Friday, February 20, 2015

Obama Administration's Cybersecurity Proposal Would Broaden CFAA

The Obama Administration has been active in addressing concerns related to cybersecurity and trade secrets theft. In 2013, the Administration rolled its strategy to mitigate trade secrets theft - the first of its kind executive-level white paper that specifically identified trade secrets protection as part of a national economic security strategy.

In January of this year, the Administration went further than I anticipated by endorsing amendments to the somewhat controversial Computer Fraud and Abuse Act. As readers of the blog know, the CFAA can be a jurisdictional hook to bring trade secrets claims into federal court. It is broader than trade secrets law in some respects (it protects unauthorized access of any information contained in a protected computer, not just trade secret information) and much narrower in others (it contains a $5,000 damage or loss requirement).

Part of the controversy surrounding the CFAA has involved statutory language that bars someone from accessing a computer in a manner that "exceeds authorized access." That language has given courts fits, with circuit courts applying different interpretations to the statutory language. The controversy crystallized in United States v. Nosal, a federal prosecution of a Korn-Ferry executive recruiter that brought to the fore the various CFAA interpretations of "exceeds authorized access." My take on Nosal and a summary of circuit court treatment of the issue is found in this post.

The Administration's proposed set of amendments to the CFAA cuts against the Nosal approach and resolves a question where there's a split of authority: whether "exceeds authorized access" includes the misuse of information even if access to it was technically permitted. Example: copying data from a work computer to a personal thumb-drive for use at a new job.

The amendment would define "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information: (a) that the accesser is not entitled to obtain or alter; or (b) for a purpose that the accuser knows is not authorized by the computer owner." Part (b) is the Nosal amendment and would resolve the circuit split in favor of what the employer-friendly jurisdictions, like the Seventh and Eleventh Circuits, endorse.

The impact of this proposed amendment is uncertain. On the one hand, if adopted, it almost surely would mandate corporate counsel to draft a computer usage policy so that a court would have some objective indication of what the computer owner authorizes.

On the other, it criminalizes a range of activity well below trade secrets theft, since there is no requirement that the information accessed be a trade secret or even lesser-protected "confidential" information. As long as the company can establish a value in excess of $5,000, the CFAA would apply. And on that score, the CFAA contains nothing to limit how a computer owner can establish that particular information is worth $5,000.

For a comprehensive take on the Administration's proposal, see Professor Orin Kerr's January 14 article in the Washington Post.

No comments:

Post a Comment