By Burt Rose
United STATES OF AMERICA, Appellant,v. DAVID NOSAL, Appellee, No. 10-10038, 2012 WL 1176119 (4/10/12)
Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. The question presented in this case was whether an employee who violates such a policy commits a federal crime. According to this court, the answer is no.
David Nosal used to work for Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information. The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(4). The CFAA counts charged Nosal with aiding and abetting the Korn/Ferry employees in “exceeding their authorized access” with intent to defraud.
Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access. The district court granted the defense motion to dismiss these charges and the Government appealed.
18 US Code 1030 states, in relevant part:
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . .shall be punished . . .
18 U.S.C. § 1030(e)(6) defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Nosal was charged with stealing his former employer’s valuable information in order to set up a competing business with the purloined data, knowing such access and use were prohibited by the defendant’s employment contract. The indictment charged that Nosal and his co-conspirators knowingly exceeded the access to a protected company computer they were given by the firm that employed them, that they did so with the intent to defraud and that they stole the victim’s valuable proprietary information by means of that fraudulent conduct in order to profit from using it.
However, the Court en banc per Chief Judge Alex Kozinski held that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. This is a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. Therefore, the Court held that “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use under 18 U.S.C. § 1030(a)(4). Thus the decision of the district court was affirmed.