Circuit Courts Struggling with Scope of CFAA

case law bytes
Jun 20

On April 10, the 9th Circuit ruled in U.S. v. Nosal that employees who violate workplace computer policies or website terms of use are not criminally liable under the federal Computer Fraud and Abuse Act (CFAA). The CFAA makes it unlawful to access a computer without authorization, or to exceed the scope of one’s authorization, for the purpose of obtaining or altering information in the computer that one is not entitled to obtain or alter. The CFAA defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the [user] is not entitled to obtain or alter." The decision in U.S. v. Nosal represents a split with several other circuits, which could result in the issue heading to the Supreme Court.

In January 2010, the District Court in U.S. v. Nosal ruled that because the employees were within the authority granted to them by their employer when they accessed information from the company database "they did not exceed their authorized access . . . even if they acted with a fraudulent intent."  The government appealed to the Ninth Circuit and in April 2011, a split Ninth Circuit panel held that even though the co-conspirators had authorized access to the database as employees, they violated the CFAA because they violated the employer’s access restrictions, which prohibited the disclosure of confidential information.  The court ultimately granted Nosal's petition for rehearing en banc. 

At issue is the precise meaning of the CFAA’s vague prohibition of activity that “exceeds authorized access” to obtain “information from any protected computer.” The CFAA was passed in 1984 by Congress to combat the growing problem of computer hacking. The CFAA criminalizes the act of breaking into a computer system to commit fraud or theft. However, in briefs and arguments before the Ninth Circuit in U.S. v. Nosal, the DOJ claims that even authorized users can be prosecuted for hacking if they misuse their computers in unauthorized ways. The Third, Fifth and Eleventh Circuit Courts of Appeals have all upheld the DOJ’s definition.

However, the Ninth Circuit’s recent en banc opinion in Nosal clearly contradicts the rulings made by the other federal circuit courts. The full court’s current opinion narrowly criminalizes only unauthorized use of a computer (hacking) as opposed to the DOJ’s desired intent to broadly criminalize any misuse of computers by users who are authorized to access them.

The majority of the en banc Ninth Circuit U.S. Court of Appeals held that the phrase "exceeds authorized access" within the Computer Fraud and Abuse Act (CFAA) "is limited to violations of restrictions on access to information, and not restrictions on its use." The majority opinion, which was written by Chief Judge Alex Kozinski, stated that this was more in line with Congress' original intent in enacting the CFAA to combat hacking. The majority also stated that adopting the broader DOJ interpretation could potentially turn any employee's computer use that exceeds an employer's computer use policy into a federal crime.

Nosal argued that the disputed language clearly applies to a hacker or "someone who's authorized to access only certain data or files but accesses unauthorized data or files." The government countered that the disputed phrase "could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information."

The majority held that "[t]he government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute."  This would effectively "expand the scope of criminal liability to anyone who uses a computer in violation of computer use restrictions - which may well include everyone who uses a computer."

The DOJ’s interpretation, the majority said, "would make criminals of large groups of people who would have little reason to suspect that they are committing a federal crime" by using an employer's computer for such activities as sending a personal email, checking a weather report or playing a game.  Such users would not be on fair notice of the criminal laws and penalties, the majority said. 

Should the intent of the CFAA be read to punish hackers or to punish unwitting computer users who routinely violate innocuous corporate restrictions? The answer probably lies in between. The government needs the authority to protect employers and prosecute those employees who abuse authorization for criminal gain. However, a strict interpretation of the statute would essentially give the government carte blanche in preparing prosecutions and open a floodgate of potential indictments. Common sense dictates that the government hardly has the time or the inclination to prosecute victimless crimes that are innocuously hatched in a corporate cubicle. Even if this issue reaches the Supreme Court, the final rendering would be better off coming from a coherently written piece of legislation rather than another decision that can be picked apart.


David S. Weber is General Counsel for Digital Discovery and serves as a computer forensics consultant and eDiscovery expert to corporations and law firms.