Business Management, Economy

Database Theft is Not Criminal?

18 Comments
No Gravatar
Map of the geographic boundaries of the variou...
Map of the geographic boundaries of the various United States Courts of Appeals and United States District Courts. (Photo credit: Wikipedia)

A ruling this past month for the Ninth Circuit (AK, WA, OR, CA, MT, ID, HI, NV) will change a lot of employer actions – and may make those of us living in the rest of the US reconsider our practices.

The Computer Fraud and Abuse Act (CFAA) was first passed in 1986, which protected Federal computers from various acts.  It has been amended more than a few times, including by the Patriot (sic) Act and the 2008 Identity Theft Enforcement and Restitution Act.    It now covers acts- and the conspiracy to perform certain acts.  It now also covers financial institutions, the US Government or any computer used in or affecting interstate or foreign commerce/communication- including those computers outside the US that can affect these covered entities.  Given these facts, you can see that this act covers almost every company’s computers. Unless, of course, you reside in the area governed by the Ninth Circuit.

The Court held that workers can’t be charged with criminal violations of the CFAA, if they misuse electronic data for which they had normal access as part of their employment.  (US v. Nosal, 10-10038 [10 Apr 2012, 9th cir.]  This was a 9-2 decision, by the way).  Let’s make this clearer by providing the facts of this case.

David Nosal, who was at one time employed by Korn/Ferry (an executive search firm) decided to start a competing business after he left KF’s employ.  He asked his old pals at KF to download data from the confidential database for his uses.  These pals were legally authorized to peruse and examine the database- but not for this purpose, of course.  They clearly understood that the company policy stipulated that the database was for “company use only”.

Given these transgressions, Nosal was indicted on 20 counts of mail fraud, trade secret theft, conspiracy, and CFAA violations.  The thought was he aided and abetted Korn/Ferry employees to exceed authorized access, with the intent to defraud.

Nosal’s position was that the CFAA only applies to hackers- and not to employees who misappropriate data to which they have access.  Now, we get to the Talmudic argument.   The CFAA defines “exceeds authorized access” as meaning “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter”.  No one altered the data; hence, the case was basically dismissed.  (Of course, they did “obtain” the data.)

Chief Just Kozinski (who wrote the opinion) stated that it was Congress’ intent to limit this act to outsiders, and not to those who may already have access to such data.  If his interpretation were not maintained, then the CFAA “would make criminals of large groups of people who who have little reason to suspect they are committing a federal crime”.

Kozinski further acknowledged that this conflicts with the Fifth, Seventh and Eleventh Circuits- which courts he admonished to reconsider their opinions.  He also cited the fact that District Courts in New York, Maryland, Arizona, and Georgia have held positions in concert with this majority opinion.    This is employer-employee or company-consumer relationships; as such they are subject to tort or contract law and not criminal law.  Had this opinion not been issued, this would have “federalized” trade secret misappropriation (as it relates to computers)- and that has traditionally been a State right.

What is does mean for sure is that corporations need to find better ways to secure their databases.

Enhanced by Zemanta
Share this:
Share this page via Email Share this page via Stumble Upon Share this page via Digg this Share this page via Facebook Share this page via Twitter
Share

Related posts:

  1. Times a’wasting- and we are the ones who will be hosed
  2. Big Brother is Coming to Town- YOUR town!
  3. Business Sales and Valuations (even if you don't want to sell)
  4. Go Directly to Jail. Do NOT Pass Go!
  5. Truth or Internet? Why are they often mutually exclusive?

18 thoughts on “Database Theft is Not Criminal?”

  1. This is fantastic…in that it isn’t. It is a classic case of someone upholding the letter of the law but not the spirit of the law. It is how we end up with a thousand little micro laws. When all we need is “Don’t steal” we now have “Don’t steal and hundreds of don’t steal this or that, or if you think this don’t steal this, and it’s considered stealing of you take this.” And that’s the bottom line isn’t it. If it isn’t yours don’t freaking take it (period).

    Those little mirco laws are why people who do wrong get off, the more words in any contract the more loopholes there are. Honest people don’t need to worry about it, but crooks use those to enable their behavior.

    Well, my blood pressure is up now…

    Great post though!
    Lisa Brandel recently posted..Sandy Beach Bridge by Lisa Brandel

  2. Interesting. I know as a merchant my VISA/MC processor has stringent rules as to how customers’ data is safeguarded. My employees had to read and sign documents and watch videos in order for me to obtain continued permission to process. All part of this new age. LOL, and I still have customers that present checks with their social security numbers on them. Maybe they are still going through an old stock pile of printed checks!
    Carolina HeartStrings recently posted..CUCUMBER TEA SANDWICHES

    1. Alessa…
      You brought up one of our nightmare scenarios. We have tons of data. You have access rights, just like in this case. But, now you take the data and publicize it. I’m liable? Because you took it from my stash???

  3. Let me get this straight. Some dude left his company and opened competition. Then he want to his old colleagues and got them to give him client information from the old company.

    The dude did not go to jail and the colleagues did not do anything illegal because they were allowed access to the information. If people at a job cannot access their information, they can’t do their jobs or if there is a ruling saying the colleagues were in the wrong then everyone who accesses company information anywhere is violating a ruling.

    Now how does this become a federal right take over from state’s rights. What happened to plain old theft?
    Ann recently posted..Determining Marketing Strategies — 6th Marketing Ball Stragegy

    1. Ann…
      I’m just as dumbfounded. We are worried because of all the information in our databases. Now, at least in our case, every time you touch the database, there is a record you did- when, where, and what was accessed. But, the fact that I know someone is stealing information is not a very comforting one…

  5. Wow – that’s just plain crazy. I am amazed at some of these court decisions. I don’t understand why this case was dismissed when information was obtained and misused. It’s a scary world out there!
    Suerae Stein recently posted..What is Normal?

  6. I don’t know about US laws but using physical assets of the company you work for to gain personal profit (i.e. using a company’s vehicle) is penalized by civil laws; even if the company is a public one. Information should be treated as any other asset. There should not be confusion there.
    Gustavo | Frugal Science recently posted..What are dreams made of.

  7. If a Federal law like HIPAA can protect a person’s medical information why not any intellectual property? The politics of protecting information has historically not protected the owner of the information. It’s an avenue to stave off litigation more than anything else. In the Nosal case, the law was clearly violated when his coworkers passed on the information to Nosal at which point he “obtained the information” in violation of the CFAA. Inventors need patents to protect what always starts as intellectual property before it beomcs the finished product. Protecting information is crucial in these times and it’s not small matter with terrorist groups (native and foreign) ever seeking such info.

  9. Pingback: XMC.PL*

Comments are closed.