Violation of Company Computer Policy Not a Federal Crime

It’s not a federal offense to use your company computer for personal browsing, even if it is contrary to corporate policy—at least in the Ninth Circuit.

The appellate court upheld the trial court’s dismissal of criminal charges under the Computer Fraud and Abuse Act (CFAA) against David Nosal, a former employee of the executive search firm Korn/Ferry. Nosal was charged with aiding and abetting some of his coworkers in exceeding their authorized access by encouraging them to download source lists, names, and contact information from a confidential database and give that information to him to help start up a competing company.

The appellate court agreed with Nosal that the phrase “exceeds authorized access” under the CFAA applies when a person “hacks” into a computer, not when a person has legitimate access to the computer and only violates the company’s policies by downloading computer files.

“If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose,” the court wrote in the majority opinion.

Charges were brought against Nosal for aiding and abetting some of his former colleagues in providing information to him to start up a competing company. The government argued that by violating the company’s computer policy, the remaining employees exceeded their authorized access and thereby violated the CFAA.

“Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved,” the court said.  “Employees who call family members from their work phones will become criminals if they send an email instead.  Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com.  And Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars.”

Additionally, the court noted that a post “describing yourself as ‘tall, dark and handsome,’ when you’re actually short and homely, will earn you a handsome orange jumpsuit.”

In a dissenting opinion, the minority said the case “has nothing to do with playing Sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values.”  Instead, it noted, the case involved “stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”

United States of America v. David Nosal, Ninth Cir. No. 10-10038, filed April 10, 2012.