United States v. Nosal
930 F. Supp. 2d 1051
N.D. Cal.2013Background
- Indictment charged eight CFAA counts and related misappropriation/conspiracy counts; Nosal en banc decision later addressed CFAA scope.
- Defendant–former Korn/Ferry employee—supposedly accessed Korn/Ferry’s Searcher database with others after leaving employment.
- Second superseding indictment added factual detail to CFAA counts; government argues Nosal permits continuing CFAA theories.
- Judge Patel previously dismissed some CFAA counts under Brekka; Nosal en banc affirmed those dismissals, narrowing CFAA liability.
- Court now considers whether Nosal limits remaining CFAA counts and whether indictment adequately alleges unauthorized access or exceeding authorization.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether Nosal forecloses the remaining CFAA counts. | Nosal supports denying dismissal of CFAA counts. | Nosal limits CFAA liability to hacking, not mere misuse after authorization. | Nosal narrows, but does not wholly foreclose, remaining CFAA counts. |
| How to interpret 'without authorization' and 'exceeds authorized access' under CFAA. | Employer-controlled authorization governs access. | Intent to misuse should redefine authorization. | Authorization depends on employer’s permissions; exceeding access can involve use beyond allowed data. |
| Whether accessing via another's credentials constitutes unauthorized access under §1030(a)(4). | Co-conspirators’ use of passwords violated CFAA. | Authorized access by original user can be used by others with permission. | Using another’s credentials can constitute access without authorization. |
| Whether 'access' includes ongoing use after initial login. | Ongoing queries/downloads after login fall within access. | Access is moment of entry; post-login actions are use, not access. | Access encompasses ongoing use; MJ’s later actions still unauthorised. |
Key Cases Cited
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (limits 'exceeds authorized access' to information-use restrictions, not mere access)
- Brekka v. Lions Gate, 581 F.3d 111 (9th Cir. 2009) (authorization depends on employer’s actions; intent irrelevant to access)
- LVRC Holdings LLC v. Brekka, 581 F.3d 112 (9th Cir. 2009) (distinguishes between no permission and permission to access; use of data beyond authorization)