Expanded Protection Against Employee Computer Data Theft Under Computer Fraud and Abuse Act
In a decision of first impression, the U.S. Court of Appeals for the Ninth Circuit held that an employee “exceeds authorized access” under the federal Computer Fraud and Abuse Act (CFAA) when the employee obtains information from an employer’s computer system and uses that information for a purpose that violates the employer’s restrictions on the use of that information. United States v. Nosal, Case No. 10-10038 (9th Cir., Apr. 28, 2011) (Trott, J.) (Campbell, J. dissenting).
The CFAA imposes both civil and criminal liability for accessing a computer “without authorization” or “exceeding authorized access” and then taking certain forbidden actions, ranging from obtaining information to damaging a computer or computer data. Defendant David Nosal is a former employee of executive search agency Korn/Ferry International. In breach of several formal agreements with Korn/Ferry, after leaving the firm Nosal asked three employees to help him in starting a competing business. These employees obtained trade secrets—including source lists, names and contact information—from a proprietary database of executives and companies maintained under tight security by Korn/Ferry. Subsequently, the government filed a 21-count indictment against Nosal and one of his accomplices for, among other things, violation of the section of the CFAA prohibiting unauthorized access to a protected computer with intent to defraud. Nosal filed a motion to dismiss the indictment, arguing that the Korn/Ferry employees could not have acted “without authorization” nor could they have “exceeded authorized access” to violate the CFAA because they possessed permission to access the computer and its information under certain circumstances. The district court rejected Nosal’s argument and denied his motion to dismiss, finding that a person’s accessing a computer “knowingly and with intent to defraud … renders the access unauthorized or in excess of authorization.”
After the district court denied Nosal’s motion to dismiss, the 9th Circuit decided LVRC Holdings v. Brekka, which considered the construction of the phrase “without authorization” contained in the CFAA. In Brekka, the 9th Circuit held that an employee cannot access “without authorization” under § 1030(a)(4) of the CFAA unless the employee has no authority to access the information under any circumstances. Nosal then filed a motion to reconsider. In light of Brekka, the district court partially granted Nosal’s motion as to the counts against defendants stemming from alleged access to the former employer’s computer system during their employment. Because Nosal’s conspirators possessed the authority to obtain information from Korn/Ferry’s database for legitimate business purposes, the district court determined that they did not exceed their authorized access by doing so, even if they acted with a fraudulent intent. The government appealed.
On appeal, the 9th Circuit considered whether the defendant conspirators could have exceeded their authorized access to the Korn/Ferry computer system—and thus violated the CFAA—by accessing information that they were entitled to access under limited circumstances. Section 1030(a)(4) prohibits both access “without authorization” and access “exceed[ing] authoriz[ation].” Agreeing with the government that interpreting the two phrases the same way would render superfluous the statutory language, the 9th Circuit held that the phrase “exceeds authorized access” includes access violating the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer. Accordingly, the 9th Circuit reversed the district court’s decision and remanded with instructions to reinstate the criminal counts in the superseding indictment.
The dissent expressed concern that the key phrase of the CFAA relied upon by the majority, “exceeds authorized access,” possesses a much broader meaning in other parts of the statute, notably, in those without an intent requirement. Thus, extension of the majority’s interpretation of the phrase to other sections of the statute may subject persons to criminal liability for obtaining information from an employer’s computer in violation of the employer’s computer use restrictions, despite a lack of intent.