Cybercrime Under The CFAA: It Depends on the Jurisdiction

On Behalf of | Apr 20, 2012 | Employment Law |

In a decision filed on April 10, 2012, the Ninth Circuit in United States of America v. Nosal, No. 10-10038 (9th Cir. 2012), put itself squarely in conflict with the Fifth, Eleventh and Seventh Circuits by holding that the district court properly dismissed a portion of the government’s indictment against David Nosal charging him with a violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(4), by knowingly and with intent to defraud accessing or exceeding access of a computer in contravention of a written company policy in order to obtain confidential company information to start a competing business.

18 U.S.C. § 1030(a)(4) states:

(a) Whoever-

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…

Shall be punished.

Nosal left an executive search firm but convinced some of his colleagues still working there to use their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transfer that data to Nosal. The employer had a policy which forbade disclosing confidential information, and the opening screen of the database contained the warning: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”

The government indicted Nosal on 20 counts, including under the CFAA for aiding and abetting the KF employees in exceeding their authorized access with intent to defraud. Nosal filed a motion to dismiss this portion of the indictment, arguing that the CFAA only targets hackers, not persons who access a computer with authorization but then misuse the information they obtain through such access. The district court initially declined to dismiss, but reconsidered in light of the 9th Circuit’s decision in LVRC Holdings, LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which narrowly construed the phrases “without authorization” and “exceeds authorized access” in the CFAA.

The 9th Circuit rejected the government’s interpretation of “exceeds authorized access” because it would make every violation of a private computer use policy a federal crime. The Court expressly noted its decision was contrary to the decisions of the 5th, 11th and 7th Circuits, and urged them to reconsider their holdings. See United States v. John, 597 F.3d 263 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). According to the 9th Circuit, “the plain language of the CFAA ‘target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.’” Thus, “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, not restrictions on its use. The dissent argued the majority’s interpretation conflicts with the plain language of the statute.

A district court in Minnesota recently granted a motion to dismiss a similar indictment under the CFAA. See Walsh Bishop Assoc., Inc. v. O’Brien, CA 11-2673 (D. Minn. Feb. 28, 2012).

In United States v. John, the 5th Circuit held a Citigroup employee exceeded her authorized access in violation of 18 U.S.C. § 1030(a)(2) by accessing confidential customer information in violation of her employer’s computer use restrictions and using that information to commit fraud. The 5th Circuit indicated that “[a]n employee would ‘exceed authorized access’ if he or she used that access to obtain or steal information as part of a criminal scheme.” 597 F.3d at 271.

The CFAA provides civil remedies in the event the plaintiff can show economic damages aggregating at least $5,000 in value during any 1-year period. See 18 U.S.C. § 1030(c)(4)(A)(i)(1) and (g). In Meats by Linz Inc. v. Dear, 2011 WL 1515028 (N.D. Tex. Apr. 20, 2011), Judge Fitzwater denied a former employee’s motion to dismiss the CFAA count against him where it was alleged that immediately before resigning his position as general manager, Dear accessed a password-protected hard drive from a remote computer to download a gross profit report which listed company customers, with pricing, cost of goods sold and profit margin for each customer. He then, in violation of a confidentiality agreement and restrictive covenant agreement, began soliciting customers for a direct competitor. In seeking to dismiss the CFAA count, he maintained he had authorization to access the report and did not exceed his authority by accessing it or downloading it. Rejecting the argument and denying the motion to dismiss, the Court noted that, pursuant to the John decision, the 5th Circuit has interpreted the CFAA to encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system.

It is obviously important to analyze the jurisdiction to determine whether unauthorized use of confidential data accessed through a computer states a criminal and/or civil claim under the CFAA. In jurisdictions such as Texas, in situations where there has been unauthorized access of confidential data via a computer system, consideration should be given to including a count under the CFAA if it is clear that there has been an economic loss which exceeds $5,000 in a 1-year period. The presence of such a claim may be persuasive to a court in granting injunctive relief to prevent further access and use of the misappropriated data.

There are also federal and state trade secrets theft statutes which may form an additional claim if the data taken and misappropriated by the employee meets the definition of a trade secret: proprietary information that provides a competitive advantage to its owner. See 18 U.S.C. § 1832(a); Texas Penal Code § 31.03.