Earlier this month, a federal judge in San Francisco sentenced David Nosal to a year in prison, three years’ supervised release, 400 hours of community service, and $60,000 in fines. His crime? Nosal violated the Computer Fraud and Abuse Act (“CFAA”), among other federal statutes, when he departed from his former employer with a stash of its most sensitive business data.
Employment law doesn’t normally develop in criminal courtrooms, but Nosal’s case is an important exception. The outcome of his pending appeal to the 9th Circuit will almost certainly offer important guidance for employers on how best to prevent and, where necessary, remedy employee data theft. It’ll likely reinforce a familiar lesson: employers should craft their employee technology policies with an eye toward the law of data security. A well-developed IT infrastructure can give an employer substantial legal advantages and lead to better outcomes when employee data theft occurs.
What Is The CFAA?
To understand the practical importance of Nosal’s case, employers should first understand how the CFAA can apply to departing employees who steal company data. Congress passed the CFAA in 1986 – before the advent of most modern information technology – to combat computer hacking. The CFAA makes it a federal offense to obtain information or perpetrate a fraud either by (a) accessing a computer “without authorization,” or (b) by “exceed[ing] authorized access” on any such computer. In addition to its criminal penalties, the CFAA creates a parallel civil cause of action for hacking victims.
For employers, a key benefit of the CFAA is that it may provide a ticket into federal court in a data theft case. (It’s one of only a few federal statutes that does so.) The benefits of a federal forum can be significant for an employer. Particularly in multi-state disputes, the federal system allows for the streamlined discovery of electronically stored information in ways that many states do not. Additionally, CFAA plaintiffs need not prove that the stolen information rises to the level of a trade secret, which is often a central dispute in other types of data theft cases.
When Is Employee Access To Sensitive Data “Unauthorized” Under The CFAA?
That makes the CFAA important for employers. But just how broadly does its concept of “unauthorized access” sweep? At the time of its passage, the CFAA seemed only to target “hacking” in the traditional sense of the word, i.e., external bad actors who – often from remote locations – secretly program their way into a company’s computer system without ever setting foot on company premises. (Consider, for example, the recent attack on Target’s computer system.)
Today, however, breaches due to external threats make up only a limited portion of all yearly data theft in the U.S. In May 2013, the Commission on the Theft of American Intellectual Property found that “[m]uch [data theft] occurs the old-fashioned way.” The culprit is often a disloyal employee who had legitimate access to the stolen data through her employment: “Hard drives are either duplicated on site or physically stolen by bribed employees; employees are planted temporarily in companies or permanent employees leave and illegally share proprietary information; . . . and email accounts are compromised.”
At first blush, theft by a disloyal employee would seem to fall outside the scope of the CFAA. Employees are, after all, typically “authorized” to access and use hard drives, email accounts, and the proprietary information they contain in connection with their jobs. So, for employers, is the CFAA off-limits?
Not quite. In the last decade or so, a handful of federal courts have applied the CFAA to employee data theft using a duty-of-loyalty theory. The best-known example is International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), in which Judge Richard Posner reasoned that an employee who misused a company laptop forfeited his authorization to use the laptop when he engaged in misconduct. The court held that “Citrin’s breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”
Nosal: Misuse Is Not Unauthorized Access
But then along came David Nosal. In October 2004, Nosal voluntarily resigned from Korn/Ferry International, a major executive search firm headquartered near San Francisco. He departed with confidential business data from Korn/Ferry’s internal database of executive candidates. When it discovered Nosal’s theft, the government indicted him for violating the CFAA, the Economic Espionage Act, and other federal laws. The district court eventually dismissed the CFAA counts against Nosal, and the government appealed.
In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the 9th Circuit affirmed the dismissal of the CFAA counts against Nosal. In a colorful opinion by Judge Alex Kozinski, the court held that the CFAA does not cover an employee who merely misuses an employer’s information to which he otherwise has legitimate access. Judge Kozinski viewed the government’s argument to the contrary as giving way to an essentially unlimited category of criminal liability:
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, . . . . Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.
Instead, he wrote, “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Because the government had not alleged that Korn/Ferry restricted Nosal’s access to the data at issue, it affirmed the dismissal.
Unfortunately, that rule wasn’t good news for employers in the 9th Circuit, who now face a significant obstacle when pursuing CFAA claims against thieving employees. According to Nosal, they must allege and prove that the offending employee had no authorization to access the stolen data for any purpose.
Nosal’s Case Goes On
But the case hasn’t ended there. Nosal’s indictment contained several other CFAA counts that the 9th Circuit didn’t consider on appeal. On remand, those counts presented another intriguing question about the CFAA: can a former employee violate the CFAA through an agent?
Consider, for example, a case in which employees Jack and Jill work for Acme, Inc. Jack voluntarily resigns from Acme, thereby terminating his authorization to use its computer systems. Jill, however, still works for Acme and is authorized to access its computer network. Jack then asks Jill to steal data from the Acme network on his behalf. By herself, Jill is immune from CFAA liability under Nosal, because she is authorized to access the network. But Jack has no such authorization. May the government prosecute him under the CFAA for asking Jill to pass him data that she herself may legitimately access?
In United States v. Nosal, 930 F. Supp. 2d 1051 (N.D. Cal. 2013), a federal district judge overseeing Nosal’s prosecution on the remaining counts said yes. The government alleged that – in addition to the theft he personally committed – Nosal and a co-conspirator had persuaded then-current Korn/Ferry employees to steal valuable business data on Nosal’s behalf. At the time of the theft, the employees were authorized to access the information, but Nosal and the co-conspirator were not. Nosal moved to dismiss those counts, arguing: “[B]ecause [a then-current employee] allowed Defendant’s co-conspirators to use her credentials to access the Korn/Ferry system, the co-conspirators cannot be said to be acting ‘without authorization’. . . .”
The court disagreed and denied the motion to dismiss. “[T]he Ninth Circuit made clear,” it held, “that it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization,” a rule established in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). Applying Brekka, the court found that “the CFAA appears to contemplate that one using the password of another may be accessing a computer without authorization.” Nosal has indicated that he will likely challenge that conclusion on appeal.
So What Does All This Mean For Employers?
On a practical level, what does this mean for employers? Nosal’s second appeal will likely reaffirm Brekka’s principle that “it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization.” In other words, the ways in which an employer designs its information technology infrastructure can have far-ranging legal consequences for its business. To anticipate those consequences, employers should:
- Implement access controls with the law of data security in mind. The manner in which an employer restricts access to its business data can make or break a subsequent CFAA claim. For each category of business data, employers should impose clear requirements dictating who may access it and who may not. Of course, well-developed access controls have other benefits, too. The Uniform Trade Secrets Act, for example, defines “trade secret” to include only information that “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” Trade secret plaintiffs commonly meet that requirement by offering evidence of thorough access controls.
Deciding to implement effective access controls in the abstract is easy. Actually doing so isn’t, for a number of reasons. For one thing, the particular controls that an employer should adopt depend heavily on the specifics of its broader IT infrastructure and business needs. Password protection alone may in some cases be too lax, especially if the employer has not developed a clear electronic technology policy for its employees. On the other hand, overly restrictive controls might inhibit communication among employees, hampering productivity and innovation. To achieve the right balance, employers need more than abstract legal knowledge; they (and their counsel) should carefully analyze the particulars of their business goals and IT infrastructure in light of the standards and ground rules set by the applicable law of data security.
- Use IT to determine the full scope of data theft. Nosal’s conviction also usefully illustrates the value of a well-designed IT infrastructure in uncovering evidence of theft, particularly when it comes to exiting tech-savvy employees. Had the evidence shown that only Nosal himself accessed Korn/Ferry’s confidential database, the CFAA charges against him would likely have failed. However, because the evidence revealed the involvement of multiple other co-conspirators, the government successfully showed that Nosal “accessed” its computer system through an agent, and at a time when he had no right to do so for any purpose.
Careful analysis of a departing employee’s company computer media can easily yield such key evidence. That analysis is as much a lawyer’s work as it is an IT professional’s. A normal computer’s hard drive contains far too much information for anybody to digest completely, which means that computer forensic investigators often need guidance on where and what to look for. Many investigators are familiar with the basic technical aspects of data theft – rapid file access, indicia of USB and cloud storage activity, etc. – but even the best investigators may miss key evidence. Evidence of illegal solicitation or a fragment of a web-based personal email to a co-conspirator may be lurking in a computer’s slack and unallocated space, but if an investigator focuses solely on an employee’s use of external storage devices, she may miss it. A lawyer’s involvement in the forensic investigation is often necessary to unearth such key facts.
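To make both points above concrete, here is a small illustration, added for this article and not code from the article or from any company it discusses: a per-category access check that denies at the point of access (an access restriction, not a use policy) and writes an audit trail, plus a summary routine that shows which accounts reached which data from which hosts, the kind of record that lets an investigation see one account being used by more than one person. The roles, data categories, account names and hosts are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: which roles may access each category of business data.
# A role absent from the set is refused at access time, so the restriction
# is on access itself rather than on how the data may be used afterwards.
ACCESS_POLICY = {
    "candidate_database": {"recruiter", "research"},
    "client_contracts": {"partner", "legal"},
    "payroll": {"hr"},
}

@dataclass
class AuditEvent:
    actor: str        # account whose credentials were presented
    role: str         # role the account holds when the request is made
    category: str     # data category requested
    allowed: bool     # outcome of the access check
    source_host: str  # where the request came from

audit_log = []

def request_access(actor, role, category, source_host):
    """Enforce the restriction and record the attempt, allowed or denied.
    Denied attempts are kept too: they document that an account had no
    right to the data for any purpose."""
    allowed = role in ACCESS_POLICY.get(category, set())
    audit_log.append(AuditEvent(actor, role, category, allowed, source_host))
    return allowed

def scope_of_access(log):
    """Summarize who reached which categories and from which hosts, so an
    investigation can spot one account used from several places, a sign
    that someone else may have been acting through that account."""
    scope = defaultdict(lambda: {"categories": set(), "hosts": set(), "denied": 0})
    for event in log:
        entry = scope[event.actor]
        entry["hosts"].add(event.source_host)
        if event.allowed:
            entry["categories"].add(event.category)
        else:
            entry["denied"] += 1
    return dict(scope)

def demo():
    """Constructed sequence: a current employee's account used from two
    hosts, then a former employee (no current role) refused outright."""
    audit_log.clear()
    request_access("jill", "recruiter", "candidate_database", "ws-12")
    request_access("jill", "recruiter", "candidate_database", "vpn-gw-7")
    request_access("jack", "former-employee", "candidate_database", "vpn-gw-7")
    return scope_of_access(audit_log)
```

In the constructed run, the summary shows jill's account reaching the candidate database from two different hosts while jack's attempt is recorded as denied, which is the distinction between an account that is authorized and one that is not.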
Nosal’s case is an important reminder that employers should plan ahead when it comes to data security. We will track his appeal as it progresses.