SAN FRANCISCO - (Mealey's) Reversing an earlier panel and
affirming a lower court, the majority of the en banc Ninth Circuit U.S. Court
of Appeals on April 10 held that the phrase "exceeds authorized access" within
the Computer Fraud and Abuse Act (CFAA) "is limited to violations of restrictions
on access to information, and not restrictions on its use" (United States of
America v. David Nosal, No. 10-10038, 9th Cir.; 2012 U.S. App. LEXIS 7151).
(Opinion. Document #24-120419-033Z.)
The majority opinion, which was written by Chief Judge Alex
Kozinski, adopted a narrower interpretation of "exceeds authorized access,"
stating that this was more in line with Congress' intent in enacting the CFAA
to combat hacking. The majority also stated that adopting a broader
interpretation of the phrase could potentially turn any employee's computer use
that exceeds an employer's computer use policy into a federal crime.
Judge Barry G. Silverman offered a dissent, which was joined by
Judge Richard C. Tallman.
From 1996 to 2004, David Nosal was an employee of executive search
firm Korn/Ferry International. When Nosal left the firm in October 2004,
he signed both a "Separation and General Release Agreement" and an "Independent
Contractor Agreement," by which he agreed to act as an independent contractor
and to not compete with Korn/Ferry.
However, Nosal made plans to start a competing business shortly
thereafter. He allegedly recruited three Korn/Ferry employees to obtain
certain of the firm's trade secrets and proprietary information, including
source lists, names and contact information from Korn/Ferry's "Searcher"
database. Korn/Ferry asserts that this is "one of the most comprehensive
databases of executive candidates in the world."
Indictment And Dismissal
In June 2008, the U.S. government filed a 20-count superseding
indictment against Nosal and one of his accomplices in the U.S. District Court
for the Northern District of California. Counts two through nine of the
indictment alleged violation of the CFAA by the Korn/Ferry employees, as well
as by Nosal "as an aider and abettor."
Nosal's motion to dismiss the CFAA counts of the indictment was
initially denied by the District Court in April 2009, with the court finding
that the co-conspirators' access was unauthorized because they acted "knowingly
and with intent to defraud." After the Ninth Circuit subsequently
rendered its decision in LVRC Holdings LLC v. Brekka (581 F.3d 1127 [9th Cir.
2009]), Nosal filed a motion to reconsider, which the lower court
granted. Upon reconsideration, the District Court in January 2010 ruled
that "[b]ecause the conspirators had authority to obtain information from the
Searcher database for legitimate Korn/Ferry business purposes" as the firm's
employees, "they did not exceed their authorized access . . . even if they
acted with a fraudulent intent."
Thus, the court dismissed counts two and four through seven of the
indictment for failure to state a claim. The government appealed to the
Ninth Circuit. In April 2011, a split Ninth Circuit panel held that even
though the co-conspirators had access to the database as employees, they
violated the CFAA because they violated Korn/Ferry's access restrictions, which
prohibited the disclosure of confidential information. In June, the court
granted Nosal's petition for rehearing en banc. The case was reheard Dec.
Computer Use Restrictions
The CFAA defines "exceeds authorized access" as "to access a
computer with authorization and to use such access to obtain or alter
information in the computer that the accesser is not entitled so to obtain or
alter." Nosal argued that this applies to a hacker, which is "someone
who's authorized to access only certain data or files but accesses unauthorized
data or files." The government countered that the disputed phrase "could
refer to someone who has unrestricted physical access to a computer, but is
limited in the use to which he can put the information."
The majority held that "[t]he government's interpretation would
transform the CFAA from an anti-hacking statute into an expansive
misappropriation statute." This would effectively "expand the scope of
criminal liability to anyone who uses a computer in violation of computer use
restrictions -- which may well include everyone who uses a computer."
Although the CFAA is susceptible to the government's
interpretation, the majority concluded that Nosal's narrower interpretation was
"more plausible." The broader interpretation, the majority said, "would
make criminals of large groups of people who would have little reason to
suspect that they are committing a federal crime" by using an employer's
computer for such activities as sending a personal email, checking a weather
report or playing a game. Such users would not be on fair notice of the
criminal laws and penalties, the majority said.
The majority also noted that the broader interpretation could
also potentially be applied to Internet users who violate the use agreements
for websites, of which they "are only dimly aware." That could turn
activities such as lying about your age or weight on a dating site into a CFAA
violation, the majority stated.
Citing United States v. Kozminski (487 U.S. 931), the
majority declined to adopt the government's interpretation, which would
"criminalize a broad range of day-to-day activity." Instead, the majority
applied "the rule of lenity" and adopted the narrower interpretation that the
CFAA applies to unauthorized access in the form of hacking and related
Judge Silverman took issue with the majority's characterization
of the broader interpretation as potentially pertaining to online game playing
or "fibbing on dating sites." Instead, he contended that the focus of the
defendants' CFAA violations was on "stealing an employer's valuable information
to set up a competing business with the purloined data." Nosal and his
co-conspirators "knowingly exceeded the access to a protected company computer"
of their employer "with the intent to defraud," Judge Silverman said. The
"ridiculing scenarios" proffered in the majority opinion "are not remotely
presented by this case," he argued.
Instead, Judge Silverman likened the co-conspirators' actions to
a teller's access to a bank's money for legitimate banking purposes, but not
for his or her own personal use. The majority's interpretation of the
CFAA "conflicts with the plain language of the statute," he said, noting that
none of the other federal circuits has read the act as the majority has.
Instead, other circuits "have explicitly held that employees who knowingly
violate clear company computer restrictions agreements 'exceed authorized access'
under the CFAA." Judge Silverman pointed to United States v. John (597
F.3d 263, 271-73 [5th Cir. 2010]) and United States v. Rodriguez (628 F.3d
1258, 1263 [11th Cir. 2010]) as examples of such interpretation.
"[I]t does not advance the ball to consider, as the majority
does, the parade of horribles that might occur under different subsections of
the CFAA," Judge Silverman said, further holding that "[b]ecause the indictment
adequately states the elements of a valid crime, the district court erred in
dismissing the charges."
The government is represented by Assistant Attorney General
Lanny A. Breuer, Jenny C. Ellison and Jaikumar Ramaswamy of the U.S. Department
of Justice in Washington, D.C., and Associate Deputy Attorney General Scott N.
Schools and Assistant U.S. Attorney Kyle F. Waldinger of the DOJ in San
Francisco. Dennis P. Riordan, Donald M. Horgan and Ted Sampsell-Jones of
Riordan & Horgan in San Francisco represent Nosal.