On October 27, 2011, the United States Court of Appeals for the Ninth Circuit agreed to rehear the appeal in United States v. Nosal, 642 F.3d 781 (9th Cir. Apr. 28, 2011). Nosal involves a prosecution under the Computer Fraud and Abuse Act for alleged employee theft of confidential data from an employer’s network for the benefit of a competitor. The circumstances under which an insider with a disloyal purpose, such as an employee who has permission to use the employer’s network resources, can be charged either civilly or criminally under the CFAA with unauthorized access to a network, or access exceeding authorization, has been the subject of disagreement in the federal courts.
As we wrote last April, the panel in Nosal ruled that an employee exceeds authorized access within the meaning of the CFAA “when he or she obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.” The Nosal ruling narrowly interpreted a prior Ninth Circuit panel opinion in a civil action under the CFAA, LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). (See prior blog post here.) There, a different panel ruled that under the plain language of the CFAA, an act of disloyalty to an employer, e.g., access to a employer’s network for purposes of providing data to a competitor, does not render the employee’s access unauthorized within the meaning of the CFAA.
The key distinction that the panel in Nosal made from the facts of LVRC v. Brekka, was the existence in Nosal of “a computer use policy that placed clear and conspicuous restrictions on the employees’ access” both to employer’s computer system in general and to specific data in question. No such agreement was in place in LVRC v. Brekka.
The implications of the issues in LVRC v. Brekka and Nosal go beyond the employer-employee context. In its Amicus Brief filed urging the Ninth Circuit to rehear the Nosal case en banc, the Electronic Frontier Foundation argued that the panel opinion in Nosal would criminalize routine, mundane acts committed by Internet users that were deemed to violate provisions in broadly written Internet Terms of Service.
It is important to note that other federal courts of appeal have upheld broad readings of the CFAA in the employee-employer context. In the civil context, see, e.g., International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); and in the criminal context, see, e.g., United States v. John, 597 F.3d 263 (5th Cir. 2010), United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).
Oral argument in the rehearing en banc is scheduled for some time in the week of December 12, 2011.