The Software IP Report

Ninth Circuit Affirms Narrow Construction of “exceeds authorized access” in the CFAA

By Charles Bieneman


The Ninth Circuit has affirmed that the phrase “exceeds authorized access” in the Computer Fraud and Abuse Act (CFAA) should be read to cover only accessing prohibited files, rather than making unauthorized use of files to which one had been permitted access.  United States v. Nosal, No. 10-10038 (9th Cir. Apr. 10, 2012).  In a colorful opinion authored by Chief Judge Alex Kozinski, writing for nine of his colleagues on an eleven-judge panel, the court held “that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.”

The criminal defendant, Nosal, had left the Korn/Ferry recruiting firm, and then had enticed former colleagues still employed by Korn/Ferry to steal confidential information to be used in starting a competing business.  Korn/Ferry had authorized these employees to access the database containing the information, but “had a policy that forbade disclosing confidential information.”  Nosal was indicted on 20 counts, including violations of 18 U.S.C. § 1030(a)(4) of the CFAA “for aiding and abetting the Korn/Ferry employees in ‘exceed[ing their] authorized access’ with intent to defraud.”

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  18 U.S.C. § 1030(e)(6).  With that definition in mind, consider that Subsection 1030(a)(4) of the CFAA makes it a crime to:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

Following LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the trial court had dismissed the CFAA counts against Nosal.  Under the reasoning of Brekka, “exceeds authorized access” could “incorporate corporate policies governing use of information” only if “the word alter is interpreted to mean misappropriate,” which “would defy the plain meaning of the word alter, as well as common sense.”  The Ninth Circuit in Nosal reaffirmed this reading of the statute.

After discussing, and dismissing, several of the government’s proposed statutory constructions, the court addressed the government’s contention that the phrase “exceeds authorized access” could be construed more broadly solely for Subsection 1030(a)(4).  The court did not agree.  The phrase “exceeds authorized access” is used “five times in the first seven subsections of the CFAA.”  Because Congress had “provided a single definition . . . for all iterations of the statutory phrase,” it was impossible to give “a different interpretation to each.”  Moreover, the court noted that “the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent.”  (Emphasis in original.)

Because the definition of “exceeds authorized access” extends across the CFAA, adopting “the government’s proposed interpretation” of the phrase would mean that “millions of unsuspecting individuals would find that they are engaging in criminal conduct.”  Examples of such potentially criminal conduct would include using work computers for personal use or visiting even innocuous entertainment websites from a work computer.  Further, many Web services, such as Google and Facebook, just to name a few identified by Judge Kozinski, have very onerous use policies which users could easily (and probably unknowingly) violate.  Thus, rather than trusting the government to use sound discretion, and to not “prosecute minor violations,” the court narrowly construed the statute.

Further, the court “remain[ed] unpersuaded by the decisions of [its] sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.”  (A prior post on this blog discusses different courts’ approaches to CFAA liability.)  Looking “only at the culpable behavior of the defendants before them,” other circuit courts had “failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘exceeds authorized access.’”  Here, then, is an issue on which a circuit split could not be clearer.

Judge Silverman, joined by Judge Tallman, dissented, arguing that “the majority does a good job of knocking down strawmen,” but avoided punishing someone who stole “an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.”  According to Judge Silverman, “[t]he majority . . . takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress.”  Judge Silverman would have construed “exceeds authorized access” to cover violations of computer-use policies, and thought that “the indictment adequately states the elements of a valid crime.”