United States v Nosal
In United States v. Nosal the U.S. Court of Appeals for the 9th Circuit held that an employee’s use of confidential information, in violation of their duties to the company and for unintended or unauthorized uses, is not a violation of the Computer Fraud and Abuse Act (CFAA) because the employee did not initially exceed their authorization.
The significance for private and government employers is that this ruling now severely limits an employer’s ability to seek relief under the CFAA and the Stored Communications Act.
Do employers have any recourse where intellectual property and critical information (IPCI) are removed by an employee with ‘‘authorization’’? How is it determined if an employee has “authorization”? Further who knows if they did or did not have access or use prohibitions under the terms of their employment and/or have been removed due to their future termination.
Dissenting in Nosal, Judge Barry G. Silverman made a good comment.
This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts. . . . No other circuit that has considered this statute finds the problems that the majority does.
This is a close to being the perfect case to justify a proper OPSEC program with needs to know and needs to use clearly spelled out. Further, it highlights the necessity for the use of a good employment agreement. This agreement should be very clear about what is considered by the company to be its IPCI and why that company considers the IPCI a real and valuable and unique asset. It should also have the opportunity for administrative penalties – as opposed to having to always seek a court of competent jurisdiction.