Ninth Circuit Limits Application of the Computer Fraud and Abuse Act

Published: September 12, 2014

Victims of trade secret theft often can seek a variety of civil and criminal remedies against those who have absconded with proprietary information. The Ninth Circuit however recently rejected criminal charges in a situation where the claims could be addressed as a civil matter under California’s trade secret laws.

In United States v. Nosal, David Nosal was sued by his former employer, the Korn/Ferry executive search and placement firm. After leaving Korn/Ferry, Mr. Nosal contacted several former colleagues who were still working with the company and asked them for assistance with his efforts to set up a competing business. Mr. Nosal’s former co-workers had access to a significant amount of proprietary information on the Korn/Ferry computer system, and assisted Mr. Nosal by using this access in order to provide names, contact information, and other confidential data from Korn/Ferry’s proprietary database to Mr. Nosal. Although their access to the database was authorized, the employees provided information to Mr. Nosal in violation of a trade secret and nondisclosure agreement with their employer.

Responding to Korn/Ferry’s complaints, the United States government indicted Mr. Nosal on multiple criminal counts, including mail fraud, theft of trade secrets, conspiracy, and violations of the Computer Fraud and Abuse Act (“CFAA”). Specifically, the government claimed that Mr. Nosal conspired with his former co-workers in order to “exceed authorized access” to the company’s computers to defraud Korn/Ferry.

Claiming that the CFAA applies only to unauthorized access to computer systems, not abuse of authorized access by misusing or misappropriating the information obtained through that access, Nosal’s attorneys brought a motion to dismiss the government’s CFAA complaint. The district court granted that request and the Ninth Circuit agreed. The courts found that the provisions of the CFAA which prohibit users from “exceeding authorized access” do not extend to situations where users violate use restrictions on data that was otherwise acquired through authorized means. In the appellate court’s opinion, unless a narrow reading is applied, myriad people across the country could potentially be charged for felony violations of the CFAA simply because they had exceeded the permitted use of data which they otherwise had acquired through authorized means. The court therefore held that misuse of information otherwise lawfully acquired was properly addressed through civil remedies under the Uniform Trade Secrets Act. Although the Ninth Circuit’s holding in the Nosal case runs counter to holdings in several other federal appellate courts which have allowed such claims to proceed under the CFAA, the holding in Nosal must be considered when analyzing claims and remedies available to victims of trade secret theft and misappropriation.