Insiders who have valid credentials to access confidential info cannot be charged under US anti-hacking law

A ruling handed down this week in a US appeals court found that staff who violate their organisation's user policies do not violate the federal Computer Fraud and Abuse Act (CFAA).

David Kosal, a former manager at executive search firm Korn/Ferry, beat charges that he convinced three of his former co-workers to use their valid login credentials to access and download customer lists and then transfer them to him so he could start a competing company.

While staff were prohibited from disclosing private information under their company policy, Kosal filed a motion to have five counts including "aiding and abetting" and "intent to defraud" dismissed.