Stealing Corporate Data Doesn't Violate Federal Computer Fraud Law

ID THREATPOST:8C8024F1C0DF04D219D71975216D3E55
Type threatpost
Reporter Brian Donohue
Modified 2013-04-17T20:03:37


In a ruling that could be felt throughout the business world, the U.S. Court of Appeals for the Ninth Circuit in California ruled that a man did not violate the Computer Fraud and Abuse Act (CFAA) after pilfering contacts from the client database of his former employer to help jumpstart his competing business venture.

Chief Judge Alex Kozinski ruled in David Nosal vs. USA that the CFAA’s prohibition on “exceeding authorized access” to a computer is limited to violations of restrictions on access to information, and not restrictions on the use of such information, if it is fairly obtained.

According to the opinion, Mr. Nosal was an employee at the executive head-hunting firm Korn/Ferry. After leaving that firm voluntarily, Nosal reached out to some former colleagues and convinced them to download source lists, names, and contact information from a confidential database on the company’s computer. Nosal’s former colleagues were still employed with Korn/Ferry, and thus they did not exceed authorized access. However, the company had a policy in place that forbade the disclosure of confidential information.

The government charged Nosal with twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA for aiding and abetting Korn/Ferry employees in “exceed[ing their] authorized access” with the intent to defraud.

Nosal and his defense team filed a motion to dismiss the CFAA counts, arguing that the statute was designed to target hackers who gained access to systems from the outside, not persons who misuse information on systems to which they had authorized access. The district court rejected Nosal’s argument.

Kozinski and the Appeals Court, however, concluded that the CFAA does not extend to violations of use restrictions.

“Does an employee who violates such a policy commit a federal crime?” Kozinski asked in his opinion. “How about someone who violates the terms of service of a social networking website?”

He went on to write, “If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.”

Kozinski further justified his ruling by explaining that criminal statutes must be construed narrowly so that citizens may have fair notice of laws and so that Congress will not unintentionally turn citizens into criminals.

Furthermore, he reasoned, the legislative history of the statute in question proves that it is intended to punish hackers for the circumvention of technological access barriers. Nosal misappropriated trade secrets. But that is a subject, Kozinski claims, that Congress has dealt with elsewhere.

The issue of how far to extend copyright protections and other kinds of contracts that end users engage in with software vendors is a pressing one. Protest erupted over the proposed federal Stop Online Piracy Act (SOPA), which sought to increase penalties for copyright violations. The controversy over software like CarrierIQ has made the public suspicious of corporate spying. At the same time, changes to the Digital Millennium Copyright Act have made it easier for technology enthusiasts to jailbreak and otherwise modify hardware without fear of criminal prosecution.