On April 10, 2012, the Ninth Circuit took back what it gave briefly to California employers last year: a remedy for employee trade secret misappropriation under the federal Computer Fraud And Abuse Act.
The CFAA establishes criminal and civil remedies for damages or loss caused by unauthorized access to computers. The issue in United States v. Nosal was whether CFAA violations occur when an employee with authorized access uses the employer's computer for an unauthorized purpose.
In Nosal, a departed executive search firm employee had convinced former colleagues still working for the company to assist his launching a competing business. These employees used their log-in credentials to download source lists, names, and contact information from a confidential database on the company's computer, then transferred that information to the competitor—all in violation of company policy. The Government filed criminal charges against the instigator, including a count for "aiding and abetting" the employees' violation of the CFAA.
Rejecting the initial appellate panel's ruling—and diverging from the rule in other jurisdictions—the Ninth Circuit held that liability under the CFAA "is limited to violations of restrictions on access to information, not restrictions on its use." Since the employees' access to the company's computer system was authorized, no CFAA violation occurred—even though the computers were accessed specifically to misappropriate company trade secrets. According to the Ninth Circuit, Congress intended the CFAA to apply only to "hackers," not "to incorporate misappropriation liability into the CFAA."
Under this ruling, the CFAA will likely have limited utility for California employers pursuing remedies for employee misuse of trade secret and other confidential information. The CFAA will apply to employee "hacking:" "to someone who's authorized to access only certain data or files but accesses unauthorized data or files." It will not apply to the more common scenario: employees who misuse information obtained through authorized access.
Unless the Supreme Court overrules the Ninth Circuit—or Congress broadens the CFAA's coverage—California employers must continue to rely primarily on confidentiality agreements, company policies and data security practices, and state trade secret law to protect trade secrets and confidential information.