An employee “exceeds authorized access” to information on a protected computer under the Computer Fraud and Abuse Act, 18 USC Sec. 1030, when “he or she violates the employer’s computer access restrictions — including use restrictions,” ruled the Ninth Circuit in a 2-1 decision (USA v Nosal, April 28, 2011, Trott, S). As such, the appeals court reversed and remanded a district court’s order dismissing several counts of a criminal indictment on the grounds that an individual could not “exceed authorized access” under the statute unless he or she was without authority to access the information under any circumstances.

Background. The indictment charged that a former employee and his co-conspirators violated Sec. 1030(a)(4) by exceeding their authorized access to their employer’s computer system in order to obtain information for the purpose of defrauding the employer and helping the former employee set up a competing business. The employer had taken several measures to keep secure the “highly confidential and proprietary” database at issue, including controlling electronic access to the database and physical access to the computers and servers that contained the database, requiring employees to sign confidentiality agreements that explained the proprietary nature of the information and restricted use and disclosure, placing a statement on all reports generated from the database, and giving a notification and warning at log-on that access without authority could lead to disciplinary action or criminal prosecution.

After initially denying the former employee’s motion to dismiss, the lower court dismissed several counts of the indictment relating to the co-conspirators based on the court’s interpretation of LVRC Holdings LLC v Brekka. The district court interpreted Brekka to hold that the meaning of the phrase “exceeds authorized access,” as used in CFAA, Sec. 1030, as having permission to access part of a computer, or certain information on that computer, but accessing a different part of the computer, or different information on the computer, that the individual is not entitled to access under any circumstances. The lower court concluded that intent is irrelevant in determining whether authorized access has been exceeded, even if the individual’s access is limited by the employer’s use restrictions. The district court held that because the co-conspirators were authorized to obtain information from the database for legitimate business purposes, they had not exceeded their authorized access, even if they acted with fraudulent intent.

Violation of use restrictions. On appeal, the government urged that authorized access is exceeded under Sec. 1030 when an employee obtains information from the computer and uses it for a purpose that violates the employer’s restrictions on the use of the information.

The Ninth Circuit agreed. Subsection (a)(4) punishes anyone who: “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” While the CFAA does not define the phrase “without authorization,” it states that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter,” the court emphasized. “So” in this context, means “in a manner or way that is indicated or suggested,” the court wrote, noting that the former employee’s asserted interpretation would render the word “so” superfluous, which the appeals court declined to do. “Because the statute refers to an accesser who is not entitled to access information in a certain manner, whether someone has exceeded authorized access must be defined by those access limitations,” concluded the Ninth Circuit.

Applying precedent. In Brekka, the appeals court held that it was the employer’s actions which determined whether an employee acted without authority to access a computer in violation of Sec. 1030. The conclusion here that an employer’s use restrictions define whether an employee “exceeds authorized access” is merely an application of Brekka’s reasoning, the Ninth Circuit said. Brekka held that ‘“an employer gives an employee authorization’ to access a company computer when the employer gives the employee permission to use it.” Thus, emphasized the Ninth Circuit, “the only logical interpretation of ‘exceeds authorized access,’ is that the employer has placed limitations on the employee’s “permission to use” the computer and the employee has violated — or ‘exceeded’ — those limitations.”

The court also noted that Brekka was factually distinguishable from the instant case, because in that case, the employee had unfettered access to the company computer, while the employer here had access restrictions in place. As long as the employee has knowledge of the employer’s limitations on authority to use a computer or the information contained on it, the employee “exceeds authorized access” when the employee violates those limitations, held the appeals court, joining the Fifth, Eleventh and First Circuits.

Dissent. Senior District Judge Tena Campbell, sitting by designation, dissented, arguing that under the majority’s interpretation, a person who obtains information from a computer connected to the Internet, in violation of his or her employer’s use restrictions, is guilty of a crime under CFAA, Sec. 1030(a)(2)(C), given that “exceeds authorized access” must be given the same meaning in that section, which does not contain the intent requirement included in Sec. 1030(a)(4). She also raised arguments related to constitutional vagueness and statutory construction.