Ninth Circuit Limits Federal Criminal Liability Reach of Computer Fraud and Abuse Act to Hackers Only, Not Employees in Violation of Company Policy


Employees cannot be criminally prosecuted by the federal government for breach of an employer’s computer policies, according to the Ninth Circuit’s April 10, 2012 en banc opinion in U.S. v. Nosal.  The 9-2 en banc panel (with a strongly worded dissent) opted to narrowly construe the Computer Fraud and Abuse Act (“CFAA”) to avoid creating a world in which employees could be held criminally liable for “workplace dalliances” like accessing social media sites which may be in violation of a company policy that work computers may be used for business purposes only.  The opinion reversed the Ninth Circuit’s earlier April 28, 2011 panel decision and further deepened a split among circuits on this issue.

The Nosal opinion makes clear that, in the Ninth Circuit, violations of company policy are appropriately governed by tort and contract and perhaps the civil provisions of the CFAA, reserving criminalization for conduct which is “inherently wrongful, such as breaking into a computer.”  The court emphasized that “Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking” and that “the government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.”

The en banc panel cited several cases from other circuits interpreting the CFAA’s “exceeds authorized access” language as being “limited to violations of restrictions on access to information, and not restrictions on its use.”  Applying this interpretation, the Ninth Circuit affirmed the trial court’s decision that, because David Nosal’s accomplices had permission to access the company database and obtain the information contained within, the CFAA’s reach did not extend to punish the intention to use.

The Ninth Circuit did not explicitly apply its holding to the civil remedies available under the CFAA, although in a footnote it does seem to suggest that one employer overstepped the bounds of a viable civil CFAA claim when after an employee sued her employer for wrongful termination, the company counterclaimed that her use of Facebook in violation of Company policy was a civil CFAA violation.  The Ninth Circuit also did not address, either from a criminal or civil liability standpoint under CFAA, a somewhat different aspect of the language of the CFAA besides unauthorized “access”.  It is also a violation of the CFAA for an employee to “alter information in the computer that the accesser is not entitled to…alter”. The alteration or destruction of computer data is in issue more and more often in departing employee cases when individuals download unauthorized erasure programs like CCleaner in hopes of covering their tracks of potential wrongdoing.  The Nosal opinion also does not, in any way, limit an employer’s ability to discipline employees for these policy violations or preclude employers from raising other civil claims against employees who improperly access the company’s computer systems.