed them; that they did so with the intent to defraud; and further, that they stole the victim’s valuable proprietary information by means of that fraudulent conduct in order to profit from using it. In ridiculing scenarios not remotely presented by this case, the majority does a good job of knocking down straw men – far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.” (Emphasis in original.)
Judge Richard Tallman joined Silverman’s dissent.