United States v. Nosal, 642 F.3d 781

Nosal was a Korn/Ferry executive who left to start a competing business and was alleged to have aided co-conspirators in obtaining Korn/Ferry’s proprietary data via the Searcher database.
Korn/Ferry protected its database with access controls, user IDs, passwords, confidentiality agreements, and notices warning of restricted access and potential criminal penalties.
Counts 2–9 alleged that Nosal and co-conspirators violated § 1030(a)(4) by using authorized access to obtain information for fraudulent purposes, contrary to employer restrictions.
The district court rejected Nosal’s argument that Brekka required dismissal, instead holding that an authorized user could still violate § 1030(a)(4) through fraudulent use.
After the Ninth Circuit decided LVRC Holdings LLC v. Brekka, Nosal moved to reconsider, and the district court dismissed Counts 2 and 4–7, adopting Brekka’s interpretation that ‘exceeds authorized access’ requires access to information the employee is not entitled to obtain under any circumstances.
The government appealed, and the Ninth Circuit ultimately held that an employee exceeds authorized access when they violate employer-imposed use restrictions, and remanded to reinstate Counts 2 and 4–7.

Issue	Plaintiff's Argument	Defendant's Argument	Held
Does CFAA § 1030(a)(4) cover a violation by an employee who exceeds authorization by using information in contravention of employer use restrictions?	Nosal argues Brekka controls and excludes use-restriction violations from § 1030(a)(4).	The government contends that exceeding authorized access includes violations of employer use restrictions when used to fraudulently obtain information.	Yes; employer restrictions define authorization and violation of those restrictions violates § 1030(a)(4).
Should Brekka govern the interpretation of 'without authorization' or 'exceeds authorized access' for this case?	Nosal relies on Brekka to limit 'exceeds authorized access' to those with no authorization at all.	The government argues Brekka is distinguishable and its reasoning supports defining excess authorization by employer restrictions.	No; Brekka informs, but the court adopts the broader reading that employer restrictions control 'exceeds authorized access.'
Are the district court’s concerns about breadth and potential criminalization of ordinary employee conduct addressed?	Nosal warns the approach could criminalize routine personal use of work computers.	The majority emphasizes necessary intent and causation requirements to avoid over-criminalization.	The statute’s intent and causation requirements prevent overreach; the conduct here satisfies § 1030(a)(4).

LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009) (employer determines authorization; 'exceeds' means violating access restrictions)
United States v. John, 597 F.3d 263 (5th Cir.2010) (exceeds authorized access when user knows restrictions and commits fraud)
United States v. Rodriguez, 628 F.3d 1258 (11th Cir.2010) (distinguishes Brekka; unauthorized personal use tied to not authorized for nonbusiness purpose)
EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir.2001) (employee duty of confidentiality as indicator of access limitations)
International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir.2006) (Citrin-based approach to loyalty duties and access termination)
Perrin v. United States, 444 U.S. 37 (Supreme Court 1979) (statutory interpretation principle about giving effect to all provisions)