Employers in the Ninth Circuit this week lost the Computer Fraud and Abuse Act (CFAA) as a weapon against employees who misuse information they had authorization to access.

In United States v. Nosal, an en banc panel of the Ninth Circuit held in a 9-2 vote that criminal liability under the CFAA is limited to persons violating employer-placed restrictions on access to company information, not use restrictions. The court essentially confined the statute to what is colloquially known as computer “hacking,” rather than more widespread violations of computer use policies. While the Nosal case arose in a criminal context, the court’s interpretation of the CFAA is equally applicable in private civil actions under the Act.

The defendant, David Nosal, a former employee of executive recruiting firm Korn/Ferry International, was indicted on charges of conspiring with two former co-workers while they still worked for the firm to obtain secret source lists, names, and contact information from the firm’s password-protected, confidential database. Nosal then allegedly used this information to operate a competing business.

As a former employee, Nosal did not have access to Korn/Ferry’s database, but the co-workers had access through their firm-assigned usernames and passwords. Korn/Ferry had required the co-workers to sign an agreement that restricted the use and disclosure of information in the database to legitimate Korn/Ferry business. Upon logging into the database, the co-workers were notified that the information was the firm’s property and that unauthorized access could lead to disciplinary action and criminal prosecution.

Nosal was indicted on 20 counts, including trade secret theft, mail fraud, conspiracy, and violating subsection 1030(a)(4) of the CFAA. The provision of the CFAA at issue applies to anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” The government specifically accused Nosal of aiding and abetting his co-workers in “exceed[ing their] authorized access” to the Korn/Ferry database.

In the district court, Nosal moved to dismiss the CFAA charges by arguing that the law applies only to computer hackers and not to those who access a computer with authorization, as his co-workers had done. The trial judge initially rejected this argument, but switched course upon reconsidering Nosal’s motion in light of the Ninth Circuit’s opinion in LVRC Holdings LLC v. Brekka, which rejected the imposition of CFAA liability on an employee who e-mailed his employer’s proprietary documents to his personal computer for use in a competing business. The Nosal district court interpreted Brekka as excluding usage violations from constituting activity that “exceeds authorized access” under the CFAA, and dismissed those charges against Nosal.

The Ninth Circuit rejected the government’s appeal. Chief Judge Alex Kozinski wrote for the majority that the “exceeds authorized access” clause of the CFAA does not criminalize violations of information use restrictions. Judge Kozinski reasoned that the government’s broad interpretation of the phrase “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute…. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”

Judge Kozinksi took particular issue with criminal liability under the CFAA turning on “vagaries of private [use] policies that are lengthy, opaque, subject to change and seldom read.” Importantly, in affirming the dismissal of the CFAA counts, the court stated that the government could still prosecute Nosal on the remaining counts, including his alleged violation of the federal trade secrets statute.

In dissent Judge Barry Silverman, joined by Judge Richard Tallman, opined that the CFAA contemplated both unauthorized access and misuse of proprietary information. He criticized the majority’s “parade of horribles” as “ridiculous scenarios,” and for conflicting with other circuit courts’ interpretations of the CFAA. Judge Kozinski clearly disagreed on the latter point, as the majority opinion stated that it was joining “the growing number of courts that have reached the same conclusion … that the plain language of the CFAA ‘target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.’” The majority opinion did appear to acknowledge, however, that the Fifth, Seventh, and Eleventh circuits have broadly interpreted the CFAA to criminalize private use restriction violations. Other circuits have not reached the issue.

While the Nosal decision limits the CFAA as an avenue for an employer to deter former employees from data theft through both criminal and civil suits in the Ninth Circuit, such limits do not likely apply in the Fifth, Seventh, and Eleventh circuits, and remain uncertain in the circuits that have not yet squarely addressed the issue. Employers should therefore continue to maintain use restrictions and log-in notifications similar to those utilized by Korn/Ferry in the event their jurisdiction does not follow Nosal, while ensuring that access restrictions are sufficiently stringent. Lastly, the potential weakening of the CFAA by courts choosing to follow Nosal serves to highlight the importance of taking appropriate measures to protect valuable proprietary information as trade secrets, the theft of which remains prosecutable under the federal trade secrets statute and various state laws.

For further information about the company access and use restrictions in light of the CFAA, or how to best protect your company’s trade secrets and confidential information, please contact Robert R. Baron, Jr., at 215.864.8335 or baron@ballardspahr.com; Brian W. LaCorte at 602.798.5449 or lacorteb@ballardspahr.com; Jonathon A. Talcott at 602.798.5485 or talcottj@ballardspahr.com; or the member of Ballard’s Spahr’s Labor and Employment Group or Intellectual Property Litigation Group with whom you work.

Copyright © 2012 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.