Employers often prohibit employees from using work computers for personal, non-work related purposes, but let’s say an employee accesses a work computer to plan a personal vacation to Hawaii or shop for clothes for a child.  Has the employee committed a federal crime?  The question of whether it is a federal crime for an employee to access a company computer for purposes outside the scope of a company’s computer policy was posed by the Ninth Circuit during a recent oral argument regarding the reach of the Computer Fraud and Abuse Act (“CFAA”), in the case of En Pointe Technologies, Inc. v. Sarcom, Inc., et al.

In January 2010, En Pointe filed a federal lawsuit against two former employees seeking $1,000,000 in damages.  En Pointe alleged that its former employees violated the CFAA by taking confidential information from company computers.  The CFAA is a federal law that prohibits certain actions that range from obtaining information from a computer without authorization, to damaging a computer through unauthorized access.  En Pointe alleged that its former employees unlawfully exceeded their authorization to access its computers and fraudulently obtained valuable company information.  The lower court dismissed the claims because the former employees were authorized to access En Pointe’s computers.  Therefore, the court reasoned that no violation of CFAA could have occurred – notwithstanding other laws protecting employer information. 

On appeal, En Pointe urged a three-judge panel to reinstate its CFAA claims based on the Ninth Circuit’s prior ruling in United States v. Nosal.  In that case, the court held that a CFAA claim may stand against former employees who obtain information from their employer’s computers in violation of a computer access policy. Highlighting the importance of the employer’s policy, the court reasoned that an employee may violate the CFAA by exceeding the employer’s restrictions on the employee’s use of the computer itself or the information contained in that computer.

During oral argument in the En Pointe case, the Ninth Circuit examined the differences between the company policies.  In Nosal, the employer had a policy with “clear and conspicuous restrictions” on the employees’ access to the computer system, whereas En Pointe’s policy related to the disclosure of business information.  The attorney for the former employees argued that En Pointe effectively sought to federalize state trade secret law by expanding the scope of the CFAA beyond a statute regulating computers.  He argued that, while Nosal contained “loose language” regarding the application of employer-imposed computer access limitations in CFAA cases, the Ninth Circuit should remember that “it’s the initial access that’s unlawful.” 

Although we await the Ninth Circuit’s decision, the oral argument in the En Pointe case reminds us of the key distinction between a policy that prohibits disclosure of company information and a policy that imposes a blanket restriction on access to company computers.  With the ever-increasing digitization of business data, the practical lines between these polices are blurring at a time when the legal distinction has never been more important.  Furthermore, the structure of computer systems and the confidentiality of certain information will often vary from one employer to the next, thus precluding a “one-size fits all” employment policy.  Experienced employment counsel should be consulted for assistance with preparing non-disclosure and computer access policies that are best-suited for your company’s unique needs.