Court Rules Workers Did Not Overstep On Stealing Data 88
MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."
Re:Good news everyone... (Score:5, Informative)
The ruling is equivalent to "if you have a logon, you should have root".
The employees had access to the data in question. They could have easily been denied access if that were the intent.
Try reading the article next time.
Re:Good news everyone... (Score:5, Informative)
no, it just means it's not a criminal offense when employees take data with them. sales people have been doing this for decades. companies have had data security policies before computers and this is no different
It could still be an offense under a different law. The judge here is making a distinction between exceeding unauthorized access and abusing authorized access. An example: If I pick the lock on a filing cabinet in the boss's office and photocopy the trade secret documents inside and give them to a competitor I have exceeded authorized access. On the other hand if I use my key to open a filing cabinet in my own office and photocopy the same documents and give them to a competitor, I have abused (but not exceeded) my authorized access.
In both cases multiple offenses are committed. But there is one more offense in the first scenario than in the second.
This is not hair splitting. Without this distinction any misconduct by persons with authorized access makes their access unauthorized. This could have very surprising consequences. In one recent case a prosecutor argued that a user who violated the terms of use of a web site had obtained 'unauthorized access' because she had used the site in an 'unauthorized manner'. If we were to access this theory, then web site operators and employers could in effect write their own laws and get people sent to jail for violating them.