United States v. Nosal

10-10038
June 26, 2008
Federal Court
9th Circuit
United States Court of Appeals for the Ninth Circuit

On April 10, 2012, Chief Judge Alex Kozinski, writing for the Ninth Circuit Court of Appeals (en banc), issued a final decision in the case United States v. Nosal, narrowly interpreting the scope of the Computer Fraud and Abuse Act (CFAA). Chief Judge Kozinski’s opinion made clear his unwillingness to expand the reach of the CFAA for fear of criminalizing a wide range of seemingly innocuous behavior that Congress did not intend.

The particular facts of this case are not nearly as significant as the question of law and statutory interpretation presented, but briefly, the United States government brought charges against defendant David Nosal and his alleged accomplices for violations of the CFAA. Nosal was a former employee of executive search firm, Korn/Ferry International, while his suspected co-conspirators were current employees of the firm. The twenty-count superseding indictment alleged that current Korn/Ferry employees transferred confidential and proprietary information to Nosal from a confidential database of executives and companies, which was developed and maintained by Korn/Ferry and considered to be of great value to the company as against competitors.

The legal question presented was whether the employees “exceeded [their] authorized access” to the company computer system, within the meaning of the CFAA, when they transmitted confidential Korn/Ferry information to Nosal in violation of their employer’s computer use restrictions. The district court denied Nosal’s motion to dismiss the indictment at first, but later dismissed most of the counts against him after granting his motion to reconsider in light of the holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). However, a 2-1 panel decision of the Court of Appeals for the Ninth Circuit reversed the district court and reinstated counts of the indictment. The majority found factual distinctions from the present case to Brekka and held that “under the CFAA, an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions.” 642 F.3d at 789.

On October 27, 2011, the Ninth Circuit Court of Appeals granted Nosal’s petition for rehearing en banc, clarifying that the previous three-judge panel decision would hold no precedential value. Oral arguments were heard on December 15, 2011, and despite the circuit split now created over the scope of the CFAA, the en banc court affirmed the district court’s dismissal of several counts of the indictment. The April 10, 2012 decision held that “exceeds authorized access” in the CFAA pertains to violations of restrictions on access to information, and not restrictions on its use.

United States
David Nosal
Other federal statute

Filings from this case

Case Report

Case Report: United States v. Nosal

On October 27, 2011, the United States Court of Appeals for the Ninth Circuit granted a rehearing en banc of the appellate decision in United States v. Nosal, 642 F.3d 781 (9th Cir. 2011), and on April 10, 2012, a decision was rendered in favor of Nosal.

This case centered on the scope of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq, specifically the construction of the statutory phrase “exceeds authorized access.” Although primarily a criminal anti-hacking statute, the CFAA also created a private right of action under § 1030(g). Nosal concerned a prosecution under § 1030(a)(4), however considering the implications for the civil as well as criminal contexts, the legal discussion necessarily looked beyond the specific facts of the case at hand.

Factual Background – Indictment Allegations Against Nosal

Defendant David Nosal was employed by executive search firm Korn/Ferry International from approximately April 1996 until October 2004. Upon his departure, Nosal agreed to work as an independent contractor for Korn/Ferry, and as a condition of his employment, executed a one-year non-compete agreement. Notwithstanding this contract, Nosal started a rival business shortly thereafter and solicited current Korn/Ferry employees to aid him in his competitive business efforts.

In June 2008 the government filed a twenty-count superseding indictment against Nosal, charging in part that Nosal, as an aider and abettor, violated § 1030(a)(4). That section provides that anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value” is subject to criminal punishment as outlined in subsection (c). The allegations against Nosal stemmed from confidential information Korn/Ferry employees transmitted to him, which they had gathered from an exclusive computer database developed and maintained by their employer. Specifically, the indictment alleged that for the purpose of defrauding Korn/Ferry and assisting Nosal to develop a competing business, his co-conspirators exceeded their authorized access to Korn/Ferry’s database when they transferred confidential and proprietary information to Nosal, including source lists, names, and contact information.

District Court Reconsideration and Dismissal

Nosal moved to dismiss the indictment, arguing that the CFAA was not intended to prosecute employees who misappropriate information or violate contractual obligations, but rather was targeted at computer hackers. Nosal further asserted that the Korn/Ferry employees had permission to access the company computer and the information therein and thus could not have acted “without authorization” nor could they have “exceeded authorized access.” Nosal, 642 F.3d at 783.

In deciding Nosal’s motion, the district court identified two divergent lines of case law that had emerged on the subject. Id. at 784. An approach taken by some courts broadly construed the CFAA to encompass employees who “acted with adverse or nefarious interests,” such that their once “authorized” access was rendered ineffectual by their disloyal actions. Id. (internal citation omitted). Other courts have constrained the inquiry to whether access was authorized in the first place, and thus restricted the applicability of the CFAA to “outsiders” such as computer hackers and electronic trespassers. Id. The first, fifth, seventh and eleventh circuits have addressed the question of authorization under the CFAA and have all reached different conclusions over what the source of authorization should be, yet all still err on the side of broad construction.

Initially, the district court took the inclusive approach, reasoning that the Korn/Ferry employees’ fraudulent intent rendered their access unauthorized. Soon after denying Nosal’s motion, however, the Ninth Circuit Court of Appeals decided a case that contemplated the statutory significance of the phrase “without authorization.” In light of the holding in that case, LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the district court granted Nosal’s motion to reconsider and, citing Brekka, later dismissed multiple counts of the indictment against him. The district court retreated from its earlier stance on the importance of “intent” to the CFAA; upon reconsideration, the court deemed intent irrelevant for determining whether someone “exceeds authorized access.” 642 F.3d at 784-85.

The United States Appeals to the Ninth Circuit Court of Appeals

The first issue the Court of Appeals tackled in its de novo review was a matter of statutory interpretation. Starting with the plain language of § 1030, the court identified that subsection (e) defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Nosal, 642 F.3d at 785 (quoting 18 U.S.C. § 1030(e)(6)) (emphasis in opinion). The government asserted that Nosal’s interpretation of the statute was illogical since it would have effectively “render[ed] superfluous the word ‘so’ in the statutory definition.” 642 F.3d at 785. The court agreed that it was unwilling to disregard Congressional action by not giving effect to the “full” definition. Id. at 786. Therefore, the focus of the statute is on the specific access limitations and whether a person is authorized to access certain information will depend on the specific manner in which they do so.

The government also argued on appeal that Brekka actually counseled in its favor. The court agreed that, contrary to the position taken by the lower court, Brekka was not dispositive of the issue in Nosal, and if anything, supported the government’s contentions. The court framed its ultimate decision as “simply an application of Brekka’s reasoning”: “[W]e held that ‘an employer gives an employee authorization to access a company computer when the employer gives the employee permission to use it.’ Therefore, the only logical interpretation of ‘exceeds authorized access’ is that the employer has placed limitations.” 642 F.3d at 787. (internal citation omitted) (emphasis in original). The factual distinctions between the present case and Brekka—namely, in the latter case the employee had unrestricted access to the company computer and was also not constrained by any written employment agreements or employer policies that would have prohibited his actions—provided sufficient ground to hold Nosal accountable where Brekka was not.

Rehearing En Banc

With the support of amicus briefs from interested organizations such as the Electronic Frontier Foundation, Nosal petitioned the circuit for rehearing en banc. Nosal’s petition argued that the majority’s definition of “exceeds authorized access” misconstrued the statutory definition by importing elements of misappropriation theory. Nosal further advocated for restricting the scope of § 1030 to its original anti-hacker focus.

Even prior to the decision to grant rehearing, this case had already garnered atypical amounts of attention from the legal community, academic commenters, and had even spurred Congressional action to redefine provisions in the Act. However the court interpreted “exceeds authorized access” in (a)(4) would necessarily apply to the rest of the statute, including those provisions lacking a specific intent requirement. Thus, circuits embracing the broad construction advocated by the government would risk criminalizing millions of Americans’ online activities for mere violations of a website’s Terms of Service.

The importance of this case did not escape the circuit’s attention—en banc review was granted on October 27, 2011. Chief Judge Alex Kozinski’s order clarified that the previous three-judge panel opinion would not hold precedential value for any court in the circuit and should not be cited. Oral arguments commenced December 15, 2011, and a final decision was rendered April 10, 2012. Chief Judge Kozinski affirmed the district court’s dismissal of criminal counts against Nosal, expressing disbelief that Congress would have intended to criminalize such innocuous behavior as violating a site’s Terms of Service. His narrower interpretation restricts “exceeds authorized access” to restrictions on access of information to which one is not entitled, instead of blanket restrictions on use.

This Ninth Circuit decision creates a pretty clear division among the circuits over the interpretation of the CFAA, and thus it would not be surprising to see this case go all the way up to the Supreme Court of the United States.