Information security threats come from a variety of sources, including outside hackers and disloyal corporate insiders. One federal statute that may provide a powerful remedy when a company’s defenses are breached and data is stolen from its computer system is the Computer Fraud and Abuse Act (CFAA). The CFAA imposes criminal penalties upon anyone who, among other things, “knowingly and with intent to defraud, accesses a protected computer without authorization or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The CFAA also gives victims a private cause of action against violators. While the CFAA clearly applies to outside hackers, the extent to which the statute can be used against disloyal insiders has been vigorously disputed and has resulted in an ongoing federal circuit split.
If an employee possesses legitimate credentials to access his employer’s computer system, does the employee violate the CFAA by using those credentials to download and use corporate information for an improper, prohibited purpose? Courts in the 1st, 5th, 7th, and 11th circuits say “yes.” In those circuits, regardless of whether an employee holds legitimate computer access credentials, his actions may violate the CFAA if he obtains data for a purpose contrary to the interests of the company in violation of company policies. By contrast, courts in the 2nd, 4th, and 9th circuits apply the statute much more narrowly. To be liable for a CFAA violation in one of these jurisdictions, a defendant must gain access to a company system and either (a) obtain data without legitimate access credentials or (b) “exceed authorized access” by gathering information from a part of the company’s system the person was not authorized to access. Because North Carolina falls within the 4th Circuit, cases decided here apply the CFAA narrowly, covering only situations in which the defendant obtains information from a computer system without proper credentials or without authorization to access the part of the system from which the information was obtained.
A recent case from the 9th Circuit, United States v. Nosal, broadened the circumstances in which a corporate insider may be liable for a CFAA violation under the “narrow” view. Nosal was an employee of an executive search firm who left the company to launch a competitor. After leaving his former position, Nosal continued to access his prior employer’s computer system and steal important data by using credentials provided to him by his former assistant, who remained with the company. If his former assistant had downloaded the data using her own credentials and then provided it to Nosal, there would have been no CFAA violation. However, the 9th Circuit held that because the assistant instead gave her credentials to Nosal and he accessed the system after his own credentials had been revoked, he acted in violation of the CFAA. The fact that Nosal used credentials given to him by someone with a legitimate right to access the system did not protect him from CFAA liability, because the company itself did not authorize him to access the system.
Nosal generated a vigorous dissenting opinion, in which Judge Stephen Reinhardt argued the court’s holding could be broadly applied to criminalize relatively innocuous password sharing, such as allowing a friend to check your email or providing your Netflix password to a relative. To avoid this result and limit the CFAA’s application to situations more commonly characterized as hacking, Judge Reinhardt asserted that a defendant has “authorization” to access a company’s system under the CFAA whenever that person either has legitimate access credentials from the company or accesses the company’s system using the credentials of an authorized user with that person’s consent. In other words, according to the dissent, the necessary “authorization” to access the computer can come either from the company itself or from any authorized user of the company’s computer system.
If a case similar to Nosal were to arise in North Carolina, whether a North Carolina-based court would adopt the majority rule from Nosal or be persuaded by the dissent remains open. Regardless, Nosal serves as a reminder that companies should, as a part of a robust information security plan, adopt and enforce strong policies governing access to and use of company systems, including immediately revoking system access privileges of terminated employees, strictly limiting the circumstances under which employees may share their access credentials with others, and carefully considering all available remedies, including those provided under the CFAA, whenever a data breach occurs.