United States v. Nosal

United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)[1] was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling (Nosal I) established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.

United States of America v. David Nosal
CourtUnited States Court of Appeals for the Ninth Circuit
Full case name United States of America v. David Nosal
ArguedFebruary 14th 2011
DecidedApril 28th 2011
Holding
The court held that employees who violate the computer use policies of their employers have not "exceeded their authorization" for the purposes of prosecution under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030.
Court membership
Judges sittingDiarmuid F. O'Scannlain, Stephen S. Trott, and Tena Campbell
Case opinions
MajorityJudge O'Scannlain, Judge Trott
DissentJudge Campbell
Laws applied
Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030

On April 24, 2013, U.S. Attorney Melinda Haag announced that Nosal was convicted by a federal jury of all charges contained in a six-count indictment.[2] Nosal appealed his conviction to the Ninth Circuit.[3] On July 5, 2016, a three-judge panel held 2-1 that Nosal had acted "without authorization" and affirmed his conviction. In this second decision (Nosal II), the Ninth Circuit attempted to clarify the meaning of "without authorization" in the context of the CFAA.[4]

Background

edit

In October 2004, David Nosal resigned from his position at Korn/Ferry, an executive search and recruiting company. As part of his separation agreement, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with them for one year; in exchange, Korn/Ferry agreed to compensate Nosal with two lump-sum payments and twelve monthly payments of $25,000.[1] A few months after leaving Korn/Ferry, Nosal solicited three Korn/Ferry employees to help him start a competing executive search business. Before leaving the company, the employees downloaded a large volume of "highly confidential and proprietary" data from Korn/Ferry's computers, including source lists, names, and contact information for executives.[1]

On June 26, 2008, Nosal and the three employees were indicted by the federal government on twenty counts of violations of the Computer Fraud and Abuse Act. The government alleged that the defendants "knowingly and with intent to defraud" exceeded authorized access to Korn/Ferry's computers.

Nosal appealed the indictment, claiming that the CFAA was "aimed primarily at computer hackers" and that it "does not cover employees who misappropriate information or who violate contractual confidentiality agreements".[1] Nosal further argued that the employees were, in principle, permitted to access the information in their role as Korn/Ferry employees, and thus they did not "act without authorization" or "exceed authorized access" as written in Section (a)(4) of the CFAA.[1]

After initially rejecting these arguments, the district court eventually agreed with Nosal and dismissed the five counts of the indictment arising from Section (a)(4).[1] The government appealed this decision, arguing that Nosal and his accomplices did indeed exceed authorized access because they violated the company's computer access policies, which restricted the "use and disclosure of all [database] information, except for legitimate Korn/Ferry business".[5]

Court case

edit

The case was based heavily on the Ninth Circuit's interpretation of language in the CFAA statute, especially Section (a)(4), under which the more serious charges against the defendants stemmed.

Section (a)(4) of the CFAA makes liable anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value."[6] Neither party disputed that Nosal's accomplices were authorized to access Korn/Ferry computers, so the case hinged on whether or not they exceeded their authorized access when they downloaded the information for fraudulent purposes.

The Ninth Circuit Court relied on their earlier decision in LVRC Holdings v. Brekka,[7] which centered on an employee who transferred business documents from his employer's computer to his personal email account and was later sued by the employer under a civil provision in the CFAA. In their ruling for that case, the court emphasized a distinction between the phrases "without authorization" and "exceeding authorized access" from CFAA Section (a)(4), and in so doing, provided an interpretation of the statutory language. They wrote, "an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question."[7]

The court adopted this interpretation and expanded its scope, ruling that an employee "exceeds authorized access" under the CFAA when they use a computer in way that violates an employer's access restrictions—including policies governing how information on the computer may be used.[7]

Regarding the question of how to determine when a violation occurs, the court rejected the approach used in International Airport Centers v. Citrin,[8] which asserted that an employee loses authorization when he or she "violates a state law duty of loyalty because...the employee's actions [terminate] the employer-employee relationship 'and with it his [or her] authority to access the [computer]'".[1]

Instead, the court cited their finding from Brekka that for purposes of the CFAA, it is the action of the employer that determines whether an employee is authorized to access the computer. They decided that, as a logical extension of this finding, the question of whether an employee "exceeds authorized access" is likewise determined by the employer's actions, including (but not limited to) the promulgation of computer use restrictions. Since Korn/Ferry indeed had such computer use restrictions, which the defendants violated when they accessed the executive database for fraudulent purposes, the Ninth Circuit court reversed the district court's decision and remanded the district court to reinstate the five counts under Section (a)(4).

Dissent

edit

Judge Campbell dissented, arguing that the court's decision renders the CFAA's provisions unconstitutionally vague, since computer use policies are not written "with the definiteness or precision that would be required for a criminal statute" and they can be changed without notice. The ruling, she argued, places an undue burden on employees to stay current on such policies in order to protect themselves against possible criminal prosecution.[1]

Impact and criticism

edit

Nosal argued that the ruling would make criminals out of millions of employees who use their work computer to do trivial tasks such as checking basketball scores on the internet or reading personal email—behaviors that (technically) violate typical computer use policies. Many online law pundits expressed similar concerns, fearing that one could be prosecuted under federal law for violating a website's terms of service—for example, lying about one's age on Facebook.[9][10]

The court defended its ruling, noting that such benign behaviors lack the requisite conditions of "intent to defraud" and "furthering fraud by obtaining something of value" as required for prosecution under CFAA Section (a)(4).[1] However, other provisions in the CFAA do not include such requirements, so the current ruling may still admit prosecution of trivial behaviors that had previously been considered out of the scope of the CFAA.

Follow up

edit

On October 27, 2011, the Ninth Circuit agreed to rehear the case en banc. The new case was presented in front of the entire Ninth Circuit panel on December 15, 2011, in San Francisco.[11] The result of the hearing was published April 10, 2012, and states that the court chose a narrow interpretation of the CFAA, holding that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions.[12]

See also

edit

References

edit
  1. ^ a b c d e f g h i United States v. Nosal, United States v. Nosal 642 F.3d 781 (9th Cir. 2011).
  2. ^ "Executive Recruiter David Nosal Convicted of Computer Intrusion and Trade Secret Charges." (Archive) Federal Bureau of Investigation. Retrieved on June 19, 2013.
  3. ^ Guilty Verdict In Critical Computer Fraud And Abuse Act Trial
  4. ^ “United States v. Nosal” (“Nosal II”) Decision ~ Ninth Circuit
  5. ^ Akerman, Nick (December 19, 2011). "U.S. v. Nosal Re-Argued Before the 9th Circuit". Computer Fraud/Data Protection. Retrieved March 19, 2012.
  6. ^ The Computer Fraud and Abuse Act 18 U.S.C. § 1030
  7. ^ a b c LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009).
  8. ^ International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006).[dead link]
  9. ^ Akerman, Nick (December 21, 2011). "Can You Go to Jail for Lying on Facebook?". Computer Fraud/Data Protection. Retrieved March 19, 2012.
  10. ^ Marsh, John (November 23, 2011). "Better Read the Fine Print: Are We All at Risk Under the Computer Fraud and Abuse Act?". Hahn Loeser. Archived from the original on January 25, 2013. Retrieved March 19, 2012.
  11. ^ United States v. Nosal (en banc), 661 F.3d 1180 (9th Cir. 2011).
  12. ^ United States v. Nosal (en banc) opinion (9th Cir. 2012), Text.

External references

edit

Parties

Articles

En banc hearing

2013