Friday, 20 April 2012

USA v. Nosal

Perhaps more closely connected to the material in the information security module than to the more regulatory aspects of telecoms law dealt with on the telecoms law module, the case of USA v. Nosal is likely to be of interest to those of you considering issues of access to a computer system without a right. The chief judge in the case draws a number of parallels with more general communications activities in making his decision.

This is a US decision from the Ninth Circuit, and was a 9-2 ruling; it's likely that this will reach the Supreme Court in the US for another appeal. The case looks at an employee's extraction of data from his employer and examines whether, under the US legislation, "access without a right" (as per the Convention on Cybercrime) means solely unauthorised access (such as by an external hacker), or also covers the use of authorised access for unauthorised purposes, such as a user downloading data to which they have legitimate access, but for non-approved purposes.

The court sided in favour of unauthorised access only.

How should employers protect their data, then? Is it right that an external hacker who removes data commits a criminal offence, but that some form of breach of fiduciary duty or breach of contract would be required to take action against an employee who has access for authorised purposes, but abuses this access?
