Ninth Circuit: Employees do not Violate the CFFA when Violating Computer use Restrictions

The Ninth Circuit Court of Appeals recently issued an opinion concerning employee violations of the Computer Fraud and Abuse Act.

In United States v. Nosal, No. 10-10038 (9th Cir. April 10, 2012), a majority of the eleven Court of Appeals judges who reviewed the case endorsed a singular interpretation of the Computer Fraud and Abuse Act. 18 U.S.C. 1030. ("CFAA").

The defendant-appellee, Nosal, was charged with twenty counts of criminal law violations, including several counts accusing him of violating the CFAA, among other laws. The facts which led to his multiple indictments are somewhat unremarkable within the context of CFAA litigation. After departing from his former employer, Nosal cajoled some of his former colleagues to use their log-in codes at work to procure and download contact database information and then transfer it to him. While the cooperating employees had authority to access the database in question, their employer had a policy that directly forbade the disclosure of confidential information. In addition, the employees who conveyed the digital data in question to Nosal also saw an opening screen which stated, "[T]his product is intended to be used by [Employer's] employees for work on [Employer's] business only." The Ninth Circuit did not criticize the wording of the employer's computer use policies. Rather, it disagreed with other courts who have read violations of computer use restrictions as constituting CFAA violations. For example, the Nosal dissent cites two directly contrary opinions from the Fifth and 11th Circuits, along with an opinion from the Third Circuit that applies the same reasoning (See, e.g. U.S. v. John, 597 F.3d 263, 271-73 (5th Cir. 2010); U.S. v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); U.S. v. Teague, 646 F.3d 1119, 1121-22 (8th Cir. 2011).) This logjam at the Court of Appeals suggests that action may be taken by Congress, even if the Supreme Court does not exercise or receive the opportunity to review the decision in Nosal.

So what did Nosal do to currently prevail? He moved to dismiss the CFAA counts on the grounds that the statute is aimed at hackers, and does not cover persons who, with authorization, access a computer, and then misuse data they procure through such access. While Nosal first lost on his motion, he then moved the District Court to reconsider based on LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). The significance of the Brekka opinion is that the Ninth Circuit therein held that it would interpret the CFAA under the plain meaning rule, which allows for the Court to refer to dictionary definitions when determining whether an employer has granted an employee "authorization" to use its computers, including its networks.  As a result, in Brekka, the Ninth Circuit stressed that a substantial distinction exists between an employee who exceeded his authorized access from an employee who lacked any rights or authorization to access an employer's computers or networks. The Ninth Circuit signaled in Brekka that the status of the CFAA as a criminal law means that the CFAA cannot be interpreted in surprising ways, and that any ambiguities had to be construed against the government. In Santos, within the context of criminal law, the Supreme Court explained that the rule of lenity applies to resolve and interpret any ambiguous terms in a criminal statute so as to give the defendant the benefit of the doubt.

So how does all this roll back to the Ninth Circuit's action in Nosal? Previously, in the same case involving Nosal, a three-judge panel of the Ninth Circuit held that "under the CFAA, an employee accesses a computer in excess of his or her authorization when that access violates the employer's access restrictions, which may include restrictions on the employee's use of the computer or of the information contained in that computer." The three-judge panel of the Ninth Circuit had reinstated the CFAA counts of the indictment against Nosal.

Now the en banc panel of the Ninth Circuit has disagreed and affirmed the dismissal of the CFAA counts against Nosal. "Instead, we hold that the phrase 'exceeds authorized access' in the CFAA does not extend to violations of use restrictions." Therefore, as of today in the Ninth Circuit, the government cannot prosecute a current or former employee for violating workplace computer use restrictions, and an employer cannot use such a prosecution in pursuit of its own civil law remedies. Still, in light of the variance the Ninth Circuit has now demonstrated when compared with other Circuits of the U.S. Court of Appeals, no employer should expect that the latest round in Nosal is governing law outside of the geographic scope for the Ninth Circuit, until another Circuit, the Supreme Court, or Congress agrees with the opinion and holding.