An en banc U.S. Court of Appeals for the Ninth Circuit ruled today that employers and website hosts cannot use the Computer Fraud and Abuse Act to prosecute users who violate company policies or website terms of use. The ruling puts the Ninth Circuit at odds with four other federal circuits which have opined on the same issue, and raises the possibility of U.S. Supreme Court review. In addition, a bill pending in the Senate would amend the CFAA to eliminate contract-based civil claims under the statute.
Chief Judge Alex Kozinski authored the opinion, which stemmed from a case where a former employee of an executive search firm convinced his former co-workers, who were still with the firm, to use their log-in credentials to download source lists, names and contact information from a confidential company database in order to help him start a competing business. The government indicted the defendant on twenty counts, including violations of the CFAA for aiding and abetting his former co-workers in exceeding their authorized access to their work computers.
In its ruling, the court held that the CFAA phrase “exceeds authorized access” should be construed narrowly to apply to hacking only and should not extend to violations of use restrictions. A broader construction would “allow private parties to manipulate their computer-use and personnel policies” to turn employer-employee relationships into ones policed by criminal law, and could criminalize behavior such as using an employer’s computer to chat with friends, play games, shop or watch sports highlights. Further, the court acknowledged the circuit split, stating that the other courts “looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘exceeds authorized access.’”
Written by Bruce Sarkisian, Associate | Alston & Bird LLP