Last week, the Ninth Circuit published its long awaited en banc decision, authored by Chief Judge Alex Kozinski, in United States v. Nosal [pdf].  The 9-2 reversal of the 3-judge appellate decision holds that the Computer Fraud and Abuse Act's phrase “exceeds authorized access” is limited to violations of restrictions on physical access to information and does not extend to violations of restrictions on the use of information.  Prosecution under the CFAA thus requires proof of “hacking” and employers will not be able to bring a claim for violation of the CFAA based on a violation of a computer use policy.    

The decision calls out for United States Supreme Court review.  It departs from the Fifth, Seventh and Eleventh Circuit decisions concerning interpretation of the same statutory language and criticizes those courts for taking a short-sighted approach that focused on the facts of the cases before them while criminalizing acts that are wide-spread, commonplace and trivial.  

Unlike those cases, the Nosal decision makes only a quick introductory recitation of the facts of the case.  Those following the case will recall that Nosal persuaded his former colleagues still working for his former employer to help him start a competing business by accessing information from the company’s database and then transferring that information to Nosal.  The employees had access to the database, but use of the information was restricted by policy:  “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”  Nosal was criminally prosecuted for aiding and abetting the employees in “exceeding their authorized access” with intent to defraud the employer.       

The Nosal decision sets aside its factual underpinnings and takes an expansive and some may say alarmist view of the CFAA’s potential impact, focusing on the ubiquity of computers and internet use in contemporary society generally and in the workplace.  It envisions employees being charged with federal crimes for “g-chatting with friends, playing games, shopping, or watching sports highlights” while at work and in violation of their employer’s policies prohibiting use of the employer’s computer systems for those activities.  These are “minor workplace dalliances” that employers’ policies would turn into federal crimes.  While the CFAA could be interpreted to criminalize violations of such use policies, the en banc panel rejected that interpretation to avoid the undesirable result of criminalizing common-place conduct that is not inherently wrong and which is without criminal intent.    

Where does this leave employers?  While Nosal was a criminal case, it is not limited to application in the criminal context. Very few employment cases are prosecuted criminally, and because the decision itself arises out of the employment context, its application in the civil context is expected.  While California employers may still bring claims for trade secret misappropriation, breach of contract, and certain torts, they will likely not have a basis for claiming federal subject matter jurisdiction under the CFAA. While they may no longer have a federal claim, employers will still want to have policies that clearly and appropriately restrict both access to and use of their information.