Cybercrimes are a constant threat as criminals seek to take advantage of online users. The COVID-19 pandemic is no...
Exiting CTO who copied source code and company files wins dismissal of CFAA claim; Thoughts on the CFAA post-NosalCyber Crimes
Viral Tolat, ex-CTO of Integral Development Company, is accused by his former company of copying gigabytes of source code and confidential files on his way out the door to a position with another company. He copied the source code to multiple places and uploaded some of the data to his personal Google Docs account. In Integral’s First Amended Complaint, it alleged, inter alia, that Tolat violated the CFAA (and the analogous Cali statute) by misappropriating Integral data in derogation of the company’s confidentiality policy and Tolat’s employment agreement; Integral also alleged that Tolat “exceeded authorized access” because he had no “legitimate reason” to copy the source code (Tolat knew next to nothing about programming).
A federal judge in the N.D. Cal. did not buy Integral’s allegations of “hacking” and granted Tolat’s motion to dismiss those claims; the court’s holding was based on United States v. Nosal’s narrow reading of the CFAA. The court reiterated the premise in Nosal that the CFAA was meant to criminalize unauthorized access to information, not the misappropriation of information obtained through authorized access.
The order granting Tolat’s motion to dismiss the hacking claims is here: Integral Dev. Co. v. Tolat, No: 3:12-CV-06575-JSW (N.D. Cal. Oct. 25, 2013).
In holding, as a matter of law, that the CFAA did not apply to Tolat’s conduct, the court stated:
The Ninth Circuit has rejected the contention that the terms “exceeds authorized access” within the meaning of the CFAA applies where someone has access to a computer’s information but is limited in permissible use of that information. The plain language of the CFAA “target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.”
Integral does not and cannot allege that Tolat gained improper or unauthorized access to Integral’s computers for illegitimate purpose. Rather, Integral alleges that Tolat “copied, downloaded and removed numerous Integral source code files . . . when he clearly had no legitimate reason to do so.” Integral does not allege that Tolat used improper methods to gain access to the source code, but rather concedes, as it must, that at the time of the alleged acquisition of the materials, Tolat was working for Integral and had access to virtually all of Integral’s trade secret information and confidential and proprietary intellectual property. (citations in entire quote omitted)
Integral argued strenuously, in its brief opposing Tolat’s Motion to Dismiss, that the company had a written confidentiality policy that Tolat was aware of and clearly violated when he uploaded company files and source code (trade secrets) to “the cloud” (i.e. his personal Google Docs). And thus, the argument continued, the existence of the policy and the knowing violation by Tolat was sufficient to create civil liability under the CFAA. The court’s opinion, which ultimately held the CFAA inapplicable, summarily rejected Integral’s argument by simply ignoring it altogether. I interpret the court’s failure to even touch the merits of this argument as an implicit rejection of the “wide” interpretation of the CFAA Integral attempted to forward.
Wide interpretations of the CFAA have, in the most general sense, attempted to define liability (civil or criminal) for “hacking” by tying the statute (or defining the scope of it, at least in part) to the policies or terms of service drafted by private parties. The fundamental flaw in the wide approach is the unmooring of the CFAA from its original legislative purpose – real hacking; a wide interpretation also injects fluctuation into the law (or, perhaps, constitutes a “slippery slope”), allowing a serious federal crime to evolve whenever corporate policies or terms of service change (often at the whim of in-house counsel or in response to information technology changes).
Conversely, narrow interpretations of the CFAA reject (correctly, I would argue) any attempt to expand the scope of the CFAA beyond the purpose for which it was enacted. This is the interpretation of the CFAA I have consistently argued for and is the one adopted by the 9th Circuit in Nosal (an opinion that, to be clear, was binding on the court here).
The CFAA has become a flawed statute through no fault of its own. It is merely an antiquated remnant of a different era, poorly suited to address an area of law (and technology) that is constantly evolving at an incredible pace. The CFAA is, by analogy, the abacus in a room full of iPhone 5Ss. Attempting to fix the CFAA through ever wider interpretations of its scope is, to be honest, nothing more than the judiciary answering the CFAA’s anachronism with acquiescence. This acquiesce is not innocuous, however. It carries with it a dangerous and misguided solution: granting legislative fiat over the CFAA’s scope to private entities instead of Congress.
The rest of the documents for the case:
First Amended Complaint
Defendant’s Motion to Dismiss, inter alia, the hacking claims
Plaintiff’s Opposition to the MTD
Defendant’s Reply to the Plaintiff’s Opposition