
Workers did not exceed authorization when data stolen, says appeals court

Jaikumar Vijayan | April 20, 2012
In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit last week ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it.

The court held that Brekka had been authorized to use the computer and had been entitled to access the documents and therefore could not be charged with exceeding his access rights.

The district court upheld Nosal's second motion to dismiss the CFAA charges, after the Brekka ruling. The government filed an appeal following that decision. Kozinski last week offered the same rationale used in the Brekka case to dismiss the government's appeal.

The CFAA, he wrote, applies primarily to unauthorized access involving external hackers. The definition of "exceeds authorized access" under the CFAA applies mainly to people who have no authorized access to the computer at all. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system. Applying the language in the CFAA any other way would turn it into a "sweeping Internet-policing mandate," he wrote.

"Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a 'nonbusiness purpose'?" he wrote. "If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?"

Kozinski acknowledged that other appellate courts have applied the CFAA more broadly, to cover violations of corporate computer use restrictions or violations of a "duty of loyalty". In his opinion, Kozinski said he was not persuaded by the decisions of the other courts and insisted that the term "exceeds authorized access" was meant to be applied in a very narrow and specific context.

"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he said. "Employees who call family members from their work phones will become criminals if they send an email instead."

In a dissenting opinion, Circuit Judges Barry Silverman and Richard Tallman wrote that the majority had taken a clearly written federal statute and parsed it in a manner that distorts the original intent.

"This is not an esoteric concept," Silverman wrote. "A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself." Similarly, while a new car buyer might be entitled to test drive a new car, he would "exceed his authority" to take the car to Mexico. "No other circuit that has considered this statute finds the problems that the majority does," he wrote.


