The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, has been characterized as a federal trade secrets statute. While the characterization is far from rigorous, it is true that the CFAA provides for civil remedies and criminal penalties in some instances where a “protected computer” is accessed “without authorization or exceeding authorized access.” The boundaries of “without authorization or exceeding authorized access” have been the subject of much litigation.
In April 2011, a panel of the Ninth Circuit in United States v. Nosal addressed whether the defendant, David Nosal, and his accomplices could be prosecuted for “exceed[ing] authorized access” of his company’s computers. Nosal, who recently had left the executive search firm of Korn/Ferry International (“KFI”), allegedly aided and abetted the activities of three remaining KFI employees, who allegedly had used their company computer user accounts to transfer to Nosal source lists, names, and and contact information from the company’s database of executive candidates. The Ninth Circuit held the prosecution could proceed, rejecting Nosal’s argument that the employees could not have acted without authorization, or exceeded authorized access, because they had permission from KFI to access the computers and information therein under certain (albeit different) circumstances.
Nosal provoked a dissent, and an outcry, that under its reasoning, garden variety violators of employer computer use policies may now be subjected to criminal prosecution under a separate, more general CFAA provision barring “exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer if the conduct involved an interstate communication . . . .”
On October 27, 2011, the Ninth Circuit ordered rehearing en banc of the panel decision in Nosal, and further ordered that the panel decision not be cited as precedent or to any Ninth Circuit court.
There is at least a reasonable argument that the panel properly construed the CFAA provisions at issue. It will be interesting to see how the Ninth Circuit ultimately decides the appeal, especially as compared to its arguably more restrictive reading of the CFAA in LVRC Holdings v. Brekka (2009). After all, where the boundaries of “without authorization or exceeding authorized access” lie may make a big difference in whether a company that has been victimized by improper access or misuse of its computers can seek redress under the CFAA’s civil liability provisions.