Ninth Circuit Allows Employees to be Prosecuted Under Computer Fraud and Abuse Act for Breach of Employer’s Network Policy

After leaving the company, a former executive search firm employee persuaded former co-workers to provide him with certain information from the company’s databases as it pertained to various candidates and employers, in order to help him set up a competing company. The employer had a computer-use policy that placed clear and conspicuous restrictions on the employees’ access to the system and to the information contained in the system. Specifically, the company had taken considerable steps to protect and ensure the privacy of its confidential data, including assigning unique login credentials to employees, controlling access to the computer systems, and requiring employees to execute confidentiality agreements pertaining to these databases and information. The government indicted the former employee and the two current employees for violations of the Computer Fraud and Abuse Act (CFAA) for knowingly accessing a protected computer without authorization or exceeding authorized access with the intent to defraud. The former employee and current employees argued that they had been authorized to access and use the database and the information, and thus did not violate the CFAA. The U.S. Court of Appeals for the Ninth Circuit held that the employees had violated the criminal statute by accessing the database, obtaining information from that database, and using it in a way that violated the employer’s restrictions. The court found that the employer took considerable measures to protect its information and that the employees knew (by virtue of these written protective measures) that they were not authorized to access the database and information in order to defraud the employer. This ruling demonstrates the importance of having computer-use and electronic-communications policies. Such rules are critical so that employers can protect their trade secrets and confidential information by making employees aware of what access is “authorized” versus “unauthorized.”