United States V. Nosal

''United States v. Nosal'', 676 F.3d 854 (9th Cir. 2012) was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling (''Nosal I'') established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies, provided they are authorized to access the computer and do not circumvent any protection mechanisms. On April 24, 2013, U.S. Attorney Melinda Haag announced that Nosal was convicted by a federal jury of all charges contained in a six-count indictment. Nosal appealed his conviction to the Ninth Circuit. On July 5, 2016, a three-judge panel held 2-1 that Nosal had acted "without authorization" and affirmed his conviction. In this second decision (''Nosal II''), the Ninth Circuit attempted to clarify the meaning of "without authorization" in the context of the CFAA.


Background

In October 2004, David Nosal resigned from his position at Korn/Ferry, an executive search and recruiting company. As part of his separation agreement, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with them for one year; in exchange, Korn/Ferry agreed to compensate Nosal with two lump-sum payments and twelve monthly payments of $25,000. A few months after leaving Korn/Ferry, Nosal solicited three Korn/Ferry employees to help him start a competing executive search business. Before leaving the company, the employees downloaded a large volume of "highly confidential and proprietary" data from Korn/Ferry's computers, including source lists, names, and contact information for executives. On June 26, 2008, Nosal and the three employees were indicted by the federal government on twenty counts of violations of the Computer Fraud and Abuse Act. The government alleged that the defendants "knowingly and with intent to defraud" exceeded authorized access to Korn/Ferry's computers. Nosal appealed the indictment, claiming that the CFAA was "aimed primarily at computer hackers" and that it "does not cover employees who misappropriate information or who violate contractual confidentiality agreements". Nosal further argued that the employees were, in principle, permitted to access the information in their role as Korn/Ferry employees, and thus they did not "act without authorization" or "exceed authorized access" as written in Section (a)(4) of the CFAA. After initially rejecting these arguments, the district court eventually agreed with Nosal and dismissed the five counts of the indictment arising from Section (a)(4). The government appealed this decision, arguing that Nosal and his accomplices did indeed exceed authorized access because they violated the company's computer access policies, which restricted the "use and disclosure of all [d]atabase information, except for legitimate Korn/Ferry business".


Court case

The case was based heavily on the Ninth Circuit's interpretation of language in the CFAA statute, especially Section (a)(4), under which the more serious charges against the defendants stemmed. Section (a)(4) of the CFAA makes liable anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." Neither party disputed that Nosal's accomplices were authorized to access Korn/Ferry computers, so the case hinged on whether or not they ''exceeded'' their authorized access when they downloaded the information for fraudulent purposes. The Ninth Circuit Court relied on their earlier decision in ''LVRC Holdings v. Brekka'', which centered on an employee who transferred business documents from his employer's computer to his personal email account and was later sued by the employer under a civil provision in the CFAA. In their ruling for that case, the court emphasized a distinction between the phrases "without authorization" and "exceeding authorized access" from CFAA Section (a)(4), and in so doing, provided an interpretation of the statutory language. They wrote, "an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question." The court adopted this interpretation and expanded its scope, ruling that an employee "exceeds authorized access" under the CFAA when they use a computer in a way that violates an employer's access restrictions, including policies governing how information on the computer may be ''used''.
Regarding the question of how to determine when a violation occurs, the court rejected the approach used in ''International Airport Centers v. Citrin'', which asserted that an employee loses authorization when he or she "violates a state law duty of loyalty because...the employee's actions [t]erminate the employer-employee relationship 'and with it his [o]r her authority to access the [c]omputer'". Instead, the court cited their finding from ''Brekka'' that for purposes of the CFAA, it is the action of the ''employer'' that determines whether an employee is authorized to access the computer. They decided that, as a logical extension of this finding, the question of whether an employee "exceeds authorized access" is likewise determined by the ''employer's'' actions, including (but not limited to) the promulgation of computer use restrictions. Since Korn/Ferry indeed had such computer use restrictions, which the defendants violated when they accessed the executive database for fraudulent purposes, the Ninth Circuit court reversed the district court's decision and remanded the case to the district court to reinstate the five counts under Section (a)(4).


Dissent

Judge Campbell dissented, arguing that the court's decision renders the CFAA's provisions unconstitutionally vague, since computer use policies are not written "with the definiteness or precision that would be required for a criminal statute" and they can be changed without notice. The ruling, she argued, places an undue burden on employees to stay current on such policies in order to protect themselves against possible criminal prosecution.


Impact and criticism

Nosal argued that the ruling would make criminals out of millions of employees who use their work computer to do trivial tasks such as checking basketball scores on the internet or reading personal email—behaviors that (technically) violate typical computer use policies. Many online law pundits expressed similar concerns, fearing that one could be prosecuted under federal law for violating a website's terms of service—for example, lying about one's age on Facebook. The court defended its ruling, noting that such benign behaviors lack the requisite conditions of "intent to defraud" and "furthering fraud by obtaining something of value" as required for prosecution under CFAA Section (a)(4). However, other provisions in the CFAA do not include such requirements, so the current ruling may still admit prosecution of trivial behaviors that had previously been considered out of the scope of the CFAA.


Follow up

On October 27, 2011, the Ninth Circuit agreed to rehear the case ''en banc''. The new case was presented in front of the entire Ninth Circuit panel on December 15, 2011, in San Francisco. The result of the hearing was published April 10, 2012, and states that the court chose a narrow interpretation of the CFAA, holding that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions.


See also


The Truth Behind the Nosal Case
* ''LVRC Holdings LLC v. Brekka''
* ''International Airport Centers, L.L.C. v. Citrin''
* ''Lee v. PMSI, Inc.''
* ''EF Cultural Travel B.V. v. Zefer Corp.'', 318 F.3d 58, 63 (1st Cir. 2003)
* ''United States v. Fiander'', 547 F.3d 1036, 1041 n.3 (9th Cir. 2008)
* ''United States v. Boren'', 278 F.3d 911, 913 (9th Cir. 2002)



External references

Parties
David Nosal at Nosal Partners

Korn/Ferry International
Articles
List of documents related to CFAA

Electronic Frontier Foundation web page about the case

Shawn E. Tuma: "What does the CFAA mean and why should I care?" - A Primer on the Computer Fraud and Abuse Act for Civil Litigator


''En banc'' hearing
Nick Akerman's article of the ''en banc'' hearing on December 15th (http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit)
Video recording of United States v Nosal ''en banc'' hearing.

Orin Kerr discussing the ''en banc'' hearing; follow-up article by Kerr

Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense
2013

Man Convicted of Hacking Despite Not Hacking (https://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despite-no-hacking/)