When Does an Employee Act “Without Authorization” When Accessing Company Data?

A case recently argued before the entire Ninth Circuit Court of Appeals highlights the importance of having company policies that not only limit what data employees can access, but also place specific limitations on how employees can use the data to which they are allowed access.

The Ninth Circuit is reviewing its earlier decision in U.S. v. Nosal, 661 F.3d 1180, in which Nosal was accused of violating the Computer Fraud & Abuse Act (“CFAA”) by recruiting employees of Korn/Ferry International to obtain trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. The employees then transferred this information to Nosal.

The CFAA prohibits accessing a protected computer without authorization, or by exceeding authorized access. The issue for the court to decide is whether the employees, who had authority to access the computer system, nevertheless exceeded their authority when they used the information from the computer for an unauthorized purpose, i.e., transferring the information to Nosal.

The court had previously found that such unauthorized use of the information did, in fact, constitute exceeding their authorized access. Crucial to the court’s decision was the fact that Korn/Ferry had computer policies in place that specifically restricted the use of computer information. The court stated that an employer’s restrictions on the use of computer information define when an employee has exceeded their authorized access. In the absence of specific restrictions on the use of computer information, the court probably would not have found a violation of the CFAA. It is now up to the entire Ninth Circuit Court of Appeals in an en banc hearing to determine whether it will uphold this decision.

Do your computer security procedures not only limit the information to which employees have access, but also limit the manner in which they can use the information to which they are allowed access? Such policies are an important part of a company data protection plan.

Post by: Richard N. Sheinis