Bye Bye Brekka–Hello Nosal! Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act

This past Monday I blogged of what I called the “Trilogy of Access Theories” to refer to the 3 lines of circuit court cases that have different theories for interpreting “access” under the Computer Fraud and Abuse Act (“CFAA”).

That was a FAIL!

United States v. Nosal

[EDITOR’S NOTE: THE CASE DISCUSSED IN THIS BLOG POST WAS SUBSEQUENTLY REVERSED BY YET ANOTHER UNITED STATES V. NOSAL — ACCORDINGLY, THIS BLOG POST IS OUTDATED]

As of today the trilogy has become a duo with the Ninth Circuit‘s opinion in United States v. Nosal. Honestly, however, I can’t say that it is that much of a surprise that the Ninth Circuit backed off of the hard line it took in LVRC Holdings LLC v. Brekka in which it established the rigid “access means access” theory. The facts of Brekka were quite distinguishable from the facts of United States v. Rodriguez, United States v. John, United States v. Phillips, and International Airport Centers, LLC v. Citrin–the cases in which the Eleventh, Fifth, and Seventh Circuits, respectively, ruled differently on the access issue. Moreover, the Brekka Court left a few clues in its opinion though I am saving those for a different day … but here’s a hint: study those Bluebook signals!

Case Background

As for Nosal, if you are interested in reviewing the entire opinion then here it is: Nosal Opinion. The basic facts of Nosal are these: Employee resigns his position as an executive to become an independent contractor. Employee signs agreements agreeing to not compete with his former employer and governing his access to and use of confidential and proprietary information belonging to employer. Employee decides to open his own company competing with his former employer, takes three employees with him, and they all obtained trade secrets and other proprietary information from the former employer’s computer system and are now using it to compete. Former employee then indicted for violating the Computer Fraud and Abuse Act.

Key Facts Materially Different from Brekka

What really forced the Ninth Circuit’s hand in this case are the great lengths to which the former employer had gone to restrict and limit access to and use of its confidential and proprietary information, and they were extensive. Recall, in Brekka there were no restrictions and the employee had unfettered access to the computer and all data thereon.One of the Brekka Court’s biggest hang-ups was the employee had no way of knowing when authorization to access would terminate and, therefore, ruled on the side of being lenient. Not so in Nosal.

The Nosal Court found that because of the employer’s extensive restrictions and limitations, the issue before the court was whether the defendants “could have exceeded their authorized access by accessing information that they were entitled to access only under limited circumstances.” The Court held “that an employee ‘exceeds authorized access’ under [the CFAA] when he or she violates the employer’s computer access restrictions including use restrictions.” In other words, the court basically adopted the Intended-Use Theory first set forth by the Fifth Circuit in United States v. Phillips and United States v. John which was then joined by the Eleventh Circuit in United States v. Rodriguez. Now I make this overly generalized statement knowing full well that there already are and will continue to be differences in the application between the courts, just as there are differences in the reasoning between John and Rodriguez. Of course there will be. Nonetheless, …

What Was the Intended-Use Theory Again?

The Intended-Use Theory, as explained in the Trilogy, provides that an employee’s own subjective changing of allegiances (which is sufficient according to the Citrin Agency Theory), is not sufficient by itself to terminate authorization; Yet an employer is not required to expressly notify the employee that his access has been terminated either. Rather, the employer can implement certain restrictions on access and use of information obtained thereby, ahead of time by policies and agreements, that are known by the employee, and if the employee still violates those limitations by accessing information and using it for improper purposes–not for its intended use–that access will be considered as having been unauthorized for purposes of the Computer Fraud and Abuse Act.

“Bye Bye Brekka”? Not Really … the Nosal Court is Not Abandoning, But Refining Brekka

The Nosal Court made it clear that it was not abandoning its reasoning in Brekka but was simply refining its application in this Nosal. Given how substantially different the facts of Brekka were vis-a-vis most other cases to which it has been compared, that certainly makes sense and follows from the court’s reasoning. The court also made it clear that it was not adopting the Citrin line Agency Theory. The court maintained its earlier position from Brekka that “it is the action of the employer that determines whether an employee is authorized to access the computer.” In Brekka it had held that once access to a computer had been authorized the only way the employer could terminate that authorization was to notify the employee that it was rescinding the right to access. In Nosal the court has simply taken that reasoning one step further, to the place of John and Rodriguez, and found that the authorization to access the computer can be limited at the outset by placing clear and conspicuous restrictions on the right to access and use the computer and any data there from. When one has knowledge of those limitations on that authorization, he “exceeds authorized access” by violating those limitations. “It is as simple as that,” as the court put it.

The Holding

In conclusion, the holding of the Nosal court is as follows:

Today, we clarify that under the CFAA,an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer. We reaffirm our previous conclusion that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access.'”

What Does All of This Mean?

From an employer’s standpoint, this case is very helpful. While it was a criminal case, the same standards of “access” that apply criminally under the CFAA also apply to civil actions. This case puts employers in the Ninth Circuit in the same position as employers in the Fifth and Eleventh Circuits. That is, it allows employers to implement clear and unambiguous policies that define the scope of permissible authorization for employees to access and use their computers as well as any data from those computers. If they have such policies, then under Nosal employers may have a valid CFAA claim against employees who exceed that authorization. If they do not, and their employees have “unfettered access” to the computers and data, then under Brekka the employer will not then be allowed to assert CFAA claims against them because the limitations on access were not set at the outset. In other words, the lesson for employers is to have comprehensive computer access and data use policies!

From a business litigation standpoint, I appreciate the Ninth Circuit’s opinion in United States v. Nosal though there are an awful lot of district courts who have taken a very hard line approach to following Brekka, in a way that was not followed in Nosal, and they are going to have a lot of work to do in order to get their rulings in line with this new opinion out of the Ninth Circuit. Now, however, we are left with only two clearly distinct lines of reasoning on the “access” issue, with the second being the agency theory set forth below.

From a jurisprudence standpoint, this shows the wisdom of the courts, including the United States Supreme Court, in allowing a body of law to mature and develop in the district courts and the circuit courts.

Agency Theory

The Trilogy started with the Seventh Circuit in International Airport Centers, LLC v. Citrin (citing Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc.) in which it held that under common law agency principles, an employee’s right to access his employer’s computer is premised on his serving the interests of his employer. Should his loyalties to his employer change and his interests become adverse, so to would his authorization change by becoming unauthorized. Under this “agency theory” the authorization to access was based upon the employee’s own subjective loyalties and interests and, if they changed, his authorization to access the employer’s computer changed with it.

This line of reasoning remains unfazed by the Ninth Circuit’s ruling in United States v. Nosal though it remains to be seen whether the Seventh Circuit will now move closer to the Intended-Use Theory. If it does then this issue may never need to be interpreted by the Supreme Court. If it doesn’t, then as long as there are at least two diverging theories on this issue, there’s always a chance that the access issue will be the vehicle to get the Computer Fraud and Abuse Act before the United States Supreme Court so that we can finally learn what the justices have to say about it. Until then, we’ll all keep arguing over it … and that’s our job!

11 thoughts on “Bye Bye Brekka–Hello Nosal! Ninth Circuit Warms-up to Intended-Use Theory of “Access” Under the Computer Fraud and Abuse Act

  1. Wow Shawn, what a thorough post. Can I admit that the majority of what you shared was WAY over my head!

    But what I will say is it’s perfectly obvious to me that if you are an employee and you sign a non compete agreement when hired, when you leave the company under any circumstances, you are not allowed to compete against that company. Dah! That’s what a non compete agreement is people. Don’t sign anything unless you understand what it says and if you don’t understand, have it explained to you. You then abide by that agreement and if you don’t, you’ve just broken the law. You can’t get any clearer than that. Even my little pea brain knows that!

    Darn you are smart, but then again, you are a lawyer. I want you on my side should I ever need one. 🙂

    Have a great day my friend.

    Adrienne

  2. Adrienne, thank you for your wonderful comment and your kind words! The points that you raise are very insightful and go straight to the heart of my biggest conundrum of all: HOW in the world do you blog about substantive legal “stuff” in a way that:
    (1) makes sense to your audience, which requires
    (2) deciding upon who is your “target audience”, but that
    (3) accurately provides a level of substantive analysis beyond that which any run-of-the-mill charlatan could provide yet,
    (4) does so within a reasonable amount of words that doesn’t drive the reader to either sleep or suicide?

    This is the #1 biggest thing I have been trying to figure out since I started reading other people’s blogs and blogging myself, and I am still trying to figure out how to do it. First and foremost, I am a lawyer, not a blogger, so I’m trying to figure out how to blog as a lawyer, hopefully using my training and experience to provide valuable substantive information to others. Most really good legal bloggers give you just a taste – a snippet – of the legal issues and analysis but don’t seem to get too deep, which makes their blogs much more readable and, therefore, popular. I, however, love the analysis part and what is what I really enjoy writing about, because it makes me really think and work through all of the issues, so I do not want to limit my posts to just the high points even if it means no popularity! So, I have had to sit here and think through this some more … in fact, I have now been thinking about this for nearly two hours since you left your comment – and that is good, I like to think but even more importantly, I like to solve problems! So …

    I see two options here: (a) I could ask you to write a non-lawyer summary of each of my blog posts because, in practical terms, the analysis in your comment is spot-on and distilled that entire mass of legal blah blah blah down to the core points that matter to most normal people (i.e., non-lawyer). This shows me that you are not only smart and perceptive (pea-brain or not! Haha), but you are truly a professional at what you do which is to distill blobs of information down into core concepts in a way that makes them easy and interesting for people to read. That is, there is a skill and technique to doing what you do that can hopefully be learned! So, my next option (b) is for me to work on developing that skill and structuring my blog posts in a way that allow for both a normal person to read it and get the practical gist and then, if someone is so inclined, to then dig a little deeper for the legal analysis that underlies the practical gist that is the limit of what most people want to read. I have an idea …

    I will try it on my next blog post and see how it works! Thank you Adrienne for helping me work through this and, given that I suspect this will be a continually evolving process, please keep your thoughts and advice coming, its invaluable!

  3. Pingback: mediaoptions

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s