United States v. Nosal: Ninth Circuit Decision Increases Protection Against Employee Computer Data Theft
The U.S. Court of Appeals for the Ninth Circuit has given employers a clear path to increased protection for their trade secrets and other proprietary information in its decision in United States v. Nosal, Case No. 10-10038 (9th Cir. Apr. 28, 2011), holding that an employee who misuses a company computer with fraudulent intent violates theComputer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq. The CFAA creates both civil and criminal liability for accessing a computer “without authorization” or “exceeding authorized access” and knowingly committing one of several specified unlawful acts.
Rejecting arguments that its interpretation would “make criminals out of millions of employees who might use their work computers for personal use,” the court held that an employee who (1) violates an employer’s use restrictions (2) with an intent to defraud and (3) by that action furthers the intended fraud and obtains something of value, violates the CFAA.
The defendant in Nosal was an executive for Korn/Ferry International, an executive search firm. After he left the company, he allegedly engaged three Korn/Ferry employees to help him start a competing business. The government alleged that the three employees obtained trade secrets and other proprietary information by accessing the Korn/Ferry computer system. The employees had signed agreements that expressly restricted the use and disclosure of Korn/Ferry’s proprietary information to legitimate Korn/Ferry business and warned employees that access to the computer system in violation of the agreement could lead to disciplinary action or criminal prosecution.
Mr. Nosal moved to dismiss the CFAA claims, arguing that the Korn/Ferry employees could not have acted “without authorization” nor could they have “exceeded authorized access,” because the employees had permission to access the computer under certain circumstances. The district court initially rejected Mr. Nosal’s motion to dismiss, holding that accessing a computer “knowingly and with intent to defraud ...renders the access unauthorized or in excess of authorization .”
The Ninth Circuit’s Ruling in Brekka
Not long after the district court denied Mr. Nosal’s motion, the Ninth Circuit decided LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), holding that accessing and emailing company documents for use contrary to the company’s interests alone did not violate the CFAA. This Ninth Circuit ruling led the district court in Nosal to reconsider its decision; after review, it concluded that Brekka compelled dismissal. The district court was not alone. Following Brekka, courts in the Ninth Circuit dismissed a variety of cases on the grounds that the defendant had not exceeded authorized access.1
Brekka and its progeny diverged from cases in the other circuits that considered the issue of whether an employee’s acquisition or use of electronic data for purposes adverse to the company was “without authorization” or “exceeded authorized access” in violation of the CFAA.2 Up until the decision in Brekka, employers in the Ninth Circuit, like those in other circuits, were increasingly relying on CFAA claims, along with claims for trade secret misappropriation, in cases involving an employee’s unauthorized use of company data stored on computers. Among other things, a CFAA claim provides a basis for federal court jurisdiction that might not otherwise be available for a trade secret misappropriation or similar tort claim.
Ninth Circuit Clarification in Nosal
With its decision in Nosal, the Ninth Circuit clarified and substantially limited the application of Brekka, bringing the law in the Ninth Circuit much more in line with interpretations in other circuits (although still not as broad as in the Seventh Circuit). Specifically, the Ninth Circuit in Nosal held that the CFAA’s “exceeds authorized access” provision applies where an employer has placed limitations on the employee’s “permission to use” the computer and the employee has violated or “exceeded” those limitations. The court distinguished Brekka, in which the employee had unfettered access to the company computer and there was no employee agreement prohibiting the employee’s conduct.
In contrast, the employees in Nosal “were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to [a proprietary] databases in particular.” The court went on to say that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that.”
Implications for Employers
The Ninth Circuit’s decision confirms the importance of clear employee policies that specify what access to the company’s computers and computer networks is authorized, and what is not authorized, as well as the importance of routine reminders so that employees are aware of these policies. The decision also reopens the potential in the Ninth Circuit for CFAA claims by employers and the government against employees who have access to company computers for specified purposes, but who access computers for purposes contrary to express policies and commit one of the specified violations.
1. See, e.g., Accenture LLP v. Sidhu, 2010 U.S. Dist. LEXIS 119380 (N.D. Cal. 2010); United States v. Zhang, 2010 U.S. Dist. LEXIS 123003 (N.D. Cal. 2010).
2. See, e.g., EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001); United States v. Morris, 928 F.2d 504 (2d Cir. 1991); United States v. John, 597 F.3d 263 (5th Cir. 2010); International Airport Center LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); United States v. Rodriguez, No. 628 F.3d 1258 (11th Cir. 2010).