Computer Fraud and Abuse Act | Did the Ninth Circuit Blow It?

by Downs Rachlin Martin PLLC

[author: Walter Judge]

Access Denied, Computer Fraud and Abuse ActDid the Ninth Circuit “blow it” when it snubbed other courts and held that “exceeding authorized access” under the Computer Fraud and Abuse Act (CFAA) means nothing less than “hacking?”

In a recent decision, U.S. v. Nosal, the full Court challenged the prevailing understanding of computer crime law by taking a narrow view of the phrase “exceeds authorized access” – which is defined in the CFAA as accessing a computer that you’re allowed to access but then obtaining or altering particular information in that computer that you’re not allowed to obtain or alter.  With this 9-2 en banc decision, the Court held that Nosal, a former employee of the executive search firm Korn/Ferry, could not be liable under the CFAA for stealing his former employer’s confidential information to start a competing firm.  (The decision does not address other criminal charges against Nosal.)

The CFAA was enacted by Congress in 1984 to address computer misuse.  In a nutshell, under the Act, it is both criminally and civilly illegal to access a computer either:  a) without authorization, or b) with authorization but in a way that “exceeds authorized access.”  The lack of a clear definition regarding what constitutes “exceeding authorized access” has spawned a significant number of court decisions, the vast majority of which involve claims by an employer against an ex-employee who, before quitting or being terminated, accessed the employer’s computer system to obtain information that the employer contends the employee should not have obtained.

The nub of these decisions involves the argument by the employer that the accused, although an employee at the time of access, had no right to access the particular information or no right even to enter that area of the employer’s computer system.  Previously, most courts have sided with the employer, giving a broad interpretation to the phrase “exceeds authorized access” and holding that the employee may have had certain rights to use the employer’s computer system, but didn’t have the right to access the particular information.

For example, employees were found to have “exceeded authorized access” in U.S. v. John, when a bank employee accessed confidential customer information; in U.S. v. Rodriguez, when a government employee used the government’s computers to learn personal information about former or potential girlfriends; in U.S. v. Teague, when an employee of a government contractor accessed a government database to obtain President Obama’s student loan records; and in International Airport Centers, LLC v. Citrin, when an employee downloaded and installed a data-deletion program onto his employer’s laptop after he quit, but before returning the computer.

The Nosal Decision

As I mentioned previously, Nosal left Korn/Ferry, then enlisted employees still working for the company to send him client contact information to use to start a competing business.  The trial court dismissed the CFAA charge, holding that “exceeding authorized access” within the context of the CFAA does not mean merely violating a company’s computer use policies.  The government appealed.  A panel of the Ninth Circuit reversed, finding that the phrase “exceeds authorized access” includes the conduct that Nosal was charged with.  Nosal appealed, and the full Ninth Circuit reversed again, reinstating the trial court’s dismissal and confirming that, in its view, “exceeding authorized access” does not include merely violating computer use restrictions.

The Court explained that, in its view, Congress enacted the CFAA to address hacking activities and, while Nosal did not have Korn/Ferry’s permission to access and obtain its client contact information, he did not hack – i.e., break into – Korn/Ferry’s computers to achieve his nefarious purpose.  The Court hypothesized that, under the broad interpretation of the phrase “exceeds authorized access,” any employee who uses a company’s computer to play online games, shop, watch sports highlights, check Facebook, or watch a YouTube video could be found to have violated the CFAA.

In a dissent, two judges of the Ninth Circuit took the majority to task for trivializing the issue of computer misuse by comparing Nosal’s serious misconduct to an employee playing computer games on the company computer.  The judges complained that the majority parsed the CFAA in a “hyper-complicated” way and ignored the sensible interpretations of the statute reached by a majority of other courts.

In my opinion, the Ninth Circuit blew it.  Its decision in Nosal not only contradicts numerous trial court decisions, but also bucks at least five U.S. Circuit Courts of Appeal – the First, Fifth, Seventh, Eighth, and Eleventh.  The Ninth Circuit’s decision sets the stage for a U.S. Supreme Court decision to resolve a lopsided split among the Circuits that currently runs strongly in favor of the broad reading of the phrase “exceeds authorized access,” or action by Congress to amend CFAA to clarify exactly what that phrase means.

Stay tuned.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Downs Rachlin Martin PLLC | Attorney Advertising

Written by:

Downs Rachlin Martin PLLC

Downs Rachlin Martin PLLC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.