United States v. Nosal

United States Court of Appeals for the Ninth Circuit
844 F. 3d 1024 (2016)

Rule of Law:

An individual accesses a computer 'without authorization' under the Computer Fraud and Abuse Act (CFAA) when they have had their access credentials affirmatively revoked by the system owner but subsequently gain access by using the credentials of a third party, regardless of whether that third party consented to sharing their credentials.


Facts:

  • David Nosal was a high-level employee at the executive search firm Korn/Ferry International.
  • After being passed over for a promotion, Nosal planned to leave and launch a competing firm with several Korn/Ferry colleagues, including Becky Christian, Mark Jacobson, and Jacqueline Froehlich-L’Heureaux (FH).
  • Upon Nosal's departure from his employment role (though he remained a contractor for a time), Korn/Ferry explicitly revoked his credentials to access its computer system and its proprietary database, 'Searcher'.
  • Becky Christian and Mark Jacobson also left Korn/Ferry, and the company revoked their computer access credentials as well.
  • FH remained an employee at Korn/Ferry at Nosal's request.
  • On three occasions after their departures, Christian and Jacobson, with FH's permission, used FH's valid login credentials to access the Searcher database.
  • Christian and Jacobson downloaded proprietary source lists and other confidential information from Searcher for the benefit of Nosal's new, competing business.

Procedural Posture:

  • The United States charged David Nosal in the U.S. District Court for the Northern District of California with violations of the CFAA and the Economic Espionage Act (EEA).
  • The district court dismissed a set of initial CFAA counts that were based on alleged misuse of computer access by individuals who were still employed at Korn/Ferry.
  • The U.S. Court of Appeals for the Ninth Circuit, sitting en banc, affirmed the dismissal of those counts in a prior decision known as Nosal I and remanded the case for trial on the remaining charges.
  • The government filed a superseding indictment based on access that occurred after Nosal's co-conspirators had left Korn/Ferry and had their access credentials revoked.
  • A jury in the district court convicted Nosal on all remaining counts.
  • Nosal (appellant) appealed his conviction to the U.S. Court of Appeals for the Ninth Circuit, challenging the sufficiency of the evidence and the interpretation of the CFAA.

Issue:

Does a former employee access a computer 'without authorization' in violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(4), when their own access has been explicitly revoked by the employer, but they gain entry by using the valid login credentials of a current employee?


Opinions:

Majority - Judge McKeown

Yes. A former employee whose computer access has been rescinded accesses a computer 'without authorization' by using a current employee's credentials to circumvent the revocation. The term 'without authorization' is an unambiguous, non-technical term that means accessing a computer without permission from the entity that has the authority to grant or deny it. Once Korn/Ferry affirmatively revoked access for Nosal, Christian, and Jacobson, they became 'outsiders,' and any subsequent access was without authorization. The current employee, FH, lacked the authority to override the company's explicit revocation of access for former employees. This conduct is distinct from the misuse of data by an authorized insider, which was addressed in Nosal I, and falls squarely within the CFAA's prohibition against accessing a computer after permission has been unequivocally withdrawn.


Dissenting - Judge Reinhardt

No. A person does not access a computer 'without authorization' when they do so with the consent of a legitimate account holder. The majority's broad interpretation of the CFAA threatens to criminalize the ubiquitous and generally harmless conduct of password sharing among millions of ordinary citizens. The CFAA is an anti-hacking statute, not a tool for enforcing private corporate computer use policies. The phrase 'without authorization' is ambiguous as to whether permission must come from the system owner or can come from an authorized user. Under the rule of lenity, this ambiguity should be resolved in the defendant's favor by holding that access is permissible if authorized by either the system owner or the account holder. Because FH, an authorized user, consented to sharing her password, the access was not 'without authorization.'



Analysis:

This decision solidifies the Ninth Circuit's interpretation of the 'without authorization' prong of the CFAA, distinguishing it sharply from the 'exceeds authorized access' prong addressed in Nosal I. It establishes a clear rule that once an employer affirmatively revokes an individual's access, that individual becomes an 'outsider,' and any subsequent access, even through a consenting insider, constitutes a criminal violation. This holding creates a bright-line rule for former employees, making it clear that using a former colleague's credentials is not a permissible workaround. The case deepens the circuit split on the CFAA's scope by narrowly defining 'authorization' as something only the system owner can grant in cases where access for a specific individual has been explicitly terminated.
