Mark Sableman is ABM's information policy counsel.
A key statute that helps businesses protect their private databases is under scrutiny by both Congress and the courts. Database owners like ABM members are carefully watching the battle between law enforcement authorities seeking to expand the law’s coverage, and employee advocates seeking to narrow its coverage.
The Computer Fraud and Abuse Act (CFAA) is an anti-hacking law passed by Congress in the wake of computer hacking scares in the 1990s. It makes it unlawful for anyone to hack into a computer system. It prohibits copying or use of data by anyone who accessed a computer system through “unauthorized access” or “access beyond the scope of authorization.”
The CFAA carries civil as well as criminal provisions, and it has long been considered an effective tool for protecting business databases. For example, if your business maintains its databases on a secure computer network, and an competitor hacks into your system, that is “unauthorized access” and it gives rise to civil CFAA claims. Similarly, if you have given someone limited access to your computer system, and that person (say, a franchisee, a customer, or a business partner) pries into your system beyond the areas he or she was allowed to access, that too gives rise to CFAA claims. Although the United States doesn’t have specific legal protection for databases, the CFAA affords businesses fairly good protection against database misappropriation by outsiders.
The recent controversies have arisen because of expansive interpretations of the CFAA’s “beyond the scope of authorization” coverage. In cases where employees have harvested trade secrets and customer lists from company computers, and then used that information in their subsequent employment, the original employers have brought CFAA claims. Their theory has been that while the employees were authorized to use the company’s computers, the use they made, gathering secrets for use against the company, was beyond the scope of authorization. Under this interpretation, “beyond the scope of authorization” covered unauthorized purposes, not just unauthorized areas of the computer system.
Lobbyists for employees have sought to narrow the CFAA to prevent its use against employees. But their proposed narrowing of the statute could also diminish its usefulness in protecting private databases, and ABM has joined other database companies in opposing the amendment.
Meanwhile, this week, the U.S. Court of Appeals for the Ninth Circuit, in a major case, United States v. Nosal, rejected a broad interpretation of the act (including the purpose-based interpretation of “beyond the scope of authorization”) advocated by the Justice Department. The court ruled that the CFAA’s “beyond the scope of authorization” language refers to unauthorized areas, not unauthorized purposes. This en banc ruling by Chief Judge Alex Kozinski is likely to be influential, and, if followed, could well remove the impetus for the proposed statutory amendment, and thereby preserve the CFAA’s protections against database misappropriation by outsiders.
By Mark Sableman