In a decision likely to be sobering for firms fighting insider threats, an appeals court has ruled that a worker who used valid computer access rights to access data from his company can’t be prosecuted under a federal anti-hacking law.