It’s a common scenario: a company thinks an employee is using its computers to do something wrong. Maybe the employee is stealing clients for a new venture, copying data from proprietary research or leaking documents to the media about the CEO’s financial impropriety.
The company will often ask me to analyze whether the employee broke the law. It may want to report the employee to the authorities or to determine if there is some civil liability against the employee.
The federal statute that is most often implicated in this scenario is the Computer Fraud and Abuse Act (“CFAA”). I wrote about the basics of the CFAA a few weeks ago, related to the prosecution of a former employee of the St. Louis Cardinals.
There is a split among the circuits over the standard the government must meet to charge an employee for misusing her work computers. The Second Circuit recently weighed in on this issue in United States v. Valle. The court had to decide whether an employee “exceeds authorized access” under the CFAA when he searched certain databases of information for purely personal reasons.
The case involved some . . . interesting facts. Ultimately, the Second Circuit sided with the circuits that have imposed a higher standard on the government to prosecute employees for violating the CFAA. Let’s learn more about this win for defendants.
CFAA, Redux
You can find the CFAA at 18 U.S.C. § 1030 et seq. Under the CFAA, an individual is criminally liable if he “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030(a)(2). Also, there is criminal liability if an individual “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.” 18 U.S.C. § 1030(a)(5).
There is also a provision for civil liability under the statute, but the plaintiff must prove losses over $5000. 18 U.S.C. § 1030(g).
The Facts in Valle
Gilberto Valle was an officer of the NYPD who lived at home with his wife and child. During his spare time, Valle engaged in behavior that most would find to be quite . . . odd. He was a member of an online community called the “Dark Fetish Network” where he chatted and emailed with strangers using screen names.
With these strangers, Mr. Valle discussed his fantasies of kidnapping, torturing, and raping women that he knew, including his wife and her friends. (Spoiler alert: the jury did not like him). He transmitted photos of the women to these individuals and discussed detailed plans to carry out various kidnappings and other graphic acts.
(In a convergence of real life and blog life, The Good Wife aired an episode along the same lines as the facts of this case. But in that case, the defendant won at trial.)
Mr. Valle’s wife became suspicious and installed spyware on the couple’s shared laptop. She discovered the conversations along with graphic photographs of dead women. She moved out with their child and contacted the federal authorities. Mr. Valle was charged with conspiracy to commit kidnapping and improperly accessing a computer in violation of the CFAA.
The CFAA charge was a result of Mr. Valle’s use of his work computer to access the Federal National Crime Center Database, which contains sensitive information about individuals, such as their home address and date of birth. According to the NYPD’s policy, the database was only to be accessed in the course of an officer’s official duties. Personal use was against the policy. Mr. Valle used the database to search for a woman that he knew from high school and discussed kidnapping her with one of his online buddies.
The jury convicted Mr. Valle under both counts and he appealed.
The District Court Decision
The district court judge granted Mr. Valle’s motion for judgment of acquittal on the kidnapping charge. He found that there was no evidence that Mr. Valle had specific intent to commit that crime because his communications were fantasy only. The judge was also troubled by the prosecution’s tactics, believing that the jury’s verdict was based on “disgust and revulsion,” particularly in light of the prosecution’s statements that police officers should be held to a higher standard than others.
The district court did not, however, grant the motion as to the CFAA verdict. As the court of appeals stated:
While acknowledging the existence of a “vigorous judicial debate” over the meaning of “exceeds authorized access,” the court nonetheless concluded that Valle’s conduct fell “squarely within the plain language” of the statute because Valle had not been authorized “to input a query regarding [the woman’s] name” without a law enforcement reason for doing so.
Both parties appealed.
The Second Circuit’s Decision
The Second Circuit agreed with the district court’s logic regarding the kidnapping charge and affirmed that decision, explaining that fantasizing about committing a crime does not amount to the commission of a crime.
Whew. One correct decision down.
As to the CFAA charge, the Second Circuit also heard arguments from both parties and considered the opinion of various amici, including the Electronic Frontier Foundation, Center for Democracy & Technology, Marion B. Brechner First Amendment Project, National Coalition Against Censorship, Pennsylvania Center for the First Amendment, and various law professors.
Mr. Valle did not dispute that he violated the terms of his employment when he conducted the search for the woman in the police database. He argued, however, that he did not violate the statute because he didn’t “obtain any information he was not entitled to obtain.” In other words, he would have been allowed to look up this sort of information about an individual if it were connected with his duties as a police officer, such as during an investigation.
The government countered that because he used the computer in a manner that was not consistent with the NYPD’s policy, he exceeded his authorization to use the computer.
The Second Circuit considered a lengthy legislative history of the statute to determine the proper interpretation of the phrase “exceeds authorized access.” It found support in the legislative history for both parties. It also noted that because of the circuit split, the “statute is readily susceptible to different interpretations.”
Because the “ordinary tools of legislative construction fail to establish that the Government’s position is unambiguously correct,” the court applied the rule of lenity.
The rule of lenity is a judge’s best friend and a defendant’s last hope. Basically, this rule provides that when construing an ambiguous criminal statute, a court should resolve the ambiguity in favor of the defendant. Here, of course, that meant that Mr. Valle won.
The government did not have a strong argument in response to the rule of lenity or to the argument that its interpretation ran the risk of criminalizing ordinary behavior. Instead, it argued that these concerns “must be raised in the first instance by individuals actually affected by the provision at issue.” The court clearly disagreed, noting that its interpretation of the statute in this case would affect a lot more people than just Mr. Valle, given that the court’s ruling was binding precedent on lower courts.
The court of appeals also considered the wide split among the circuits and was more persuaded by the view of the Fourth and Ninth Circuits. It provided this compelling quote from WEC Carolina Energy Solutions LLC v. Miller (687 F.3d at 206) from the Fourth Circuit:
The deficiency of a rule that revokes authorization when an employee uses his access for a purpose contrary to the employer’s interests is apparent: Such a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems . . . . [W]e do not think Congress intended . . . the imposition of criminal penalties for such a frolic.
And the following from the Ninth Circuit case, United States v. Nosal (676 F. 3d at 859):
Because ‘protected computer’ is defined as a computer affected by or involved in interstate commerce – effectively all computers with Internet access – the government’s interpretation of ‘exceeds authorized access’ makes every violation of a private computer use policy a federal crime.
Ultimately, the Second Circuit held that the phrase “exceed[] authorized access” means
to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.
How this Ruling Affects the Future of the CFAA
As I noted in my previous post, the CFAA has become an increasingly popular statute for prosecutors. This case is a major win for defendants, as the Second Circuit showed a willingness to narrow the scope of the CFAA statute. The tide may be turning in the circuit split on the issue. It now appears to be the Second, Ninth and Fourth Circuits versus the First, Fifth, Seventh and Eleventh Circuits. We’re gaining on them.
It may be that the (bitterly divided, eight-justice) Supreme Court will ultimately have to resolve this battle but, for now, defendants in the Second Circuit can breathe just a little bit easier.