Don’t Just Because You Can

CFAA prohibits accessing computer information that a person can physically obtain but doesn’t have permission to access

Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012)

Under the Computer Fraud and Abuse Act (CFAA), a person commits a federal crime if he or she “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .”  18 U.S.C. § 1030.  In April, an en banc Ninth Circuit decision (colorfully penned by Chief Judge Kozinski) said the term “exceeds authorized access” excludes unauthorized use of computer information as opposed to unauthorized accessing of such information.  See United States v. Nosal, 676 F.3d 854 (9th Cir. 2012).  In other words, a person who uses his employer’s confidential computer information in an unauthorized manner (say he discloses it to his employer’s competitors) does not violate the CFAA if his physical access to the information was authorized.  As an anti-hacking statute, the CFAA was not intended to criminalize misuse of proprietary information.  Otherwise, millions of people could be subject to federal prosecution.  Many employment policies forbid employees from using work computers for nonbusiness purposes, but employers do not necessarily physically restrict their employees’ access to the Internet.  So, as Judge Kozinski pointed out, an employee subject to such a workplace policy could unwittingly violate the CFAA just by sending a personal email on a work computer, checking a personal Facebook account during work hours, or playing a game of sudoku online.

A recent trial-level decision considered a situation similar to the one in Nosal–an ex-employee misappropriates confidential computer files from his ex-employer after termination–but came out with a different result.  Weingand v. Harland Financial Solutions, Inc. focused on the concept of authorization.  In Weingand, a financial services company (Harland) requested the court’s permission to file a counterclaim for violations of the CFAA against a terminated employee (Weingand).  Based on Weingand’s representations that he wanted to retrieve his “personal files,” Harland allowed him access to its computer system after the termination.  Weingand allegedly took that opportunity to copy over 2,700 business files belonging to Harland, its clients, and third-party software vendors.  Harland claimed that Weingand was not authorized to access those files.

Harland had physical access to the proprietary and confidential files.  The question is, did such physical access translate into “authorized access” under the CFAA?  The court said no.  Although Nosal rejected the argument that “exceeds authorized access” could refer to someone with unrestricted physical access to a computer who is limited as to how he could use that information, this case did not turn on the access/use distinction.  Harland did not authorize Weingand to access its confidential and proprietary business files even though he physically was able to copy the files.  In copying files that he had no permission to access, Weingand exceeded his authorized access to his former employer’s computer system.  The court analogized to the situation where an ex-employee uses his old credentials (which technically have not changed) to log in to his former employer’s computer system and steal sensitive work files.  Even before Nosal, the Ninth Circuit considered such conduct a violation of the CFAA.  This was no different because the accessing of the files, though physically possible, was not authorized.  The court allowed Harland to file its counterclaim.

LegalTXT Lesson:  Weingand gives some breathing room to employers who do not explicitly forbid former employees from accessing proprietary and confidential company information . . . but why chance it?  If a company gives a former employee access to the company’s computer system after termination, it should set up technical restrictions on access if possible, and monitor what gets copied.  It’s better to avoid being put in the position of having to debate whether an ex-employee’s misconduct consisted of misusing company information versus illegally obtaining the information.