United States v. Nosal
|United States of America v. David Nosal|
|Court||United States Court of Appeals for the Ninth Circuit|
|Full case name||United States of America v. David Nosal|
|Argued||February 14th 2011|
|Decided||April 28th 2011|
|The court held that employees who violate the computer use policies of their employers have not "exceeded their authorization" for the purposes of prosecution under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.|
|Judge(s) sitting||Diarmuid F. O’Scannlain, Stephen S. Trott, and Tena Campbell|
|Majority||Judge O’Scannlain, Judge Trott|
|Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030|
United States v. Nosal is a ruling from the United States Court of Appeals for the Ninth Circuit which holds that employees can not be criminally prosecuted under the Computer Fraud and Abuse Act (CFAA) for violating their employer’s computer use policies. In particular, the ruling establishes that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies— if they are authorized to access the computer and do not circumvent any protection mechanisms.
On April 24, 2013, U.S. Attorney Melinda Haag announced that Nosal was convicted by a federal jury of all charges contained in a six-count indictment. The defense announced that it intended to appeal this decision too, making the Ninth Circuit, address the scope of the CFAA yet again.
In October 2004, David Nosal resigned from his position at Korn/Ferry, an executive search and recruiting company. As part of his separation agreement, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with them for one year; in exchange, Korn/Ferry agreed to compensate Nosal with two lump-sum payments and twelve monthly payments of $25,000. A few months after leaving Korn/Ferry, Nosal solicited three Korn/Ferry employees to help him start a competing executive search business. Before leaving the company, the employees downloaded a large volume of "highly confidential and proprietary" data from Korn/Ferry's computers, including source lists, names, and contact information for executives.
On June 26, 2008, Nosal and the three employees were indicted by the federal government on twenty counts of violations of the Computer Fraud and Abuse Act. The government alleged that the defendants "knowingly and with intent to defraud" exceeded authorized access to Korn/Ferry's computers.
Nosal appealed the indictment, claiming that the CFAA was "aimed primarily at computer hackers" and that it "does not cover employees who misappropriate information or who violate contractual confidentiality agreements". Nosal further argued that the employees were, in principal, permitted to access the information in their role as Korn/Ferry employees, and thus they did not "act without authorization" or "exceed authorized access" as written in Section (a)(4) of the CFAA.
After initially rejecting these arguments, the district court eventually agreed with Nosal and dismissed the five counts of the indictment arising from Section (a)(4). The government appealed this decision, arguing that Nosal and his accomplices did indeed exceed authorized access because they violated the company's computer access policies, which restricted the "use and disclosure of all [database] information, except for legitimate Korn/Ferry business".
The case was based heavily on the Ninth Circuit's interpretation of language in the CFAA statute, especially Section (a)(4), under which the more serious charges against the defendants stemmed.
Section (a)(4) of the CFAA makes liable anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." Neither party disputed that Nosal's accomplices were authorized to access Korn/Ferry computers, so the case hinged on whether or not they exceeded their authorized access when they downloaded the information for fraudulent purposes.
The Ninth Circuit Court relied on their earlier decision in LVRC Holdings v. Brekka, which centered on an employee who transferred business documents from his employer's computer to his personal email account and was later sued by the employer under a civil provision in the CFAA. In their ruling for that case, the court emphasized a distinction between the phrases "without authorization" and "exceeding authorized access" from CFAA Section (a)(4), and in so doing, provided an interpretation of the statutory language. They wrote, "an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question."
The court adopted this interpretation and expanded its scope, ruling that an employee "exceeds authorized access" under the CFAA when they use a computer in way that violates an employer's access restrictions—including policies governing how information on the computer may be used.
Regarding the question of how to determine when a violation occurs, the court rejected the approach used in International Airport Centers v. Citrin, which asserted that an employee loses authorization when he or she "violates a state law duty of loyalty because...the employee's actions [terminate] the employer-employee relationship 'and with it his [or her] authority to access the [computer]'".
Instead, the court cited their finding from Brekka that for purposes of the CFAA, it is the action of the employer that determines whether an employee is authorized to access the computer. They decided that, as a logical extension of this finding, the question of whether an employee "exceeds authorized access" is likewise determined by the employer's actions, including (but not limited to) the promulgation of computer use restrictions. Since Korn/Ferry indeed had such computer use restrictions, which the defendants violated when they accessed the executive database for fraudulent purposes, the Ninth Circuit court reversed the district court's decision and remanded the district court to reinstate the five counts under Section (a)(4).
Judge Campbell dissented, arguing that the court's decision renders the CFAA's provisions unconstitutionally vague, since computer use policies are not written "with the definiteness or precision that would be required for a criminal statute" and they can be changed without notice. The ruling, she argued, places an undue burden on employees to stay current on such policies in order to protect themselves against possible criminal prosecution.
Impact and criticism
Nosal argued that the ruling would make criminals out of millions of employees who use their work computer to do trivial tasks such as checking basketball scores on the internet or reading personal email—behaviors that (technically) violate typical computer use policies. Many online law pundits expressed similar concerns, fearing that one could be prosecuted under federal law for violating a website's terms of service—for example, lying about one's age on Facebook.
The court defended their ruling, noting that such benign behaviors lack the requisite conditions of "intent to defraud" and "furthering fraud by obtaining something of value" as required for prosecution under CFAA Section (a)(4). However, other provisions in the CFAA do not include such requirements, so the current ruling may still admit prosecution of trivial behaviors that had previously been considered out of the scope of the CFAA.
On October 27, 2011, the Ninth Circuit agreed to rehear the case en banc. The new case was presented in front of the entire Ninth Circuit panel on December 15, 2011 in San Francisco. The result of the hearing was published April 10, 2012 and states that the court chose a narrow interpretation of the CFAA, holding that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions.
- LVRC Holdings LLC v. Brekka
- International Airport Centers, L.L.C. v. Citrin
- Lee v. PMSI, Inc.
- EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003)
- United States v. Fiander, 547 F.3d 1036, 1041 n.3 (9th Cir. 2008)
- United States v. Boren, 278 F.3d 911, 913 (9th Cir. 2002)
- United States v. Nosal, United States v. Nosal 642 F.3d 781 (9th Cir. 2011).
- "Executive Recruiter David Nosal Convicted of Computer Intrusion and Trade Secret Charges." (Archive) Federal Bureau of Investigation. Retrieved on June 19, 2013.
- Guilty Verdict In Critical Computer Fraud And Abuse Act Trial
- Akerman, Nick (2011-12-19). "U.S. v. Nosal Re-Argued Before the 9th Circuit". Computer Fraud/Data Protection. Retrieved 2012-03-19.
- The Computer Fraud and Abuse Act 18 U.S.C. § 1030
- LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009).
- International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006).
- Akerman, Nick (2011-12-21). "Can You Go to Jail for Lying on Facebook?". Computer Fraud/Data Protection. Retrieved 2012-03-19.
- Marsh, John (2011-11-23). "Better Read the Fine Print: Are We All at Risk Under the Computer Fraud and Abuse Act?". Hahn Loeser. Retrieved 2012-03-19.
- United States v. Nosal (en banc), 661 F.3d 1180 (9th Cir. 2011).
- United States v. Nosal (en banc) opinion (9th Cir. 2012). Text
- List of documents related to CFAA
- Electronic Frontier Foundation web page about the case
- Shawn E. Tuma: "What does the CFAA mean and why should I care?" - A Primer on the Computer Fraud and Abuse Act for Civil Litigator
- Dale C. Campbell: Seventh and Ninth circuits split on what constitutes without authorization within the meaning of the CFAA
En banc hearing
- Nick Akerman's article of the en banc hearing on December 15th
- Video recording of United States v Nosal en banc hearing.
- Orin Kerr discussing the "en banc" hearing follow-up article by Kerr
- Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense