United States v. Nosal

United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling (Nosal I) established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies&mdash;if they are authorized to access the computer and do not circumvent any protection mechanisms.

On April 24, 2013, U.S. Attorney Melinda Haag announced that Nosal was convicted by a federal jury of all charges contained in a six-count indictment. Nosal appealed his conviction to the Ninth Circuit. On July 5, 2016, a three-judge panel held 2-1 that Nosal had acted "without authorization" and affirmed his conviction. In this second decision (Nosal II), the Ninth Circuit attempted to clarify the meaning of "without authorization" in the context of the CFAA.

Background
In October 2004, David Nosal resigned from his position at Korn/Ferry, an executive search and recruiting company. As part of his separation agreement, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with them for one year; in exchange, Korn/Ferry agreed to compensate Nosal with two lump-sum payments and twelve monthly payments of $25,000. A few months after leaving Korn/Ferry, Nosal solicited three Korn/Ferry employees to help him start a competing executive search business. Before leaving the company, the employees downloaded a large volume of "highly confidential and proprietary" data from Korn/Ferry's computers, including source lists, names, and contact information for executives.

On June 26, 2008, Nosal and the three employees were indicted by the federal government on twenty counts of violations of the Computer Fraud and Abuse Act. The government alleged that the defendants "knowingly and with intent to defraud" exceeded authorized access to Korn/Ferry's computers.

Nosal appealed the indictment, claiming that the CFAA was "aimed primarily at computer hackers" and that it "does not cover employees who misappropriate information or who violate contractual confidentiality agreements". Nosal further argued that the employees were, in principle, permitted to access the information in their role as Korn/Ferry employees, and thus they did not "act without authorization" or "exceed authorized access" as written in Section (a)(4) of the CFAA.

After initially rejecting these arguments, the district court eventually agreed with Nosal and dismissed the five counts of the indictment arising from Section (a)(4). The government appealed this decision, arguing that Nosal and his accomplices did indeed exceed authorized access because they violated the company's computer access policies, which restricted the "use and disclosure of all [database] information, except for legitimate Korn/Ferry business".

Court case
The case was based heavily on the Ninth Circuit's interpretation of language in the CFAA statute, especially Section (a)(4), under which the more serious charges against the defendants stemmed.

Section (a)(4) of the CFAA makes liable anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." Neither party disputed that Nosal's accomplices were authorized to access Korn/Ferry computers, so the case hinged on whether or not they exceeded their authorized access when they downloaded the information for fraudulent purposes.

The Ninth Circuit Court relied on their earlier decision in LVRC Holdings v. Brekka, which centered on an employee who transferred business documents from his employer's computer to his personal email account and was later sued by the employer under a civil provision in the CFAA. In their ruling for that case, the court emphasized a distinction between the phrases "without authorization" and "exceeding authorized access" from CFAA Section (a)(4), and in so doing, provided an interpretation of the statutory language. They wrote, "an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question."

The court adopted this interpretation and expanded its scope, ruling that an employee "exceeds authorized access" under the CFAA when they use a computer in way that violates an employer's access restrictions&mdash;including policies governing how information on the computer may be used.

Regarding the question of how to determine when a violation occurs, the court rejected the approach used in International Airport Centers v. Citrin, which asserted that an employee loses authorization when he or she "violates a state law duty of loyalty because...the employee's actions [terminate] the employer-employee relationship 'and with it his [or her] authority to access the [computer]'".

Instead, the court cited their finding from Brekka that for purposes of the CFAA, it is the action of the employer that determines whether an employee is authorized to access the computer. They decided that, as a logical extension of this finding, the question of whether an employee "exceeds authorized access" is likewise determined by the employer's actions, including (but not limited to) the promulgation of computer use restrictions. Since Korn/Ferry indeed had such computer use restrictions, which the defendants violated when they accessed the executive database for fraudulent purposes, the Ninth Circuit court reversed the district court's decision and remanded the district court to reinstate the five counts under Section (a)(4).

Dissent
Judge Campbell dissented, arguing that the court's decision renders the CFAA's provisions unconstitutionally vague, since computer use policies are not written "with the definiteness or precision that would be required for a criminal statute" and they can be changed without notice. The ruling, she argued, places an undue burden on employees to stay current on such policies in order to protect themselves against possible criminal prosecution.

Impact and criticism
Nosal argued that the ruling would make criminals out of millions of employees who use their work computer to do trivial tasks such as checking basketball scores on the internet or reading personal email&mdash;behaviors that (technically) violate typical computer use policies. Many online law pundits expressed similar concerns, fearing that one could be prosecuted under federal law for violating a website's terms of service&mdash;for example, lying about one's age on Facebook.

The court defended its ruling, noting that such benign behaviors lack the requisite conditions of "intent to defraud" and "furthering fraud by obtaining something of value" as required for prosecution under CFAA Section (a)(4). However, other provisions in the CFAA do not include such requirements, so the current ruling may still admit prosecution of trivial behaviors that had previously been considered out of the scope of the CFAA.

Follow up
On October 27, 2011, the Ninth Circuit agreed to rehear the case en banc. The new case was presented in front of the entire Ninth Circuit panel on December 15, 2011, in San Francisco. The result of the hearing was published April 10, 2012, and states that the court chose a narrow interpretation of the CFAA, holding that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions.

External references
Parties Articles En banc hearing 2013
 * David Nosal at Nosal Partners
 * Korn/Ferry International
 * List of documents related to CFAA
 * Electronic Frontier Foundation web page about the case
 * Shawn E. Tuma: "What does the CFAA mean and why should I care?" - A Primer on the Computer Fraud and Abuse Act for Civil Litigator
 * Dale C. Campbell: Seventh and Ninth circuits split on what constitutes without authorization within the meaning of the CFAA
 * Nick Akerman's article of the en banc hearing on December 15th
 * Video recording of United States v Nosal en banc hearing.
 * Orin Kerr discussing the "en banc" hearing follow-up article by Kerr
 * Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense
 * Nosal Convicted of Computer Fraud and Abuse Act Crime Despite His Ninth Circuit Win
 * Man Convicted of Hacking Despite Not Hacking