Workers did not exceed authorization when data stolen, says appeals court
Ninth Circuit offers unique take on Computer Fraud and Abuse Act
Computerworld - In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit last week ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it.
In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.
"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote. The term "exceed authorized access" under the CFAA applies specifically to external hackers and violations of "restrictions on access to information, and not restrictions on its use," Kozinski held.
The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court.
The case in question involves David Nosal, a former employee at Korn/Ferry, a large executive recruitment firm based in Los Angeles. Soon after Nosal left the firm a few years ago, he convinced a few of his former colleagues to join him in setting up a competing firm, according to a description of the case in court documents.
Before joining Nosal, some of he employees used their login credentials to access a confidential Korn/Ferry database and download a large list of names and contact information of executive candidates from around the world. The information, which was clearly marked as meant for Kron/Ferry's internal use and prohibited from disclosure, was then passed on to Nosal.
After the theft was discovered, Nosal was indicted on 20 counts, including mail fraud, trade secret theft and violations of the CFAA. He was accused under CFAA of aiding and abetting his former colleagues to exceed their authorized access on the Korn/Ferry system. Nosal appealed the CFAA charges, contending that the law applied only to external hackers and not to individuals who misused data after obtaining it in an authorized fashion.
His appeal was originally dismissed by the district court. The court held that individuals who accessed a computer with the intention to defraud were in fact exceeding their authorized access to the system.
- The new security perimeter: Human Sensors
- Snowden advocates at SXSW for improved data security
- Joomla receives patches for zero-day SQL injection vulnerability, other flaws
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Top tips for securing big data environments - Why big data doesn't have to mean big security challenges Organizations don't have to feel overwhelmed when it comes to securing big data environments. The same security fundamentals for securing databases, data warehouses...
- Top 3 Myths about Big Data Security : Debunking common misconceptions about big data security Big data represents massive business possibilities and competitive advantage for organizations that are able to harness and use that information. But how are...
- Three guiding principles for data security and compliance Data security is a moving target-as data grows, more sophisticated threats emerge; the number of regulations increase; and changing economic times make it...
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva.
- How SIEM Addresses the Challenges of Big Security Data This webcast will help you understand today's big data security challenges and how intelligent and scalable SIEM solutions give IT the tools and... All Data Security White Papers | Webcasts