United States v. Nosal
676 F.3d 854
9th Cir.2012Background
- Nosal, former Korn/Ferry employee, helped co-conspirators access a confidential database to aid a competing business.
- The employees were authorized to access the database but Korn/Ferry prohibited disclosing confidential information.
- Nosal was indicted on CFAA counts (a4) alleging access with intent to defraud and to exceed authorized access.
- The district court dismissed counts 2 and 4–7 after Brekka narrowed the CFAA's interpretation; the government appealed.
- The Ninth Circuit adopts a narrow reading of 'exceeds authorized access,' limiting it to access restrictions, not use restrictions; the court affirms dismissal of the cited counts while allowing other charges to proceed.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Is 'exceeds authorized access' under CFAA limited to access restrictions? | Nosal argues for a narrow reading. | Government advocates a broad interpretation. | Yes; the phrase is narrowly construed to cover only access restrictions. |
| Must the CFAA be read consistently across subsections? | Nosal supports uniform meaning across §1030 parts. | Government urges different readings for different subsections. | The term 'exceeds authorized access' has the same meaning throughout §1030. |
| Would broad interpretation criminalize ordinary private-use policy violations? | Nosal warns of widespread criminalization of ordinary conduct. | Government contends broad use restrictions can yield crimes. | Broad interpretation would unduly criminalize ordinary computer use. |
| Do private-use policies drive criminal liability under CFAA? | Nosal contends such policies should not create CFAA crimes. | Government argues policy violations could trigger liability. | Narrow interpretation avoids turning private policies into federal crimes. |
Key Cases Cited
- Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) (supports narrow CFAA reading focused on access, not misuse)
- LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (defines 'exceeds authorized access' as accessing information not entitled to obtain)
- Orbit One Commc'ns, Inc. v. Numerex Corp., 692 F. Supp. 2d 373 (S.D.N.Y. 2010) (cites narrow CFAA interpretation)
- Diamond Power Int'l, Inc. v. Davidson, 540 F. Supp. 2d 1322 (N.D. Ga. 2007) (limits CFAA to access, not misuse)
- Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D. Md. 2005) (rejects broad misappropriation reading)
- United States v. Santos, 553 U.S. 507 (2008) (principle of narrowly construe ambiguous criminal statutes)
- United States v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (relevant to 'exceeds authorized access' interpretation)