Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

9th circuit

433 Aufrufe

Veröffentlicht am

Veröffentlicht in: Business
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

9th circuit

  1. 1. Litigation Alert Ninth Circuit Holds Computer Fraud and Abuse Act Criminalizes Employee’s Access To Information In Violation Of Employer’s Express Access Limitations laurence f. pulgram, tyler g. newby and sebastian e. kaplanUnited States v. Nosal, No. 10-10038 (April 28, 2011) and by means of such conduct furthers the intended(Trott, J., O’Scannlain, J., Campbell, J.) fraud and obtains anything of value.” In light of the Ninth Circuit’s decision in LVRC Holdings LLChttp://www.ca9.uscourts.gov/datastore/ v. Brekka, which construed the phrase “accessesopinions/2011/04/28/10-10038.pdf . . . without authorization” to exclude the actionsSummary of individuals who had misused their otherwise authorized access to computer systems, the districtOn Thursday, April 28, 2011, the Ninth Circuit, in a split court dismissed five of the eight counts againstdecision, held that an employee could be criminally Nosal.liable under the Computer Fraud and Abuse Act, 18U.S.C. § 1030 (the “CFAA”), for exceeding authorized The Ninth Circuit’s Decisionaccess to an employer’s computer system by accessing In reversing the district court, the Ninth Circuitproprietary information in violation of the employer’s held that “an employee ‘exceeds authorizedwritten policies. In so holding, the Ninth Circuit access’ under § 1030 when he or she violatesjoined several other circuits in interpreting the CFAA’s the employer’s computer access restrictions—“exceeds authorized access” prong to cover violations including use restrictions.” Because the companyof an employer’s clearly disclosed computer use policy had contractually prohibited its employees fromto misappropriate proprietary company information. disclosing information on its computer system toThis interpretation of the CFAA also has ramifications third parties, or from using the information exceptoutside the employment context, and potentially for legitimate business purposes, the employeesextends to enforceable terms of use policies and other exceeded their authorization when they violated thatcontracts restricting network access. prohibition.Background of the Case The Ninth Circuit distinguished Brekka, whichThe facts of the case read like a garden-variety civil addressed the CFAA’s access without authorizationtrade secret dispute. David Nosal had worked for prong, as opposed to the exceeding authorizedthe executive search firm Korn/Ferry International, access prong at issue in Nosal. Unlike the companywhich he left to start a competing firm. Soon after in Brekka, Korn/Ferry had made its computer accessleaving the firm, Nosal engaged three Korn/Ferry and non-disclosure policies conspicuously clear toemployees to help set up the rival company. Those all its employees.employees downloaded information about executive The Ninth Circuit addressed the concern that itscandidates from Korn/Ferry’s password-protected interpretation of “exceeds authorized access” wouldleads database and provided that information to make criminals out of employees who violated theirNosal. All Korn/Ferry employees had been required to employer’s use policies by using work computers forsign employment agreements prohibiting disclosure of personal reasons. It held that the government—andsuch information. by extension, a plaintiff in a private civil action, whichIn a federal criminal indictment, Nosal, was charged is also available to enforce the CFAA—would still needwith violating § 1030(a)(4) of the CFAA, which imposes to satisfy the other elements of § 1030(a)(4). Thosecriminal liability for anyone who: “knowingly and elements require proof that that (1) the defendantwith intent to defraud, accesses a protected computer intended to defraud the company, (2) the computerwithout authorization, or exceeds authorized access, access furthered that intent, and (3) the defendant obtained something of value through the access.litigation newsletter www.fenwick.com
  2. 2. Implications For further information, please contact:Nosal gives greater teeth to computer access and use Laurence F. Pulgram, Partner, Litigation Grouppolicies, thereby improving companies’ ability to deter lpulgram@fenwick.com, 415.875.2390both outsiders and insiders from stealing confidential Tyler G. Newby, Of Counsel, Litigation Group andbusiness information. In Nosal, the computer use White Collar/Regulatory Grouppolicy prohibited disclosure to outside parties and tnewby@fenwick.com, 415.875.2495use other than for legitimate business purposes. Sebastian E. Kaplan, Associate, Litigation GroupRestrictions on disclosure create a bright line rule skaplan@fenwick.com, 415.875.2477that puts employees on notice. Restrictions on thepurpose of access—such as for legitimate business ©2011 Fenwick & West LLP. All Rights Reserved.purposes—present greater vagueness problems.Although the majority did not explicitly criticize Korn/ the views expressed in this publication are solely those of the author, andFerry’s restriction for legitimate business purposes, do not necessarily reflect the views of fenwick & west llp or its clients. the content of the publication (“content”) should not be regarded asit effectively replaced that standard by focusing on advertising, solicitation, legal advice or any other advice on any particular matter. the publication of any content is not intended to create and doesthe “intent to defraud” element. This suggests that not constitute an attorney-client relationship between you and fenwick &companies may face difficulty enforcing a computer west llp. you should not act or refrain from acting on the basis of any content included in the publication without seeking the appropriate legaluse policy where an employee’s motivation falls in or professional advice on the particular facts and circumstances at issue.the gray area between a legitimate business purposeand outright fraud. Where possible, computer usepolicies should be drafted to prohibit actions, insteadof intentions.Employers’ computer use policies, in addition tobeing clear, must be conspicuous. Korn/Ferry’s policywas disclosed to employees at the time of hiring andeach time an employee logged onto the Korn/Ferrycomputer system.Nosal also has implications for restrictions on accessto electronic information provided to customers orthe public. A company that provides informationon its website may be able to restrict the use of thatinformation through enforceable Terms of Use. Bythe same token, companies who access informationon an outside website should take note of whatuse restrictions exist. Nosal, however, involved theemployment context, and the Ninth Circuit has notyet addressed whether the definition of access orauthorization will be interpreted differently for non-employees.2 litigation alert – may 2, 2011 fenwick & west