Statutory Interpretation - Computer Fraud and Abuse Act - Ninth Circuit Holds That Employees' Unauthorized Use of Accessible Information Did Not Violate the CFAA

Article excerpt

In 1986, Congress passed the Computer Fraud and Abuse Act (1) (CFAA) to address the growing problem of intentional trespass into others' computer files, (2) known as "hacking." One of the CFAA's provisions, [section] 1030(a)(4), targets individuals who access a computer "without authorization" or "exceed[] authorized access," provided that certain fraud and materiality requirements are met. (3) Another provision of the statute, [section] 1030(a)(2)(C), sweeps far more broadly by omitting the fraud and materiality requirements. (4) Under the CFAA, a person "exceeds authorized access" if she accesses a computer "with authorization" and uses the access "to obtain or alter information in the computer that [she] is not entitled so to obtain or alter." (5) The scope of this definition, and of the CFAA more generally, has been widely debated. (6)

Recently, in United States v. Nosal, (7) the Ninth Circuit, sitting en banc, held that defendant employees did not "exceed[] authorized access" bytransmitting confidential information in violation of company policy. (8) The court interpreted the phrase "exceeds authorized access" to target only restrictions on access to information, not limitations on its use. (9) That is, an employee can exceed her authorized access only if she is either barred from the information altogether or accesses it in an impermissible manner. (10) The majority multiplied two canons of statutory interpretation -- the presumption of consistent usage and the avoidance canon -- to select an interpretation of "exceeds authorized access" that would resolve the concern that [section] 1030(a)(2)(C) may be unconstitutionally vague. Neither canon alone was determinative; the majority's interpretation emerged only when the presumption of consistent usage created an interpretive problem and the avoidance canon re-solved it. Nosal's "multiplying canons" technique is a potentially powerful tool of statutory interpretation, and future scholarship should explore its merits. Yet even if sensible, this technique did not achieve the majority's goal in Nosal: [section] 1030(a)(2)(C) remains vulnerable to constitutional attack.

From approximately April 1996 to October 2004, David Nosal worked at Korn/Ferry International (KFI), an executive search firm. (11) Shortly after leaving the firm to start a competing business, Nosal convinced his former coworkers to use their account credentials to download information from a confidential database on KFI's computer system and transfer that information to Nosal. (12) The coworkers had authorization to access the database, but KFI's policy forbade disclosure of confidential information. (13) The government charged Nosal with, inter alia, violations of [section] 1030(a)(4) for aiding and abetting his former coworkers in "exceeding [their] authorized access" with intent to defraud. (14) Nosal filed a motion to dismiss the indictment, arguing that the CFAA targeted hacking, not misuse of information obtained with permission. (15)

The district court initially denied Nosal's motion, holding that accessing a computer "knowingly and with the intent to defraud ... renders the access unauthorized or in excess of authorization." (16) The court determined that the CFAA was unambiguous and refused to apply the rule of lenity. (17) However, the court reconsidered Nosal's motion in light of the Ninth Circuit's intervening decision in LVRC Holdings LLC v. Brekka, (18) in which the Ninth Circuit narrowly interpreted the phrases "without authorization" and "exceeds authorized access." On reconsideration, the court held that an employee "exceeds authorized access" only if she does not have permission to access the information for any reason. (19) The court dismissed five CFAA counts against Nosal, (20) and the government appealed. (21)

The Ninth Circuit initially reversed and remanded. (22) The court held that an employee "exceeds authorized access" when she "violates the employer's computer access restrictions -- including use restrictions. …