In United States v. Nosal, the Ninth Circuit Court of Appeals was asked to determine the boundaries of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. It ultimately concluded that violations of an employer’s computer use policy did not amount to “exceeding authorized access” under the CFAA
The Facts of the Case
After leaving his job at an executive search firm, David Nosal convinced some of his former colleagues to help him start a competing business. The employees used their login credentials to download source lists, names, and contact information from a confidential company database, and then transferred that information to Nosal. The employees were authorized to access the database, but the company had a policy that forbade disclosing confidential information.
The government indicted Nosal on a number of charges, including violations of the CFAA. The government contended that Nosal had aided and abetted the employees in “exceed[ing their] authorized access” with intent to defraud. The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access.
The Court’s Decision
The Ninth Circuit agreed with Nosal that CFAA was intended to fight hacking rather than to “criminalize any unauthorized use of information obtained from a computer.” In so ruling, the court rejected the government’s broad interpretation of “exceeds authorized access.”
The government had argued that the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.
The court concluded that Congress did not intend for such a broad interpretation of the CFAA. It noted, “The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”
However, the Ninth Circuit may not have the final word on this issue. The government is still deciding whether to file a writ of certiorari with the U.S. Supreme Court.