9th Circuit Declines To Apply CFAA To Corporate Computer Use Violations

9th Circuit Declines To Apply CFAA To Corporate Computer Use Violations

SAN FRANCISCO - (Mealey's) Reversing an earlier panel and affirming a lower court, the majority of the en banc Ninth Circuit U.S. Court of Appeals on April 10 held that the phrase "exceeds authorized access" within the Computer Fraud and Abuse Act (CFAA) "is limited to violations of restrictions on access to information, and not restrictions on its use" (United States of America v. David Nosal, No. 10-10038, 9th Cir.; 2012 U.S. App. LEXIS 7151).

(Opinion.  Document #24-120419-033Z.)

The majority opinion, which was written by Chief Judge Alex Kozinski, adopted a narrower interpretation of "exceeds authorized access," stating that this was more in line with Congress' intent in enacting the CFAA to combat hacking.  The majority also stated that adopting a broader interpretation of the phrase could potentially turn any employee's computer use that exceeds an employer's computer use policy into a federal crime.

Judge Barry G. Silverman offered a dissent, which was joined by Judge Richard C. Tallman.

Non-Compete Agreement

From 1996 to 2004, David Nosal was employee of executive search firm Korn/Ferry International.  When Nosal left the firm in October 2004, he signed both a "Separation and General Release Agreement" and an "Independent Contractor Agreement," by which he agreed to act as an independent contractor and to not compete with Korn/Ferry.

However, Nosal made plans to start a competing business shortly thereafter.  He allegedly recruited three Korn/Ferry employees to obtain certain of the firm's trade secrets and proprietary information, including source lists, names and contract information from Korn/Ferry's "Searcher" database.  Korn/Ferry asserts that this is "one of the most comprehensive databases of executive candidates in the world."

Indictment And Dismissal

In June 2008, the U.S. government filed a 20-count superseding indictment against Nosal and one of his accomplices in the U.S. District Court for the Northern District of California.  Counts two through nine of the indictment alleged violation of the CFAA by the Korn/Ferry employees, as well as by Nosal "as an aider and abettor."

Nosal's motion to dismiss the CFAA counts of the indictment was initially denied by the District Court in April 2009, with the court finding that the co-conspirators' access was unauthorized because they acted "knowingly and with intent to defraud."  After the Ninth Circuit subsequently rendered its decision in LVRC Holdings LLC v. Brekka (581 F.3d 1127 [9th Cir. 2009]), Nosal filed a motion to reconsider, which the lower court granted.  Upon reconsideration, the District Court in January 2010 ruled that "[b]ecause the conspirators had authority to obtain information from the Searcher database for legitimate Korn/Ferry business purposes" as the firm's employees, "they did not exceed their authorized access . . . even if they acted with a fraudulent intent."

Thus, the court dismissed counts two and four through seven of the indictment for failure to state a claim.  The government appealed to the Ninth Circuit.  In April 2011, a split Ninth Circuit panel held that even though the co-conspirators had access to the database as employees, they violated the CFAA because they violated Korn/Ferry's access restrictions, which prohibited the disclosure of confidential information.  In June, the court granted Nosal's petition for rehearing en banc.  The case was reheard Dec. 15.

Computer Use Restrictions

The CFAA defines "exceeds unauthorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."  Nosal argued that this applies to a hacker, which is "someone who's authorized to access only certain data or files but accesses unauthorized date or files."  The government countered that the disputed phrase "could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information."

The majority held that "[t]he government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute."  This would effectively "expand the scope of criminal liability to anyone who uses a computer in violation of computer use restrictions -- which may well include everyone who uses a computer."

Fair Notice

Although the CFAA is susceptible to the government's interpretation, the majority concluded that Nosal's narrower interpretation was "more plausible."  The broader interpretation, the majority said, "would make criminals of large groups of people who would have little reason to suspect that they are committing a federal crime" by using an employer's computer for such activities as sending a personal email, checking a weather report or playing a game.  Such users would not be on fair notice of the criminal laws and penalties, the majority said.

The majority also noted that the broader interpretation could also potentially be applied to Internet users who violate the use agreements for websites, of which they "are only dimly aware."  That could turn activities such as lying about your age or weight on a dating site into a CFAA violation, the majority stated.

Citing United States v. Kozminski (487 U.S. 931 [1988]), the majority declined to adopt the government's interpretation, which would "criminalize a broad range of day-to-day activity."  Instead, the majority applied "the rule of lenity" and adopted the narrower interpretation that the CFAA applies to unauthorized access in the form of hacking and related activities.


Judge Silverman took issue with the majority's characterization of the broader interpretation as potentially pertaining to online game playing or "fibbing on dating sites."  Instead, he contended that the focus of the defendants' CFAA violations was on "stealing an employer's valuable information to set up a competing business with the purloined data."  Nosal and his co-conspirators "knowingly exceeded the access to a protected company computer" of their employer "with the intent to defraud," Judge Silverman said.  The "ridiculing scenarios" proffered in the majority opinion "are not remotely presented by this case," he argued.

Instead, Judge Silverman likened the co-conspirators' actions to a teller's access to a bank's money for legitimate banking purposes, but not for his or her own personal use.  The majority's interpretation of the CFAA "conflicts with the plain language of the statute," he said, noting that none of the other federal circuits has read the act as the majority has.  Instead, other circuits "have explicitly held that employees who knowingly violate clear company computer restrictions agreements 'exceed authorized access' under the CFAA."  Judge Silverman pointed to United States v. John (597 F.3d 263, 271-73 [5th Cir. 2010]) and United States v. Rodriguez (628 F.3d 1258, 1263 [11th Cir. 2010]) as examples of such interpretation.

"[I]t does not advance the ball to consider, as the majority does, the parade of horrible that might occur under different subsections of the CFAA," Judge Silverman said, further holding that "[b]ecause the indictment adequately states the elements of a valid crime, the district court erred in dismissing the charges."

The government is represented by Assistant Attorney General Lanny A. Breuer, Jenny C. Ellison and Jaikumar Ramaswamy of the U.S. Department of Justice in Washington, D.C., and Associate Deputy Attorney General Scott N. Schools and Assistant U.S. Attorney Kyle F. Waldinger of the DOJ in San Francisco.  Dennis P. Riordan, Donald M. Horgan and Ted Sampsell-Jones of Riordan & Horgan in San Francisco represent Nosal.

[Editor's Note:  Lexis subscribers may download the document using the link above. The document(s) are also available at www.mealeysonline.com or by calling the Customer Support Department at 1-800-833-9844.]

For all of your legal news needs, please visit www.lexisnexis.com/mealeys.

Lexis.com subscribers may search all Mealey Publications

Non-subscribers may search for Mealey Publications stories and documents at www.mealeysonline.com or visit www.Mealeys.com.

For more information about LexisNexis products and solutions, connect with us through our corporate site.