Yesterday the Ninth Circuit, in an en-banc opinion, determined that the Computer Fraud and Abuse Act ("CFAA") did not apply to employees who "spend six hours tending his FarmVille stable," visit ESPN.com, or play Sudoku on www.dailysudoku.com while at work. While seemingly an obvious conclusion, the Court also excluded from the CFAA other more nefarious employee computer misdeeds.
At issue was the phrase "exceeds authorized access" as defined by the CFAA. Corporations have policies preventing the personal use of the internet during company time. The Ninth Circuit was concerned that employees who surf the web at work, could violate the CFAA by exceeding his or her authorized access granted by the corporate internet use policies.
The Ninth Circuit determined that "exceeds authorized access" means violations of restrictions on the access to information, not restrictions on its use. Therefore the CFAA would apply to hackers, who circumvent technological barriers to access computer systems, as opposed to employees who are granted access by the company. As a result, an employee who checks his personal e-mail or updates his status on Facebook at work would not violate the CFAA because the employee's use of the company's internet access is not actionable under the CFAA.
Unfortunately, the case at hand, U.S. v. Nosal, Docket No. 10-10038, dealt with a former employee who convinced current employees to steal information from a confidential database to help his competing business. The Ninth Circuit found that the Nosal, the former employee, did not aid and abet the current employees in violating the CFAA because the current employees had access to the corporate computers and the issue was their "use" of the access. In other words, the Ninth Circuit determined that an employee can use information it obtains from a corporate computer in any way he or she pleases - even to the detriment of the employer - and not violate the CFAA so long as the employer gave the employee access to the computer system.
The majority's focus on clearly not fraudulent use of a workplace computer is misleading. The CFAA only punishes unauthorized use of a computer done with an intent to defraud. Employees who watch YouTube, surf the web, or update their Facebook pages have no such intent and are therefore outside the prohibition of the CFAA. By contrast, the employees in Nosal who purloined confidential information from their employer to assist a competitor clearly had the requisite intent and therefore it would not be unreasonable for the CFAA to apply.