U.S. v. Nosal

• Decision Date: 28 April 2011
• Docket Number: No. 10–10038.,10–10038.
• Citation: 642 F.3d 781,32 IER Cases 271
• Parties: UNITED STATES of America, Plaintiff–Appellant,v.David NOSAL, Defendant–Appellee.
• Court: U.S. Court of Appeals — Ninth Circuit

642 F.3d 781

32 IER Cases 271

11 Cal. Daily Op. Serv. 4949

UNITED STATES of America, Plaintiff–Appellant,

v.David NOSAL, Defendant–Appellee.

No. 10–10038.

United States Court of Appeals, Ninth Circuit.

Argued and Submitted Feb. 14, 2011.Filed April 28, 2011.

Jenny C. Ellickson, Jaikumar Ramaswamy, Lanny A. Breuer, Scott N. Schools, and Kyle F. Waldinger, United States Department of Justice, Washington, D.C., for the plaintiff-appellant.Dennis P. Riordan, Riordan & Horgan, San Francisco, CA, for the defendant-appellee.Appeal from the United States District Court for the Northern District of California, Marilyn H. Patel, Senior District Judge, Presiding. D.C. No. 3:08–cr–00237–MHP–1.Before: DIARMUID F. O'SCANNLAIN and STEPHEN S. TROTT, Circuit Judges, and TENA CAMPBELL, District Judge.^*

OPINIONTROTT, Circuit Judge:

The United States appeals from the district court's dismissal of several counts of an indictment charging David Nosal with, inter alia, numerous violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. ¹ Subsection (a)(4), the subsection under which Nosal was charged, subjects to punishment anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” Id. § 1030(a)(4). The indictment alleges that Nosal's co-conspirators exceeded their authorized access to their employer's computer system in violation of § 1030(a)(4) by obtaining information from the computer system for the purpose of defrauding their employer and helping Nosal set up a competing business.

The district court relied on our decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009), in determining that an employee does not exceed authorized access to a computer by accessing information unless the employee has no authority to access the information under any circumstances—in other words, an employer's restrictions on the use of the computer or of the information stored on that computer are irrelevant to determining whether an employee has exceeded his or her authorization. The government contends, on the other hand, that Brekka counsels in favor of its interpretation of the statute—that an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer's restrictions on the use of the information.

We have jurisdiction under 18 U.S.C. § 3731, and we agree with the government. Although we are mindful of the concerns raised by defense counsel regarding the criminalization of violations of an employer's computer use policy, we are persuaded that the specific intent and causation requirements of § 1030(a)(4) sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of a company computer for personal—but innocuous—reasons. We therefore reverse and remand to the district court with instructions to reinstate Counts 2, 4, 5, 6, and 7.

IBackground

For purposes of our review, the indictment's allegations must be taken as true. United States v. Fiander, 547 F.3d 1036, 1041 n. 3 (9th Cir.2008).

AThe Allegations Against Nosal

From approximately April 1996 to October 2004, Nosal worked as an executive for Korn/Ferry International (“Korn/Ferry”), an executive search firm. When Nosal left Korn/Ferry in October 2004, he signed a Separation and General Release Agreement and an Independent Contractor Agreement. Pursuant to these contracts, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with Korn/Ferry for one year. In return, Korn/Ferry agreed to pay Nosal two lump-sum payments in addition to twelve monthly payments of $25,000.

Shortly after leaving his employment, Nosal engaged three Korn/Ferry employees to help him start a competing business. The indictment alleges that these employees obtained trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names, and contact information from the “Searcher” database—a “highly confidential and proprietary database of executives and companies”—which was considered by Korn/Ferry “to be one of the most comprehensive databases of executive candidates in the world.”

Paragraphs 9–11 of the indictment describe Korn/Ferry's efforts to keep its database secure:

9. Korn/Ferry undertook considerable measures to maintain the confidentiality of the information contained in the Searcher database. These measures included controlling electronic access to the Searcher database and controlling physical access to the computer servers that contained the database. Korn/Ferry employees received unique usernames and created passwords for use on the company's computer systems, including for use in accessing the Searcher database. These usernames and passwords were intended to be used by the Korn/Ferry employee only.

10. Korn/Ferry required all of its employees ... to enter into agreements that both explained the proprietary nature of the information disclosed or made available to Korn/Ferry employees (including the information contained in the Searcher database) and restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business....

11. Among other additional measures, Korn/Ferry also declared the confidentiality of the information in the Searcher database by placing the phrase “Korn/Ferry Proprietary and Confidential” on every Custom Report generated from the Searcher database. Further, when an individual logged into the Korn/Ferry computer system, that computer system displayed the following notification, in sum and substance:

This computer system and information it stores and processes are the property of Korn/Ferry. You need specific authority to access any Korn/Ferry system or information and to do so without the relevant authority can lead to disciplinary action or criminal prosecution....

(emphasis added) (third alteration in original).

BDistrict Court Proceedings

On June 26, 2008, the government filed a twenty-count superseding indictment against Nosal and one of his accomplices. Counts 2 through 9 of the indictment allege that the Korn/Ferry employees who conspired with Nosal—and Nosal himself as an aider and abettor—violated § 1030(a)(4).

Nosal filed a motion to dismiss the indictment. He argued “that the CFAA was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements.” In other words, the Korn/Ferry employees could not have acted “without authorization,” nor could they have “exceed[ed] authorized access,” because they had permission to access the computer and its information under certain circumstances.

Recognizing that the question was one of first impression in the Ninth Circuit, the district court described the “two lines of diverging case law on this issue”:

Some courts, including two courts of appeal, have broadly construed the CFAA to hold an employee acting to access an employer's computer to obtain business information with intent to defraud, i.e., for their own personal benefit or the benefit of a competitor, act “without authorization” or “exceed authorization” in violation of the statute. These courts have generally held that authorized access to a company computer terminated once an employee acted with adverse or nefarious interests and against the duty of loyalty imposed on an employee in an agency relationship with his or her employer or former employer.

Other courts have refused to hold employees with access and nefarious interests within the statute, concluding that a violation for accessing a protected computer “without authorization” or in “excess of authorized access” occurs only when initial access or the access of certain information is not permitted in the first instance. Those courts have generally reasoned that the CFAA is intended to punish computer hackers, electronic trespassers and other “outsiders” but not employees who abuse computer access privileges to misuse information derived from their employment.

(citations omitted) (emphasis added).

At first, the district court rejected Nosal's argument, holding that a person's accessing a computer “knowingly and with intent to defraud ... renders the access unauthorized or in excess of authorization.” Thus, the court refused to dismiss Counts 2 through 9 of the superseding indictment.²

After the district court denied Nosal's motion to dismiss, however, we decided LVRC Holdings LLC v. Brekka, which considered the construction of the phrase “without authorization.” Nosal then filed a motion to reconsider, arguing that Brekka required dismissal of the CFAA counts. The district court agreed with Nosal as to most of the counts and dismissed Counts 2 and 4–7. In doing so, the court held that the Brekka decision compelled the dismissal and that the phrase “exceeds authorized access” as used in § 1030 means having permission to access a portion of a computer (or certain information on a computer), but accessing a different portion of the computer (or different information on the computer) that the employee is not entitled to access under any circumstances.

The district court stated that intent is irrelevant in determining whether a person exceeds authorized access, even if an employee's access to the computer is expressly limited by the employer's use restrictions. The district court gave as an example the following hypothetical:

[I]f a person is authorized to access the “F” drive on a computer or network but is not authorized to access the “G” drive of that same computer or network, the individual would “exceed authorized access” if...