Monday, May 2, 2011

The Ninth Circuit Gets Tough With Violations of Computer Use Restrictions

The Ninth Circuit has expanded criminal liability under the Computer Fraud and Abuse Act for violation of specific use restrictions.

The Computer Fraud and Abuse Act (CFAA) creates civil and criminal liability in certain instances for conduct relating to unauthorized access to a computer, or to exceeding authorized access to a computer. A person is criminally liable under the CFAA if he or she:

Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]
18 U.S.C. §1030(a)(4).

On April 28, 2011, in the case of USA v. Nosal, the Ninth Circuit expanded the use of CFAA into the criminal arena. The court made clear the following basic tenets under CFAA §1030(a)(4):

1. If the business owner of the computer does not restrict a user’s access to and use of computer data, then a user’s access to computer data and the use of the data for purposes contrary to the interest of the computer owner does not constitute a crime under CFAA.

2. If the business owner of the computer restricts access to computer data, then there is criminal liability under CFAA §1030(a)(4) when:

a. The person who accesses the computer does so in violation of the computer owner’s specific restrictions on computer access;

b. The person accesses the computer data with the intent to defraud the owner of the computer data; and

c. By accessing the computer data in violation of the restrictions, the person “furthers the intended fraud and obtains anything of value.”

3. If a person without access to the computer induces another person who has access to obtain and pass along restricted data, then under criminal conspiracy theories both the person without access who receives the restricted data and the person with access who passes along the restricted data may be criminally liable.

The Nosal case deals with a former employee of a business who engaged with several existing employees of the business to obtain proprietary information from the business’ computer system. The former employee intended to use this information to establish a competing business. The existing employees had access to the computer data, but their access and use were restricted by the employer’s specific written business rules. The employer’s use restrictions were “clear and conspicuous.” The employer required its employees to sign employment agreements that specifically prohibited “use and disclosure of all such information, except for legitimate * * * business * * *.” Further, the employer’s computer system displayed a cautionary message whenever a user logged on, stating:

This computer system and information it stores and processes are the property of * * *. You need specific authority to access any * * * system or information and to do so without the relevant authority can lead to disciplinary action or criminal prosecution * * *.

The criminal case was brought when the existing employees used their restricted access to obtain proprietary data and pass the data to the former employee for purposes of developing a competing business. This conduct occurred in direct violation of the employer’s specifically defined use restrictions. Nosal represents the first criminal use of the CFAA in this manner by the Ninth Circuit.

The Ninth Circuit’s Nosal opinion goes to some length to explain that the foregoing criminalization of computer access is not designed to impose liability on an employee who uses an employer’s computer system for unauthorized use that is merely personal and non-fraudulent, “for example, to access their personal email accounts or to check the latest college basketball scores.”

While the Nosal opinion involves an employment context, the teaching of Nosal is not so limited. Other examples in which a person can intentionally access and use computer data in violation of specific restrictions and for a fraudulent purpose include:

• downloading data with a “borrowed” access code when the owner of the database specifically requires that each user obtain his or her own access code, or

• accessing and using a computer database to redistribute downloaded data in violation of a personal use agreement, or

• downloading data for commercial purposes when the use agreement restricts usage to personal or household purposes.

While the CFAA is not limited to the traditional concept of hacking, the Ninth Circuit will allow criminal application only when the owner of the computer clearly and conspicuously establishes access and use restrictions.
