UPDATE: As discussed in this blog post, a panel of the U.S. Court of Appeals for the Ninth Circuit overruled the district court in United States v. Nosal (9th Cir. Apr. 28, 2011).


The debate over the applicability of the Computer Fraud and Abuse Act in cases of alleged employee disloyalty has yielded quite a few rulings over the last several years, and generated a circuit split last September with the Ninth Circuit decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). In that civil action alleging employee theft and misappropriation of trade secrets, the appeals court rejected an expansive interpretation of the CFAA, concluding that an employee’s authorization to access an employer’s computer network is not automatically revoked when the employee is acting in a manner that is disloyal to the employer’s interest. The Ninth Circuit explicitly rejected the contrary reasoning of the Seventh Circuit in International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). In the Citrin case, Judge Posner authored a panel ruling that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby lacks authorization within the meaning of the CFAA.

The battleground in those two cases was whether a former employer could bring a civil action under the CFAA against former employees who accessed the employer’s computer network, while still employed, for disloyal purposes. The prize in these and many other such cases is the opportunity for the employer to pursue what what would have otherwise likely been largely a matter of state law in federal court. But the CFAA is primarily a criminal statute, and expansive interpretation could (and has) resulted in federal criminal prosecutions in what have been typically state law cases.

However, the Ninth Circuit’s narrower construction in LVRC v. Brekka ruling has now been applied in  one of those criminal cases, resulting in the dismissal of some but not all of the CFAA charges against one defendant in United States v. Nosal, 3:08-cr-00237-MHP(N.D. Cal. Jan. 6, 2009)

David Nosal was a former employee of an executive search firm. He is accused in a multi-count indictment of having conspired with other employees of the firm to misappropriate the firm’s trade secrets in order to use the information to start a rival search firm. According to the indictment, the other employees used their accounts and passwords on Nosal’s behalf, without authorization and in excess of their authorization, to access and copy proprietary information to be used in connection with the establishment of the new firm. Last spring, Nosal sought dismissal of the CFAA charges on the ground that the statute does not cover misuse or misappropriation of information obtained with permission, but Judge Patel of the Northern District of California, in a ruling prior to LVRC v. Brekka, lined up with the Seventh Circuit position on the issue. She declined to dismiss the charges, ruling that the indictment sufficiently alleged that Nosal’s co-conspirators engaged in "knowing access of electronic records for uses outside their intended purpose," and that access was "not only purposeful, but also with the intent to defraud, and that confidential and proprietary information was both taken and used to further the intended fraud, i.e., to advance Nosal’’s own executive search activities, to the detriment of" the former employer.

After LVRC v. Brekka was decided, Nosal moved for reconsideration of Judge Patel’s prior ruling, and this time Judge Patel ruled that the government could not establish either that Nosal’s access to the employer’s computer (via the acts of his alleged co-conspirators) was "without authorization" or that it "exceeded authorized access." The government apparently conceded that the allegation that the access was "without authorization" could not survive LVRC v. Brekka, but dug in its heels and argued that it could still be argued that the employees’ conduct "exceeded authorized access," based upon their disloyal purpose.

Judge Patel pointed out that while the opinion in LVRC v. Brekka focused on the term "without authorization," the logic of the opinion equally applied to the term "exceeds authorized access." She reasoned that under LVRC v. Brekka, "intent and authorization are independent elements of the CFAA," and that the employee’s intent in accessing an employer’s computer "is irrelevant in determining whether an individual has permission or is authorized to access the computer." She also rejected the argument that the employees exceeded their authorized access based on language in the employer’s confidentiality and computer use policies. While there was some language in the Ninth Circuit ruling suggesting that an employer might be able to rely upon such language in defining authorized access, that language could not survive an examination of the statutory definition:

An individual only "exceeds authorized access" if he has permission to access a portion of the computer system but uses that access to "obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6) (emphasis added). There is simply no way to read that definition to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate. Such an interpretation would defy the plain meaning of the word alter, as well as common sense. A person does not necessarily alter information on a computer when they access it with a nefarious intent. Furthermore, the government’s proposed interpretation of "exceeds authorized access" would create an uncomfortable dissonance within section 1030(a)(4). Pursuant to the government’s reading of the statute, an individual’s intent would be irrelevant in determining whether that person accessed a computer "without authorization," but as long as the company had policies governing the use of the information stored in its computer system, that same individual’s intent could be dispositive in determining whether they "exceed[ed] authorized access."

Nosal still isn’t off the hook on this indictment by any means. Judge Patel refused to dismiss several CFAA charges based on alleged access by Nosal’s co-conspirators after they left the employer. And, although mail fraud charges were dismissed, there are also remaining federal trade secret theft and misappropriation charges, as well as conspiracy charges.

The implications of the Nosal case for exceedingly broad interpretation of the CFAA were noticed early in the game by Prof. Orin Kerr, a well-recognized authority on this subject, who was prominently on the team that successfully represented Lori Drew in the so-called MySpace suicide case, which also involved an expansive government interpretation of the CFAA in a criminal prosecution. Prof. Kerr blogged about the government’s legal theory in Nosal that "an employer who uses an employer’s computer with a bad motive is a criminal"prior to Judge Patel’s first ruling on the issue. Prof. Kerr has also authored a recent article on the topic of CFAA application in criminal cases, a must-read for anyone interested in or concerned about this topic.