Is it a crime to shop on your company computer?
In 2004, David Nosal was working for an executive search firm in California when he used confidential information pulled from his employer’s computer system to start his own, competing company. He was criminally prosecuted under, among other laws, the amended federal Computer Fraud and Abuse Act (CFAA) of 1986, which takes aim at anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access. . . .” The case, United States v. Nosal, went to the Ninth Circuit Court of Appeals, where the question of a CFAA violation was decided, in 2012, in Nosal’s favor. Had it been heard on appeal in another circuit—the Fifth, say, or Eleventh—the decision might have gone the other way, as divergent paths have marked the courts’ interpretations of the law.
When is it okay for an employee to transfer data from an office computer system to a personal device? When is it okay to conduct personal affairs on office machines? With new technologies the lines between work and personal time have blurred, as have conventional notions of ownership and use of information. Writing in the American Business Law Journal, two Carroll School of Management faculty members from the business law department—Associate Professor Stephanie Greene and Professor Christine Neylon O’Brien—recently questioned whether the CFAA should be embraced by employers and prosecutors to go after workers who “violate an employment policy, contract, or duty of loyalty.” Their article, “Exceeding Authorized Access in the Workplace: Prosecuting Disloyal Conduct under the Computer Fraud and Abuse Act,” has received several academic and industry awards and drawn attention in the popular media.
Greene and O’Brien argue that the CFAA is properly applied “narrowly”—as an anti-hacking statute that imposes civil and criminal liability for code-based breaches of computer systems. A “broad” interpretation, initially adopted in civil cases by the First and Seventh Circuit Courts of Appeals in the 2000s, spread to criminal prosecutions in 2010, in the Fifth and Eleventh Circuits. Under the broad interpretation, courts apply the CFAA’s provisions to violations of company computer policies, to misappropriations of confidential or proprietary information, and to breaches of an employee’s duty of loyalty to an employer—even when hacking is not involved. In United States v. Rodriguez, for example, a Social Security Administration employee was charged with misusing his access to a government database by looking up birthdates and addresses so that he could send gifts and cards to friends. Even though he did not use the information for criminal purposes, the Eleventh Circuit, in 2010, held him criminally liable.
The Ninth Circuit rejected the broad interpretation in a 2009 civil case, reasoning that what mattered for CFAA purposes was not what an employee intended to do with information he took from his employer, but whether he had his employer’s permission to use the computer and to access and obtain the information—a pure hacking question. In Nosal, the court went further, warning that prosecutions based on whether an individual has violated a company computer-use policy could “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.” Think shopping online or checking a personal email account on your work computer.
Greene and O’Brien agree. “The broad interpretation of the CFAA,” they say, “would allow criminalization of employer policies that employees frequently don’t understand and may not be aware of, creating issues of inadequate notice and due process.” They see a judicial preference emerging now for the narrow interpretation—rooted not in sympathy for employees who stray from office rules, but in a plain reading of the CFAA, its legislative history, and the “rule of lenity,” an analytical method in which courts, faced with vagueness in a criminal statute, apply the least-harsh meaning.
Improper deviations from company policies—even when these grow out of computer access—are better dealt with as civil matters, say Greene and O’Brien, which will lessen the potential for prosecutorial overreach.
Jeri Zeder is a writer in the Boston area.