On July 5, 2016, the Ninth Circuit Court of Appeals issued its highly anticipated decision in the most recent chapter of United States v. Nosal, holding that an individual acts “without authorization” as used in the Computer Fraud and Abuse Act (“CFAA”) when, after his/her own access has been revoked, the individual utilizes legitimate log‑in information of another to access company databases. This decision has important consequences for organizations as they consider how to implement policy and technical controls on user access to ensure they are protected against unauthorized access under the CFAA.
On Monday, January 25th, the Supreme Court issued the most recent Computer Fraud and Abuse Act decision in Michael Musacchio v. United States. After leaving his employer to start his own company, the defendant (a former executive) continued to use his password and login credentials to get access to his now former employer’s computer and e-mail system. The government charged the Musacchio with violating the CFAA for intentionally accessing his former employer’s computer systems without authorization. However, at trial the court instructed the jury incorrectly that a CFAA violation required proof that he gained unauthorized access and exceeded authorized access. The CFAA, however, only requires proof that the individual either “intentionally accesses a computer without authorization or exceeds authorized access.” The Supreme Court upheld his conviction, explaining that “[w]hen a jury finds guilt after being instructed on all elements of the charged crime plus one more element, the jury has made all the findings that due process requires.”
On December 3, the Second Circuit Court of Appeals became the most recent entrant into the circuit conflict on the question of when and under what circumstances an employee’s use of a computer to gain access to unauthorized information constitutes a violation of the Computer Fraud and Abuse Act. Over a dissent, the Court held that an employee cannot be convicted of violating the CFAA when he uses a database, to which he has been granted access, in a manner that is prohibited by company policy. With the Second Circuit joining the Fourth and Ninth Circuits in the minority on the issue, the answer continues to turn on the jurisdiction in which the suit was brought. Employers should take note because the decision reinforces the need to consider carefully whether and how to limit employee access to sensitive company information within its network—e.g., by use of written policy or technical access restrictions—and how those protections will play out in court if an employee takes company information for use in future employment.