Law School Case Brief
United States v. Nosal - 676 F.3d 854 (9th Cir. 2012)
The plain language of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C.S. § 1030, targets the unauthorized procurement or alteration of information, not its misuse or misappropriation. A violation for exceeding authorized access occurs where initial access is permitted but the access of certain information is not permitted. The CFAA, however, does not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.
Defendant David Nosal was a former employee of Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that prohibited disclosing confidential information. The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). The CFAA counts charged Nosal with violations of 18 U.S.C.S. § 1030(a)(4), for aiding and abetting the Korn/Ferry employees in exceeding their authorized access with intent to defraud. Nosal filed a motion to dismiss the CFAA counts, arguing that the statute only targeted hackers and not individuals who accessed a computer with authorization and then later misused information they obtained by means of such access. deferral district court agreed and dismissed five counts of the indictment for failure to state an offense pursuant to the CFAA. The government appealed.
Did the court properly dismiss the five counts of indictment for failure to state an offense?
A federal appellate court affirmed the judgment. The court determined that the government's interpretation would transform the CFAA, 18 U.S.C.S. § 1030, from an anti-hacking statute into an expansive misappropriation statute. The term "entitled" in the statutory text referred to how an accessor obtained or altered the information, whereas the employer's computer use policy used "entitled" to limit how the information was used after it was obtained. The court concluded that this was a poor fit with the statutory language. An equally or more sensible reading of "entitled" was as a synonym for "authorized." So read, "exceeds authorized access" would refer to data or files on a computer that one was not authorized to access. Invoking the rule of lenity, the court stated that if there was any doubt about whether Congress intended the CFAA to prohibit the conduct in which Nosal engaged, then the court had to choose the interpretation least likely to impose penalties unintended by Congress. The court, however, noted that the government could prosecute Nosal on the remaining counts of the indictment.
Access the full text case
Not a Lexis Advance subscriber? Try it out for free.
Be Sure You're Prepared for Class