Friday, April 29, 2011

Can Employees Be Criminally Prosecuted for Violating Their Employer’s Computer Policies?

BY: Nick Akerman

In California, Washington, Oregon, Alaska, Montana, Arizona, Nevada and Idaho – states
covered by the 9th Circuit Court of Appeals – the answer as of yesterday is an emphatic “YES.”
In U.S. v. Nosal, 2011 WL 1585600 (9th Cir. April 28, 2011), the court clarified its decision in
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009), which up until now was
considered to be a bar to using the Computer Fraud and Abuse Act (“CFAA”), the federal
computer crime statute, against employees who stole their employer’s computer data. This case
places the 9th Circuit in sync with the other Circuit Courts that permit the CFAA to be used
against employees who steal data from the company computers.

The CFAA, while primarily a criminal statute, permits victims of computer crime, including
companies, to bring civil actions for damages and injunctive relief based on violations of the
statute. Title 18, U.S.C. §1030. A key element in proving either a civil or criminal violation of
the CFAA is that the employee accessed the company computer “without authorization” or
“exceed[ed] authorized access.” Brekka has been cited for the simplistic proposition that
employees have permission to access the company computers and, thus, by definition cannot
access the company computers without authorization.

David Nosal, a Korn/Ferry executive, was indicted for stealing confidential data from the
company computers prior to joining a competitor. Nosal had allegedly recruited “three
Korn/Ferry employees to help him start a competing business.” Id. at *2. According to the
Indictment, these employees, “using their user accounts to access the Korn/Ferry computer
system” “transferred to Nosal source lists, names, and contact information from the ‘Searcher’
database – a ‘highly confidential and proprietary database of executives and companies’ – which
was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive
candidates in the world.’” Id.

The district court had originally upheld the CFAA counts against Nosal based on precedent in
other Circuits but changed its decision and dismissed the counts after the Brekka decision. The
government appealed, relying on Korn/Ferry’s computer policies that restricted the scope of
employees’ access to the company computers including one that “restricted the use and
disclosure of all such information, except for legitimate Korn/Ferry business.” Id. The
government argued that based on these policies, Nosal had exceeded authorized access.

The court agreed with the government, citing the statutory definition of “exceeds authorized
access,” which means “to access a computer with authorization and to use such access to obtain
or alter information in the computer that the accesser is not entitled so to obtain or alter.” The
court held that the word “so” in the statutory definition “refers to an accesser who is not entitled
to access information in a certain manner.” Id. at *4. Thus, the court held that “an employee
‘exceeds authorized access’ under §1030 when he or she violates the employer’s computer
access restrictions – including use restrictions.” Id.

The Nosal court distinguished its prior decision in Brekka on the facts: “[b]ecause LVRC [the employer]
had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to
know whether – or when – his access would have become unauthorized.” Id. at *6. The key
difference was the Korn/Ferry computer policies. The court concluded “as long as an employee
has some permission to use the computer for some purpose, that employee accesses the computer
with authorization even if the employee acts with a fraudulent intent.” Id. Thus, “as long as the
employee has knowledge of the employer’s limitations on that authorization, the employee
‘exceeds authorized access’ when the employee violates those limitations.” The court
emphasized, “[i]t is as simple as that.” Id.

Finally, the court directly responded to Nosal’s argument that its decision “will make criminals
out of millions of employees who might use their work computers for personal use, for example
to access their personal email accounts or to check the latest college basketball scores.” Id. at *7.
The court pointed out that the CFAA “does not criminalize the mere violation of an employer’s
use restrictions.” Id. Rather, the employee must evince an intent to defraud and take something
of value. Thus, there must be more than “[s]imply using a work computer in a manner that
violates an employer’s use restrictions.” Id.

This case is all about instituting clear and conspicuous computer use policies. (“Korn/Ferry
employees were subject to a computer use policy that placed clear and conspicuous restrictions
on the employee’s access to the system in general and to the Searcher database in particular.” Id.)
The major takeaway from the Nosal decision is that every company that is serious about
protecting its computer data should have comprehensive computer policies that clearly spell out
the scope of their employees’ authorization to access the company computers. It is no longer a
viable option to do nothing.



Nick Akerman (212) 415-9217 akerman.nick@dorsey.com
Nick is a partner in the New York office of Dorsey & Whitney.
For additional articles like this one or to watch my one-hour CLE seminar video, go to:
http://computerfraud.us


PRESENTED BY: Executive Leadership, LLC 
SPECIALIZING IN: Career Transformation/Change and Executive Coaching/Development 
WEBSITE: http://www.exec-leadershipLLC.com

