Appeal from the United States District Court for the Northern District of California Marilyn H. Patel, Senior District Judge, Presiding D.C. No. 3:08-cr-00237-MHP-1
The opinion of the court was delivered by: Trott, Circuit Judge
Argued and Submitted February 14, 2011-San Francisco, California
Before: Diarmuid F. O'Scannlain and Stephen S. Trott, Circuit Judges, and Tena Campbell, District Judge.*fn1
Opinion by Judge Trott; Dissent by Judge Campbell
The United States appeals from the district court's dismissal of several counts of an indictment charging David Nosal with, inter alia, numerous violations of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030.*fn2 Subsection (a)(4), the subsection under which Nosal was charged, subjects to punishment anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." Id. § 1030(a)(4). The indictment alleges that Nosal's co-conspirators exceeded their authorized access to their employer's computer system in violation of § 1030(a)(4) by obtaining information from the computer system for the purpose of defrauding their employer and helping Nosal set up a competing business.
The district court relied on our decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), in determining that an employee does not exceed authorized access to a computer by accessing information unless the employee has no authority to access the information under any circumstances - in other words, an employer's restrictions on the use of the computer or of the information stored on that computer are irrelevant to determining whether an employee has exceeded his or her authorization. The government contends, on the other hand, that Brekka counsels in favor of its interpretation of the statute - that an employee exceeds authorized access when he or she obtains information from the computer and uses it for a purpose that violates the employer's restrictions on the use of the information.
We have jurisdiction under 18 U.S.C. § 3731, and we agree with the government. Although we are mindful of the concerns raised by defense counsel regarding the criminalization of violations of an employer's computer use policy, we are persuaded that the specific intent and causation requirements of § 1030(a)(4) sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of a company computer for personal - but innocuous - reasons. We therefore reverse and remand to the district court with instructions to reinstate Counts 2, 4, 5, 6, and 7.
For purposes of our review, the indictment's allegations must be taken as true. United States v. Fiander, 547 F.3d 1036, 1041 n.3 (9th Cir. 2008).
THE ALLEGATIONS AGAINST NOSAL
From approximately April 1996 to October 2004, Nosal worked as an executive for Korn/Ferry International ("Korn/Ferry"), an executive search firm. When Nosal left Korn/Ferry in October 2004, he signed a Separation and General Release Agreement and an Independent Contractor Agreement. Pursuant to these contracts, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with Korn/Ferry for one year. In return, Korn/Ferry agreed to pay Nosal two lump-sum payments in addition to twelve monthly payments of $25,000.
Shortly after leaving his employment, Nosal engaged three Korn/Ferry employees to help him start a competing business. The indictment alleges that these employees obtained trade secrets and other proprietary information by using their user accounts to access the Korn/Ferry computer system. Specifically, the employees transferred to Nosal source lists, names, and contact information from the "Searcher" database - a "highly confidential and proprietary database of executives and companies" - which was considered by Korn/Ferry "to be one of the most comprehensive databases of executive candidates in the world."
Paragraphs 9-11 of the indictment describe Korn/Ferry's efforts to keep its database secure:
9. Korn/Ferry undertook considerable measures to maintain the confidentiality of the information contained in the Searcher database. These measures included controlling electronic access to the Searcher database and controlling physical access to the computer servers that contained the database. Korn/Ferry employees received unique usernames and created passwords for use on the company's computer systems, including for use in accessing the Searcher database. These usernames and passwords were intended to be used by the Korn/Ferry employee only.
10. Korn/Ferry required all of its employees . . . to enter into agreements that both explained the proprietary nature of the information disclosed or made available to Korn/Ferry employees (including the information contained in the Searcher database) and restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business. . . .
11. Among other additional measures, Korn/Ferry also declared the confidentiality of the information in the Searcher database by placing the phrase "Korn/Ferry Proprietary and Confidential" on every Custom Report generated from the Searcher database. Further, when an individual logged into the Korn/Ferry computer system, that computer system displayed the following notification, in sum and substance:
This computer system and information it stores and processes are the property of Korn/Ferry. You need specific authority to access any Korn/Ferry system or information and to do so without the relevant authority can lead to disciplinary action or criminal prosecution. . .
(emphasis added) (third alteration in original).
DISTRICT COURT PROCEEDINGS
On June 26, 2008, the government filed a twenty-count superseding indictment against Nosal and one of his accomplices. Counts 2 through 9 of the indictment allege that the Korn/Ferry employees who conspired with Nosal - and Nosal himself as an aider and abettor - violated § 1030(a)(4).
Nosal filed a motion to dismiss the indictment. He argued "that the CFAA was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements." In other words, the Korn/Ferry employees could not have acted "without authorization," nor could they have "exceed[ed] authorized access," because they had permission to access the computer and its information under certain circumstances.
Recognizing that the question was one of first impression in the Ninth Circuit, the district court described the "two lines of diverging case law on this issue":
Some courts, including two courts of appeal, have broadly construed the CFAA to hold an employee acting to access an employer's computer to obtain business information with intent to defraud, i.e., for their own personal benefit or the benefit of a competitor, act "without authorization" or "exceed authorization" in violation of the statute. These courts have generally held that authorized access to a company computer terminated once an employee acted with adverse or nefarious interests and against the duty of loyalty imposed on an employee in an agency relationship with his or her employer or former employer.
Other courts have refused to hold employees with access and nefarious interests within the statute, concluding that a violation for accessing a protected computer "without authorization" or in "excess of authorized access" occurs only when initial access or the access of certain information is not permitted in the first instance. Those courts have generally reasoned that the CFAA is intended to punish computer hackers, electronic trespassers and other ...