U.S. Solicitor General, Donald B. Verrilli, Jr., has announced that his office has decided not to appeal from the U.S. Court of Appeals for the Ninth Circuit’s 9-2 en banc decision narrowing the scope of the Computer Fraud and Abuse Act (CFAA) in U.S. v. Nosal (for more on that announcement, see Seyfarth Shaw’s post yesterday detailing that decision). I had promised to do a recap of what others in the trade secret community and other interested commentators had to say about the decision, as well as my own take on the decision after having had the opportunity to more carefully review it and its construction of the CFAA. And, unfortunately for employers in the Ninth Circuit and especially those in California, I have concluded the Ninth Circuit dropped the ball on this one.
First a quick recap of Nosal. The federal government indicted David Nosal, a former employee of AON, for violating the CFAA because after his resignation, he persuaded other former colleagues at AON to access their computers and gather information that would be helpful to his new venture. AON had a policy forbidding the use of company computers for anything other than company business, so the government argued that Nosal and those employees had exceeded their authorized access of the protected computers in question by violating those polices.
The district court rejected that argument and dismissed the CFAA claim. The first panel of the Ninth Circuit reversed the trial court, finding that violating a computer use policy was sufficient grounds for exceeding authorized access in April 2011. The Ninth Circuit then agreed to reconsider the panel en banc and then issued its 9-2 ruling on April 10.
What Other Commentators Think: No surprises here. Bloggers and commentators who represent employers were generally disappointed with the decision, while academics, privacy advocates and the media were generally enthusiastic about it. Of all of the fine commentary on both sides of the holding, I especially liked Kenneth Vanko’s take on the decision.
The Trade Secret Litigator’s Take: When I first read the Nosal decision, I wanted to agree with Chief Judge Kozinski and the majority for primarily three reasons. First, like others, I was troubled by the potential for Internet Service Providers or companies like Facebook, Google and others to use their “Terms and Conditions” (i.e., the fine print accompanying each application, license or grant of access to use their site) to convert every garden-variety breach of contract action into a CFAA case.
Second, like Kenneth Vanko, I thought that in the context of trade secret litigation, the CFAA was arguably redundant. Most employers and companies already have plenty of legal remedies under state trade secret laws, through breach of contract remedies such as breach of a non-compete or non-disclosure agreement, and under common law claims of breach of fiduciary duty and conversion.
Third, there has also been mounting criticism of federal prosecutors for criminalizing trivial things like inadvertently scavenging for arrowheads in a national park (take a look at The Wall Street Journal’s series of articles on these and other prosecutions), and the CFAA could present yet another opportunity for an overzealous prosecutor. In that respect, the Nosal majority’s concern was not “chimercal” as Judge Kozinski noted.
Despite these leanings, when one applies a plain reading to the language of the statute, the Nosal majority simply got it wrong on two counts. (I have attached a link to the statute for everyone to see for themselves).
There are two key provisions of the CFAA at issue. First, subsection 1030(a)(4) reads as follows:
“[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
The second relevant provision is 1030(e)(6) which defines the critical terms “exceeded authorized access.” It defines those words to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
First, the underlined language “knowingly and with intent to defraud” and “by means of such conduct furthers the intended fraud . . .” obviates the majority’s concern that the statute could be used to criminalize or expose an employee for checking out ESPN at work, as such a frolic could not credibly be equated with an intent to defraud. The minority correctly criticized the majority for setting up “straw men” arguments because of the existence of that limiting language.
Second, the majority punted on the plain meaning of the language “exceeded authorization access.” When faced with prosecutor’s arguments that it would be rendering some of the language of the definition superfluous if it adopted Nosal’s interpretation (in particular, it would be ignoring the word “so”), the majority resorted to arguing that the government’s interpretation would render other provisions of the CFAA superfluous (in particular subsection 1030(a)(4)). However, as the minority pointed out, that issue or subsection was not before the majority, and the Ninth Circuit erred in entertaining these hypothetical positions to interpret what was otherwise straightforward language before it.
The decision’s impact? In the four months since Nosal was issued, its reasoning has rippled well beyond the Ninth Circuit. Two district courts in Michigan and the U.S. Court of Appeals for the Fourth Circuit in WEC Carolina Energy v. Miller, have adopted some or all of Nosal’s reasoning and have refused to extended the CFAA to computer usage policies. As I noted earlier this week, there is now a full-blown split between the circuit (the reasoning of the Fifth, Seventh and Eleventh Circuits was rejected in Nosal and in WEC Carolina). For this reason, it is disappointing that the Solicitor General did not throw his considerable weight behind an appeal to see that this split was resolved.
Nosal’s impact will be felt greatest in California, which rarely enforces non-competes. As a result, I think employers in California will feel Nosal’s brunt most because they are pretty much now limited to California’s version of the Uniform Trade Secret Act.
What can employers do? As I mentioned on Monday, the Fourth Circuit found that the policy in question in WEC Carolina only addressed “use” and did not forbid “accessing” the computer for any improper purpose. Consequently, tailoring your client’s computer use policies to forbid accessing files for any purpose beyond the employer’s business or interests could salvage a CFAA claim, at least for those in the Fourth Circuit.