II. The Ninth Circuit: Limiting the CFAA to “Hacking”
In Nosal, the defendant Nosal worked for an executive search firm and convinced several employees shortly before he left to start a competing business with him. He asked the employees to use their log-in credentials to download confidential information from the firm’s computers and to send the information to him. The employees were permitted to access the information by their employer, but were forbidden from disclosing it. Nosal was indicted for aiding and abetting the employees in “exceed[ing] their authorized access” in violation of 18 U.S.C. § 1030(a)(4). The charge was dismissed by the district court, and the government appealed.
The Nosal court, sitting en banc, affirmed, reasoning that “exceeds authorized access” should only be applied to a person “who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as ‘hacking.’” The statutory definition of the phrase supported this interpretation because “entitled” should be read as a synonym for “authorized” in the text and a broader interpretation “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute,” which the court would not presume Congress intended absent clearer language. A broader construction “would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer.” What is more, because § 1030(a)(2)(C) punishes a person who merely “exceeds authorized access” and “obtains information from any protected computer” without intent to defraud, a broader interpretation “makes every violation of a private computer use policy a federal crime.” The court construed the statute narrowly “so that Congress will not unintentionally turn ordinary citizens into criminals” and concluded that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Because Nosal’s coworkers had permission to access the information, Nosal was off the hook.
The dissent, citing the Explorica decision among others, noted that none of the other circuits to consider the meaning of “exceeds authorized access” read the statute the same way.
III. The First Circuit: Breach of Confidentiality Agreement Proves Excessive Access
The First Circuit in Explorica reviewed the district court’s issuance of a preliminary injunction against defendant Explorica and several of its employees pursuant to § 1030(a)(4) of the CFAA. In Explorica, an employee of Explorica and a former employee of the plaintiff, EF Cultural Travel BV (EF), revealed EF proprietary information to Zefer, a company employed by defendant Explorica, an EF competitor, in violation of his confidentiality agreement with EF. Zefer then used that information to create a computer program that “scraped” EF’s public website of pricing information, thus allowing Explorica to undercut EF’s prices.
The court ruled that the district court’s decision was not clearly erroneous because “whatever authorization Explorica had to navigate around EF’s site (even in a competitive vein),” if EF’s allegations were proven, EF likely would prove that Explorica “exceeded that authorization by providing proprietary information and know-how to Zefer to create the scraper.” In fact, “[p]ractically speaking, . . . if proven, Explorica’s wholesale use of EF’s travel codes to facilitate gathering EF’s prices from its website reeks of use—and, indeed, abuse—of proprietary information that goes beyond any authorized use of EF’s website.” Although decided in a different factual and procedural context than Nosal, as one judge in the District of Massachusetts noted, the First Circuit in Explorica “advocated a broader reading” of the CFAA than the Ninth Circuit.
IV. Conclusion: On to the Supreme Court?
The Nosal decision’s statement that a CFAA violation is limited to violations of restrictions on access to information, not use, when read with Explorica’s competing conclusion that a CFAA violation may be based on the abuse of proprietary information, crystallizes the CFAA circuit split for Supreme Court review. Violations of an employer’s contractual and computer use policies cannot be used to show a CFAA violation in the Ninth Circuit, but they can in the First Circuit. Assuming the government seeks certiorari, a decision by the Supreme Court not to review the Nosal case will have an immediate impact on employer decisions on where to file CFAA claims against former employees who may have taken confidential information. In fact, the Nosal decision adds yet another hurdle for employers filing lawsuits in California (part of the Ninth Circuit) in addition to the unenforceability of non-competition agreements as a matter of policy in that state. The circuit split is even more important because of the location of important industries: Silicon Valley and Massachusetts (part of the First Circuit) are high-tech hubs where many companies rely on highly sensitive information to stay ahead of the competition. If the Supreme Court chooses not to review Nosal, more employers will file CFAA cases outside of the Ninth Circuit.