close

For more than four decades, Fenwick & West LLP has helped some of the world’s most recognized companies become, and remain, market leaders. From emerging enterprises to large public corporations, our clients are leaders in the technology, life sciences and cleantech sectors and are fundamentally changing the world through rapid innovation.  MORE >

Fenwick & West was founded in 1972 in the heart of Silicon Valley—before “Silicon Valley” existed—by four visionary lawyers who left a top-tier New York law firm to pursue their shared belief that technology would revolutionize the business world and to pioneer the legal work for those technological innovations. In order to be most effective, they decided they needed to move to a location close to primary research and technology development. These four attorneys opened their first office in downtown Palo Alto, and Fenwick became one of the first technology law firms in the world.  MORE >

From our founding in 1972, Fenwick has been committed to promoting diversity and inclusion both within our firm and throughout the legal profession. For almost four decades, the firm has actively promoted an open and inclusive work environment and committed significant resources towards improving our diversity efforts at every level.  MORE >

At Fenwick, we are proud of our commitment to the community and to our culture of making a difference in the lives of individuals and organizations in the communities where we live and work. We recognize that providing legal services is not only an essential part of our professional responsibility, but also an excellent opportunity for our attorneys to gain valuable practical experience, learn new areas of the law and contribute to the community.  MORE >

Year after year, Fenwick & West is honored for excellence in the legal profession. Many of our attorneys are recognized as leaders in their respective fields, and our Corporate, Tax, Litigation and Intellectual Property Practice Groups consistently receive top national and international rankings, including:

  • Named Technology Group of the Year by Law360
  • Ranked #1 in the Americas for number of technology deals in 2015 by Mergermarket
  • Nearly 20 percent of Fenwick partners are ranked by Chambers
  • Consistently ranked among the top 10 law firms in the U.S. for diversity
  • Recognized as having top mentoring and pro bono programs by Euromoney

MORE >

We take sustainability very seriously at Fenwick. Like many of our clients, we are adopting policies that reduce consumption and waste, and improve efficiency. By using technologies developed by a number of our cleantech clients, we are at the forefront of implementing sustainable policies and practices that minimize environmental impact. In fact, Fenwick has earned recognition in several areas as one of the top US law firms for implementing sustainable business practices.  MORE >

At Fenwick, we have a passion for excellence and innovation that mirrors our client base. Our firm is making revolutionary changes to the practice of law through substantial investments in proprietary technology tools and processes—allowing us to deliver best-in-class legal services more effectively.   MORE >

Mountain View Office
Silicon Valley Center
801 California Street
Mountain View, CA 94041
650.988.8500

San Francisco Office
555 California Street
13th Floor
San Francisco, CA 94104
415.875.2300

Seattle Office
1191 Second Avenue
10th Floor
Seattle, WA 98101
206.389.4510

New York Office
1211 Avenue of the Americas
32nd Floor
New York, NY 10036
212.921.2001

Shanghai Office
Unit 908, 9/F, Kerry Parkside Office
No. 1155 Fang Dian Road
Pudong New Area, Shanghai 201204
P.R. China
+86 21 8017 1200


Litigation Alert: Ninth Circuit Holds Computer Fraud and Abuse Act Criminalizes Employee's Access To Information In Violation Of Employer's Express Access Limitations

United States v. Nosal, No. 10-10038 (April 28, 2011) (Trott, J., O'Scannlain, J., Campbell, J.)
http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf

Summary

On Thursday, April 28, 2011, the Ninth Circuit, in a split decision, held that an employee could be criminally liable under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the "CFAA"), for exceeding authorized access to an employer's computer system by accessing proprietary information in violation of the employer's written policies. In so holding, the Ninth Circuit joined several other circuits in interpreting the CFAA's "exceeds authorized access" prong to cover violations of an employer's clearly disclosed computer use policy to misappropriate proprietary company information. This interpretation of the CFAA also has ramifications outside the employment context, and potentially extends to enforceable terms of use policies and other contracts restricting network access.

Background of the Case

The facts of the case read like a garden-variety civil trade secret dispute. David Nosal had worked for the executive search firm Korn/Ferry International, which he left to start a competing firm. Soon after leaving the firm, Nosal engaged three Korn/Ferry employees to help set up the rival company. Those employees downloaded information about executive candidates from Korn/Ferry's password-protected leads database and provided that information to Nosal. All Korn/Ferry employees had been required to sign employment agreements prohibiting disclosure of such information.

In a federal criminal indictment, Nosal, was charged with violating § 1030(a)(4) of the CFAA, which imposes criminal liability for anyone who: "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." In light of the Ninth Circuit's decision in LVRC Holdings LLC v. Brekka, which construed the phrase "accesses.... without authorization" to exclude the actions of individuals who had misused their otherwise authorized access to computer systems, the district court dismissed five of the eight counts against Nosal.

The Ninth Circuit's Decision

In reversing the district court, the Ninth Circuit held that "an employee 'exceeds authorized access' under § 1030 when he or she violates the employer's computer access restrictions—including use restrictions." Because the company had contractually prohibited its employees from disclosing information on its computer system to third parties, or from using the information except for legitimate business purposes, the employees exceeded their authorization when they violated that prohibition.

The Ninth Circuit distinguished Brekka, which addressed the CFAA's access without authorization prong, as opposed to the exceeding authorized access prong at issue in Nosal. Unlike the company in Brekka, Korn/Ferry had made its computer access and non-disclosure policies conspicuously clear to all its employees.

The Ninth Circuit addressed the concern that its interpretation of "exceeds authorized access" would make criminals out of employees who violated their employer's use policies by using work computers for personal reasons. It held that the government—and by extension, a plaintiff in a private civil action, which is also available to enforce the CFAA—would still need to satisfy the other elements of § 1030(a)(4). Those elements require proof that that (1) the defendant intended to defraud the company, (2) the computer access furthered that intent, and (3) the defendant obtained something of value through the access.

Implications

Nosal gives greater teeth to computer access and use policies, thereby improving companies' ability to deter both outsiders and insiders from stealing confidential business information. In Nosal, the computer use policy prohibited disclosure to outside parties and use other than for legitimate business purposes. Restrictions on disclosure create a bright line rule that puts employees on notice. Restrictions on the purpose of access—such as for legitimate business purposes—present greater vagueness problems. Although the majority did not explicitly criticize Korn/Ferry's restriction for legitimate business purposes, it effectively replaced that standard by focusing on the "intent to defraud" element. This suggests that companies may face difficulty enforcing a computer use policy where an employee's motivation falls in the gray area between a legitimate business purpose and outright fraud. Where possible, computer use policies should be drafted to prohibit actions, instead of intentions.

Employers computer use policies, in addition to being clear, must be conspicuous. Korn/Ferry's policy was disclosed to employees at the time of hiring and each time an employee logged onto the Korn/Ferry computer system.

Nosal also has implications for restrictions on access to electronic information provided to customers or the public. A company that provides information on its website may be able to restrict the use of that information through enforceable Terms of Use. By the same token, companies who access information on an outside website should take note of what use restrictions exist. Nosal, however, involved the employment context, and the Ninth Circuit has not yet addressed whether the definition of access or authorization will be interpreted differently for non-employees.


For further information, please contact:

Laurence F. Pulgram, Partner, Litigation Group
lpulgram@fenwick.com, 415.875.2390
Tyler G. Newby, Of Counsel, Litigation Group and
White Collar/Regulatory Group
tnewby@fenwick.com, 415.875.2495
Sebastian E. Kaplan, Associate, Litigation Group
skaplan@fenwick.com, 415.875.2477
©2011 Fenwick & West LLP. All Rights Reserved.

The views expressed in this publication are solely those of the author, and do not necessarily reflect the views of Fenwick & West LLP or its clients. The content of the publication ("content") should not be regarded as advertising, solicitation, legal advice or any other advice on any particular matter. The publication of any content is not intended to create and does not constitute an attorney-client relationship between you and Fenwick & West LLP. You should not act or refrain from acting on the basis of any content included in the publication without seeking the appropriate legal or professional advice on the particular facts and circumstances at issue.