On April 10, 2012, the Ninth Circuit en banc decision in United States v. Nosal was published,[1] resolving the question of how a person “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA prohibits a person from “exceed[ing] authorized access” and thereby obtaining “information” from a computer “used in or affecting interstate or foreign commerce.”[2] In Nosal, the issue was whether an employee who violated his employer’s “policies prohibiting the use of work computers for nonbusiness purposes” violated the CFAA.[3] In a pithy decision by Chief Judge Alex Kozinski, the Ninth Circuit ruled that the phrase “exceeds authorized access” was not meant to criminalize an employee exceeding his employer’s computer use policies by “g-chatting with friends, playing games, shopping or watching sports highlights” on his work computer, but rather was intended to criminalize “hacking” into an employer’s computer system to access information contained in areas beyond the employee’s access level.[4] 

This ruling signifies a greater split among the circuit courts and significantly limits federal jurisdiction for certain trade secret misappropriation cases involving electronic information in the Ninth Circuit. Because the CFAA includes a civil component allowing federal question jurisdiction over claims involving more than $5000 in damages,[5] many companies have used the CFAA both as a means to establish federal jurisdiction over essentially trade secret claims, but also as another powerful weapon to use against violators. At least in the Ninth Circuit, use of the CFAA in trade secret cases is now vastly diminished.

Background

The facts in Nosal are similar to many trade secret misappropriation cases involving current or former employees. Nosal worked for the international executive search firm Korn/Ferry but decided to leave and start his own competing business. In the process of leaving, Nosal conspired with several fellow employees to download the names and contact information of potential clients and prospects from Korn/Ferry’s confidential database. Nosal and his fellow employees were authorized to access that database, but such access was required to be used only for company business. Such access was not intended for other purposes, including use as source material to start a competing business.[6] The government charged Nosal with 20 counts, including a violation of the CFAA for “exceed[ing] authorized access” of Korn/Ferry’s database with the intent to defraud. The district court dismissed the CFAA count finding that the CFAA was not broad enough to reach such claims over an employee who had been authorized to access that information. A three-judge panel of the Ninth Circuit reversed the district court’s finding, but that ruling was short-lived as the Ninth Circuit granted en banc review. 

The Ninth Circuit’s En Banc Opinion

After hearing oral argument staking out the scope of the “exceeds authorized access” prong of the CFAA, the Ninth Circuit determined that the “CFAA does not extend to violations of use restrictions.” The Court noted that the “general purpose [of the CFAA] is to punish hacking – the circumvention of technological barriers – not misappropriation of trade secrets.”[7] The Court also expressed significant concerns regarding the broad reading of the CFAA advocated by the government, noting that it would create federal criminal liability based not on federal statute, but rather on employer computer use restrictions or even on a website’s Terms of Use statement. For example, the Court was concerned that a violation of the Terms of Use of the online dating service eHarmony, which prohibits the providing of “inaccurate, misleading or false information to eHarmony or any other user,” could result in criminal liability for someone who “describ[ed himself] as ‘tall, dark and handsome,’ when [he was] actually short and homely.”[8] Even though the government confirmed it would not actually prosecute a person for these purported “crimes,” the panel raised concerns that a violation of the CFAA would simply be in the hands of a federal prosecutor.

Practical Implications

The Nosal decision creates a circuit split regarding whether an employee violating her employer’s computer use restrictions is subject to the CFAA. The Fifth, Seventh, and Eleventh Circuits have “interpret[ed] the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.”[9] The Ninth Circuit rejected that view. Depending on the jurisdiction, the CFAA may no longer be an effective tool to prevent the misuse of a company’s electronic trade secrets. 

Additionally, the Nosal decision makes clear that computer use restrictions are necessary but not sufficient to protect confidential, electronic information. In addition to use restrictions, companies should limit access to sensitive information on a need-to-know basis instead of merely limiting the appropriate use of that information. Limiting access to confidential information will not only decrease the possibility of misappropriation, but should also preserve use of the CFAA as a litigation tool even under the narrow view of the “without authorization” prong in the case of an employee who misuses electronic information they were not authorized to access.

---