Decision deepens circuit split on scope of CFAA

9th Circuit rules that workplace computer policy violations are not crimes

On April 10, the 9th Circuit ruled in U.S. v. Nosal that employees who violate workplace computer policies or website terms of use are not criminally liable under the federal Computer Fraud and Abuse Act (CFAA), which allows for the prosecution of anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access.” The decision represents a split with several other circuits, which could result in the issue heading to the Supreme Court.

David Nosal resigned as head of the CEO practice group at executive recruiting firm Korn/Ferry International in October 2004. After his departure, Nosal allegedly tried to start a competing business by convincing three former colleagues to download a confidential client database in violation of Korn/Ferry’s company policy.

The court’s opinion makes extensive references to the CFAA’s broader implications, namely that minor violations of computer usage policies—such as checking Facebook, playing Sudoku or sending personal emails—could result in criminal charges. Writing the opinion for the court, Judge Alex Kozinski worried that the government’s interpretation of the CFAA would “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.”

Judge Barry Silverman criticized the majority’s use of “far-fetched hypotheticals” in his dissent. He focused on the CFAA’s prohibition of “exceed[ing] authorized access,” arguing that Nosal and his co-workers clearly exceeded their access by using confidential information with the intent to defraud their company.

Alanna Byrne
