b'No. 19-783\nIN THE\n\nSupreme Court of the United States\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nNATHAN VAN BUREN,\nv.\n\nPetitioner,\n\nUNITED STATES OF AMERICA,\nRespondent.\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nOn Writ of Certiorari to the\nUnited States Court of Appeals\nfor the Eleventh Circuit\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nBRIEF OF THE\nMANAGED FUNDS ASSOCIATION\nAS AMICUS CURIAE\nIN SUPPORT OF RESPONDENT\n\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\xe2\x80\x94\nJOSEPH V. DEMARCO\nCounsel of Record\nDAVID M. HIRSCHBERG\nDEVORE & DEMARCO LLP\n99 Park Avenue, Suite 1100\nNew York, NY 10016\n(212) 922-9499\n(917) 576-2369\njvd@devoredemarco.com\nCounsel for Amicus Curiae\nSeptember 1, 2020\nWILSON-EPES PRINTING CO., INC. \xe2\x80\x93 (202) 789-0096 \xe2\x80\x93 WASHINGTON, D. C. 20002\n\n\x0cTABLE OF CONTENTS\nPage\nTABLE OF AUTHORITIES ................................\n\niv\n\nINTEREST OF AMICUS CURIAE .....................\n\n1\n\nSUMMARY OF ARGUMENT .............................\n\n3\n\nARGUMENT ........................................................\n\n6\n\nI.\n\nPETITONER\xe2\x80\x99S INTERPRETATION OF\nTHE CFAA, IF ADOPTED, WOULD\nLIMIT THE APPLICABILITY OF THE\nCFAA ALMOST ENTIRELY TO THE\nACTIONS OF OUTSIDERS, RENDERING IT INEFFECTIVE AGAINST THE\nOFTEN FAR MORE SIGNIFICANT\nTHREAT POSED BY FAITHLESS INSIDERS TO CONFIDENTIAL COMPUTER\nSYSTEMS AND INFORMATION ............\n\n6\n\nA. Modern Financial Firms Gather,\nCreate, Maintain, and Rely Upon\nMassive Amounts of Non-Public Data\nand Proprietary Programs in the Course\nof Conducting their Business ..............\n\n6\n\nB. Certain Employees and Third Parties\nMust Be Granted Access to Valuable\nProprietary Data and Systems in\nOrder for Those Systems to Operate\nProperly................................................\n\n8\n\nC. Investment Firms Implement Robust\nProcedures to Secure their Digital\nAssets ...................................................\n\n9\n\n(i)\n\n\x0cii\nTABLE OF CONTENTS\xe2\x80\x94Continued\nPage\nII.\n\nINVESTMENT FIRMS ARE UNDER\nCONSTANT THREAT OF DATA THEFT\nBY FAITHLESS INSIDERS.....................\n\n12\n\nIII. THE READING OF THE CFAA\nADVANCED BY PETITIONER UNDERCUTS THE STATUTE\xe2\x80\x99S EFFECTIVENESS AT PREVENTING CYBERCRIME AND IS CONTRARY TO THE\nPLAIN MEANING OF THE STATUTORY LANGUAGE ..................................\n\n17\n\nA. Giving Weight to the Terms of Employment Contracts and Policies Reinforces the Common Understanding\nthat One\xe2\x80\x99s Rights Concerning the\nProperty of Another Extend Only as\nFar as They Are Granted ....................\n\n18\n\nB. An Interpretation of the CFAA Which\nExcludes All Actions of Those with\nLegitimate Access to a Computer\nSystem Improperly Limits the Statute\nin a Manner Inconsistent with the\nActual Text of the Statute ...................\n\n20\n\nC. Concerns that a Broad Interpretation\nof \xe2\x80\x9cWithout Authorization\xe2\x80\x9d under the\nCFAA Would Require Examination of\nDefend-ants\xe2\x80\x99 Subjective Motivations\nAre Not Significant in the Context of\nClearly-Communicated, Action-Based\nLimitations on Authorization .............\n\n22\n\n\x0ciii\nTABLE OF CONTENTS\xe2\x80\x94Continued\nPage\nD. Taking into Consideration Policy and\nContract-Based Limitations on Computer System Use in the Context of\nEmployer-Provided Systems Raises\nNo More \xe2\x80\x9cPrivate Criminal Law\xe2\x80\x9d\nConcerns than Does Consideration of\nTechnology-Based Controls .................\n\n23\n\nE. Focusing Purely on Technological\nAccess Controls Leads to Plainly\nAbsurd Results .....................................\n\n24\n\nCONCLUSION ....................................................\n\n26\n\n\x0civ\nTABLE OF AUTHORITIES\nCASES\n\nPage(s)\n\nEnhanced Recovery Co. LLC v. Frady,\nNo. 3:13-cv-1262, 2015 WL 1470852\n(M.D. Fla. Mar. 31, 2015) .........................\n\n22\n\nUnited States v. Agrawal,\n726 F.3d 235 (2d Cir. 2013) ......................\n\n16\n\nUnited States v. Aleynikov,\n676 F.3d 71 (2d Cir. 2012) ........................\n\n16\n\nUnited States v. Aleynikov,\n737 F. Supp. 2d 173 (S.D.N.Y. 2010)........\n\n16\n\nSTATUTES AND REGULATIONS\n15 U.S.C. \xc2\xa7 80b-6 (2012) ...............................\n\n19\n\n17 U.S.C. \xc2\xa7 1201(a)(1)(A) (2012) ..................\n\n20\n\n18 U.S.C. \xc2\xa7 1030.............................................. passim\n18 U.S.C. \xc2\xa7 1030(a)(4) ......................................\n\n15\n\n18 U.S.C. \xc2\xa7 1030(e)(6) (2012)...........................\n\n21\n\n17 C.F.R. \xc2\xa7 240.10b-5 ...................................\n\n19\n\n17 C.F.R. \xc2\xa7 248.201 (2016) ...........................\n\n19\n\n17 C.F.R. \xc2\xa7 275.204A-1 .................................\n\n19\n\n17 C.F.R. \xc2\xa7 275.206(4)-7 (2007) ....................\n\n19\n\nCommission Interpretation Regarding Standard of Conduct for Investment Advisers,\nAdvisers Act Release No. 5248, 17 C.F.R.\nPart 276 (June 5, 2019) ............................\n\n19\n\n\x0cv\nTABLE OF AUTHORITIES\xe2\x80\x94Continued\nCOURT FILINGS\n\nPage(s)\n\nIndictment, United States v. Persaud, No.\n15-cr-00462 (E.D.N.Y. Sept. 14, 2015) .....\n\n14\n\nIndictment, United States v. Rosene et al.,\nNo. 3:12-CR-00369 (W.D.N.C. Nov. 15,\n2012) ..........................................................\n\n15\n\nInformation, United States v. Mercedes, No.\n1:19-cr-00435 (D.N.J. June 21, 2019) .......\n\n15\n\nOTHER AUTHORITIES\nAuthorized, MERRIAM-WEBSTER.COM DICTIONARY, https://www.merriam-webster.\ncom/dictionary/authorized (last visited Aug.\n26, 2020) ....................................................\n\n5\n\nEmployee at Mortgage Company Admits\nIllegally Accessing Computer to Steal\n$2 Million, U.S. DEP\xe2\x80\x99T OF JUSTICE (June\n21, 2019), https://www.justice.gov/usaonj/pr/employee-mortgage-company-admitsillegally-accessing-computer-steal-2-mill\nion-0 ...........................................................\n\n15\n\nFormer Fifth Third Staff \xe2\x80\x98Stole Customer\nData\xe2\x80\x99, Bank Confirms, BANKING EXCHANGE\n(Feb. 19, 2020), https://www.bankingexch\nange.com/compliance-management/item/\n8134-former-fifth-third-staff-stole-custom\ner-data-bank-confirms ..............................\n\n14\n\n\x0cvi\nTABLE OF AUTHORITIES\xe2\x80\x94Continued\nPage(s)\nFormer JP Morgan Chase Bank Employee\nSentenced to Four Years in Prison for\nSelling Customer Account Information,\nU.S. DEP\xe2\x80\x99T OF JUSTICE (Aug. 10, 2018),\nhttps://www.justice.gov/usao-edny/pr/form\ner-jp-morgan-chase-bank-employee-sente\nnced-four-years-prison-selling-customer ....\n\n14\n\nFormer Online Mortgage Broker Employee\nand Mortgage Broker Conspirator Sentenced to Prison for Computer Theft, U.S.\nDEP\xe2\x80\x99T OF JUSTICE (Dec. 15, 2014), https://\nwww.justice.gov/usao-wdnc/pr/former-onl\nine-mortgage-broker-employee-and-mortg\nage-broker-conspirator-sentenced-prison ....\n\n15\n\nLauren Tara LaCapra & Tanya Agrawal,\nMorgan Stanley Says Wealth Management Employee Stole Client Data,\nREUTERS (Jan. 5, 2015), https://www.reut\ners.com/article/us-morgan-stanley-data/mo\nrgan-stanley-says-wealth-management-em\nployee-stole-client-data-idUSKBN0KE1A\nY20150106 ......................................................\n\n14\n\nPONEMON INSTITUTE, 2020 COST OF INSIDER\nTHREATS: GLOBAL REPORT (2020), available at https://www.observeit.com/2020\ncostofinsiderthreat ....................................\n\n13\n\n2 WILLIAM BLACKSTONE, COMMENTARIES ON\nTHE LAWS OF ENGLAND (1ST ED. 1765-69) ...\n\n18\n\n\x0cINTEREST OF AMICUS CURIAE1\nManaged Funds Association (\xe2\x80\x9cMFA\xe2\x80\x9d) is a not-forprofit membership organization representing the global\nalternative investment industry. MFA is an advocacy,\neducation, and communications organization established\nto enable advisers to investment funds and managed\nfutures funds to participate in public policy discourse,\nshare best practices, learn from peers, and communicate the industry\xe2\x80\x99s contributions to the global economy.\nMFA\xe2\x80\x99s more than 4,200 professional members represent managers of hedge funds, separately managed\nfunds, managed futures funds, and their service\nproviders.\nMFA members represent a significant portion of\nthe American economy. MFA\xe2\x80\x99s over 200 investment\nmanagement member firms include many of the nation\xe2\x80\x99s\nlargest investment institutions, collectively managing\nmore than $1.1 trillion in capital, a figure which\ncomprises nearly two-thirds of the capital managed\nby the fifty largest U.S.-based hedge funds. Member\nfirms are headquartered in nineteen states and employ\nmore than 10,000 individuals in addition to tens of\nthousands of additional employees working at MFA\nmember banks. MFA investment management firms\nare fiduciaries to their clients. The investors of the\nclient funds of MFA members predominantly include\npension plans, university endowments, charitable\nfoundations, and philanthropic trusts. The goal of\nthese investors is to diversify their investments, manage\n\n1\n\nPursuant to Supreme Court Rule 37.6, no counsel for a party\nauthored this brief in whole or in part. No person or entity other\nthan the Managed Funds Association and its members made any\nmonetary contribution to fund the preparation or submission of\nthis brief. The parties have consented to this filing.\n\n\x0c2\nrisks, and generate reliable returns over time for\nretirees, students and other beneficiaries.\nMFA members include some of the most intensive\ncomputing and data-reliant businesses in the world.\nModern financial decision-making relies on massive\namounts of data, sophisticated algorithms, and the application of computer processing power \xe2\x80\x94 each one an area\nin which MFA members invest in heavily. Yet while\ncomputer-based analyses and trading tools have been\na boon to the investment industry, they have also given\nrise to the unfortunate side effect of data misappropriation and theft of confidential intellectual property. As\nhas been demonstrated in several high-profile instances,\nthe portability of digital information has given unscrupulous employees of financial firms the motivation to steal\ntheir employer\xe2\x80\x99s digital assets, often with the intent of\nbenefiting themselves or their future employers. MFA\nmembers therefore expend substantial resources in\nsecuring their digital assets \xe2\x80\x94 especially those assets\nwhich are proprietary and highly confidential.\nNotwithstanding these efforts, it is an unavoidable\nconsequence of conducting an analytical business that\ncertain employees and other third parties must be\ngranted access to sensitive and non-public information\nresiding on MFA member databases and systems. When\nthose individuals are responsible for information theft,\nvictimized financial firms can only rely upon the law\n\xe2\x80\x94 including the Computer Fraud and Abuse Act \xe2\x80\x94 to\nprotect themselves. MFA is therefore concerned that\nPetitioner\xe2\x80\x99s narrow reading of the term \xe2\x80\x9cauthorized\xe2\x80\x9d\nas used in that statute would, if adopted by this Court,\nsubstantially weaken MFA member firms\xe2\x80\x99 ability to\nprevent the theft of their highly valuable confidential,\nnon-public proprietary data and intellectual property.\n\n\x0c3\nSUMMARY OF ARGUMENT\nThe Computer Fraud and Abuse Act (Title 18, United\nStates Code, section 1030) (\xe2\x80\x9cCFAA\xe2\x80\x9d) is unquestionably\nthe most important federal statute protecting American\ncomputer systems and the data stored on those systems. As digital technology has become ever more\ncentral to the economy, the CFAA has, in a corresponding fashion, increased in importance. Adopted in the\npre-Internet age, when computer security was in its\nrelative infancy, the CFAA could not have been drafted\nwith precise knowledge of how computers would\neventually come to be used, or how those evolving\ncomplexities could generate uncertainty concerning\nthe meaning of apparently simple statutory language.\nYet Congress\xe2\x80\x99 fundamental purpose in enacting\nthe law \xe2\x80\x94 which must be reflected in interpreting the\nstatute \xe2\x80\x94 was clearly and unambiguously to protect\nnon-public computer systems and confidential data\nfrom the threats posed by malicious actors.\nAt issue in this case is the definition of the words\n\xe2\x80\x9cwithout authorization,\xe2\x80\x9d an element of several of the\nCFAA\xe2\x80\x99s enumerated criminal offenses (and, by reference,\nthe statute\xe2\x80\x99s civil provision), as well as its statutory\ncompanion, \xe2\x80\x9cexceeding authorized access.\xe2\x80\x9d As courts\naddressing the issue have often remarked, the lack of\nan explicit definition in the CFAA of what constitutes\n\xe2\x80\x9cauthorization,\xe2\x80\x9d and perhaps more importantly what\nparameters dictate when authorization is lacking,\nhas generated uncertainty as to how the statute\nshould be applied. Interested parties have advanced\n\xe2\x80\x94 or proposed as evils that must be avoided \xe2\x80\x94 rather\nextreme interpretations of the term. Those favoring\nthe narrowest possible scope of the term argue that\nany activity is \xe2\x80\x9cauthorized\xe2\x80\x9d unless technical measures\nare deployed specifically to prevent it. Under such a\n\n\x0c4\ndefinition, the CFAA would become essentially an\nanti-circumvention statute, prohibiting only the conduct\nof those who \xe2\x80\x9chack\xe2\x80\x9d through the security of a computer\nsystem. On the other extreme are those who champion\nan extremely broad interpretation of what constitutes\n\xe2\x80\x9cunauthorized access,\xe2\x80\x9d reasoning that any violation\nof the most innocuous contractual terms concerning\ncomputer access should qualify, even if the data in\nquestion is publicly-viewable by anyone with Internet\naccess. Such advocates miss the obvious point that\nthere is an array of activity involving access to nonpublic data that, while not within the conventional\nview of malicious \xe2\x80\x9chacking\xe2\x80\x9d by outside individuals or\ngroups, is nonetheless clearly without authorization\nunder any reasonable, common sense interpretation of\nthat term. MFA submits that among the actions\nwhich should be understood as violative of the CFAA\nare those of employees (and other insiders) which\nviolate plainly communicated, expressly agreed to,\nunambiguous restrictions on the use of non-public\ncomputer systems and non-public data on those systems.\nMFA\xe2\x80\x99s concerns with Petitioner\xe2\x80\x99s (mis)reading of\nthe CFAA are not hypothetical. In particular, our\nmembers are keenly aware of, and acutely concerned\nby, the threat posed by the exploitation of its members\ncomputer systems by faithless employees, contractors,\nvendors, suppliers and other third party \xe2\x80\x9cinsiders\xe2\x80\x9d\nwith permissioned access to member systems. The\ntheft of such intellectual property or proprietary information harms investment managers, fund investors,\npotentially other market participants and the economic\ncompetitiveness of U.S. firms to the extent that such\nproperty is exported to a foreign competitor. Indeed,\nin recent years, financial firms have seen a marked\nincrease in the prevalence of data theft and attempted\ndata theft by such \xe2\x80\x9cinsiders.\xe2\x80\x9d These incidents include\n\n\x0c5\nnot only widely reported-upon events which have\ngiven rise to criminal proceedings, but also countless\nother thefts and attempted thefts which, for various\nreasons, do not come to the public knowledge. Moreover,\nthe adoption of a narrow reading of the CFAA in\ncertain circuits has served as a deterrent to firms who\nwould otherwise seek to vindicate their rights in\nfederal court.\nMFA respectfully submits that adopting the extremely\nnarrow scope of the CFAA advocated by Petitioners\nbelies the ordinary meaning of the word \xe2\x80\x9cauthorized.\xe2\x80\x9d2\nIt also defies common sense. Such a narrow reading\nrenders the CFAA powerless against the most significant cyber-security threat faced by many financial\nfirms: the threat of insider malfeasance related to\ntrade secrets and other confidential data and IP.\nSimply put, if the line between authorized and unauthorized activity is only defined with reference to\ntechnological controls protecting against outside\nhackers, then it becomes nearly impossible for any\nuser of a computer system with access credentials to\nthat system \xe2\x80\x94 such an investment firm employee \xe2\x80\x94\nto violate the CFAA, no matter how egregious his\nconduct in relation to non-public data on those systems.\nMFA believes that a better interpretation of the\nCFAA is to apply the common, dictionary definition of\nthe term \xe2\x80\x9cauthorization\xe2\x80\x9d when applying the statute.\nRather than reading into the CFAA a requirement of\ncircumventing a technological access control \xe2\x80\x94 a term\nconspicuously absent from the statutory text \xe2\x80\x94\n2\n\nSee, e.g., Authorized, MERRIAM-WEBSTER.COM DICTIONARY,\nhttps://www.merriam-webster.com/dictionary/authorized (last visited\nAug. 26, 2020) (defining \xe2\x80\x9cauthorized\xe2\x80\x9d as \xe2\x80\x9csanctioned by authority:\nhaving or done with legal or official approval\xe2\x80\x9d).\n\n\x0c6\nfactfinders should instead determine the answer to\nthis straightforward question: \xe2\x80\x9cWas the defendant\nspecifically and knowingly prohibited from engaging\nin the complained-of conduct concerning the nonpublic systems and non-public data in question?\xe2\x80\x9d\nARGUMENT\nI. PETITONER\xe2\x80\x99S INTERPRETATION OF THE\nCFAA, IF ADOPTED, WOULD LIMIT THE\nAPPLICABILITY OF THE CFAA ALMOST\nENTIRELY TO THE ACTIONS OF OUTSIDERS, RENDERING IT INEFFECTIVE\nAGAINST THE OFTEN FAR MORE SIGNIFICANT THREAT POSED BY FAITHLESS\nINSIDERS TO CONFIDENTIAL COMPUTER\nSYSTEMS AND INFORMATION\nA. Modern Financial Firms Gather, Create,\nMaintain, and Rely Upon Massive\nAmounts of Non-Public Data and\nProprietary Programs in the Course of\nConducting their Business\nWithout a doubt, investment firms are among the\nmost technologically advanced and technology-reliant\nbusinesses in the American economy. While the types\nof systems and data used by each firm vary substantially in accordance with the nature and character of\ntheir investment activities, a high-level overview of\nthe digital assets maintained by such institutions sheds\nlight on the importance and breadth of computerized\ninformation used in the field. It also underscores the\ncriticality to member firms\xe2\x80\x99 competitive position of\nbeing able to keep confidential data and systems that\nit has expended time and effort creating.\n\n\x0c\xef\x82\xb7\n\n7\nPersonal Information and Personal Financial\nInformation. Like all businesses, financial firms\nmaintain non-public personal information, often\nquite sensitive, concerning their employees and\nclients. In particular, as a necessary incident to\nproviding investment services, most firms also\nmaintain confidential digital records of their\nclients\xe2\x80\x99 investments, income, tax information,\nand other financial and sensitive records.\n\n\xef\x82\xb7\n\nResearch and Data Analysis. Firms\xe2\x80\x99 research\ndepartments typically produce proprietary analyses, often in the form of confidential analyses\nand White Papers, of markets and investment\nstrategies.\n\n\xef\x82\xb7\n\nTrading Strategies, Platforms, and Source Code.\nAt the most fundamental level, an investment\nfirm\xe2\x80\x99s business is to implement trading strategies that provide clients with the best possible\nreturns on their investments. As such, investment firms often expend considerable resources\ndeveloping their own confidential trading strategies. Indeed, it is these \xe2\x80\x9csecret sauce\xe2\x80\x9d strategies\nwhich provide much of the value of a firm to\na prospective client and which differentiate\none firm from another. Although in some cases\ntrading strategies can be written out in humanreadable form and executed manually, often the\nstrategies consist of intricately detailed confidential statistical models which operate on realtime feeds of massive amounts of market data.\nIn many instances, the systems which run these\nmodels not only assist in making investment\ndecisions, but also execute the trades in an automated fashion. Such automated trading systems\n\n\x0c8\nrequire development of software platforms which\ncan quickly and efficiently execute transactions.\n\xef\x82\xb7\n\nData from Diverse Sources. Financial firms\nhave always relied on traditional forms of\nmarket data, including records of stock prices\nand transactions, financial records of publicly\ntraded companies, broad economic indicators,\ninterest rates, currency exchange rates and\nsimilar data inputs. In recent years, however,\ninvestment firms have gathered and incorporated\ninto trading strategies an ever-broadening array\nof data sets from a range of diverse sources.\nThese data sets can include financial data such\nas credit card data, as well as non-financial data\n(for example, weather data, satellite imagery, and\nreal-time inventory monitoring). Often, member\nfirms expend substantial resources aggregating,\nanalyzing, and interpreting these new datasets\nin order to create powerful confidential strategies to maximize client returns.\nB. Certain Employees and Third Parties\nMust Be Granted Access to Valuable\nProprietary Data and Systems in Order\nfor Those Systems to Operate Properly\n\nThe development of non-public confidential trading\nstrategies and the computing platforms upon which\nthose strategies are executed is, of course, accomplished through the efforts of individual employees of\nfinancial firms. For example, an algorithmic trading\nstrategy may be embodied in a complex spreadsheet\nwhich takes as its inputs a data feed of trades in a\ngiven market and which will execute a trade if certain\nconditions (embodied in computational formulas embedded within the spreadsheet) become satisfied. These\nconfidential formulas \xe2\x80\x94 and by extension the trading\n\n\x0c9\nstrategy itself \xe2\x80\x94 are developed and maintained by\nanalysts and programmers working for the trading\nfirm. Each of these people must have technological\naccess to the spreadsheet in order to develop and\nimplement the strategy. Similarly, in the context of\nnon-automated trading, investment professionals must\nhave access to confidential research materials and\nanalyses \xe2\x80\x94 often developed in-house and essentially\nalways maintained in computerized format \xe2\x80\x94 in order\nto use the contents of those materials in making\ninvestment decisions.\nNotably, however, the personnel who must have\naccess to a firm\xe2\x80\x99s computing environment are not\nlimited to investment professionals. Other employees,\nincluding sales personnel, compliance, operations and\nback-office and support staff, will require access to\ncommunications and records systems. Moreover, technicians who maintain the computer systems themselves\n(who may or may not be employees of the firm) will\noften have \xe2\x80\x9cadministrator\xe2\x80\x9d level permissions, permitting largely unfettered access to stored data. In\naddition, numerous non-employee personnel, including IT and other contractors, as well as temporary\nworkers, also regularly have access to confidential\nfirm and customer data.\nC. Investment Firms Implement Robust\nProcedures to Secure their Digital\nAssets\nAs noted above, financial firms invest heavily in the\nacquisition of data and the development of analytical\ntools and reports. Given that firms obtain substantial\nvalue from these assets, it is natural that they go to\ngreat lengths to secure those confidential materials\nfrom loss, corruption, and theft. Crucially, these safe-\n\n\x0c10\nguards include both technical as well as contractual\nand procedural elements. Both are described more\nfully below.\nTo begin with, investment firms implement some of\nthe most stringent technical access control, employee\nmonitoring, and cybersecurity measures of any private\nentities. Like other businesses, they typically require\nindividualized computer access credentials, limit access\nto systems necessary for an individual\xe2\x80\x99s job functions,\nmonitor electronic communications, log the dates and\ntimes files are accessed by employees, and deploy\nfirewalls with robust Data Loss Prevention (\xe2\x80\x9cDLP\xe2\x80\x9d)\ncontrols. Many firms go far beyond those prosaic\nmethods, taking steps such as preventing access to\noutside email systems and cloud-storage services,\ndisabling corporate systems from being able to connect\nto external peripherals such as portable hard drives,\nconducting video surveillance of their offices, and\nrequiring personal electronics (including cellular phones)\nto be stored outside of the areas where access to\ncomputer systems is provided. Importantly, many of\nthese practices limit technical access to data (e.g.,\nlimiting users to accessing only job-relevant systems).\nUnder either the broad or narrow interpretations of\nthe CFAA, defeating these protections may be indicative of \xe2\x80\x9cunauthorized\xe2\x80\x9d activity. Yet many of these\nprotections are expressly designed to prevent individuals who are permitted to access proprietary data from\nremoving it from the firm\xe2\x80\x99s computing environment\n(e.g., preventing the connection of portable hard drives\nto firm systems). The presence of these security\nmeasures serves as a clear indication that while\nfirm employees may be permitted to access and use\nconfidential information while at work, they are not\nauthorized to remove that data from the premises.\n\n\x0c11\nAnother group of data protection safeguards utilized\nby financial firms consists of non-technical limitations\non employee conduct. These measures consist primarily of contractual agreements and policies and procedures all of which are often reinforced through\ntraining. For example, typically at the outset of employment (and often periodically thereafter), employees of\na financial firm will agree to non-disclosure and\nconfidentiality agreements as part of their employment contracts. These agreements are often extremely\ndetailed, with explicit prohibitions against certain\nactions such as removal of confidential firm data from\nthe employer\xe2\x80\x99s computing systems and environment.3\nNotwithstanding those features, Petitioners and\nother proponents of the \xe2\x80\x9cnarrow\xe2\x80\x9d interpretation of\nthe CFAA argue that such non-technical policies are\nentirely irrelevant to the issue of whether an employee\nexceeds their authorized access when the employee\ncircumvents those non-technical controls and violates\nthe clear and unambiguous terms of his employment\ncontract in connection with non-public, confidential\ndata and IP belonging to the employer. This view is\n\n3\n\nNotably, this appeal does not implicate the question of\nrestrictions, through terms of service or otherwise, ostensibly\nrelated to publicly accessible information \xe2\x80\x94 for example, data\nwhich can be accessed by anyone through public-facing websites.\nThat issue is not before this Court. It is, however, worth noting\nthat MFA member contractual data protection controls related to\nnon-public data are entirely dissimilar to a public website\xe2\x80\x99s terms\nof service, which are often vague and often assertedly apply\nto public data on the site. In contrast, MFA employees\xe2\x80\x99 nondisclosure and confidentiality contracts and policies regularly\ncontain provisions which are (1) limited to non-public systems\nand data, (2) consistently and conspicuously monitored, and (3)\nreinforced through periodic training.\n\n\x0c12\nnot supported by the plain language of the CFAA. It\nalso makes no sense.\nII. INVESTMENT FIRMS ARE UNDER CONSTANT THREAT OF DATA THEFT BY\nFAITHLESS INSIDERS\nThe proprietary computerized information generated\nby investment firms is intrinsically valuable, as many\nof those data sets, algorithms, and trading platforms\nare used quite directly to generate revenue for investors.\nWhile the vast majority of employees at investment\nfirms are conscientious and trustworthy, it only takes\none unscrupulous employee to severely damage and\neven destroy a well-built investment management\nbusiness. In the hands of knowledgeable competitors\nwith adequate resources, misappropriated confidential\nfinancial intellectual property can be used to set up\na competing business without the need to invest in\ncostly research and development.4 These factors, combined with the frequency with which employees in the\nfield move between competing firms, unfortunately\nserve as strong incentives for unscrupulous individuals to attempt to transfer proprietary information to\ntheir new firms.\n\n4\n\nSome firms specifically manage their workforce in a manner\nwhich does not require complete knowledge of confidential trading\nstrategies by any single individuals (i.e., \xe2\x80\x9csiloing\xe2\x80\x9d information) to\navoid precisely this threat. However, there are limits to how far\nsuch efforts can go. Although it is common for researchers to\nspecialize in one area, for portfolios which consist of different kinds\nof asset classes or securities of companies from different industries,\nthere is benefit in joint research, collaborative idea generation,\nand data and information sharing so that researchers can have a\nmore full understanding of micro- and macro-economic factors.\n\n\x0c13\nThese dangers are far from theoretical: the scale\nof insider threats to financial firms is staggering.\nAccording to the 2020 Cost of Insider Threats Global\nReport study by the well-respected Ponemon Institute,\nthe financial services industry (defined to include\nbanking, insurance, investment management and\nbrokerage organizations) has experienced the highest\ncost of responding to insider threats of any industry.5\nFinancial services also experienced the second-fastest\nincrease in the number of insider incidents of any\nbusiness sector, experiencing a 20.3% increase over\ntwo-years.6 Moreover, the Ponemon study found\nthat incidents involving the criminal or malicious (as\nopposed to negligent) actions of faithless \xe2\x80\x9cinsiders\xe2\x80\x9d\ncost organizations an average of $755,760 per incident,\nand comprised 23% of all reported incidents involving\ninsiders.7\nMost insider threats to financial firms\xe2\x80\x99 confidential\ncomputer systems fall within a defined number of\npatterns. These include:\n\xef\x82\xb7\n\nFacilitation of Identity Theft and Fraud. As\nrequired by statute and regulation, financial\nfirms are required to retain records of extremely\nsensitive confidential personal information concerning their clients, including their names,\naddresses, account numbers, and tax information,\namong other sensitive information. In this\nscenario, corrupt firm employees target the\npersonal information that their employers\n\n5\n\nPONEMON INSTITUTE, 2020 COST OF INSIDER THREATS:\nGLOBAL REPORT 22 (2020) (available at https://www.observe\nit.com/2020costofinsiderthreat).\n6\n\nId. at 5.\n\n7\n\nId. at 4.\n\n\x0c14\nmaintain concerning firm clients in connection\nwith identity fraud. Sadly, this fact pattern has\nbecome increasingly common. The most recent\nsuch incident became public earlier this year,\nwhen Fifth Third Bank, a $169 billion banking\nand financial services group, announced that a\nsmall number of its former employees accessed\nand misused consumer data to commit fraud.\nThe bank contacted at least 100 customers\npossibly impacted.8 Indeed, in some cases,\ninsiders may simply sell client information to\ncriminal organizations. For example, in United\nStates v. Persaud, the defendant, a former\nemployee of JP Morgan Chase Bank abused his\naccess to the bank\xe2\x80\x99s systems by obtaining and\nselling the confidential personal and account\ninformation of customers.9\n\n8\n\nFormer Fifth Third Staff \xe2\x80\x98Stole Customer Data\xe2\x80\x99, Bank\nConfirms, BANKING EXCHANGE (Feb. 19, 2020), https://www.\nbankingexchange.com/compliance-management/item/8134-formerfifth-third-staff-stole-customer-data-bank-confirms.\n9\n\nFormer JP Morgan Chase Bank Employee Sentenced to Four\nYears in Prison for Selling Customer Account Information, U.S.\nDEP\xe2\x80\x99T OF JUSTICE (Aug. 10, 2018), https://www.justice.gov/usaoedny/pr/former-jp-morgan-chase-bank-employee-sentenced-four-ye\nars-prison-selling-customer; see also Indictment, United States v.\nPersaud, No. 15-cr-00462 (E.D.N.Y. Sept. 14, 2015). See also\nLauren Tara LaCapra & Tanya Agrawal, Morgan Stanley Says\nWealth Management Employee Stole Client Data, REUTERS (Jan.\n5, 2015), https://www.reuters.com/article/us-morgan-stanley-da\nta/morgan-stanley-says-wealth-management-employee-stole-clientdata-idUSKBN0KE1AY20150106 (discussing a wealth management\nemployee who stole account information of approximately 350,000\nclients and attempted to sell it online).\n\n\x0c\xef\x82\xb7\n\n\xef\x82\xb7\n\n15\nEffecting Fraudulent Financial Transactions.\nIn another scenario, insiders may abuse their\naccess to firm systems to directly steal money.\nAs an example, between April 2014 and May\n2017, Dilcia Mercedes, a payment processor\nemployee of a mortgage lender abused her access\nto the company\xe2\x80\x99s computer system to make\nhundreds of fraudulent wire transfers and steal\nover $2 million. She was indicted on and pleaded\nguilty to charges including unauthorized access\nof a computer with intent to defraud under 18\nU.S.C. \xc2\xa7 1030(a)(4).10\nTheft of Confidential Business Information.\nBusiness plans and customer lists have also\nfrequently been targeted by corrupt insiders. In\none conspiracy, a former employee of an online\nmortgage broker sold company-employee log-in\ncredentials to another mortgage broker, who\nsubsequently used the company\xe2\x80\x99s database to\nsteal thousands of mortgage leads. The conspirators were charged with and pleaded guilty\nto charges including CFAA violations.11\n\n10\n\nEmployee at Mortgage Company Admits Illegally Accessing\nComputer to Steal $2 Million, U.S. DEP\xe2\x80\x99T OF JUSTICE (June 21,\n2019), https://www.justice.gov/usao-nj/pr/employee-mortgage-co\nmpany-admits-illegally-accessing-computer-steal-2-million-0; see\nalso Information, United States v. Mercedes, No. 1:19-cr-00435\n(D.N.J. June 21, 2019).\n11\n\nFormer Online Mortgage Broker Employee and Mortgage\nBroker Conspirator Sentenced to Prison for Computer Theft, U.S.\nDEP\xe2\x80\x99T OF JUSTICE (Dec. 15, 2014), https://www.justice.gov/usaowdnc/pr/former-online-mortgage-broker-employee-and-mortgagebroker-conspirator-sentenced-prison; see also Indictment, United\nStates v. Rosene et al., No. 3:12-CR-00369 (W.D.N.C. Nov. 15,\n2012).\n\n\x0c\xef\x82\xb7\n\n16\nTheft of Algorithmic Trading Code and Trading\nPlatform Source Code. Perhaps the highest\nprofile incidents of employee theft of investment\nfirm data in recent years have concerned the\nremoval of highly confidential trading algorithms\nthemselves \xe2\x80\x94 particularly high frequency\ntrading algorithms \xe2\x80\x94 and the source code for\nthe platforms that execute transactions. Given\nthe extreme investment required to develop\nthese assets and the incredible value they\nrepresent, such incidents have given rise to\nprotracted litigation, including at the appellate\nlevel. Most notable of these cases is United\nStates v. Aleynikov, which concerned a former\nGoldman Sachs computer programmer who\nwas accused of misappropriating source code for\nthe firm\xe2\x80\x99s high-frequency trading system.12\nThe Aleynikov case is particularly notable for\npresent purposes as, prior to trial, the District\nCourt dismissed the CFAA charge against the\ndefendant, reasoning that the \xe2\x80\x9cphrases \xe2\x80\x98accesses\na computer without authorization\xe2\x80\x99 and \xe2\x80\x98exceeds\nauthorized access\xe2\x80\x99 cannot be read to encompass\nan individual\xe2\x80\x99s misuse or misappropriation of\ninformation to which the individual was permitted access.\xe2\x80\x9d13\n\n12\n\nUnited States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012). See\nalso United States v. Agrawal, 726 F.3d 235 (2d Cir. 2013) (involving the theft of computer code underlying Soci\xc3\xa9t\xc3\xa9 G\xc3\xa9n\xc3\xa9rale\xe2\x80\x99s highfrequency trading platform).\n13\n\nUnited States v. Aleynikov, 737 F. Supp. 2d 173, 192\n(S.D.N.Y. 2010).\n\n\x0c17\nIII. THE\nREADING\nOF\nTHE\nCFAA\nADVANCED BY PETITIONER UNDERCUTS THE STATUTE\xe2\x80\x99S EFFECTIVENESS\nAT PREVENTING CYBERCRIME AND IS\nCONTRARY TO THE PLAIN MEANING OF\nTHE STATUTORY LANGUAGE\nIn determining the proper understanding of the\nCFAA, this Court should be cognizant of the practical\nreality of how access to computer systems is provided\nby corporations such as MFA members and avoid\nadopting an extremely constricted reading that focuses\nsolely on technological access controls to the exclusion\nof all other factors. MFA respectfully submits that a\nmore reasonable approach, and one which comports\nwith the common understanding of \xe2\x80\x9cauthorization\xe2\x80\x9d as\na quality which must be granted, would take into\nconsideration both technological controls and the\nunderstanding of the parties as to what actions are\n(and are not) permitted in relation to confidential\ndata. More particularly, in the context of employee\naccess to confidential data housed on non-publicly\naccessible, employer-operated computers, a proper\nand balanced understanding of the statute should take\ninto holistic consideration the (1) clearly communicated and agreed-to understandings of the parties\nas embodied in employment contracts and policies,\n(2) training and monitoring, and (3) the facts and\ncircumstances of access as applied in practice.\n\n\x0c18\nA. Giving Weight to the Terms of Employment Contracts and Policies Reinforces\nthe Common Understanding that One\xe2\x80\x99s\nRights Concerning the Property of\nAnother Extend Only as Far as They\nAre Granted\nIt is axiomatic to the law of property that, absent a\ngrant of permission, one is not entitled to use the\nproperty of another.14 In the context of employerprovided computer systems and confidential data, this\naxiom is reinforced by practical considerations: unless\nand until an employee is issued access credentials to a\nconfidential system or database, she has neither the\nright nor the ability to use the system or access the\ndata stored thereon.\nThe analysis does not, however, end there. The next\nquestion becomes whether an employer, in granting\naccess credentials to an employee, retains the right to\nimpose conditions upon the use of those credentials.\nClearly, they do. In fact, MFA member firms collectively have spent tens of millions of dollars creating,\nand implementing conditions on data access, use, and\nmisuse. Member firms have likewise collectively spent\nhundreds of millions of dollars on training employees\non these policies and in enforcing policy violations.\nMoreover, numerous statutory laws and regulations \xe2\x80\x94\nnot to mention fiduciary duties and obligations \xe2\x80\x94\naffirmatively require member firms to proactively\nsafeguard confidential and non-public data through\ncontractual and policy controls. See, e.g., Section 206\n14\n\n2 WILLIAM BLACKSTONE, COMMENTARIES ON THE LAWS OF\nENGLAND (1ST ED. 1765-69) *2 (defining property as \xe2\x80\x9cthat sole and\ndespotic dominion which one man claims and exercises over the\nexternal things of the world, in total exclusion of the right of any\nother individual in the universe\xe2\x80\x9d).\n\n\x0c19\nof the Investment Adviser Act of 1940 (\xe2\x80\x9cAdvisers\nAct\xe2\x80\x9d)15 and Commission Interpretation Regarding\nStandard of Conduct for Investment Advisers (stating\nthat Section 206 imposes a fiduciary duty on an investment adviser);16 Rule 206(4)-7 under the Advisers Act\n(requiring investment advisers registered with the\nSecurities and Exchange Commission (\xe2\x80\x9cSEC\xe2\x80\x9d) to adopt\nand implement written policies and procedures that\nare reasonably designed to prevent violations of the\nAdvisers Act);17 Rule 204A-1 under the Advisers Act\n(requiring investment advisers to adopt a written code\nof ethics that includes a standard of conduct reflective\nof its fiduciary obligations, and to require employees\nto comply with the code of ethics and other legal\nrequirements); Reg S-P18 (requiring SEC regulated\nmembers to adopt written policies and procedures\naddressing administrative, technical, and physical\nsafeguards for the protection of customer records and\ninformation); Reg S-ID19 (requiring SEC registered\ninvestment advisers and broker-dealers to develop\nand implement a written identity theft prevention\nprogram that is designed to detect, prevent, and\nmitigate identity theft in connection with the opening\nof a covered account or any existing covered account);\nRule 10b-5 under the Securities Exchange Act of 1934\n(regulating trading based on material non-public information).\n\n15\n\n15 U.S.C. \xc2\xa7 80b-6 (2012).\n\n16\n\nCommission Interpretation Regarding Standard of Conduct\nfor Investment Advisers, Advisers Act Release No. 5248, 17\nC.F.R. Part 276 (June 5, 2019).\n17\n\n17 C.F.R. \xc2\xa7 275.206(4)-7 (2007).\n\n18\n\n17 C.F.R. \xc2\xa7 248.201 (2016).\n\n19\n\n17 C.F.R. \xc2\xa7 248.201 (2016).\n\n\x0c20\nIndeed, an entire compliance industry of lawyers,\nconsultants, and subject-matter experts exists to assist\nmember firms in abiding by these policy requirements.\nMFA submits that, in light of this bevy of mandates to\nprotect confidential information from theft or misuse\nby outsiders and insiders, it would be anomalous (to\nsay the least) for the CFAA to be interpreted in a\nmanner that renders it wholly ineffective to vindicate\nthese obligations against corrupt insiders.\nB. An Interpretation of the CFAA Which\nExcludes All Actions of Those with\nLegitimate Access to a Computer\nSystem Improperly Limits the Statute\nin a Manner Inconsistent with the\nActual Text of the Statute\nProponents of the narrow interpretation of the\nCFAA advocate that this Court ignore the plain text of\nthe statute. In effect, they maintain that the statute\nshould be read either by inserting an implied clause \xe2\x80\x94\n\xe2\x80\x9cby circumventing a technological access control\nmechanism\xe2\x80\x9d \xe2\x80\x94 into each of the several provisions\nthat include the term \xe2\x80\x9cwithout authorization\xe2\x80\x9d or by\nignoring a portion of the text \xe2\x80\x94 \xe2\x80\x9cor exceeds authorized\naccess\xe2\x80\x9d \xe2\x80\x94 which is present. Either option would be an\nimpermissible revision of the actual text of the CFAA.\nAs a threshold matter, if Congress wished to limit\nauthorization to a purely technological matter, it could\nhave done so. For example, the anti-circumvention\nprovision of the Digital Millennium Copyright Act,\nTitle 17 United States Code, section 1201(a)(1)(A),\nspecifically prohibits the \xe2\x80\x9ccircumvent[ion] of a technological measure that effectively controls access\xe2\x80\x9d to a\ncopyrighted work.20 Had Congress intended Section\n20\n\n17 U.S.C. \xc2\xa7 1201(a)(1)(A) (2012).\n\n\x0c21\n1030 to be limited solely to persons who bypass\ntechnological barriers, it could have included similar\nlanguage.\nIn addition, adopting a narrow interpretation of\n\xe2\x80\x9cwithout authorized access\xe2\x80\x9d would render another\npart of the CFAA meaningless. Under Petitioner\xe2\x80\x99s\nreasoning, any time a user accesses a computer either\nshe has done so without authorization, and has\nviolated the CFAA, or she was authorized to access\nthe computer and no further inquiry is needed. The\nproblem with this wooden dichotomy is that it renders\nnull the companion phrase \xe2\x80\x9cexceeds authorized access.\xe2\x80\x9d\nThat is because if any activity accomplished following\ninitial authorized access is declared not to violate the\nCFAA, then what function does \xe2\x80\x9cexceeds authorized\naccess\xe2\x80\x9d serve?21\nWe submit that the only interpretation of the\ncombined phrase \xe2\x80\x9caccesses a computer without authorization or exceeds authorized access\xe2\x80\x9d which neither\ninserts language not present in the text nor reads text\nout of the statute entirely is one which recognizes that\n\xe2\x80\x9cauthorization\xe2\x80\x9d is not merely a technological concern\n\xe2\x80\x94 it also takes into account contractual and policy\nrestrictions \xe2\x80\x94 and that it is possible to violate the\nCFAA even following \xe2\x80\x9ctechnologically authorized\xe2\x80\x9d\naccess to a computer system.\n\n21\n\n18 U.S.C. \xc2\xa7 1030(e)(6) (2012) (defining \xe2\x80\x9cexceeds authorized\naccess\xe2\x80\x9d as to \xe2\x80\x9caccess a computer with authorization and to use\nsuch access to obtain or alter information in the computer that\nthe accesser is not entitled so to obtain or alter\xe2\x80\x9d).\n\n\x0c22\nC. Concerns that a Broad Interpretation\nof \xe2\x80\x9cWithout Authorization\xe2\x80\x9d under the\nCFAA Would Require Examination of\nDefendants\xe2\x80\x99 Subjective Motivations\nAre Not Significant in the Context of\nClearly-Communicated, Action-Based\nLimitations on Authorization\nSome courts, in choosing between the \xe2\x80\x9cnarrow\xe2\x80\x9d and\n\xe2\x80\x9cbroad\xe2\x80\x9d interpretations of the CFAA are significantly\nconcerned with the need to delve into the subjective\nintentions of a defendant and to rest a determination\nof whether conduct is unlawful on whether that subjective intent is contrary to the defendant\xe2\x80\x99s employer\xe2\x80\x99s\ninterests.22 While this difficulty may sometimes be\npresent, rejecting a broader interpretation on these\ngrounds ignores the fact that in the vast majority of\ncases, subjective intent is largely irrelevant to the\nanalysis. This is particularly true when an employer\nhas clearly communicated prohibitions on specific\nactions the employee may take. For example, if an\nemployer informs an employee that she may not run\ncryptocurrency mining software on firm computer\nsystems, it is clear that if she subsequently does run\ncryptocurrency mining software then her actions are\nunauthorized, whether or not her intent was to harm\nher employer. The inquiry can begin and end with an\nanalysis of the employee\xe2\x80\x99s actions.\nSimilarly, and more relevant to financial firms,\ncommunicated limitations on use are not typically\nlimited to the simple statement \xe2\x80\x9cyou may only use the\n22\n\nSee, e.g., Enhanced Recovery Co. LLC v. Frady, No. 3:13-cv1262, 2015 WL 1470852, at *4\xe2\x80\x936 (M.D. Fla. Mar. 31, 2015)\n(rejecting the broad interpretation of the CFAA because the\n\xe2\x80\x9canalysis focuses on the actions of the employer rather than the\nsubjective motivation of the employee\xe2\x80\x9d).\n\n\x0c23\ncomputer system for purposes of completing your\nassigned work.\xe2\x80\x9d In reality, firms (typically in confidentiality or non-disclosure agreements) explicitly\nenumerate prohibited actions, including, for example,\n\xe2\x80\x9cyou may not copy any data from the firm\xe2\x80\x99s computing\nsystems to any storage device or service not controlled\nby the firm.\xe2\x80\x9d Yet under the Petitioner\xe2\x80\x99s narrow interpretation of the CFAA, an authorized user of firm data\ncould ignore this restriction entirely without risking\ncriminal penalty (or civil liability under the CFAA\xe2\x80\x99s\ncivil provision) because the analysis begins and ends\nwith the provision of access. However, taking into\nconsideration the unambiguous \xe2\x80\x9cno copying\xe2\x80\x9d rule, the\nbroader reading of the CFAA can be imposed without\nneed to consider the defendant\xe2\x80\x99s motivations at all.\nD. Taking into Consideration Policy and\nContract-Based Limitations on Computer\nSystem Use in the Context of EmployerProvided Systems Raises No More\n\xe2\x80\x9cPrivate Criminal Law\xe2\x80\x9d Concerns than\nDoes Consideration of TechnologyBased Controls\nAnother concern raised by opponents of a broad\ninterpretation of \xe2\x80\x9cwithout authorization\xe2\x80\x9d in the context of the CFAA is that it allows private parties to\nmake criminal laws through imposition of contractual\nterms.23 These arguments are often bolstered by\nrather farfetched examples of \xe2\x80\x9cbrowse-wrap\xe2\x80\x9d or \xe2\x80\x9cclickwrap\xe2\x80\x9d terms of service or use for public websites, the\nminor violation of which sends an unsuspecting websurfer to a federal penitentiary.24\n23\n\nBrief for Computer Security Researchers et al. as Amici\nCuriae 17.\n24\nBrief for the National Association of Criminal Defense\nLawyers as Amicus Curiae 21-22.\n\n\x0c24\nWhat this argument ignores is that technical\nrestrictions on access to computer systems are every\nbit as under the control and subject to the supposed\nwhims of system operators as are contractual limitations. There is no natural right to access a computer,\nnor is the scope of what one can do when accessing a\ncomputer subject to any controls other than those\nwhich the operator elects to impose. The contractual\nlimitations and the technological limitations are both\nin a sense artificial. Considering that both arise from\nthe decisions and authority of the system operator,\ntreating, for example, a violation of a firewall rule\npreventing access to an offshore Internet casino as a\npotentially violative of the CFAA while at the same\ntime treating as entirely irrelevant a clear employee\npolicy against using firm computer systems for gambling should lead to cognitive dissonance. Instead,\nboth should be given consideration, in a balanced and\nholistic manner, as the true issue is whether the firm,\nas owner and operator of the computing system, is free\nto place limits on how its employees use their nonpublic systems and data.\nE. Focusing Purely on Technological Access\nControls Leads to Plainly Absurd Results\nIf the only factor given weight in assessing whether\na defendant\xe2\x80\x99s actions directed toward a computer\nsystem is whether he is, as a technical matter, able\nto access specific systems or data, absurd and nearly\ncontradictory conclusions necessarily follow. Assume,\nfor example, that a financial firm employs Defendant\nand has granted him access to exactly those computer\nsystems required for his job. At some point, Defendant\ntransfers to another department of the same firm,\nrequiring access to a different set of systems.\n\n\x0c\xef\x82\xb7\n\n25\nCase 1: The firm\xe2\x80\x99s IT department inadvertently\nchanges Defendant\xe2\x80\x99s technical permissions a\nday too early. In order to complete his assigned\ntasks, he uses a coworker\xe2\x80\x99s credentials to access\nthe required confidential files. Since Defendant\nlacked technical access, his action is unauthorized.\n\n\xef\x82\xb7\n\nCase 2: The Defendant\xe2\x80\x99s transfer occurs midweek, but, due to the manner in which the firm\xe2\x80\x99s\nIT department operates, his former permissions\nwill not be revoked until the end of the week.\nDefendant\xe2\x80\x99s supervisor specifically reminds him\nthat, having transferred out of the department,\nhe no longer has permission to access the department\xe2\x80\x99s confidential systems and data and should\nrefrain from doing so. The Defendant agrees to\nthis limitation, which aligns with his employment agreement. Later that day, the Defendant\naccesses the files of his former department and\nmaliciously deletes them. Because his credentials were still valid, his actions for purposes of\nthe CFAA are still ironically authorized.\n\n\xef\x82\xb7\n\nCase 3: Due to a configuration error, the transferred Defendant is inadvertently given access\nto the firm\xe2\x80\x99s human resources system. Although\nunrelated to his job, and knowing he should not\ndo so, he takes the opportunity to read the\nconfidential HR files of several of his coworkers.\nBecause of the configuration error, his spying on\nhis coworkers is considered authorized activity.\n\nEach of these situations results in an unexpected\nand irrational outcome as a result of an analysis which\nfocuses exclusively on technological access controls. In\nthe latter two cases, clearly blameworthy activity, far\noutside the intent of the employer in granting access,\nis rendered \xe2\x80\x9cauthorized\xe2\x80\x9d by application of Petitioner\xe2\x80\x99s\n\n\x0c26\nanalysis. On the other hand, an approach which considers additional factors would result in more sensible\nconclusions \xe2\x80\x94 conclusions which would comport with\nany reasonable observer\xe2\x80\x99s expectations and the purposes for which the CFAA was adopted.\nCONCLUSION\nIn light of the increasing threat to investment firms\xe2\x80\x99\ncomputerized systems and data posed by faithless\ninsiders, a narrow interpretation of the CFAA which\nlimits the statute\xe2\x80\x99s applicability only to the actions of\noutsiders with no legitimate use of a system would\nsubstantially undercut federal criminal law\xe2\x80\x99s protection of those systems and simultaneously render\nineffective the civil provision of the CFAA for the same\npurpose. In order to provide redress for victimized\nfirms and to align the application of the CFAA with its\ncommon sense interpretation, this Court should imbue\nthe statutory phrases \xe2\x80\x9cwithout authorization\xe2\x80\x9d and\n\xe2\x80\x9cexceeds authorized access\xe2\x80\x9d their plain meanings in a\nbalanced way, rendering them applicable both to\noutside \xe2\x80\x9chackers\xe2\x80\x9d and to inside wrongdoers who have\nclearly and explicitly agreed to policy-based limitations on their use of their employers\xe2\x80\x99 confidential\ncomputer systems and data.\nRespectfully submitted,\nJOSEPH V. DEMARCO\nCounsel of Record\nDAVID M. HIRSCHBERG\nDEVORE & DEMARCO LLP\n99 Park Avenue, Suite 1100\nNew York, NY 10016\n(212) 922-9499\n(917) 576-2369\njvd@devoredemarco.com\nSeptember 1, 2020\n\nCounsel for Amicus Curiae\n\n\x0c'