Citation
United States v. Nosal, 642 F.3d 781 (9th Cir. 2011) (full-text).
Factual Background
Defendant Nosal worked as an executive for Korn/Ferry, an executive search firm, for approximately eight years. When Nosal left in 2004, he signed a Separation and General Release Agreement and Independent Contractor Agreement, wherein he agreed to serve as an independent contractor to Korn/Ferry and not to compete with Korn/Ferry for one year. In exchange, Korn/Ferry agreed to pay Nosal two lump-sum payments in addition to twelve monthly payments of $25,000.
Shortly after leaving his employment, Nosal engaged three current Korn/Ferry employees to help him start a competing business. The indictment alleges that these employees obtained trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names, and contact information from the “Searcher” database, a "highly confidential and proprietary database of executives and companies."
Trial Court Proceedings
The district court, relying on LVRC Holdings LLC v. Brekka,[1] dismissed several counts of the indictment, including, inter alia, numerous violations of the Computer Fraud and Abuse Act (CFAA).
Appellate Court Proceedings
The Ninth Circuit Court of Appeals reversed the district court’s dismissal, and held that "an employee 'exceeds authorized access' under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions."
The CFAA prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data. The CFAA is generally used to target computer hackers and other third-party criminals who attempt to target sensitive information to which they have no right of access. The CFAA has been increasingly invoked against individuals with some right of access, such as employees, who exceed the authority granted to them by their employers. There have also been attempts to expand the coverage of the CFAA to ordinary violations of an online service provider’s terms of use.
While the CFAA does not define the phrase “without authorization,” it does state that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[2] In determining the plain meaning of this portion of the statute, the court determined that someone has exceeded authorized access when they overstep limitations imposed on their access, such as by computer-use or other employment policies.
In Brekka, the court held that it is the employer’s actions that determine whether an employee acts without authorization to access a computer in violation of §1030. Specifically, Brekka was an employee who was negotiating the purchase of an interest in his employer’s business. During the course of these negotiations, Brekka emailed several business documents to his and his wife’s personal email accounts. After negotiations broke down, and Brekka left his job, his former employer sued Brekka alleging that the emails Brekka sent to himself constituted a violation of §1030(g), which allows for a private right of action under the CFAA.
To decide Brekka, the Ninth Circuit rejected the Seventh Circuit’s approach to this type of action, namely, that any act by an employee that violates their duty of loyalty to their employer is necessarily an act "without authorization." Instead, the Ninth Circuit held that an employer must notify an employee of its intent to rescind an employee’s, or former employee’s, access to a computer. Because the CFAA provides for criminal penalties, the Brekka court determined that an employee should have such explicit notice before any violations can be said to have occurred.
In Brekka, the employer did not have the employee sign an employment agreement and there were no formal computer use policies in place. In the present case, however, there was a clear computer use policy that placed conspicuous restrictions on an employee’s access both to the system in general and to the specific database in question. All of Korn/Ferry’s employees had signed a written agreement outlining the company’s computer use policy and acknowledging that certain information was considered protected and proprietary. Korn/Ferry also took considerable steps to maintain the confidentiality of its information by issuing unique access accounts and passwords and labeling all sensitive information as confidential or proprietary. Nosal’s accomplices were in violation of specific provisions of the company’s computer use policy and therefore had "fair warning that they were subjecting themselves to criminal liability."
The Court of Appeals reversed the district court’s dismissal of the indictment based on the CFAA and held that Nosal and his accomplices had exceeded their authorized access when they violated Korn/Ferry’s computer use policy. The case was remanded to the district court with instructions to reinstate the dismissed counts of the indictment.
In summary, the CFAA does not criminalize the use of work computers by employees for personal use, or other innocuous uses by employees, whether or not their employer has a computer use policy strictly prohibiting such use. An employee violates the CFAA only where (1) they violate an employer’s restriction on computer access, (2) with an intent to defraud, and (3) by that action “furthers the intended fraud and obtains anything of value.”[3]