The Ninth Circuit recently held that the Computer Fraud and Abuse Act (CFAA) is not limited to computer hackers, but also applies to employees who exceed their "authorized access" set forth in their employer's computer usage policy.

The Ninth Circuit's recent ruling in United States v. Nosal gave California employers a boost of confidence in their ability to protect themselves against employee data theft. Nosal was charged with violations of the CFAA after he attempted to start a competing business by taking a highly confidential database owned by his former employer, exceeding the company's computer usage policy to obtain that information. Nosal sought to have the indictment dismissed, arguing that the CFAA only applied to "computer hackers." The Ninth Circuit disagreed and made clear that the CFAA applies to employees who exceed their "authorized access" set forth in their employer's computer usage policy and that they will be liable for any resulting loss. The CFAA is a criminal statute, but also provides for a civil right of action for persons who are the victims of employee data theft. The Act punishes any person who "knowingly and with intent to defraud accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value."