The Split in the Circuit Courts Over the Proper Interpretation of the Computer Fraud and Abuse Act Actually Goes Three Ways

on our sister blog, Massachusetts Noncompete Law.

I’ve written many times about the significant split in circuit courts’ interpretation of the Computer Fraud and Abuse Act (CFAA), which affects whether an employer can sue an employee for violating computer use restrictions, usually embodied in a confidentiality agreement or company IT policy, when an employee downloads confidential information he is permitted to access but then takes that information to a competitor.  The debate centers on when an employee “exceeds authorized access” under the text of the CFAA.  In states that are part of the First Circuit Court of Appeals (which includes Massachusetts), an employer can use the CFAA in a lawsuit against an employee in such a situation.  But in the Ninth Circuit, which includes California, an employer can sue only if the employee did not have access to the information as part of his job, meaning, in most cases, that the employee “hacked” into an area of the employer’s computer system that he was not permitted to access.

Yet in a recent article (subscription required), Alan W. Nicgorski argues that there is another trend among the circuits that is even more favorable to employers than the First Circuit’s interpretation.  Nicgorski contends that the Seventh Circuit, which is based in Chicago, allows claims under the CFAA whenever an employee “embarks on a course of conduct adverse to his employer’s interest,” such as when an employee takes company information from a computer for the purpose of giving it to a competitor, even if there is no written agreement that the employee violated.  See Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006).  The Seventh Circuit’s reasoning is that an employee violates his duty of loyalty to the employer when he acts adverse to his employer’s interests, which automatically terminates the employee’s right to access the employer’s computers and information.  As a result, the employee acts “without authorization,” another way a defendant can be liable under the statute.  After all, the right to access the information was based on the employee being an “agent” of the employer, but a breach of the duty of loyalty terminates that relationship.  In effect, this interpretation using the “without authorization” language eliminates an employer’s need for the “exceeds authorized access” language altogether, at least when dealing with an employee who takes information to a competitor, because any authorization given to an employee terminates once the employee acts for a competitor.  An employee can’t exceed his authorized access when he has no authorization at all.

So would the First Circuit interpret “without authorization” in the same way as the Seventh Circuit?  One judge of the U.S. District Court of Massachusetts thinks so.  See Guest-Tek Interactive Entm’t Inc. v. Pullen, 665 F. Supp. 2d 42 (D. Mass. 2009).  In Guest-Tek, Judge Nathaniel Gorton denied a motion to dismiss a CFAA claim where the plaintiff alleged that the defendant breached his duty of loyalty to the plaintiff employer by copying files and secretly planning a competitive venture.  In short, Judge Gorton ruled that the First Circuit “has favored a broader reading of the CFAA” (see above) and cited Citrin.  This decision by no means guarantees that the First Circuit would follow Citrin should the issue be presented to that court, but it does show that the circuits may continue to diverge in three directions.  The Seventh Circuit’s decision in Citrin, I think, has been lumped together with the decisions of other circuits that allow CFAA claims based on computer use restrictions because the Seventh Circuit’s interpretation also would allow such a claim.  (If anything, an employee who violates a computer use restriction likely breaches his duty of loyalty.)  Because most employers have policies upon which CFAA claims can be based, many commentators (including yours truly) have tried to simplify the circuit split by drawing a line between those courts that allow CFAA claims based on computer use restrictions, and those that don’t.  But the Seventh Circuit is indeed an outlier, and Nicgorski shows that, at least in that court, an employer need not have a policy to have a claim.

Commentary on the Status of the Computer Fraud and Abuse Act

Feb 18, 2013

U.S. Supreme Court takes pass on CFAA lawsuit; uncertainty remains

In 1st Circuit, ‘ball in employer’s court’

By Correy E. Stephenson

The U.S. Supreme Court’s denial of certiorari in a Computer Fraud and Abuse Act case leaves employment lawyers in the 1st Circuit and beyond with continuing uncertainty.

Employers frequently add a CFAA claim to suits against former employees who take confidential information from company computer systems.

But federal courts across the country have split on just how broadly the act should be interpreted.

The CFAA provides for criminal and civil penalties against an employee who “knowingly and with the intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

The 1st U.S. Circuit Court of Appeals has granted employers the right to sue under the act when employees have authorized access but use it for non-job-related purposes, while others, such as the 9th Circuit, have narrowly interpreted the law to require an actual hacking of the computer system.

Raising the hopes of employment lawyers nationwide, a 4th Circuit case sought certiorari before the Supreme Court, hoping to end the circuit split.

But in January, the justices denied review, leaving employment lawyers with continuing uncertainty.


“This is a big deal for employment lawyers,” said Brian P. Bialas of Foley Hoag in Boston.

Until the Supreme Court agrees to decide the issue, Bialas added, “the ball is definitely in the employer’s court in the 1st Circuit.”

Circuit split widens

For multiple reasons, the CFAA is a valuable tool for attorneys representing employers. In addition to establishing federal jurisdiction, the CFAA lets victorious plaintiffs recover damages such as the cost of hiring a computer forensic firm to investigate the employee’s activities, Bialas said.

And the act provides for injunctive relief, which can allow employers to stop a former worker from taking information to a new employer or using it for his own benefit.

The law comes into play when an employee leaves a job or is terminated and attempts to take information with him.

While an employee typically is authorized to access company documents on an internal document management system, “if she does so not in the course of her employment but rather for the purpose of viewing information that might be helpful for her next employer or some other improper purpose, then [the CFAA] can be triggered,” said John R. Bauer, a partner at Robinson & Cole in Boston.

For example, Bauer said, an employer would consider financial information, a formula or a client list confidential.

“Even though the person has literal authorized access to the documents, the access is used not for the purpose of fulfilling job responsibilities,” he said, adding that an alleged breach of the company’s computer use policy can — in some jurisdictions — provide the basis for a CFAA claim.

In the 1st Circuit, an employer has been allowed to bring suit against a former employee for accessing data in violation of a confidentiality agreement. The decision in EF Cultural Travel BV v. Explorica stands with similar decisions from the 5th, 8th and 11th circuits, where courts have also allowed employers to allege violations of the CFAA when the employee breached a confidentiality or computer use agreement.

A case from the 9th Circuit stands in stark contrast.

In an en banc decision issued last year, a criminal action against an employee who had authorization to access his employer’s database but used his log-in credentials to download source lists, names and contact information to start his own business was dismissed.

Even though the employee in U.S. v. Nosal violated a company policy that prohibited the disclosure of confidential information, the panel held that the statute did not apply. The CFAA requires unauthorized access to computer data or computer hacking, the 9th Circuit said.

Last July, the 4th Circuit agreed, holding in WEC Carolina Energy Solutions LLC v. Miller that the CFAA does not impose liability on authorized workers who breach computer user policies.

Noting the widening circuit split, the company petitioned the high court for review, which was declined by the justices in January.

Employers: Establish a policy

The Supreme Court’s denial of cert leaves attorneys representing employers in Massachusetts standing on solid ground.

To protect a company, make sure to have a data or computer use policy in place, Bialas advised, and “include a provision about confidentiality to use as a basis for a CFAA claim.”

However, the jurisdictional split “creates a problem for employers who have employees in multiple states,” Bauer said.

The employer “might be able to bring an action against an employee in one state but can’t take action against an employee in another state for doing the exact same thing,” he said.

For now, employees — and their new employers — face potential lawsuits with the existing 1st Circuit CFAA caselaw.

But attorneys agreed that the circuit split will be resolved, whether by the Supreme Court or via an update to the legislation.

The CFAA has received the attention of federal lawmakers recently after the suicide of Aaron Swartz, a computer prodigy who had been criminally charged under the law. With the statute under consideration, a tweak to clarify the breadth of its application in civil employment suits is possible, Bialas noted.

If not, “the Supreme Court would certainly be the easiest way for a lot of people to get some clarity,” he added hopefully.

PCI-DSS Update: The Payment Card Industry Security Standards Council Issues Guidelines for Security Risk Assessments, Cloud Computing, and Accepting Payments on Mobile Devices

Merchants who accept credit cards have a duty to protect customer information, not only by law (see, e.g., 201 CMR 17.00), but also because the credit card companies tell them so.  The Payment Card Industry Security Standards Council was created by Visa, MasterCard and American Express to tell merchants precisely what they are supposed to do to protect consumers.  Merchants must follow the Payment Card Industry Data Security Standard (PCI DSS) or risk fines or losing the ability to process credit cards.  This past November, and then again in February, the Council issued guidelines to help merchants (and some third-party service providers) comply with PCI DSS when they perform assessments of risks to cardholder information within their systems, deal with cloud service providers, and accept payments using mobile devices.

Risk Assessments

On November 16, 2012, the Council issued its guidelines to help organizations perform risk assessments that comply with PCI DSS.  According to BNA, some of the Council’s key recommendations include encouraging organizations to:

  • implement risk assessment methodologies that suit the culture and requirements of the particular organization; and
  • utilize continuous discovery processes that allow organizations to discover threats and mitigate them in a proactive and timely fashion.

The Council also emphasized that risk assessments should not replace the requirements of PCI DSS.

Cloud Service Providers

The Council also has published guidelines for dealing with cloud service providers.  Because many organizations entrust cardholder information to cloud service providers (like Google), the Council emphasized that compliance with PCI DSS is a shared responsibility between the organization and the cloud service provider.  The more aspects of a business a third party manages for that business, the more responsibility that third party has for maintaining PCI DSS protections.  Significantly, the guidelines suggest that organizations and cloud service providers clearly set out security responsibilities in contracts between them to avoid misunderstandings.

Mobile Devices

The Council also has offered best practices for accepting credit card payments on mobile devices.  Mobile devices are not designed to accept sensitive financial information, and are therefore particularly vulnerable.  For this reason, the Council provided recommendations to ensure the security of mobile devices used to process payments.  The Council did not recommend that merchants allow “bring your own device” policies, where an employee brings a device to work that the employee (who is not the merchant) owns and controls, because the merchant does not have control over the content and configuration of the device.  With the increasing popularity of Square, merchants’ adherence to strict standards in this area is only going to become more important.

*   *   *

Above all, the Council’s guidelines show just how seriously the credit card industry considers the protection of cardholder information at each step of the payment process, from the initial purchase through to the storage of the information.  Yet some security threats to cardholder information, including a basic one that I wrote about here, remain unaddressed, so the credit card industry still has some work to do.

More on President Obama’s Executive Order on Cybersecurity

On February 12, 2013, President Obama signed an executive order entitled “Improving Critical Infrastructure Cybersecurity.”  The Order has two key components.

First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted entities.

Second, the National Institute of Standards and Technology (“NIST”), which is part of the Commerce Department, must develop a Cybersecurity Framework.  The Cybersecurity Framework will be a set of standards, methodologies and procedures to help owners and operators of critical infrastructure to reduce cyber risks.  NIST must consult with other agencies and stakeholders and must incorporate voluntary consensus standards and industry best practices.

In conjunction with the Department of Homeland Security (“DHS”), sector-specific agencies must develop a program to support the private sector in adopting the Cybersecurity Framework.  DHS must coordinate and recommend to the President a set of incentives to encourage industry adoption.

The President also issued the Policy Directive on Critical Infrastructure Security and Resilience.  Under the Policy Directive, DHS and sector-specific agencies must assess the Nation’s critical infrastructure and assist the owners and operators in strengthening their cyber security.

The Executive Order and Policy Directive were issued after Congress failed to pass numerous cybersecurity bills in 2012, including a proposal by the White House.  In September, the White House said that it would consider issuing an executive order if Congress remained deadlocked.  The White House noted that the executive branch is “hamstrung by outdated and inadequate statutory authorities,” and in President Obama’s State of the Union Address, he called on Congress to “pass[] legislation to give our government a greater capacity to secure our networks and deter attacks.”

Categories: Cybersecurity & Cybercrime

Administration Rolls Out Its New Cybersecurity Policy

Yesterday President Obama signed an executive order directing federal agencies to develop voluntary best cyber security practices for key industry sectors and to create a system for broader public-private information sharing, and today administration officials have been speaking at an event highlighting the order. The Order places primary responsibility for managing cyber security in the hands of the Department of Homeland Security. Under the Order, the government will also identify the baseline data and systems requirements it needs to allow the exchange of information and intelligence, and will produce and disseminate unclassified cyber threat reports. The Order also seeks to increase information sharing within the government and with the private sector, looking for options to improve the public-private partnership in both physical and cyber space and to streamline the process of information sharing.

Deputy Attorney General James Cole, speaking at today’s event, emphasized that this would be done without violating the Administration’s commitment to protecting privacy and civil liberties. He mentioned that each federal department and agency is required to develop and implement privacy and civil liberties safeguards in connection with their cyber space activities, and must also assess the safeguards and their implementation, with the results of the assessment sent to the DHS Chief Privacy Officer and Officer for Civil Rights and Civil Liberties to be included in a public report.

Keep watch here for further analysis of the Executive Order and industry reactions to it.

Categories: Cybersecurity & Cybercrime

Pentagon to Increase Cybersecurity Force More than Five Times Current Size

In a recent article, the Washington Post reported that “The Pentagon has approved a major expansion of its cybersecurity force over the next several years, increasing its size more than fivefold to bolster the nation’s ability to defend critical computer systems and conduct offensive computer operations against foreign adversaries.”

The Pentagon’s plan would create three types of forces under the Cyber Command:

  • “national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security;
  • “combat mission forces” to help commanders abroad plan and execute attacks or other offensive operations; and
  • “cyber protection forces” to fortify the Defense Department’s networks.

The first of these categories is the one I find most interesting, as it most closely relates to daily life and work in this country.  It also raises the interesting question as to which businesses are deemed to be critical infrastructure.  While electric grids seem obvious, what about electronic health records?  Or Google?  Cloud storage?  And would you want your company to be designated as critical, if there is increased government oversight as a result?