In this security-related case, most 9th Circuit judges thought the U.S. government had charged the defendants under a law that, in the circumstances, they didn’t break. What the defendants did, they ruled, was not a federal crime under the Computer Fraud and Abuse Act (CFAA). But what they did appears to be highly illegal, perhaps under different laws.
What happened. “Norman” worked for the executive search firm Korn/Ferry in California. He resigned from his employer with the specific intent to open a competing business. Then he contacted three friends among his former co-workers and persuaded them to join him in his new business—but to do something else before they resigned. He asked them to use their passwords to access Korn/Ferry’s database, download proprietary information about executive candidates, and forward that information to him.
They complied. But it wasn’t long before the federal government indicted Norman on 20 charges, including trade secret theft, mail fraud, conspiracy, and violations of CFAA. Norman argued to a federal district judge, essentially, that CFAA protects against hackers but not against employees with legitimate access, which his former co-workers had at the time. The judge agreed, and the government appealed to the 9th Circuit, which covers Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington.
A three-judge circuit panel overturned the district court, finding Norman had violated CFAA. Norman asked the circuit to rehear his case before the full bench, and the circuit complied.
What the court said. Nine of the 11 judges agreed with the district judge that CFAA was not violated in this case. In a colorful opinion, the judge wrote that people violate the terms of various websites all the time, and would be shocked to be accused of a federal crime for, say, lying on a dating site or playing Sudoku on their computers at work. U.S. v. Nosal, U.S. Court of Appeals for the 9th Circuit, No. 10-10038 (4/10/12).
Points to remember: First, CFAA was enacted in 1984 and is already woefully out of date, which suggests it wasn’t intended to cover violations like Norman’s. Second, several other circuits—the 5th (LA, MS, TX), 7th (IL, IN, WI) and 11th (AL, FL, GA)—have given CFAA the broad interpretation that the government sought here. Observers have suggested that the U.S. Supreme Court may review this or a similar case. Wise employers wishing to protect their proprietary data should erect restrictions and technological barriers to its access; policies aren't enough. Finally, Norman may still be sued on other grounds, such as violating his employment agreement with Korn/Ferry.