Reprinted with permission from the November 18, 2015 edition of The Recorder© 2015 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. ALMReprints.com – 877-257-3382 - firstname.lastname@example.org.
An essential aspect of any effective cybersecurity strategy is the ability to obtain meaningful remedies and enforcement for the theft of data when possible. Yet federal law has proven inadequate over the past several years to address current challenges involving the theft of data from a computer.
The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §§ 1030, the primary federal statute to address criminal and civil computer violations, was originally enacted in 1984 and has been amended nine times, the last time in 2008. The CFAA has separate provisions to address different computer offenses including hacking (Section 1030(a)(5)); extortion (Section 1030(a)(7)); obtaining information from a financial institution, federal agency or protected computer (Section 1030(a)(2)); and computer fraud (Section 1030(a)(4)), among other provisions.
The CFAA has not kept up with changes in technology and fails to address many common scenarios involving efforts to steal data by insiders, former insiders and outsiders. Given the importance of cybersecurity and the role and protection of data in our economy today, Congress needs to modernize and strengthen the primary federal computer statute to address the variety of ways in which data may be stolen.
Current 'Nosal' Case
The latest reminder on the need for Congress to update and clarify the statute was highlighted in the recent Oct. 20, 2015 Ninth Circuit oral argument in United States v. David Nosal, No. 14-10037. The case involved defendant Nosal's role with others in downloading trade secrets and other proprietary information from the confidential database of his former employer, Korn/Ferry International.
At a jury trial, defendant Nosal was convicted as charged on six counts: one conspiracy count, three CFAA counts for computer fraud under 18 U.S.C. §§ 1030(a)(4) and 2, and two trade secret counts. He was sentenced to serve a year and a day in prison, pay a $60,000 fine and $827,983.25 in restitution.
One central issue now pending on appeal concerns the application and scope of the CFAA. Under prevailing Ninth Circuit case law, on the three Section 1030(a)(4) computer fraud counts, the government was required to establish that the defendant aided and abetted the (1) access of a protected computer, (2) "without authorization" or "exceed[ing] authorized access," (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained something of value. See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). The dispute in the appeal focuses on the second element.
Over the past several years, the courts have wrestled with the meaning of "without authorization" and "exceeding authorized access." These statutory terms have generated confusion concerning the scope of the CFAA in a variety of circumstances most often arising in the employee or former employee context.
In Nosal, the defendant was a top executive and Silicon Valley managing director of Korn/Ferry International, a leading executive-search firm. After departing the company in 2004, Nosal began his own employment search company. Two other employees, who joined him in 2005, persuaded a current employee to share her password to give them access to the confidential database which they used to run searches and obtain source lists, names and information for employment candidates in Nosal's new firm.
It is undisputed that Nosal and the two former employees lacked authority to directly access the specific information they sought from the confidential database of their former employer. The government argues that the two former employees, aided and abetted by Nosal, accessed the company computers "without authorization" since all of their access rights had been rescinded. Instead, they used the password credentials of a current employee to obtain the information from the confidential database. The company policy prohibited the employee from sharing her log-in credentials. In contrast, the defense contends on appeal that "the downloads in question were effectuated by the consensual use of a password validly issued to a KFI employee, and thus involved no hacking."
During the oral argument, Ninth Circuit Judge M. Margaret McKeown asked whether the former employees were essentially "going through the backdoor to get what they cannot get through the front door" since they were no longer employees at the company and their authorization had been revoked. Ninth Circuit Judge Stephen Reinhardt noted that there was no disagreement on these facts. In his view, the question was whether a crime resulted under the present authorization language of the CFAA when someone else shared their password for access. Chief Judge Sidney R. Thomas wondered how the statute would apply if, as urged by the defense, the password was obtained by phishing or the employee was duped into providing the password. Judge McKeown also asked "who has the authority to give authorization?"
According to the defense, "password sharing is not hacking" and does not violate the CFAA. The defense asserts that "it is not merely the computer owner who can confer authorization—it is also the password holder."
This hyper-technical view relies on the "authorization" terms of the statute to claim that the shared password by a current employee granted "permission" to the two former employees whose authorization to access the company network had been rescinded. Under this position, any employee can provide authorization or access to outsiders even when the company policy forbids the sharing of passwords or access. This result would empower any employee to override clear company policy. Defendants could use this approach as an exception to evade enforcement under the statute. Also, if social engineering is used to entice someone to share their log-in credential, the access would be "authorized" under this construction. The outcome should not turn on the role or status of the person supplying the access credentials.
As noted during the oral argument, neither the government nor defense is asking the court to adopt a bright line rule that the sharing of a password always falls within or outside the CFAA. Given the narrow set of circumstances, the decision should be based on a fact specific inquiry on whether sufficient evidence was presented at trial to sustain the three CFAA jury convictions. The recent oral argument shows how some basic facts concerning a scheme to steal data can get unnecessarily bollixed around whether the conduct was "authorized" or not by one employee.
Inconsistent Application of the CFAA
But the problems with the CFAA extend beyond the Nosal oral argument. Over the past several years, a significant split in the circuit courts has emerged over the scope and application of the CFAA. The result is that the same or similar conduct is treated differently depending on where the theft occurred.
Generally, two judicial groups have emerged in applying the statute. The First, Fifth, Seventh and Eleventh Circuits apply the statute more broadly allowing for remedies or enforcement based on the theft or destruction of data by current or former employees. (See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st 2001); United States v. John, 597 F.3d 263, 269 (5th Cir. 2010); International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1260 (11th Cir. 2010).) The broader construction group considers whether the conduct involves a breach of a duty of loyalty or a non-business purpose or is contrary to non-disclosure or use terms.
In contrast, two circuits apply the CFAA more narrowly: the Fourth and Ninth Circuits. (See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 202 (4th Cir. 2012); Brekka, 581 F.3d at 1129-30, 1134-35; United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (en banc).) These two courts focus on whether the original authorized access to the network was restricted or has been rescinded.
Given the importance of protecting computer data against theft by insiders and outsiders, this inconsistent application is simply intolerable. Congress should resolve the uncertain and confusing application of the CFAA by the courts and clarify that the theft of data, by any means, will be subject to effective civil remedies and criminal enforcement.
Congressional Reform Options
The Nosal case is just the latest reminder on the need for Congress to modernize and strengthen the CFAA. There are some distinct legislative options Congress can consider.
First, Congress can substitute a new standard which does not rely on "authorization" but instead focuses on the "use" or "purpose" to misuse the information. Several courts have considered this approach.
Second, Congress can use a misappropriation standard which would focus on whether the information was misappropriated or stolen. Initial authorized or unauthorized access to the information would not be dispositive. Instead, the facts concerning the intent and circumstances of the theft would determine whether the statute was violated.
Finally, if Congress is determined to retain the "authorization" standard, Congress should redefine the terms "without authorization" and "exceeds authorized access" to clarify that the statute applies when initial permitted access to information is later rescinded or abused. The current lack of clear guidance has resulted in disparate standards developed by the courts.
Congress should also consider establishing separate standards and provisions for civil cases. In 1994, Congress added a civil private right of action to the criminal statute. Consequently, some of the same provisions may result in civil or criminal enforcement. Consequently, the statute does not recognize common distinctions in proof for civil and criminal provisions. Traditionally, criminal cases have a higher standard for intent, such as an intent to defraud. Additionally, Congress should extend the two-year statute of limitations to five years, comparable to the criminal provisions.
The bottom line is that the theft of data should be subject to criminal penalties and civil remedies regardless of whether it is committed by insiders, former insiders, or outsiders. The outcome should not turn on some hyper-technical application on whether initial access was "authorized" or "exceeded." Theft of data is quite simply theft. As in other contexts, a jury can decide whether a theft occurred by considering the defendant's intent and all of the relevant circumstances and facts. These inquiries are fact-specific. The current CFAA should be updated to address the cyber realities of today including threats from insiders and outsiders. It is time for Congress to strengthen and modernize the CFAA.
Mark Krotoski is a partner in the litigation, privacy and cybersecurity, and antitrust practice groups of Morgan, Lewis & Bockius, resident in the Silicon Valley office. He previously served as the National Coordinator of the Computer Hacking and Intellectual Property Program (CHIP) in the Criminal Division of the U.S. Department of Justice and as a CHIP prosecutor in Silicon Valley prosecuting a range of computer intrusions, computer crimes, and economic espionage and trade secret cases. The views of the author do not necessarily represent those of the firm or its clients.