On December 15, 2011, the 9th Circuit Court of Appeals heard argument en banc in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011). As expected, the oral argument focused on the meaning of unauthorized access under the Computer Fraud and Abuse Act. The issue is whether an employee can be prosecuted under the CFAA for accessing his employer’s computer in violation of rules established by the employer restricting access to the company computers. In Nosal, the 9th Circuit had clarified its earlier decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009). A key element to prove either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed[ed] authorized access.”
Brekka had been predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization. David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.” Id. at 782. The indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system.” They then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database—a ‘highly confidential and proprietary database of executives and companies’—which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” Id.
The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed its decision after the Brekka decision. The government appealed, citing Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.” Id. The government argued that, based on these policies, Nosal had exceeded authorized access.
The court agreed, citing the statutory definition of “exceeds authorized access,” which is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court held that the word “so” “refers to an accesser who is not entitled to access information in a certain manner.” Id. at 785. Thus, the court held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions—including use restrictions.” Id. The government stressed this interpretation in its argument to the 9th Circuit.
Nosal distinguished Brekka on the lack of computer policies governing Brekka’s right to access the company computers: “Because LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether—or when—his access would have become unauthorized.” Id at 787. The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” Id at 788. The full 9th Circuit, however, on October 27, 2011, granted en banc re-consideration to its opinion on October 28, 2011.
The primary argument advanced by Nosal’s counsel was that the CFAA only applies to hacking and that access cannot be unauthorized unless the employee circumvents the technology of the computer. In response to questioning by the court, Nosal’s counsel stated that using another’s password would qualify as a circumvention of the computer’s technology. This argument dismisses as irrelevant any written policies or agreements that limit the scope of an employee’s access to the employer’s computers and the First Circuit’s recognition without reference to the computer’s technology that the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003).
In rebuttal the government rightly pointed out that there is nothing in the language of the statute that limits the definition of authorized access to the circumvention of technology. Given the Supreme Court’s recent admonition to the lower courts in Morrison v. National Australia Bank, Ltd. 130 S.Ct. 2869, 2881(2010) not to add requirements to a statute that are not on its face, this should be a losing argument. The Court in Morrison expressly warned against such “judicial-speculation-made-law-divining what Congress would have wanted if it had thought of the situation before the court.” Id.
Based on the questioning by various members of the court, it appears that its decision in Nosal will not be reversed. You can decide for yourself. The full argument from last week can be heard at the following link: http://www.ca9.uscourts.gov/media/view_video_subpage.php?pk_vid=0000006176