Can checking sports scores from the office, using your employer's computer, land you in the slammer? It could, warn computer privacy advocates. They believe a case pending in San Francisco before a group of 9th Circuit judges could be interpreted to mean that anyone who abrogates his employer's rules about computer use exposes himself to federal prosecution -- no matter how petty the rule.
At the center of the case, reported by Politico last week, is David Nosal, a San Francisco headhunter who once worked for search firm Korn/Ferry International.
After leaving Korn/Ferry — first to join a competing firm, then to start his own -- Nosal was indicted in 2008 for having tried to steal Korn/Ferry data to which he no longer had legitimate access. According to the indictment, he recruited three Korn/Ferry employees to help him. The indictment says the three gave Nosal "source lists, names and contact information" from Korn/Ferry's database, which was considered by K/F to be "one of the most comprehensive databases of executive candidates in the world."
The Department of Justice brought suit against Nosal, claiming he had violated the Computer Fraud and Abuse Act (CFAA), a federal statute that, under certain circumstances, makes misuse of an employer's computers not just a felony but one punishable by up to 20 years in prison and fines of $250,000 or higher.
Privacy advocates, including the Electronic Frontier Foundation, have argued that the danger exists that CFAA penalties could be applied to an employee's infraction of trivial office rules -- for example, ones that forbid personal shopping on the Internet or the sending and receiving of personal email.
"It's a very important issue," Nosal's attorney, Dennis Patrick Riordan of San Francisco's Riordan & Horgan, tells ABC News. "There is little doubt the Supreme Court will confront it."
Virtually every employer, he says, now has rules against use of office computers for anything but work-related purposes. "Checking baseball scores, surfing the Internet — it's one thing to say those are violations of employer policy leading to discharge. It's another to say they're a federal crime for which you could be put in prison." The question raised by the Nosal case, he says, is this: Is the CFAA limited to serious criminals — hackers, fraudsters, thieves — or is it more expansive, embracing any kind of computer use that violates company policy?
"Some will say," says Riordan, "that this is a tempest in a teapot. That the law applies only to persons intending to defraud. But people don't realize what 'intent to defraud' might mean." It could, he says, apply to an employee wasting serious amounts of his employer's time — someone, for example, goofing off by going on eBay a lot. Two hours of hanky-panky a day could run into real money, costing an employer $10,000 a year in unearned pay. That could be construed as fraud.
"Did Congress intend to turn 50 million Americans into federal criminals, when they passed this statute?" asks Riordan. He thinks not.
Nick Akerman, a partner with Dorsey & Whitney in New York who specializes in issues of computer fraud and abuse, says Nosal is indeed a teapot tempest.
It's "ridiculous," he says, and "absurd" to imagine the law being applied to rinky-dink infractions, such as people goofing off. The idea that somebody could be sent to jail for checking sports scores? He dismisses it as "crazy."
Courts, he says, "Would never prosecute anything like that. There's a degree of prosecutorial discretion involved. If a college kid in California calls his parents and asks for $100 to buy books, but instead buys beer, I suppose he'd be guilty of wire fraud. But nobody would bring so ridiculous a case."
To run afoul legitimately of the CFAA, says Akerman, a person has to do more than simply violate a company rule. He has to do so with criminal intent, to take something of value or to defraud.
That's not to say that recent court decisions haven't strengthened the employer's hand when it comes to employee misuse of computers. In a forthcoming article for the National Law Journal, Akerman writes that four decisions in the past year by four different federal courts, taken together, have "greatly enhanced the ability of businesses to use the CFAA as a tool to protect competitively sensitive data and personal information stored in company computers."
As for the Nosal case, last week it was granted an "en banc" hearing, meaning that all the judges of the 9th Circuit will re-hear it as a group. That move basically wipes the legal slate clean for a re-interpretation of the law. Akerman writes that "the state of the law could drastically change in the near future," and it could be up to the Supreme Court "to determine the applicability of the CFAA in the employer/employee context."