In United States v. Nosal, No. 10-10038 (9th Cir. 2011) (.pdf), the Ninth Circuit reinstated Computer Fraud and Abuse Act (“CFAA”) charges under 18 U.S.C. § 1030(a)(4) against employees who obtained information from their employer’s computer system with the intent of helping their former co-worker set up a competing business. The Court found that the CFAA is violated when an employee’s computer access “violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer.” Slip Op. at 16 (internal quotations omitted).
Nosal is the latest ruling in which courts have been trying to define the scope and limits of the CFAA. That statute general prohibits gaining unauthorized access to computers and exceeding authorized access. Courts have split on whether employees who are otherwise permitted to access their employer’s computer systems “exceed authorization” when they use their computer access contrary to the employer’s interests or policies. Nosal was an officer at an executive search firm who left the firm to start his own competing business. According to the indictment, Nosal commissioned three of his former co-workers to forward trade secrets and other proprietary information to Nosal, including a “highly confidential and proprietary database of executives and companies.” The indictment charged the three employees under § 1030(a)(4) and Nosal as an aider and abettor.
Following the Ninth Circuit’s ruling in LVRC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the District Court had dismissed all CFAA claims against the Nosal defendants. In Brekka the defendant transferred files from his employer’s computer to his personal machine, and later used the files for disloyal reasons. The plaintiff did not have an employment agreement or give guidelines to the defendant prohibiting the transfer of Plaintiff’s computer files to personal computers. Under those circumstances, the Court found that, “because Brekka was authorized to use [Plaintiff’s] computers while he was employed [by Plaintiff], he did not access a computer ‘without authorization’ in violation of § 1030(a)(2) or § 1030(a)(4) when he emailed documents to himself and to his wife prior to leaving [Plaintiff’s company]. Nor did emailing the documents ‘exceed authorized access,’ because [Defendant] was entitled to obtain the documents.” Id. at 1129. Moreover, the Ninth Circuit noted that, “[n]o language in the CFAA supports [Plaintiff’s] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest.” Id.
Today, the Ninth Circuit reversed the District Court, reinstated the charges against the Nosal defendants, and distinguished its earlier ruling in Brekka. The Court first looked at the text of the CFAA, which provides that “ ‘exceeds authorized access’ means ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’” Id. at 10 (citing 10 U.S.C. § 1030(a)(4) (emphasis added in original)). In doing so, it focused on the use of the word “so” in the statute, which it found to mean “in a manner or way that is indicated or suggested.” Id. at 10. It then reasoned that that “Because the statute refers to an accesser who is not entitled to access information in a certain manner, whether someone has exceeded authorized access must be defined by those access limitations.” Slip Op. at 10.
In applying this reasoning to Nosal’s case, the court noted that employees “were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the [confidential] database in particular. By using their authorized access to defraud [their employer] in violation of [their employer’s] access restrictions, Nosal’s accomplices certainly had fair warning that they were subjecting themselves to criminal liability.” Id. at 14. To the contrary, the defendant in Brekka had unfettered access to the computer system since there was no employer/employee agreement about computer use.
Finally, the Ninth Circuit rejected the Defendants’ argument that its “decision will make criminals out of millions of employees who might use their work computers for personal use” by noting that “subsection (a)(4) does not criminalize mere violation of an employer’s use restrictions. Rather, an employee violates this subsection if the employee (1) violates an employer’s restriction on computer access, (2) with an intent to defraud, and (3) by that action ‘furthers the intended fraud and obtains anything of value.’ 18 U.S.C. § 1030(a)(4) (emphasis added).” The facts of Nosal as alleged satisfied the motion to dismiss standard on these elements.
Judge Campbell’s dissent points to other sections of the CFAA with the same language as § 1030(a)(4), but without the intent to defraud limitation. As Judge Campbell notes, § 1030(a)(2)(C) provides: “a person who ‘intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer,’ is guilty of a crime, where a ‘protected computer’ includes any computer connected to the internet…” Id. at 17-18 (quoting § 1030(a)(2)(C)). Thus, “under the majority’s interpretation, any person who obtains information from any computer connected to the internet, in violation of her employer’s computer use restrictions, is guilty of a federal crime under § 1030(a)(2)(C).” This reading, as Judge Campbell observes, seems at odds with the Central District’s decision in United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). The Drew case involved a Missouri housewife who used a social networking service to harass a minor who subsequently killed herself. The housewife was charged in the Central District of California, where the social network’s servers were located, with a CFAA violation for misusing the service in violation of its posted Terms of Service. The Central District dismissed the charges against that defendant on the grounds that § 1030(a)(C)(2) would be unconstitutionally vague “if every [breach of an Internet website’s terms of service] does qualify [as a violation of the CFAA].” Id. at 19 (citing Drew, 259 F.R.D. at 467 (alterations in original)).