Earlier this month, a federal judge in San Francisco sentenced David Nosal to a year in prison, three years’ supervised release, 400 hours of community service, and $60,000 in fines. His crime? Nosal violated the Computer Fraud and Abuse Act (“CFAA”), among other federal statutes, when he departed from his former employer with a stash of its most sensitive business data.
Employment law doesn’t normally develop in criminal courtrooms, but Nosal’s case is an important exception. The outcome of his pending appeal to the 9th Circuit will almost certainly offer important guidance for employers on how best to prevent and, where necessary, remedy employee data theft. It’ll likely reinforce a familiar lesson: employers should craft their employee technology policies with an eye toward the law of data security. A well-developed IT infrastructure can give an employer substantial legal advantages and lead to better outcomes when employee data theft occurs.
What Is The CFAA?
To understand the practical importance of Nosal’s case, employers should first understand how the CFAA can apply to departing employees who steal company data. Congress passed the CFAA in 1986 – before the advent of most modern information technology – to combat computer hacking. The CFAA makes it a federal offense to obtain information or perpetrate a fraud either by (a) accessing a computer “without authorization,” or (b) by “exceed[ing] authorized access” on any such computer. In addition to its criminal penalties, the CFAA creates a parallel civil cause of action for hacking victims.