Ninth Circuit Gives a Narrow Interpretation of What Constitutes a Violation of the Computer Fraud and Abuse Act


On March 22, 2012, Patton Boggs LLP posted a client alert (available here) on the antihacking Computer Fraud and Abuse Act (CFAA), discussing that different federal courts were split on whether the CFAA imposes liability on employees who have permission to access computerized information but use the permitted access for an improper purpose. One of the cases discussed in that alert was United States v. Nosal, 642 F.3d 781 (9th Cir. 2011), a panel decision holding that employees who properly access information but then use the information contrary to the employer’s policies or against the employer’s interests “exceeds authorized access” and violates the CFAA.

The full Ninth Circuit agreed to rehear the case, and in an April 11 ruling, a majority held that the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use. The majority gave a narrow interpretation to the statutory phrase “exceeds authorized access.” As a result of this decision, someone who is authorized to access only certain data or files but accesses other data or files would violate the CFAA. In his opinion for the Court, Chief Judge Kozinski gave an example of how a violation could occur: “For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would ‘exceed[] authorized access’ if he looks at the customer lists.”

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.