richard: united states v. nosal and the cfaa


Upload: new-england-law-review

Post on 02-May-2017


Page 1: Richard: United States v. Nosal and the CFAA

421

United States v. Nosal and the CFAA: What Does DailySudoku.com Have to Do with Computer Fraud?

KEITH RICHARD

ABSTRACT

Enacted in 1986, the Computer Fraud and Abuse Act has generated substantial controversy over the meaning of “authorization.” The Ninth Circuit’s decision in United States v. Nosal added another chapter to the controversy. Despite the fact the defendant misappropriated valuable company data beyond the authorization defined in computer data use policies, the court dismissed the CFAA charges, citing concerns that employer-defined authorization would criminalize innocent computer use at work. In fact, egregious instances of employee misconduct warrant prosecution. While blanket criminalization of use agreements should give one pause, the choice is not between prosecuting either all offenders or no offenders. The statutory provision of the CFAA at issue in Nosal articulates a clear standard without vagueness or notice concerns. Culpable employees who cause substantial economic harm to former employers with knowledge, intent, and notice of the potential liability may be prosecuted, and the rest of the world need not fear prison for innocuous computer use. Employers must be permitted to contractually define the boundaries of computer access, and allowing CFAA claims based upon employer use agreements—with clear intent and notice qualifications—would eliminate the Nosal court’s concerns and ensure effective prosecution and deterrence of cybercrime.

Candidate for Juris Doctor, New England Law | Boston 2014. B.A., Political Science and History, summa cum laude, University of Massachusetts, Amherst 2009. I hereby dedicate this Comment to paranoid androids and the wild west.


422 New England Law Review v. 48 | 421

INTRODUCTION

Do you use a computer at work? Do you ever take a moment to send a personal email or check a non-work related website? If so, you could find yourself the subject of a criminal prosecution under a broad interpretation of the Computer Fraud and Abuse Act, at least according to the Ninth Circuit Court of Appeals in United States v. Nosal.1

Enacted in 1986, the Computer Fraud and Abuse Act (“CFAA”) changed the landscape of computer and Internet law, producing conflicting jurisprudential outcomes and substantial scholarly debate surrounding prosecution and liability for computer-related offenses.2 The controversy centers upon the statutory meaning of “authorization” and whether Congress intended to target misappropriation or only “hacking.”3

Nosal involved a former employee of an international executive search firm Korn/Ferry (“KF”) who enlisted the help of current KF employees to download information to use for a competing business.4 Nosal was indicted on twenty criminal counts, including violations of the CFAA for aiding and abetting the employees in exceeding their authorized access.5

The KF employees had signed agreements that restricted the use and disclosure of company data, and, with each login to a company computer, bypassed a notice informing them that accessing unauthorized information could result in criminal prosecution.6 Despite notice of potential criminal liability and clear intent to pass on confidential and valuable information, the court dismissed the CFAA charges.7 The court held that “exceed[ing] authorized access” does not extend criminal liability to a violation of company computer use restrictions, basing its decision largely on the perceived effect a broader interpretation would have on innocent computer use.8

1 See 676 F.3d 854, 860 (9th Cir. 2012).

2 See, e.g., Orin S. Kerr, Cybercrime's Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1598–99 (2003) (“[T]hese cases threaten a dramatic and potentially unconstitutional expansion of criminal liability in cyberspace.”); Reid Skibell, Cybercrimes & Misdemeanors: A Reevaluation of the Computer Fraud and Abuse Act, 18 BERKELEY TECH. L.J. 909, 911 (2003) (arguing the CFAA “structure results in over-criminalization”); Peter A. Winn, The Guilty Eye: Unauthorized Access, Trespass and Privacy, 62 BUS. LAW. 1395, 1404 (2007) (stating the CFAA definition of “unauthorized access” puts people on notice of conduct that is prohibited by the Act).

3 See Kyle W. Brenton, Trade Secret Law and the Computer Fraud and Abuse Act: Two Problems and Two Solutions, 2009 U. ILL. J.L. TECH. & POL’Y 429, 436, 452–54 (2009).

4 See 676 F.3d at 856.

5 Id.

6 Id. at 866 (Silverman, J., dissenting).

7 See id. at 864 (majority opinion).

2014 United States v. Nosal and the CFAA 423

This Comment argues that employees who abuse their access to data can “exceed authorization” as contemplated by the CFAA. The Nosal court criticized courts that interpreted the CFAA broadly to find liability, stating they “looked only at the culpable behavior of the defendants before them.”9 In fact, such culpable behavior should be the focus of a court’s inquiry.10 While the majority opinion devoted substantial analysis to imagining a world in which innocent workplace procrastination and Internet surfing could result in criminal prosecution, clear and egregious instances of employee misconduct warrant prosecution.11

Surely blanket criminalization of use agreements should give one pause.12 The choice, however, is not between prosecuting either all offenders or no offenders. The statutory provision of the CFAA at issue in Nosal articulated a clear standard that was not susceptible to the vagueness concerns expressed by the court.13 Culpable employees who cause substantial economic harm to former employers with knowledge, intent, and notice of the potential liability should be prosecuted; the rest of the world need not fear prison for innocuous computer use.14 Courts should therefore recognize CFAA claims under employee use agreements, allowing employers to contractually define employees’ computer access limits.15 Effective prosecution and deterrence of cybercrime depends upon such an interpretation of the law.16 Going forward, clear intent and notice qualifications would effectively eliminate the concerns raised by the Nosal majority.17

8 See id. at 862–63.

9 Id. at 862.

10 Nosal, 676 F.3d at 864 (Silverman, J., dissenting).

11 Cf. id. at 860–62 (majority opinion).

12 See Ryan Patrick Murray, Comment, Myspace-ing Is Not A Crime: Why Breaching Terms of Service Agreements Should Not Implicate the Computer Fraud and Abuse Act, 29 LOY. L.A. ENT. L. REV. 475, 483–99 (2009).

13 See Nosal, 676 F.3d at 864 (Silverman, J., dissenting) (explaining that under 18 U.S.C. § 1030(a)(4) of the CFAA, a defendant must possess “both the requisite mens rea and the specific intent to defraud” to be subject to prosecution).

14 But see id. at 860 (majority opinion) (“[S]udoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.”).

15 See infra Parts III.B.3 and IV.

16 Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats: Hearing Before the S. Judiciary Comm., 112th Cong. 7 (2011) [hereinafter Cybercrime] (statement of James A. Baker, Associate Deputy Att’y Gen. of the United States), available at http://www.justice.gov/ola/testimony/112-1/09-07-11-odag-baker-testimony-re-cybercrime.pdf.

Part I of this Comment discusses the CFAA and several theories that have emerged from cases interpreting the meaning of “authorization” in the employment context. Part II summarizes and discusses the majority opinion in United States v. Nosal. Part III argues that the court’s eagerness to attack the undesirable consequences of construing the CFAA broadly effectively diverted the majority opinion from applying the law to the facts. Part IV explains why contract-defined authorization need not lead to the disastrous results predicted by the majority opinion.

I. Background

A. The Computer Fraud and Abuse Act (CFAA)

Faced with the growing problem of computer crime, Congress passed the CFAA in 1986.18 In broad strokes, the Act prohibits knowing or intentional access of a computer without authority or in excess of authorization; several provisions relate specifically to causing damage,19 while other provisions address fraud,20 extortion,21 or otherwise wrongfully obtaining confidential or protected data and information.22 Originally a criminal statute, Congress amended the CFAA in 1994 to include a civil cause of action with compensatory and injunctive remedies.23 Thereafter, employers brought an increasing number of CFAA claims against employees for accessing and misusing sensitive company information.24

The CFAA controversy swirls around legislative meaning as courts struggle to discern whether Congress intended “authorization” to be construed broadly, creating liability for misappropriation, or more narrowly, covering only instances of “hacking.”25 The CFAA defines the phrase “exceed authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,”26 while “without authorization” is left undefined.27

17 See id.

18 See 1 LAWRENCE M. SALINGER, ENCYCLOPEDIA OF WHITE COLLAR & COMPUTER CRIME 189 (2005).

19 18 U.S.C. § 1030(5)(A) (2012) (“[K]nowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.”).

20 § 1030(a)(4).

21 § 1030(a)(7).

22 § 1030(a)(1)–(a)(2)(A).

23 See Kerr, supra note 2, at 1598 & n.11 (citing 18 U.S.C. § 1030(g) (2006)).

24 See, e.g., Pac. Aerospace & Elecs., Inc. v. Taylor, 295 F. Supp. 2d 1188, 1196 (E.D. Wash. 2003) (observing employers increasingly utilize civil remedies under the CFAA to sue employees who, upon leaving to work for a competitor, take valuable business information obtained through the computer systems); see also P.C. Yonkers, Inc. v. Celebrations the Party & Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005) (concluding, contrary to the lower court, that the CFAA contains civil remedies including injunctive relief for plaintiff employer).

The CFAA contemplates both computer user insiders, who may not exceed the authorization granted, and outsiders, who have no access privileges at all.28 Access by outsiders would be considered hacking, or “surreptitiously break[ing] into the computer, network, servers, or database of another person or organization.”29 Misappropriation, potentially committed by insiders (as in Nosal),30 is defined as “[t]he common-law tort of using the noncopyrightable information or ideas that an organization collects and disseminates for a profit to compete unfairly against that organization . . . .”31 Simply put, a strictly anti-hacking statute would strictly cover unauthorized outsiders and insiders authorized to view only limited data who go beyond those limits.32 A broader statute would look not just to the content accessed, but also the purpose of the access, thereby covering improper use of information by an employee who technically had authorization to view the data but abused the privilege.33 Numerous courts delved into the legislative history and reached different conclusions, resulting in the current circuit split.34

25 Compare Hewlett-Packard Co. v. Byd:Sign, Inc., No. 6:05-CV-456, 2007 WL 275476, at *13 (E.D. Tex. Jan. 25, 2007) (recognizing a CFAA claim for exceeding authorized access where employee misappropriated data to which they had access), with Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 498 (D. Md. 2005) (concluding that an employee with full authorization who misappropriated data did not “exceed” authorization to incur liability under the CFAA).

26 § 1030(e)(6).

27 EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n.10 (1st Cir. 2001) (“Congress did not define the phrase ‘without authorization,’ perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive.”).

28 United States v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007).

29 BLACK'S LAW DICTIONARY 780 (9th ed. 2009).

30 See United States v. Nosal, 676 F.3d 854, 856 (9th Cir. 2012).

31 BLACK'S LAW DICTIONARY, supra note 28, at 1088.

32 See Brenton, supra note 3, at 454.

33 See id.

34 Compare WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (interpreting the CFAA narrowly to conclude the statute criminalizes hacking, not misappropriation), and Nosal, 676 F.3d at 863 (interpreting CFAA narrowly and declining to find a CFAA violation), with United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (finding knowing breach of employee contract satisfied broad reading of authorization under CFAA), and Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 421 (7th Cir. 2006) (interpreting CFAA broadly to find employee’s authorization terminated upon a breach of loyalty to the employer and violated the statute).

What did Congress intend? Upon examining legislative history, one commentator suggested Congress conceptualized computer crime like common-law trespass and thereby sought to target only hacking offenses.35 Another commentator countered that Congress actually used the comparison to characterize data as a form of property, which naturally could be “stolen” by both outside hackers and insiders.36 Evidence in the congressional record supports misappropriation:

Any enforcement action in response to criminal conduct indirectly or directly related to computers must rely upon a statutory restriction dealing with some other offense. This requires the law enforcement officer, initially the agent, and then the prosecutor, to attempt to create a “theory of prosecution” that somehow fits what may be the square peg of computer fraud into the round hole of theft, embezzlement or even the illegal conversion of trade secrets.37

After a thorough review of legislative history, one court identified congressional concern for intellectual property rights and the apparent intent to punish those who use computers illegally for commercial advantage to conclude the “plain meaning of the statute” supports a broad reading covering misappropriation.38 Another court, however, examined the same “plain language” to conclude the Act covers only hacking.39 Hinting at misappropriation, Congress specifically identified the “abuse” of one’s computer authority to obtain information for “commercial advantage or personal financial gain” as grounds for elevating a misdemeanor offense to a felony.40

B. Cases Interpreting “Authorization”

The cases leading up to Nosal reflect a burgeoning jurisprudential divide as to whether employees who abuse their computer access privileges for commercial and financial gain “exceed authorized access,” subjecting them to liability under the CFAA.41 Two major theories of “authorization” emerged.42 Applying agency-based theory, some courts have held employees’ authorization terminated upon a breach of fiduciary duty to the employer.43 Thus, at the moment an employee’s allegiance turns against the employer, the employee’s authorization is effectively revoked.44 Applying contract-based theory, other courts held that a knowing breach of company policy or an employment contract constituted “exceed[ing] authorized access.”45 In cases applying either theory, the employees technically had access to the subject data for their jobs, but abused the privileges for some improper purpose.46

35 See Kerr, supra note 2, at 1617, 1630–31 (discussing congressional reports and testimony comparing computer crime to breaking and entering).

36 Winn, supra note 2, at 1403–04.

37 S. REP. NO. 99-432, at 14 (1986), reprinted in 1986 U.S.C.C.A.N. (99 Stat. 432) 2479, 2491–92 (emphasis added).

38 See Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1129 (W.D. Wash. 2000).

39 Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008).

40 S. REP. NO. 104-357, at 8 (1996).

41 See infra Part I.B.1–2.

42 See Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 MINN. L. REV. 1561, 1562 (2010) [hereinafter Vagueness Challenges]; Garrett D. Urban, Note, Causing Damage Without Authorization: The Limitations of Current Judicial Interpretations of Employee Authorization Under the Computer Fraud and Abuse Act, 52 WM. & MARY L. REV. 1369, 1372 (2011).

43 See Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006); Shurgard, 119 F. Supp. 2d at 1125.

44 See Citrin, 440 F.3d at 420; Shurgard, 119 F. Supp. 2d at 1125.

45 See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).

46 See John, 597 F.3d at 272 (holding that an employee may have authorization to access data, but not unfettered authority to use that data for any purpose such as committing financial fraud); Citrin, 440 F.3d at 421 (acknowledging employee had authorization to view data but rejecting employee’s argument that he had authorization to delete and manipulate data to serve his own interests).

1. CFAA Claims Under Agency Theory

In Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., the defendant engaged in a targeted scheme to acquire a competitor’s trade secrets and business plans by enlisting the services of employees via email and eventually hiring them away one by one.47 The court applied § 112 of the Restatement (Second) of Agency to find the employee exceeded his authorized access: “Unless otherwise agreed, the authority of an agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.”48 The Seventh Circuit endorsed the Shurgard agency theory in International Airport Centers v. Citrin.49 Despite characterizing the distinction between “without authorized access” and “exceeds authorized access” as “paper thin,” Judge Posner nonetheless found an employee’s authorization terminated upon his violation of loyalty.50 Outside the Seventh Circuit, however, several courts have outright rejected the agency theory.51

47 Shurgard, 119 F. Supp. 2d at 1123.

48 Id. at 1125 (quoting RESTATEMENT (SECOND) OF AGENCY § 112 (1958)).

49 See Citrin, 440 F.3d at 421.

50 Id.

51 Accord Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 967 (D. Ariz. 2008); Black & Decker (US), Inc. v. Smith, 568 F. Supp. 2d 929, 934 (W.D. Tenn. 2008); see WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012) (stating that endorsing an agency theory under the CFAA would create effects unintended by Congress); Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2006 WL 2683058, at *4 (M.D. Fla. Aug. 1, 2006) (rejecting reliance upon the Restatement to find meaning where the “plain language of the statute is sufficient to interpret” its terms).

2. Contract-Based CFAA Claims

Other courts look to employment contracts and computer use agreements to determine whether employees exceeded their authorized access.52 Employers have strong incentives to carefully draft agreements with employees regarding computer access—employers may contractually protect valuable company data from falling into unauthorized hands53 and shield themselves from vicarious liability imputed through new hires who transfer data from their former companies.54

EF Cultural Travel BV v. Explorica, Inc. involved a former employee of a travel agency (“EF”) who, using his knowledge of EF, helped develop a “scraper program” designed to collect data from the website in an effort to undercut prices for his competing business.55 The court found the employee exceeded his authorized access as defined in a broad confidentiality agreement barring any disclosure “which might reasonably be construed to be contrary to the interests of EF.”56 In United States v. John, a Citigroup employee gathered confidential client account information as part of a financial fraud scheme that violated established company policies.57 The John court cited EF Cultural Travel BV and clarified that had the defendants in that case faced criminal rather than civil liability, the court would have been hesitant to impute liability for merely violating a confidentiality agreement.58 But given the John defendant’s intentional financial fraud that violated known company policy, the court had no such apprehensions.59

52 See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581 (1st Cir. 2001); Hewlett-Packard Co. v. Byd:Sign, Inc., No. 6:05-CV-456, 2007 WL 275476, at *13 (E.D. Tex. Jan. 25, 2007).

53 See, e.g., Hewlett-Packard Co., 2007 WL 275476, at *12–13 (denying defendant’s motion to dismiss on CFAA claims where employees contracted not to disclose company data or use company systems and data for personal gain).

54 Victoria A. Cundiff, Reasonable Measures to Protect Trade Secrets in a Digital Environment, 49 IDEA 359, 387 (2009).

55 274 F.3d at 579–80.

56 Id. at 583–84.

57 See 597 F.3d at 271–72.

58 See id. at 272.

59 See id. at 271 (“[T]he user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime.”).


Indeed, other courts have applied contract-based authorization in criminal proceedings, finding that employment contracts may determine the scope and purpose of an employee’s computer access.60

The Ninth Circuit heard a civil CFAA claim in LVRC Holdings LLC v. Brekka.61 There, the defendant Brekka emailed documents to himself and retained them after leaving the company.62 The court expressly rejected agency theory and interpreted the CFAA’s “plain meaning” to reject the contention that breaching a duty of loyalty revokes authorization under the statute.63 The court applied the rule of lenity and dismissed the charges.64 Reasoning that Brekka had authorization to view and use the documents while an employee and had not signed a confidentiality agreement or other contract requiring that he destroy the documents post-employment, the court affirmed summary judgment dismissing the employer’s claims.65

3. The Rule of Lenity and Void for Vagueness Doctrine

In addition to Brekka, several cases have applied the lenity and void for vagueness doctrines to dismiss CFAA charges or claims against a defendant.66 Both are doctrines of statutory construction that aim to guard against criminally prosecuting individuals for crimes without adequate notice.67 To pass a “void for vagueness” test, statutes must provide “sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement.”68 Courts require statutes to provide “relatively clear guidelines as to prohibited conduct” and “objective criteria” to gauge whether the conduct at issue violates its provisions.69 The rule of lenity applies an interpretative model to allay notice concerns and “requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government.”70 The Supreme Court pronounced: “The rule of lenity applies only if, after seizing everything from which aid can be derived . . . we can make no more than a guess as to what Congress intended. To invoke the rule, we must conclude that there is a grievous ambiguity or uncertainty.”71 Courts applying these doctrines have dismissed CFAA claims72 and vacated convictions.73

60 See United States v. Tolliver, 451 F. App’x 97, 99–104 (3d Cir. 2011) (affirming conviction of defendant employee who accessed customer bank accounts for a nonbusiness purpose exceeding her authorized access under 18 U.S.C. § 1030(a)(2)(A)); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that Social Security Administration employee exceeded authorized access by viewing database information for “nonbusiness reasons,” including, inter alia, looking up records on former wives and girlfriends); United States v. Czubinski, 106 F.3d 1069, 1078–79 (1st Cir. 1997) (affirming lower court finding that former IRS employee exceeded authorized access, but dismissing the CFAA claim under § 1030(a)(4) because the defendant did not obtain “anything of value”).

61 581 F.3d 1127, 1129 (9th Cir. 2009).

62 Id. at 1129–30.

63 Id. at 1134–35.

64 See id.

65 See id. at 1132, 1137.

66 See Brekka, 581 F.3d at 1134 (citing cases). The court interpreted the statute in favor of the accused, finding that in the absence of express revocation of authorization by an employer, an employee would not expect to incur criminal liability for breaching a state-law duty to his employer by emailing proprietary documents to himself. Id. at 1135; see, e.g., United States v. Drew, 259 F.R.D. 449, 467 (C.D. Cal. 2009) (applying void for vagueness doctrine where imposing criminal liability for intentionally breaching a social network site’s terms of use would be a surprising and untenable interpretation of the statute).

67 See infra notes 68–73 and accompanying text.

II. United States v. Nosal: The Court’s Opinion

A. Facts and Procedural History

After David Nosal left KF to start his own competing executive search firm, he approached several former KF colleagues for information to use for his commercial advantage.74 Nosal convinced the employees to log on to KF databases where they downloaded names, contacts, and other proprietary data—all in clear violation of company policy prohibiting the distribution of confidential company information.75 “The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy, and violations of the CFAA . . . [under] 18 U.S.C. § 1030(a)(4) for aiding and abetting the Korn/Ferry employees in ‘exceed[ing their] authorized access’ with intent to defraud.”76

The trial court, on reconsideration following the Brekka decision, dismissed some, but not all claims against Nosal.77 The government appealed.78 Sitting as a panel, the Ninth Circuit originally reversed the lower court, distinguishing Brekka and emphasizing that an employee can indeed exceed authorized access if defined by a user agreement.79 A majority of justices on the Ninth Circuit thereafter voted to rehear the case en banc.80

68 Kolender v. Lawson, 461 U.S. 352, 357 (1983).

69 Drew, 259 F.R.D. at 463 (citing Gonzales v. Carhart, 550 U.S. 124 (2007) (internal citation omitted)).

70 Brekka, 581 F.3d at 1135 (quoting United States v. Romm, 455 F.3d 990, 1001 (9th Cir. 2006)).

71 Muscarello v. United States, 524 U.S. 125, 138–39 (1998) (citations and internal quotation marks omitted).

72 E.g., Brekka, 581 F.3d at 1134–35.

73 E.g., Drew, 259 F.R.D. at 467–68.

74 See United States v. Nosal, 676 F.3d 854, 856 (9th Cir. 2012).

75 See id.

76 Id.

77 United States v. Nosal, No. C 08-0237 MHP, 2010 WL 934257, at *8–9 (N.D. Cal. Jan. 6, 2010), aff'd, 676 F.3d 854 (9th Cir. 2012).

78 United States v. Nosal, 642 F.3d 781, 785 (9th Cir. 2011), aff’d en banc, 676 F.3d 854 (9th Cir. 2012).

79 Nosal, 642 F.3d at 789.

80 United States v. Nosal, 661 F.3d 1180, 1180 (9th Cir. 2011) (ordering rehearing en banc).

B. The Ninth Circuit En Banc Decision

The opinion opened by observing the integral nature of computers today: “We use them for work; we use them for play. Sometimes we use them for play at work.”81 The question, as the court saw it, was whether user agreements could be used to criminalize innocuous Internet use.82 “This,” the court answered, “depends on how broadly we read the [CFAA].”83

The court first considered the competing interpretations of “exceeds authorized access.”84 The statutory definition states: “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”85 The government argued “exceeds authorized access” could apply to those who have unrestricted access, but limited privileges to use the information, interpreting “entitled” to mean “furnish with a right.”86 The KF use policies placed limits upon those rights, and therefore covered circumstances where employees exceeded their authorization.87 Rejecting the argument as “a poor fit for the statutory language,” the court observed “entitled” could just as persuasively mean “authorized.”88 The court rebuffed further efforts by the prosecution to parse words, declaring: “[i]f Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions . . . we would expect it to use language better suited to that purpose.”89

The court decided the narrow definition was more plausible because some legislative history suggested Congress intended to police hacking.90 The court balked at the consequences of a broad reading that would make the CFAA an “expansive misappropriation statute” and “sweeping Internet-policing mandate” that “would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”91

81 Nosal, 676 F.3d at 856.

82 Id.

83 Id.

84 See id.

85 Id. (citing 18 U.S.C. § 1030(e)(6) (2006)).

86 Id. at 857.

87 See Nosal, 676 F.3d at 857.

88 Id.

89 Id.

90 Id. at 858.

The court also rejected a broad definition on several practical grounds.92 First, allowing employers to define the scope of their employees’ access through use agreements and contracts could criminalize innocuous use or result in employers threatening prosecution as a pretext to push troublesome employees out the door.93 Second, computer users agree to terms of service that are rarely read, much less understood.94 Basing criminal liability upon these agreements would raise a number of notice and privacy concerns by prosecuting innocent surfing “simply because a computer is involved.”95 With gratuitous references to popular Internet sites that will likely ring hollow with readers in the near future, the court trotted out example after example of perils that would flow from a broad definition: “sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.”96 Noting eHarmony’s terms of use prohibit misrepresentations, the court invoked more hyperbolic jail images: “describing yourself as ‘tall, dark and handsome,’ when you’re actually short and homely, will earn you a handsome orange jumpsuit.”97

The court concluded by expressly rejecting precedents in the Fifth, Seventh, and Eleventh Circuits,98 and instead elected to “continue to follow in the path blazed by Brekka” by holding that the CFAA, construed narrowly, does not cover misappropriation.99

91 Id. at 857–59.
92 See id. at 859.
93 See Nosal, 676 F.3d at 860.
94 See id.
95 Id.
96 Id.
97 Id. at 862.
98 See United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (finding that the use of the information was irrelevant if obtained without proper authorization); United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (stating that “exceeds authorized access” may include exceeding purposes that are “authorized”); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 421 (7th Cir. 2006) (finding that defendant likely exceeded authorization by destroying data he knew had no duplicates).
99 Nosal, 676 F.3d at 863.


ANALYSIS

The Nosal court erred on three interrelated grounds.100 First, the court failed to adjudicate the facts raised by the case and the relevant portion of the statute under which the government prosecuted Nosal.101 Second, the court should have distinguished between the dangers of prosecuting the general public for innocent website user agreement violations (a subject not raised by the case) and prosecuting employees for intentional and knowing violations of employment contracts and use agreements that bar misappropriating valuable company data.102 In glossing over this stark distinction, the court, likely drawing on voluminous scholarly criticism of the former, obscured and overlooked the legitimate function of the latter.103 Congress indeed contemplated prosecuting insider abuse and misappropriation.104 Third, the Nosal court buttressed its arguments against a broad interpretation by attacking whacky hypothetical scenarios styled on a “slippery slope” argument that confused the issues and policies at hand.105

III. The Court Failed to Adjudicate the Actual Facts and Law Before It

This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.106

How did we go from a wealthy former executive stealing valuable company data for his own business purposes to a homely fellow in a “handsome orange jumpsuit”?107 The answer, in part, rests on the “slippery slope” argument structure employed by the majority and discussed further below.108

100 See Nosal, 676 F.3d 854.
101 See id. at 857, 858, 864; cf. John, 597 F.3d at 272.
102 See Nosal, 676 F.3d at 860; cf. John, 597 F.3d at 272.
103 See infra Part III.B.
104 See S. REP. NO. 99-432, at 14 (1986), reprinted in 1986 U.S.C.C.A.N. (99 Stat. 432) 2479, 2491–92.
105 See infra Part III.B.2.
106 Nosal, 676 F.3d at 864 (Silverman, J., dissenting).
107 See id. at 862 (majority opinion).
108 See infra Part III.B.2.


A. The Relevant CFAA Statutory Provision and Material Facts

One may wonder what Nosal was actually about, given the entire court opinion makes mention of KF once and Nosal twice.109 The provision of the CFAA at issue, 18 U.S.C. § 1030(a)(4), states “whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value” shall be subject to fines and/or imprisonment for up to five years.110 The record demonstrated that while Nosal’s co-conspirators knowingly and intentionally logged on to a company database and passed a prompt notifying them they would face criminal prosecution for improperly using company data, they nonetheless downloaded and forwarded valuable client lists to Nosal.111 Their employment contracts clearly forbid the use and disclosure of company data except for legitimate KF business purposes.112 Nosal’s use of KF’s client list to set up his competing business most certainly was not such a purpose.113 As defined by KF’s use and access agreements, the defendants exceeded their authorized access to obtain a thing of value and thus clearly violated § 1030(a)(4).114

As framed by the majority, the issue was not just whether an employee who exceeds the access as defined by their employer incurs liability, but more broadly whether an individual who violates any contract incidental to computer and Internet use (including the terms of service on social networking sites) would incur liability115:

Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.116

Thus, halfway through the opinion, the court veered off into CFAA violations based upon Internet use agreements,117 a distinct issue that raises a separate line of cases and analysis.118 Indeed, criminal prosecution for unknowingly violating esoteric user agreements and protecting valuable data from misuse by greedy employees are two vastly different cases.119

109 See Nosal, 676 F.3d at 857, 858, 864.
110 18 U.S.C. § 1030(a)(4) (2012).
111 See Nosal, 676 F.3d at 866 (Silverman, J., dissenting).
112 See id.
113 See United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (finding that a defendant can “exceed[] authorized access” even when defendant is “authorized” to view the information).
114 See Nosal, 676 F.3d at 866 (Silverman, J., dissenting).
115 See id. at 856 (majority opinion).
116 Id. at 860.
117 See id. at 861.
118 See, e.g., United States v. Drew, 259 F.R.D. 449, 452 (C.D. Cal. 2009) (focusing the analysis on the defendant’s guilt based on a violation of MySpace’s user agreement); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000), aff'd as modified, 356 F.3d 393 (2d Cir. 2004) (discussing alleged CFAA violations arising from end use restrictions); Am. Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444, 448 (E.D. Va. 1998) (indicating that claims under the CFAA arose from alleged violations of AOL’s user agreements).

B. Criminalization of Internet Terms of Use and Notice Concerns

1. United States v. Drew

The problems with criminally prosecuting individuals for violating Internet terms-of-use agreements are well documented, most notably in United States v. Drew.120 Lori Drew posed as a sixteen-year-old boy (violating MySpace terms of use prohibiting the assumption of a false identity on the site) and contacted Megan Meier, one of her daughter’s classmates.121 After several days of flirting through the pseudonym, Drew informed Meier that “he no longer liked her and that ‘the world would be a better place without her in it,’” prompting Meier to commit suicide.122 With few viable avenues to prosecute Drew, prosecutors found themselves grasping at straws amid mounting public pressure.123 The prosecution eventually brought a misdemeanor CFAA claim under § 1030(a)(2)(C).124 The court held that intentionally violating the MySpace terms of use exceeded authorized access under the CFAA, but ultimately applied the void for vagueness doctrine to acquit Drew.125 The court concluded that relying on terms of use agreements to prosecute users “would result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals.”126

The Drew case initiated a tidal wave of scholarly scrutiny and criticism of the CFAA.127 The problem is obvious: tying criminal liability to terms of service agreements creates substantial notice concerns128 and would criminalize everyday Internet conduct—already a cause for concern in privacy matters.129

119 Compare Drew, 259 F.R.D. at 467–68 (acquitting defendant for violating MySpace terms of use on vagueness grounds), with United States v. John, 597 F.3d 263, 272, 289 (5th Cir. 2010) (affirming CFAA conviction where employee had clear notice she lacked authorization to commit financial fraud).
120 See Drew, 259 F.R.D. at 452.
121 See id. at 451–52.
122 Id. at 452.
123 Kim Zetter, Lori Drew Not Guilty of Felonies in Landmark Cyberbullying Trial, WIRED (Nov. 26, 2008, 11:26 AM), http://www.wired.com/threatlevel/2008/11/lori-drew-pla-5/.
124 Id.
125 See Drew, 259 F.R.D. at 461, 466.
126 Id. (emphasizing that ordinary persons would have no reason to be on notice that breach of a terms of use agreement could result in criminal liability, and the provision would therefore run afoul of the void for vagueness doctrine).

Criminalizing terms of use agreements is most certainly undesirable, but rather than acknowledging that the CFAA contemplates misappropriation, the Nosal majority utilized the potential for unfettered prosecution of innocents to justify dismissing a clear CFAA violation.130 The opinion is largely styled on a slippery-slope argument structure.131

2. The Slippery Slope Argument: About that Handsome Orange Jumpsuit

Slippery slope arguments have a consistent structure.132 Those who slogged through first-year torts may have subconsciously (or quietly) sighed at the prefatory remarks of students who paused: “well, I think it’s a slippery slope . . .” before offering their views on hypothetical questions of how we are to distribute social costs.133 References to the slippery slope (while generally banal platitudes in a 1L torts class) must be kept in mind in a common law system that honors precedent and is subject to gradual slippage.134 Essential to the slippery slope argument is the implicit concession that a proposed resolution of a case may not appear dangerous under the present set of facts.135 What compels a court to make such a decision is the threat of ending up at the bottom of the slope—creating law that greases the slide for a perceived dangerous or untenable outcome down the road.136 This concern often influences jurists to inflate the dangers posed by the future case in the present case.137

127 See, e.g., Kristopher Accardi, Is Violating an Internet Service Provider's Terms of Service an Example of Computer Fraud and Abuse?: An Analytical Look at the Computer Fraud and Abuse Act, Lori Drew's Conviction and Cyberbullying, 37 W. ST. U. L. REV. 67, 82 (2009); Brandon Darden, Definitional Vagueness in the CFAA: Will Cyberbullying Cause the Supreme Court to Intervene?, 13 SMU SCI. & TECH. L. REV. 329, 330 (2010); David A. Puckett, Terms of Service and the Computer Fraud and Abuse Act: A Trap for the Unwary?, 7 OKLA. J. L. & TECH. 53 (2011), available at http://www.law.ou.edu/sites/default/files/files/FACULTY/2011okjoltrev53.pdf; Murray, supra note 12, at 477.
128 See Drew, 259 F.R.D. at 466 (acquitting the defendant of the criminal charge for breach of MySpace terms of service because the statute was unconstitutionally vague); Mark A. Lemley, Terms of Use, 91 MINN. L. REV. 459, 463 (2006) (observing individuals rarely, if ever, read terms of use agreements).
129 Judge Alex Kozinski, author of the majority opinion, may have had reason to feel cautious about unanticipated perils of Internet use: in 2008, he found himself embroiled in controversy over sexually explicit images and other content posted to his website. See Scott Glover, U.S. Judge in Obscenity Trial Steps Down, L.A. TIMES, June 14, 2008, at 1, available at 2008 WLNR 11230206.
130 See United States v. Nosal, 676 F.3d 854, 857–60 (9th Cir. 2012).
131 See id. at 859–60.
132 See Frederick Schauer, Slippery Slopes, 99 HARV. L. REV. 361, 361–65 (1985).
133 See generally DAN B. DOBBS ET AL., TORTS AND COMPENSATION: PERSONAL ACCOUNTABILITY AND SOCIAL RESPONSIBILITY FOR INJURY 121 (6th ed. 2009) (posing a hypothetical question to discuss how far the law should extend individual liability for personal injury accidents).

The Nosal court’s use of the argumentative structure is easily recognizable.138 If the court found that Nosal exceeded authorized access in misappropriating data by reference to KF employment contracts, it would lend support to future courts to find that a simple breach of contract can trigger CFAA liability.139 To illustrate the perils of such an outcome, the court marched out a “parade of horribles” in which innocent people could end up federal criminals just for goofing around on the Internet.140

Admittedly, CFAA cases are not the model of consistency.141 But allowing well-drafted employment contracts to dictate the scope of authorized access will not put online Sudoku enthusiasts behind bars.142 The slippery slope can be avoided entirely when courts have clear and limited standards to apply.143 Two principles should dictate moving forward. First, the CFAA contemplates misappropriation and should not be narrowly construed to cover only hacking.144 Legislative history supports this view.145 Second, employment contracts may define the scope and purpose of an employee’s access where clear notice and intent can be shown.146 Sensible statutory interpretation can prevail on grounds where clear notice has been provided and an individual knowingly engaged in culpable conduct in excess of his or her authorized access.147

134 See Oona A. Hathaway, Path Dependence in the Law: The Course and Pattern of Legal Change in a Common Law System, 86 IOWA L. REV. 601, 622 (2001).
135 See Mario J. Rizzo & Douglas Glen Whitman, The Camel's Nose Is in the Tent: Rules, Theories, and Slippery Slopes, 51 UCLA L. REV. 539, 544 (2003).
136 See Schauer, supra note 132, at 368–69.
137 See id. at 376.
138 See United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012) (arguing that a broad reading of the CFAA “could” create criminal liability for employees engaging in “minor dalliances”).
139 See id.
140 Id. at 857–60, 866.
141 See, e.g., id. at 856; United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010); United States v. Phillips, 477 F.3d 215, 219–21 (5th Cir. 2007); Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 421 (7th Cir. 2006).
142 See Nosal, 676 F.3d at 860.
143 See Schauer, supra note 132, at 372–73.
144 See supra notes 36–40 and accompanying text.
145 See supra notes 36–40 and accompanying text.
146 See infra Part IV.

3. Separating Drew from Legitimate Employment Contracts

The Nosal court conflated terms of use violations and employer contract-based violations, but this confusion also pervades academic literature.148 Scholarly criticism of contract-defined authorization primarily focuses on terms of use violations rather than misappropriation in the employment context.149 The notice problems inherent in the latter prosecutions are absent from cases like Nosal where the defendants had clear notice,150 not only in their employment contracts, but also with explicit logins reminding them data theft is a crime.151 The guilty act is entirely different: in terms of use agreements, the unauthorized access alone, without regard to notice or intent, is sufficient to trigger liability.152 Contract-based misappropriation on the other hand requires affirmative and intentional steps to steal information when the employee knows he or she lacks authorization.153 Congress did not intend to criminalize violations of the MySpace terms of use and has taken legislative steps to prevent another Drew case.154 That said, the congressional record supports prosecuting defendants for misappropriation,155 and the government continues to show concern for insider threats to security.156

By scrutinizing facts and law not raised by the case, the court adjudicated the perceived flaws of the statute rather than the defendants’ guilt.157 A court’s decision “calls, not for an advisory opinion upon a hypothetical basis, but for an adjudication of present right upon established facts.”158 Ultimately, the court leaned upon hypotheticals and the criticism of other CFAA provisions to reach its conclusion. In doing so, the court failed to consider that contract-based limits to authorization in the employment context may be preserved without a per se conversion of all contractual agreements into vehicles to criminalize computer use.159

147 See infra Part IV.
148 See Nosal, 676 F.3d at 857–60.
149 See Cyrus Y. Chung, The Computer Fraud and Abuse Act: How Computer Science Can Help with the Problem of Overbreadth, 24 HARV. J.L. & TECH. 233, 242 (2010); Vagueness Challenges, supra note 42, at 1578–83 (arguing that a broad reading of authorization was a stretch).
150 See United States v. John, 597 F.3d 263, 273 (5th Cir. 2010) (“An authorized computer user ‘has reason to know’ that he or she is not authorized to access data or information in furtherance of a criminally fraudulent scheme.”).
151 See Nosal, 676 F.3d at 866 (Silverman, J., dissenting).
152 See United States v. Drew, 259 F.R.D. 449, 461–62 (C.D. Cal. 2009).
153 See John, 597 F.3d at 272.
154 See CHARLES DOYLE, CONG. RESEARCH SERV., CYBERSECURITY: CYBER CRIME PROTECTION ACT (S. 2111) – A LEGAL ANALYSIS 7–8 (2012), available at http://assets.opencrs.com/rpts/R42403_20120312.pdf.
155 S. REP. NO. 99-432, at 14 (1986), reprinted in 1986 U.S.C.C.A.N. (99 Stat. 432) 2479, 2491–92.
156 Cybercrime, supra note 16, at 2.
157 See United States v. Nosal, 676 F.3d 854, 864–65 (9th Cir. 2012) (Silverman, J., dissenting).

IV. With Certain Limitations, Courts Should Rely on Contract-Defined Authorization

The Nosal court briefly considered using employment contracts to determine the scope of authorization, but ultimately concluded that such an interpretation would lead to employer abuse.160 This concern has yet to materialize—courts have summarily rejected CFAA claims against employees for using Facebook,161 checking email, and for other personal uses at work.162 Through clear drafting and intent requirements, narrowly drawn contract-based CFAA prosecutions serve a valid purpose in the employment context163 while avoiding the notice concerns presented by general website user agreements, as in Drew.164

A. Ninth Circuit Precedent Rejected Agency Theory, Not Contract Theory

Contract-defined authorization has substantial basis in case law.165 In fact, the Ninth Circuit misconstrued the precedent it had recently set in Brekka supporting contract theory.166 Brekka rejected Citrin and agency theory167 and held that an employee’s authorization does not terminate upon breach of a duty of loyalty grounded in agency law and dismissed the claims.168 The decision left open contract-based liability by observing that “[t]he plain language of the statute therefore indicates that ‘authorization’ depends on actions taken by the employer.”169 Because Brekka’s employment contracts did not restrict emailing documents to himself, he did not exceed his authorization.170

158 Ashcroft v. Mattis, 431 U.S. 171, 172 (1977) (citing Aetna Life Ins. Co. v. Haworth, 300 U.S. 227, 242 (1937)).
159 See Nosal, 676 F.3d at 860–63 (majority opinion).
160 Id. at 860 (“Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.”).
161 See Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL 1742028, at *2 (M.D. Fla. May 6, 2011) (rejecting CFAA counterclaim in employment discrimination suit on the grounds that personal websites are not restricted company systems and thus the employee had authorization to view the sites).
162 See Clarity Services, Inc. v. Barney, 698 F. Supp. 2d 1309, 1316 (M.D. Fla. 2010) (finding reading of personal email was authorized and rejecting agency theory).
163 Cf. Kerr, supra note 2, at 1642–43 (advocating for narrow statutory definitions of authorization, ultimately finding employment contracts inadequate).
164 See Katherine Mesenbring Field, Note, Agency, Code, or Contract: Determining Employees' Authorization Under the Computer Fraud and Abuse Act, 107 MICH. L. REV. 819, 849 (2009).
165 See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); United States v. Rodriguez, 628 F.3d 1258, 1263–64 (11th Cir. 2010); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009); Cont’l Grp., Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp. 2d 1357, 1372 (S.D. Fla. 2009).
166 Compare United States v. Nosal, 676 F.3d 854, 860 (9th Cir. 2012), with Brekka, 581 F.3d at 1135.

It is true that relying upon agency theory raises issues of overbreadth because employees may lack notice that simply acting in a manner adverse to their employers’ interests terminates authorization.171 But the undesirable aspects of terms-of-use-agreement-defined and agency-theory-defined authorization do not apply to clearly drafted and understood employment contracts.172 The employer in Brekka simply could not lodge a CFAA claim without notice to employees.173 Some commentators criticize CFAA liability in the employment context by focusing exclusively upon agency-theory-defined authorization, neglecting to consider contractually-defined authorization.174 Others criticize contracts as ambiguous, vague, or not clearly understood by employees.175

B. Other Circuit Courts Embrace the Use of Contracts to Determine Authorization

Several circuit courts of appeal have affirmed CFAA convictions by reference to employment contracts and policy.176 The “ordinary, contemporary, [and] common meaning” of “authorization” dictates that employees with access to view data lack free license to use such access for any purposes and are limited by the terms of their contracts.177

167 See supra notes 61–65 and accompanying text.
168 See Brekka, 581 F.3d at 1134–35.
169 Id. at 1135.
170 See id. at 1129, 1134.
171 See id. at 1135.
172 See United States v. John, 597 F.3d 263, 273 (5th Cir. 2010) (“An authorized computer user ‘has reason to know’ that he or she is not authorized to access data or information in furtherance of a criminally fraudulent scheme”); Field, supra note 164, at 849.
173 See Brekka, 581 F.3d at 1135.
174 See Vagueness Challenges, supra note 42, at 1583–87. Kerr curiously discusses Nosal (a clear contract-based authorization case) to illustrate the “void for vagueness” problems of agency theory. Id.
175 See Obie Okuh, When Circuit Breakers Trip: Resetting the CFAA to Combat Rogue Employee Access, 21 ALB. L.J. SCI. & TECH. 637, 663–64 (2011) (speculating notice issues would arise where the employer’s intent in drafting is unclear or the policy lies buried deep in a manual or pasted to a bulletin board no one examines).
176 E.g., John, 597 F.3d at 272; United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).

In United States v. John, an account manager at Citigroup provided information on client accounts to incur fraudulent charges.178 The government brought CFAA charges under § 1030(a)(2)(A) and (C) for exceeding authorized access (as defined in employment contracts and reiterated during company policy workshops) for using client financial data to commit fraud.179 The issue was not whether interpreting employment contracts would open the flood gates to criminalize innocent conduct, but whether the CFAA extends criminal liability to situations where an employee has authorized access but abuses it.180 The court concluded “it may, at least when the user knows or reasonably should know that he or she is not authorized to access a computer and information obtainable from that access in furtherance of or to perpetrate a crime.”181 In so holding, the court enunciated a common sense definition of exceeding authorized access: “Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.”182

In United States v. Rodriguez, an employee of the Social Security Administration abused his access to personal records in order to stalk past lovers and other romantic interests.183 Prosecutors brought misdemeanor charges against the employee under 18 U.S.C. § 1030(a)(2)(B) for exceeding authorized access to information from a department or agency of the United States as governed by an internal policy and contract prohibiting accessing personal information for a “nonbusiness” reason.184 The court found the defendant had clear notice of the policy and even admitted to accessing the subject records for a nonbusiness purpose without authorization at trial.185 Rejecting a narrow reading of John, the CFAA charges did not require a criminal purpose or an effort to further financial or commercial interests because the defendant faced only a misdemeanor penalty.186

Importantly, the John court held that an employment contract violation will not always trigger criminal liability.187 “[W]e do not necessarily agree that violating a confidentiality agreement under circumstances such as those in EF Cultural Travel BV would give rise to criminal culpability.”188 In EF Cultural Travel BV v. Explorica, Inc., the court found a former employee of a travel agency (called EF) civilly liable for exceeding authorized access by designing a computer program to undercut prices for a competitor.189 The relevant provision from a confidentiality agreement with the employer prohibited disclosure of “any technical, business, or financial information, the use or disclosure of which might reasonably be construed to be contrary to the interests of EF.”190 Likely for the same reasons Brekka rejected agency theory, this provision would be too broad to provide adequate notice of criminal prosecution.191

177 Brekka, 581 F.3d at 1132–33.
178 See 597 F.3d at 269.
179 Id. at 269–70.
180 Id. at 271.
181 Id.
182 Id. at 272 (emphasis added).
183 628 F.3d 1258, 1260–62 (11th Cir. 2010).
184 Id. at 1261–62.
185 See id. at 1260, 1263.
186 Id. at 1264.
187 See John, 597 F.3d at 272.

Though Rodriguez did not involve misappropriation of data, the employee’s notice and conscious decision to violate the policy were crucial to the outcome.192 The defendant could not seriously complain that he did not receive notice or reasonably expect to face misdemeanor charges for improperly accessing sensitive personal information on government databases.193 Therefore, a narrow and careful approach to employer-defined authorization in criminal prosecutions is the wise course and one that may be taken in cases of clear and intentional conduct, as in Nosal.194

Contracts can and have been used as a reference for criminal liability.195 In United States v. Sorich, the court utilized a civil Consent Decree to determine the scope of the defendants’ fiduciary duties.196 Noting “[o]ther courts have looked to sources other than the federal criminal statutes in an effort to understand the contours that shape a defendant’s duties,” the court swept aside the defendants’ argument that reference to the Decree would convert a breach of contract into a criminal prosecution.197 The court emphasized the defendants were charged under the statute.198 As in Sorich, CFAA cases attempting to discern authorization may refer to an employment contract without a per se criminalization of breaches of contract because the prosecution must still prove all the elements of the statutory violation.199

188 Id.
189 274 F.3d 577, 579–80 (1st Cir. 2001).
190 Id. at 582.
191 See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009).
192 See United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).
193 See id.
194 Cf. United States v. Nosal, 676 F.3d 854, 857–60 (9th Cir. 2012).
195 See infra notes 196–199.
196 See 427 F. Supp. 2d 820, 834 & n.9 (N.D. Ill. 2006), aff'd, 523 F.3d 702, 702 (7th Cir. 2008).
197 See id. (“The Government at no point states that it is bringing suit because Defendants violated either Shakman Decree; the indictment states that it brings suit because Defendants allegedly violated the mail fraud statute.”).
198 See id. at 834.

CONCLUSION

Despite seemingly complicated technical issues and conflicting statutory interpretations at play, United States v. Nosal was decided incorrectly for a simple reason. The defendants had clear notice in their employee use agreements that they were not authorized to misappropriate data, but did so anyway to defraud their employer and further their own financial interests.200 Picturing a dystopian future, the Nosal court overreached, oversimplified, and generally misapplied the law to the facts.201 It stretches the limits of the definition of “authorization” to conclude access confers free rein to use information for any and all purposes.202 The court’s interpretation leaves employers to either confer constrained access on select employees, slowing efficiency, or place fewer restrictions with the risk a faithless employee will sell secrets to a competitor or start a competing outfit.203 The Nosal court’s policy concerns are apparent in light of Drew, but general online use agreements and employer-defined contracts are clearly distinguishable.204 The case law demonstrates that with proper notice and assent, employment contracts can and should serve as a guidepost to determine whether an employee exceeded his or her authorized access.205

199 See id.
200 See United States v. Nosal, 676 F.3d 854, 856 (9th Cir. 2012).
201 See id. at 865–67 (Silverman, J., dissenting).
202 See id. at 865; United States v. John, 597 F.3d 263, 272 (5th Cir. 2010).
203 See Nosal, 676 F.3d at 856–58 (majority opinion).
204 See United States v. Drew, 259 F.R.D. 449, 452 (C.D. Cal. 2009).
205 See, e.g., John, 597 F.3d at 272; United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).