
United States v. Nosal

Citations: 661 F.3d 1180; 2011 WL 5109831

Docket: 10-10038

Court: Court of Appeals for the Ninth Circuit; April 28, 2011; Federal Appellate Court

The United States Court of Appeals for the Ninth Circuit addresses an appeal by the United States against the dismissal of several counts from an indictment involving David Nosal, who is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The key provision under scrutiny, § 1030(a)(4), penalizes unauthorized access to a protected computer with the intent to defraud. The indictment claims that Nosal's co-conspirators exceeded their authorized access to their employer's computer system to obtain information for the purpose of defrauding the employer and aiding Nosal in establishing a competing business.

The district court's ruling relied on the precedent set in LVRC Holdings LLC v. Brekka, which stated that an employee does not exceed authorized access unless they have no authority to access the information under any circumstances. In contrast, the government argues that exceeding authorized access occurs when an employee obtains information for purposes that violate employer restrictions, regardless of access permissions.

The court acknowledges concerns regarding the potential criminalization of mere policy violations but concludes that the specific intent and causation requirements of § 1030(a)(4) adequately protect employees whose actions only involve innocuous personal use of company resources. Consequently, the court reverses the district court's decision and remands the case with instructions to reinstate specific counts of the indictment against Nosal.

Background details indicate that Nosal worked as an executive for Korn/Ferry International and had signed agreements prohibiting competition for one year after leaving. Following his departure, he allegedly engaged Korn/Ferry employees to access proprietary information unlawfully to facilitate his competing business.

Employees transferred confidential information from Korn/Ferry's "Searcher" database, which is described as a highly proprietary and comprehensive resource for executive candidate data. Korn/Ferry implemented significant security measures to protect this database, including strict control over electronic and physical access, unique usernames and passwords for employees, and mandatory confidentiality agreements outlining the proprietary nature of the information. The database's confidentiality was further reinforced by labeling reports as "Korn/Ferry Proprietary and Confidential" and displaying a warning message upon logging into the system, indicating that unauthorized access could result in disciplinary action or prosecution.

In the district court proceedings, the government filed a twenty-count superseding indictment against Nosal and an accomplice, with specific counts alleging violations of the Computer Fraud and Abuse Act (CFAA). Nosal's motion to dismiss argued that the CFAA primarily targets hackers and does not apply to employees misappropriating information under contractual confidentiality agreements, as they had authorized access to the system. The district court acknowledged this as a novel issue in the Ninth Circuit, noting divergent case law. Some courts have interpreted the CFAA broadly, holding that employees acting with fraudulent intent violate the statute once they act against their employer's interests. Conversely, other courts maintain that violations occur only when access to a computer or specific information is initially unauthorized.

Courts interpret the Computer Fraud and Abuse Act (CFAA) as primarily targeting external hackers rather than employees misusing access privileges. Initially, the district court rejected Nosal's argument, asserting that access with intent to defraud is unauthorized. However, following the ruling in LVRC Holdings LLC v. Brekka, Nosal successfully argued for dismissal of certain CFAA counts. The district court found that "exceeds authorized access" pertains to accessing areas of a computer for which an employee lacks permission, regardless of intent. For instance, accessing a restricted drive (e.g., "G" drive) constitutes exceeding authorized access, while violations of use restrictions on an authorized drive (e.g., "F" drive) do not. Since the conspirators could access the Searcher database for legitimate purposes, their actions did not exceed authorization. The government appealed, and the court upheld that access after employment termination could be unauthorized. The appeal centers on whether the accomplices exceeded authorized access by accessing information under limited circumstances. The court concluded that exceeding authorization occurs when employees violate their employer's access restrictions. The CFAA addresses various computer crimes, primarily focusing on unauthorized access and subsequent prohibited actions.

The federal statute in question penalizes individuals who knowingly and with intent to defraud access a protected computer without authorization or exceed authorized access, provided their actions further the intended fraud and result in obtaining something of value, unless the value is less than $5,000 in a year. The statute does not define "without authorization," but it clarifies that "exceeds authorized access" refers to accessing a computer legitimately but using that access to obtain or alter information that one is not entitled to access in that manner. The interpretation of "so" in the statutory definition underscores the necessity of adhering to the specified limitations of access. It is emphasized that all provisions of the statute must be given effect to avoid rendering any part meaningless.

In a related case, Brekka's actions—emailing business documents to personal accounts during negotiations for ownership of his employer, LVRC Holdings—were scrutinized. LVRC argued that Brekka acted without authorization as he acted against the employer's interests. The Seventh Circuit's precedent, which states that an employee loses authorization when acting contrary to the employer's interests, was rejected. Instead, it was determined that an employee's authorization is contingent on the employer's actions; if the employer has not revoked access rights, the employee cannot reasonably know that personal use of the computer constitutes a criminal violation. Thus, the employer's actions dictate the authorization status of the employee under the Computer Fraud and Abuse Act (CFAA).

Interpreting a criminal statute in an unexpected manner is improper, as established in Brekka, 581 F.3d 1135. The lack of employer notification regarding the revocation of access raises concerns about an employee's ability to know when their authorization has been revoked. This principle underscores the application of the rule of lenity, which emphasizes clarity and construes ambiguities against the government. Since Brekka was not informed of any restrictions on his computer access, he had no means to determine if his access was unauthorized, allowing him to be considered authorized as long as he had some permission to use the computer, regardless of fraudulent intent.

The interpretation of "without authorization" is limited to scenarios where there is no authorization whatsoever to access a computer, while "exceeds authorized access" applies when an employee surpasses the limits of their granted permissions. Accepting that accessing a computer for unauthorized purposes constitutes accessing it "without authorization" would negate the distinction between the two phrases. In Brekka, the ruling clarified that an employer's decisions regarding access define an employee's authorization status.

In this case, Brekka did not exceed his access since there were no written restrictions or guidelines prohibiting his actions. Conversely, Korn/Ferry employees were bound by explicit computer use policies that restricted access to certain systems. By violating these restrictions, Nosal’s accomplices acted with clear awareness of their potential criminal liability. Therefore, the rule of lenity does not justify disregarding statutory language, as the employer's authority to determine authorization is firmly established by Brekka.

An employee exceeds their authorized access when they violate known limitations set by their employer regarding computer access, particularly in cases where fraudulent intent is involved. Various circuit courts, including the Fifth and Eleventh Circuits, have affirmed that accessing information contrary to employer restrictions constitutes exceeding authorized access under the Computer Fraud and Abuse Act (CFAA). For instance, in United States v. John, an employee accessed confidential information to commit fraud, which the court deemed as exceeding authorized access. Similarly, the Eleventh Circuit ruled that an employee improperly accessed personal information for non-business reasons, violating explicit employer restrictions. Unlike the Brekka case, where no restrictions were in place, the current context involves clear prohibitions communicated to the employee. The CFAA does not criminalize mere violations of access restrictions; it requires a violation with fraudulent intent that furthers a scheme to obtain value. Thus, merely using a work computer for personal tasks does not constitute a crime under § 1030(a)(4). The conclusion reaffirms that exceeding authorized access occurs when an employee disregards access limitations imposed by the employer. The district court's decision is reversed, and the case is remanded for reinstatement of specific counts of the indictment. A dissenting opinion argues that this interpretation of the CFAA may not align with Congressional intent and raises concerns about vagueness in the statute.

The majority emphasizes that the intent requirement of 18 U.S.C. § 1030(a)(4) prevents criminalizing ordinary employee behavior, such as personal use of work computers. An employee only violates subsection (a)(4) if they (1) breach an employer's access restrictions, (2) possess intent to defraud, and (3) further that fraud to obtain value. This interpretation distinguishes the case from hypothetical scenarios where mere violations of usage policies would constitute crimes. The statute's language, particularly "exceeds authorized access," is consistent across provisions, including the broader § 1030(a)(2)(C), which lacks an intent requirement. Under this broader provision, accessing a computer in violation of employer restrictions could constitute a federal crime, as illustrated by the example of Mr. Nosal accessing a proprietary database for non-business purposes.

The void-for-vagueness doctrine mandates that penal statutes clearly define offenses to avoid arbitrary enforcement. The majority's interpretation risks criminalizing actions based on vague employer policies, which may not provide clear notice of prohibited conduct. This interpretation also allows employers to impose criminal liability simply by stating that access ends upon a breach of loyalty, effectively integrating private policies into federal law. Furthermore, since computer use policies can change without notice, employees would need to constantly update their knowledge of these policies to avoid potential criminal liability. The majority attempts to mitigate this by stating that employees must have knowledge of their employer's restrictions to exceed authorized access, a requirement not explicitly present in the statute.

In United States v. Drew, the district court examined whether an intentional breach of a website's terms of service alone constitutes a misdemeanor violation of the Computer Fraud and Abuse Act (CFAA) and whether such an interpretation would survive constitutional scrutiny for vagueness. The court found that the government's interpretation would render § 1030(a)(2)(C) unconstitutionally vague, as it would allow for any breach of terms of service to be criminally prosecuted without clear limitations, potentially leading to arbitrary enforcement by federal entities. 

The court emphasized that the interpretation of "exceeds authorized access" should align with Congress's intent to address computer hacking, suggesting that it should apply only when someone uses authorized access to obtain or alter information they are not entitled to access. This interpretation aligns with prior case law and the legislative history indicating that the CFAA was designed to tackle unique computer crimes rather than acts of fraud that could occur through computer use. The dissenting opinion contended that the majority's reading mischaracterizes the CFAA's intent and scope, as it would criminalize conduct that was not meant to be covered by the statute.