Did the Ninth Circuit “blow it” when it snubbed other courts and held that “exceeding authorized access” under the Computer Fraud and Abuse Act (CFAA) means nothing less than “hacking?”
In a recent decision, U.S. v. Nosal, the full Court challenged the prevailing understanding of computer crime law by taking a narrow view of the phrase “exceeds authorized access” – which is defined in the CFAA as accessing a computer that you’re allowed to access but then obtaining or altering particular information in that computer that you’re not allowed to obtain or alter. With this 9-2 en banc decision, the Court held that Nosal, a former employee of the executive search firm Korn/Ferry, could not be liable under the CFAA for stealing his former employer’s confidential information to start a competing firm. (The decision does not address other criminal charges against Nosal.)
The CFAA was enacted by Congress in 1984 to address computer misuse. In a nutshell, under the Act, it is both criminally and civilly illegal to access a computer either: a) without authorization, or b) with authorization but in a way that “exceeds authorized access.” The lack of a clear definition regarding what constitutes “exceeding authorized access” has spawned a significant number of court decisions, the vast majority of which involve claims by an employer against an ex-employee who, before quitting or being terminated, accessed the employer’s computer system to obtain information that the employer contends the employee should not have obtained.
The nub of these decisions involves the argument by the employer that the accused, although an employee at the time of access, had no right to access the particular information or no right even to enter that area of the employer’s computer system. Previously, most courts have sided with the employer, giving a broad interpretation to the phrase “exceeds authorized access” and holding that the employee may have had certain rights to use the employer’s computer system, but didn’t have the right to access the particular information.
For example, employees were found to have “exceeded authorized access” in U.S. v. John, when a bank employee accessed confidential customer information; in U.S. v. Rodriguez, when a government employee used the government’s computers to learn personal information about former or potential girlfriends; in U.S. v. Teague, when an employee of a government contractor accessed a government database to obtain President Obama’s student loan records; and in International Airport Centers, LLC v. Citrin, when an employee downloaded and installed a data-deletion program onto his employer’s laptop after he quit, but before returning the computer.
The Nosal Decision
As I mentioned previously, Nosal left Korn/Ferry, then enlisted employees still working for the company to send him client contact information to use to start a competing business. The trial court dismissed the CFAA charge, holding that “exceeding authorized access” within the context of the CFAA does not mean merely violating a company’s computer use policies. The government appealed. A panel of the Ninth Circuit reversed, finding that the phrase “exceeds authorized access” includes the conduct that Nosal was charged with. Nosal appealed, and the full Ninth Circuit reversed again, reinstating the trial court’s dismissal and confirming that, in its view, “exceeding authorized access” does not include merely violating computer use restrictions.
The Court explained that, in its view, Congress enacted the CFAA to address hacking activities and, while Nosal did not have Korn/Ferry’s permission to access and obtain its client contact information, he did not hack – i.e., break into – Korn/Ferry’s computers to achieve his nefarious purpose. The Court hypothesized that, under the broad interpretation of the phrase “exceeds authorized access,” any employee who uses a company’s computer to play online games, shop, watch sports highlights, check Facebook, or watch a YouTube video could be found to have violated the CFAA.
In a dissent, two judges of the Ninth Circuit took the majority to task for trivializing the issue of computer misuse by comparing Nosal’s serious misconduct to an employee playing computer games on the company computer. The judges complained that the majority parsed the CFAA in a “hyper-complicated” way and ignored the sensible interpretations of the statute reached by a majority of other courts.
In my opinion, the Ninth Circuit blew it. Its decision in Nosal not only contradicts numerous trial court decisions, but also bucks at least five U.S. Circuit Courts of Appeal – the First, Fifth, Seventh, Eighth, and Eleventh. The Ninth Circuit’s decision sets the stage for a U.S. Supreme Court decision to resolve a lopsided split among the Circuits that currently runs strongly in favor of the broad reading of the phrase “exceeds authorized access,” or action by Congress to amend CFAA to clarify exactly what that phrase means.