United States v. Nosal

Citations: 642 F.3d 781; 32 I.E.R. Cas. (BNA) 271; 2011 U.S. App. LEXIS 8660; 2011 WL 1585600Docket: No. 10-10038

Court: Court of Appeals for the Ninth Circuit; April 28, 2011; Federal Appellate Court

Lead Opinion AnalysisLead Opinion SummaryLead Opinion OriginalDissent AnalysisDissent Original

Narrative Opinion Summary

The case involves an appeal by the United States against the district court's dismissal of several counts of an indictment against an individual charged with violations of the Computer Fraud and Abuse Act (CFAA). The defendant, a former employee of a company, was accused of conspiring with current employees to access the company's protected computer system beyond their authorized permissions to gather information for a competing business. The district court dismissed the charges, interpreting the CFAA based on a precedent that an employee does not exceed authorized access unless they lack any access authority. However, the appellate court reversed this decision, emphasizing that exceeding authorized access occurs when an employee violates employer-imposed restrictions, even if they initially have permission to access certain information. The court concluded that the CFAA's intent and causation requirements protect against criminalizing minor policy violations and reinstated the dismissed counts, directing further proceedings. The court's decision is significant in clarifying the scope of 'exceeds authorized access' under the CFAA, affirming the employer's role in defining access boundaries and addressing the potential for criminal liability when employees act with fraudulent intent to gain value.

Legal Issues Addressed

Application of the Rule of Lenitysubscribe to see similar legal issues

Application: The court considered the rule of lenity, resolving ambiguities in criminal statutes against the government, but found clear employer restrictions sufficient to determine unauthorized access.

Reasoning: The principle of lenity was applied, emphasizing that criminal statutes should be interpreted narrowly and ambiguities resolved against the government.

Employer's Authority to Define Accesssubscribe to see similar legal issues

Application: The court acknowledged that employers have the authority to define and restrict employee access, and violations of these restrictions may constitute exceeding authorized access.

Reasoning: An employee who is aware of their employer's limitations on access exceeds their authorization when they violate these restrictions.

Intent and Fraud under CFAA § 1030(a)(4)subscribe to see similar legal issues

Application: The court clarified that criminal liability under § 1030(a)(4) requires violations of access restrictions, fraudulent intent, and furtherance of fraud to obtain value.

Reasoning: Criminal liability arises only when an employee (1) violates access restrictions, (2) possesses fraudulent intent, and (3) furthers that fraud to obtain something of value.

Interpretation of 'Exceeds Authorized Access' under CFAAsubscribe to see similar legal issues

Application: The court applied the interpretation that an employee exceeds authorized access when they violate employer-imposed restrictions on access, even if they have legitimate access for certain purposes.

Reasoning: The statute does not define 'without authorization,' but it specifies that 'exceeds authorized access' entails using authorized access to obtain or alter information that the user is not entitled to access in that manner.