Workers did not exceed authorization when data stolen, says appeals court
Ninth Circuit offers unique take on Computer Fraud and Abuse Act
Computerworld - In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit last week ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it.
In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.
"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote. The term "exceed authorized access" under the CFAA applies specifically to external hackers and violations of "restrictions on access to information, and not restrictions on its use," Kozinski held.
The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court.
The case in question involves David Nosal, a former employee at Korn/Ferry, a large executive recruitment firm based in Los Angeles. Soon after Nosal left the firm a few years ago, he convinced a few of his former colleagues to join him in setting up a competing firm, according to a description of the case in court documents.
Before joining Nosal, some of the employees used their login credentials to access a confidential Korn/Ferry database and download a large list of names and contact information of executive candidates from around the world. The information, which was clearly marked as meant for Korn/Ferry's internal use and prohibited from disclosure, was then passed on to Nosal.
After the theft was discovered, Nosal was indicted on 20 counts, including mail fraud, trade secret theft and violations of the CFAA. He was accused under CFAA of aiding and abetting his former colleagues to exceed their authorized access on the Korn/Ferry system. Nosal appealed the CFAA charges, contending that the law applied only to external hackers and not to individuals who misused data after obtaining it in an authorized fashion.
His appeal was originally dismissed by the district court. The court held that individuals who accessed a computer with the intention to defraud were in fact exceeding their authorized access to the system.