On April 10, 2012, the Ninth Circuit filed its opinion in United States v. Nosal, holding that a former employee cannot be held criminally liable under federal law for receiving confidential company data and information from his former coworkers in violation of company policy. United States v. Nosal, No. 10-10038, 2012 BL 89201 (9th Cir. Apr. 10, 2012), available at http://articles.law360.s3.amazonaws.com/0328000/328700/10-10038.pdf. The court held that it is not a federal crime under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, for an employee to violate an employer’s prohibition against using work computers for nonbusiness purposes, or for a user to violate the terms of a website in the way most users probably do on a regular basis.
In this case, Nosal left his employer and then convinced some of his former coworkers to join him in starting a competing business. These coworkers, who were still working for the employer at the time, accessed confidential company information and sent it to Nosal, flouting the employer’s policy. The government charged Nosal criminally on various grounds, “including trade secret theft, mail fraud, conspiracy and violations of the CFAA.” Id. at 3859. The Ninth Circuit held that the CFAA-based charges had to be dismissed because the coworkers did have authorization to access the confidential information that they accessed—though those employees exceeded their authority in accessing the information for purposes of competing with their employer. The government was still free to pursue the non-CFAA counts of the indictment (which included mail fraud and theft of trade secrets). Id. at 3873.
The court said that the CFAA should be interpreted narrowly and that it criminalizes unauthorized access to computerized information (“hacking,” see http://definitions.uslegal.com/c/computer-hacking/ (last accessed Apr. 13, 2012)), but not unauthorized use when the user legitimately has access (as employees have access to their employer’s information). The Ninth Circuit explained that when Congress enacted the CFAA, it was seeking to criminalize hacking, not all misappropriation of computerized information.
Although not raised by the facts of the case, the court was also worried about unintentional violations of website policies, since these policies are frequently both surprisingly stringent and largely unread. The court explained, for example, that “[u]nder the government’s proposed [broad] interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself [on a dating website] as ‘tall, dark and handsome,’ when you’re actually short and homely, will earn you a handsome orange jumpsuit.” Id. at 3869. Instead, the court went with the narrower, “computer hacking” reading.
Chief Judge Kozinski’s majority opinion noted that the decision created a split in the circuits, as it was contrary to earlier decisions from the Fifth, Seventh and Eleventh Circuits. Id. at 3870-71. This increases the likelihood that the United States Supreme Court will take up the issue of the proper interpretation of the CFAA.