Below is an article that I wrote for the June edition of Massachusetts Lawyers Journal, the monthly publication of the Massachusetts Bar Association. It discusses an important case that interprets the Computer Fraud and Abuse Act and the split in the law that case has created with the First Circuit, which includes Massachusetts.
The U.S. District Court for the District of Massachusetts has noted that employers are increasingly using the federal Computer Fraud and Abuse Act (CFAA) “to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.” But in April, the U.S. Court of Appeals for the Ninth Circuit made such employer lawsuits more difficult in that circuit by issuing its en banc decision in United States v. Nosal. In Nosal, the Ninth Circuit determined that an employee does not “exceed authorized access” to information in a computer under the CFAA when he or she violates an employer’s computer use restrictions. In contrast, the First Circuit concluded more than a decade ago in EF Cultural Travel BV v. Explorica, Inc. that contractual restrictions can serve as the basis for a CFAA violation. This circuit split affects the ability of employers to maintain lawsuits under the CFAA against former employees who were authorized to access their employer’s confidential information but took that information to competitors. It also tees up the CFAA for review by the Supreme Court.
I. The CFAA
The CFAA provides for both criminal and civil liability (if certain conditions are met) when a person commits various acts involving a computer and “exceeds authorized access” or acts “without authorization” in the process. The provision under review in both Nosal and Explorica was 18 U.S.C. § 1030(a)(4), which imposes liability on someone who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” “Without authorization” is not defined. Both the Ninth Circuit and the First Circuit focused their respective analyses on whether employees “exceed[ed] authorized access” when they were permitted by their employers to access certain information on a computer, but then used that information for the benefit of competitors. But because “without authorization” is not defined, judicial interpretations of “exceeds authorized access” necessarily affect the meaning of “without authorization” as well.
II. The Ninth Circuit: Limiting the CFAA to “Hacking”
In Nosal, the defendant Nosal worked for an executive search firm and, shortly before he left, convinced several employees to start a competing business with him. He asked the employees to use their log-in credentials to download confidential information from the firm’s computers and to send the information to him. The employees were permitted to access the information by their employer, but were forbidden from disclosing it. Nosal was indicted for aiding and abetting the employees in “exceed[ing] their authorized access” in violation of 18 U.S.C. § 1030(a)(4). The charge was dismissed by the district court, and the government appealed.
The Nosal court, sitting en banc, affirmed, reasoning that “exceeds authorized access” should only be applied to a person “who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as ‘hacking.’” The statutory definition of the phrase supported this interpretation because “entitled” should be read as a synonym for “authorized” in the text and a broader interpretation “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute,” which the court would not presume Congress intended absent clearer language. A broader construction “would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer.” What is more, because § 1030(a)(2)(C) punishes a person who merely “exceeds authorized access” and “obtains information from any protected computer” without intent to defraud, a broader interpretation “makes every violation of a private computer use policy a federal crime.” The court construed the statute narrowly “so that Congress will not unintentionally turn ordinary citizens into criminals” and concluded that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Because Nosal’s coworkers had permission to access the information, Nosal was off the hook.
The dissent, citing the Explorica decision among others, noted that none of the other circuits to consider the meaning of “exceeds authorized access” read the statute the same way.
III. The First Circuit: Breach of Confidentiality Agreement Proves Excessive Access
The First Circuit in Explorica reviewed the district court’s issuance of a preliminary injunction against defendant Explorica and several of its employees pursuant to § 1030(a)(4) of the CFAA. In Explorica, an Explorica employee who was a former employee of the plaintiff, EF Cultural Travel BV (EF), revealed EF proprietary information to Zefer, a company employed by defendant Explorica, an EF competitor, in violation of his confidentiality agreement with EF. Zefer then used that information to create a computer program that “scraped” EF’s public website of pricing information, thus allowing Explorica to undercut EF’s prices.
The court ruled that the district court’s decision was not clearly erroneous because “whatever authorization Explorica had to navigate around EF’s site (even in a competitive vein),” if EF’s allegations were proven, EF likely would prove that Explorica “exceeded that authorization by providing proprietary information and know-how to Zefer to create the scraper.” In fact, “[p]ractically speaking, . . . if proven, Explorica’s wholesale use of EF’s travel codes to facilitate gathering EF’s prices from its website reeks of use—and, indeed, abuse—of proprietary information that goes beyond any authorized use of EF’s website.” Although decided in a different factual and procedural context than Nosal, as one judge in the District of Massachusetts noted, the First Circuit in Explorica “advocated a broader reading” of the CFAA than the Ninth Circuit.
IV. Conclusion: On to the Supreme Court?
The Nosal decision’s statement that a CFAA violation is limited to violations of restrictions on access to information, not use, when read with Explorica’s competing conclusion that a CFAA violation may be based on the abuse of proprietary information, crystallizes the CFAA circuit split for Supreme Court review. Violations of an employer’s contractual and computer use policies cannot be used to show a CFAA violation in the Ninth Circuit, but they can in the First Circuit. Assuming the government seeks certiorari, a decision by the Supreme Court not to review the Nosal case will have an immediate impact on employer decisions on where to file CFAA claims against former employees who may have taken confidential information. In fact, the Nosal decision adds yet another hurdle for employers filing lawsuits in California (part of the Ninth Circuit) in addition to the unenforceability of non-competition agreements as a matter of policy in that state. The circuit split is even more important because of the location of important industries: Silicon Valley and Massachusetts (part of the First Circuit) are high-tech hubs where many companies rely on highly sensitive information to stay ahead of the competition. If the Supreme Court chooses not to review Nosal, more employers will file CFAA cases outside of the Ninth Circuit.