Thursday, April 12, 2012
U.S. v. Nosal Leaves Me Feeling a Bit Conflicted
Put simply, what does it mean to use a computer "without authorization" or to use it in such a manner which "exceeds authorized access"? Courts have not been consistent in interpreting these terms, and those terms are key to stating a computer fraud claim under federal law.
This issue arises in competitive disputes - not just the obvious cases of computer hacking. How does it arise? Simple. An employee who is planning a departure accesses a customer list on a server, copies it, quits, and competes by using the list. That's a straightforward example. (No doubt, there are others that are more nuanced, but we'll leave it at that for today.)
Courts in several circuits - the Seventh included - have taken a broad interpretation of the CFAA's terms, reasoning that once an employee violates a duty of loyalty, his use and access of a protected computer to obtain confidential information must exceed what has been authorized. Others - the Ninth, sort of - have construed the statute narrowly.
In Nosal, the Ninth Circuit addressed the issue of whether an individual commits a federal crime by accessing protected computer information in a manner inconsistent with an employment policy regarding confidential data. The full Ninth Circuit held that the CFAA could not be read so narrowly.
For discussion on this case, please see excellent posts by John Marsh here and Robert Milligan here.
My take. I'm conflicted.
Ultimately, I think the dissent in this case - which cautioned against reading too much into absurd hypotheticals - has a point about the gravity of stolen confidential data in the workplace. Judge Posner, who wrote an influential opinion in the Seventh Circuit, also has soundly reasoned that the common law duty of loyalty has to play a role in putting color on the meaning of "authorized access."
Here's my problem, though. Don't other claims cover this type of conduct? Why do we have common law torts for breach of the duty of loyalty, interference, trade secrets misappropriation, unfair competition, or even civil theft? And what is up with the incessant need of lawyers to pile on multiple, duplicative claims for the same conduct? I don't get this.
In short, I think the CFAA has been overapplied and has resulted in a broad federalization of claims that were intended to fall within the purview of state courts. Personally, federal courts should be courts of limited jurisdiction, and it seems kind of silly to keep expanding a statute which was originally intended to prevent computer hacking, damage to records of the federal government, and theft of information from financial institutions.
There is another problem. The statute is abysmal, cobbled together through a patchwork of amendments (six by my count in less than twenty years). I still don't understand it. The dissent in Nosal got it wrong, in my opinion, when it called the CFAA's provisions "quite clear." Not so. This also isn't the first time Congress or some other legislative body screwed up a statute. But if the intent is to federalize what amounts to trade secrets misappropriation, Congress should just say so.