In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit last week ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it.
In a 22-page ruling, the appellate court held that an employee with valid access to corporate data, cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA), if they then misuse or misappropriate the data.
"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski said writing the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote. The term "exceed authorized access" under the CFAA applies specifically to external hackers and violations of "restrictions on access to information, and not restrictions on its use," Kozinski held.
The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court.
The case in question involves David Nosal, a former employee at Korn/Ferry, a large executive recruitment firm based in Los Angeles. Soon after Nosal left the firm a few years ago, he convinced a few of his former colleagues to join him in setting up a competing firm, according to a description of the case in court documents.
Before joining Nosal, some of he employees used their login credentials to access a confidential Korn/Ferry database and download a large list of names and contact information of executive candidates from around the world. The information, which was clearly marked as meant for Kron/Ferry's internal use and prohibited from disclosure, was then passed on to Nosal.
After the theft was discovered, Nosal was indicted on 20 counts, including mail fraud, trade secret theft and violations of the CFAA. He was accused under CFAA of aiding and abetting his former colleagues to exceed their authorized access on the Korn/Ferry system. Nosal appealed the CFAA charges, contending that the law applied only to external hackers and not to individuals who misused data after obtaining it in an authorized fashion.
His appeal was originally dismissed by the district court. The court held than individuals who accessed a computing with the intention to defraud were in fact exceeding their authorized access to the system.
Nosal filed a second appeal seeking to dismiss the CFAA charges after a Ninth Circuit decision in a separate case involving similar unauthorized access charges. That case involved an individual named Christopher Brekka, who was accused by his employer LVRC Holdings, LLC of accessing the company's computers without proper authorization, both while he was an employee and later after he had left the firm. The appellate court ruled that Brekka did not violate CFAA provisions through his actions, even when he accessed LVRC's computers and emailed confidential documents to himself and his wife just prior to leaving the company.
Sign up for Computerworld eNewsletters.