On April 10, 2012, an en banc panel of the Ninth Circuit Court of Appeals limited the application of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, to violations of restrictions in accessing information, i.e. “hacking,” rather than criminalizing violations of restrictions on use of information obtained through authorized access of a computer.
In United States v. Nosal, an ex-employee of an executive recruiting firm was prosecuted on the theory that he persuaded current company employees of the company to access the company’s proprietary database and provide him with information in violation of corporate computer-use policy, presumably to start a competing business. The government claimed that the violation of this private policy was a violation of the Computer Fraud and Abuse Act (CFAA). Following a decision issued in 2009 by the Ninth Circuit, the district court ruled that violations of corporate policy are not equivalent to violations of federal computer crime law.
The court held that: “We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.”