Without authorization and exceeds authorized access
under 18 U.S.C. §1030 – focusing on Nosal case
United States v. David Nosal, 676 F.3d 854 (9th Circuit 2012) is a case about an ex-employee who planned to start a competing business, accessed the employer’s computer and downloaded confidential information.1 The problem emerging from Nosal is this: when David Nosal and his co-conspirators downloaded the confidential information from the employer’s computer for their personal use, did they have authorized access to the information, or did they exceed authorized access to the computer in breach of the employer’s policy against non-business use of the confidential information? The majority in Nosal holds that there is no violation of 18 U.S.C. §1030(a)(4). The majority, looking into the history of the statute and considering that the statute uses the same term “without authorization and exceeds authorized access” in both 18 U.S.C. §1030(a)(2) and 18 U.S.C. §1030(a)(4),2 holds that incorporating corporate policy or terms of service into authorization creates much ambiguity and will turn ordinary innocuous behavior into federal crimes simply because a computer is involved.3 The behavior of David Nosal is not covered by 18 U.S.C. §1030. The dissent, by contrast, holds that at the time when David Nosal and his co-conspirators accessed the database, they knew they were only allowed to use the database for legitimate business purposes, because the co-conspirators allegedly signed an agreement which restricted the use and disclosure of information on the database except for legitimate Korn/Ferry business. Because Nosal’s co-conspirators accessed the database to obtain the confidential information with the intent to defraud Korn/Ferry by setting up a competing company to take business away using the stolen data, they “exceeded their authorized access” to a computer with an intent to defraud and violated 18 U.S.C. §1030(a)(4).4
1 David Nosal used to work for Korn/Ferry, an executive search firm. After he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their login credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred the information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information. The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violation of the CFAA, 18 U.S.C. §1030(a)(4). Nosal, 676 F.3d 854 (9th Circuit 2012).
2 18 U.S.C. §1030 –
(a) Whoever—
(2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) Information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) Information from any department or agency of the United States; or
(C) Information from any protected computer;
(4) Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
3 The majority explains that basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars. Id.1
4 The dissent explains that a bank teller is entitled to access a bank’s money for legitimate banking purposes, but not to take the bank’s money for himself. A person of ordinary intelligence understands that he may be totally prohibited from doing something altogether, or authorized to do something but prohibited from going beyond what is authorized. Id.1
The CFAA does not define “authorization”; it only defines “exceeds authorized access”, in 18 U.S.C. §1030(e)(6).5 In Nosal, the Ninth Circuit follows the rationale of LVRC Holdings LLC v. Christopher Brekka, 581 F.3d 1127 (9th Circuit 2009). In Brekka, the employer LVRC Holdings LLC sued its ex-employee Christopher Brekka for accessing LVRC’s computer without authorization both while he was employed at LVRC and after he left the company. The Ninth Circuit holds that during the course of the employment, Christopher Brekka used to email the documents he obtained or created in connection with his work for LVRC from the company’s computer to his personal computer when commuting back and forth between Florida and Nevada. Even though Christopher Brekka still retained the information on his personal computer after he left LVRC, at the time when he accessed the documents and information he had permission to use LVRC’s computer. Besides, nothing in the CFAA suggests that a defendant’s liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer.6 In Brekka, Christopher Brekka did not sign a written employment agreement with LVRC, nor did LVRC promulgate employee guidelines that would prohibit employees from emailing LVRC documents to personal computers. Therefore, no evidence shows that Christopher Brekka had agreed to keep the emailed documents confidential. In Nosal, by contrast, Korn/Ferry had a policy that forbade employees from disclosing the confidential information for non-business use. Employees also signed an agreement prohibiting the use and disclosure of information except for legitimate Korn/Ferry business. In my view, there is an ambiguity problem when interpreting the scope of authorization in Brekka because there is no agreement or notice about the use of confidential information. In Nosal, however, the employer clearly established a policy and had an agreement with employees concerning the use of the confidential information, so there seems to be no ambiguity problem in Nosal. Although the majority in Nosal holds that a non-business-use restriction is too broad to hold someone criminally liable, the Korn/Ferry policy clearly limited the use of the information on the database to its business use only. Nosal seems far from the majority’s concern about using the corporate computer to chat with friends or check the weather. It is about stealing valuable information from the employer for personal gain. The perpetrators clearly understood the boundaries of authorization and tried to evade liability. Applying the Brekka rule to Nosal seems to create a loophole in the statute and to confine the scope of “without authorization” too rigidly.
5 18 U.S.C. §1030(e)(6): The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
Besides the Ninth Circuit’s interpretation of authorization under 18 U.S.C. §1030, there are different interpretations of authorization among other Circuits.
First, in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-584 (1st Circuit 2001), the First Circuit holds that an employee is likely to exceed the authorized access to the employer’s computers when he uses that access to disclose information in violation of a confidentiality agreement.7
Second, in International Airport Centers L.L.C. v. Jacob Citrin, 440 F.3d 418, 420-421 (7th Circuit 2006), the Seventh Circuit holds that authorization to access the employer’s computer terminated when the employee engaged in misconduct and breached the duty of loyalty that agency law imposes on an employee.8
6 LVRC also argued that the CFAA incorporates an additional limitation on the word authorization: an employee can lose authorization to use a company computer when the employee resolves to act contrary to the employer’s interest. Brekka, 581 F.3d 1127.
7 EF is the world’s largest private student travel organization. The individual defendant, Philip Gormley, had been the vice president of EF and then started his own competing company, Explorica. Gormley envisioned that Explorica could gain a substantial advantage by undercutting EF’s prices on student tours. He then asked Explorica’s Internet consultant to design a computer program named “scraper” to glean all of the necessary information from EF’s website. EF, 274 F.3d 577, 579-580.
8 Jacob Citrin is a former employee of International Airport Centers (IAC), a company engaged in the real estate business. Citrin was employed to identify properties that IAC might want to acquire. IAC lent Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets. When Citrin decided to quit the job and go into business for himself, before returning the computer to IAC, he deleted all the data in it and loaded into the laptop a secure-erasure program, designed to write over the deleted files to prevent their recovery. Citrin, 440 F.3d 418.
Third, in United States v. Roberto Rodriguez, 628 F.3d 1258, 1260-1263 (11th Circuit 2010), the Social Security Administration set a policy that prohibited an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions. Notices about the prohibition of nonbusiness use of information were posted in the office; moreover, a banner about the prohibition of nonbusiness use of the confidential information appeared on every computer screen. The Seventh Circuit holds that even though the defendant, Roberto Rodriguez, accessed the database with his personal identification numbers and password, he still exceeded his authorized access and violated the CFAA when he obtained personal information for a nonbusiness reason.9
Fourth, in United States v. John, 597 F.3d 263, 271 (5th Circuit 2010), the Fifth Circuit holds that authorized access or authorization under the CFAA may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. An employee would exceed authorized access if he or she used that access to obtain or steal information as part of a criminal scheme.10
9 Roberto Rodriguez worked as a TeleService representative for the Social Security Administration. Rodriguez’s duties included answering questions from the general public about social security benefits over the telephone. As part of his duties, Rodriguez had access to Administration databases that contain sensitive personal information. In August 2008, Administration records established that Rodriguez had accessed the personal records of 17 different individuals for nonbusiness reasons. Rodriguez, 628 F.3d 1258.
10 John was employed as an account manager at Citigroup. By virtue of her position, she had access to Citigroup’s internal computer system and the customer account information contained in it. In September 2005, John provided Leland Riley with customer account information enabling Riley and other confederates to incur fraudulent charges. In this case, John argued that the statute, 18 U.S.C. §1030(a)(2), doesn’t prohibit unlawful use of material that she was authorized to access through authorized use of a computer. John, 597 F.3d 263.
After reading all the split Circuit decisions on authorization under the CFAA, the difference among Circuits seems to arise from whether “authorization” is interpreted narrowly or broadly. Will David Nosal be liable for his misconduct in other jurisdictions? Is the CFAA merely an anti-hacker statute or a computer crime statute? To begin with, if we take a look at the legal history of the CFAA, it started with the first version of §1030 enacted in 1984, followed by a series of major amendments through 2008. The history shows a clear and uniform trend of expansion. The remarkable growth of the CFAA has made the void-for-vagueness doctrine a critical weapon for challenging overbroad interpretations of the act.11 Therefore, with the scope of §1030 vastly broadened, a narrow interpretation of the statute is essential to save its constitutionality.
11 See Orin S. Kerr, “Vagueness Challenge to the Computer Fraud and Abuse Act”, Minnesota Law Review (2010, p1563, 1572) (From 1984, the new statute, to be codified at 18 U.S.C. §1030, established three new federal crimes. Then Congress significantly expanded the statute just two years later when it passed Pub. L. No. 99-474, formally known as the Computer Fraud and Abuse Act. The 1986 Act added three new prohibitions codified at §1030(a)(4)-(6). The next amendment to §1030 occurred in 1994. The 1994 amendment expanded §1030(a)(5), the computer damage statute. The next expansion of §1030 occurred in 1996. There were three major changes that expanded the scope of §1030. First, it vastly expanded the scope of §1030(a)(2). Second, the 1996 amendment added new provisions to the computer damage prohibition, added a new felony enhancement to §1030(a)(2), and added a computer extortion statute at §1030(a)(7). Finally, the 1996 amendment expanded the statute by replacing the category of Federal interest computers with the new category of protected computers. The USA Patriot Act of 2001 contained provisions expanding the scope of §1030. The most significant amendment to the scope of §1030 was the definition of protected computer to include computers located outside the United States. The most recent expansions to 18 U.S.C. §1030 were enacted in 2008. Three changes are most notable. First, the statute once again expanded the scope of §1030(a)(2) by removing the requirement of an interstate communication. The statute also expanded the reach of §1030(a)(5). The third expansion is the definition of “protected computer”).
As the next step, when there is a vagueness challenge to the CFAA, how do we narrowly interpret the statute? Letting the terms and conditions of a website define the scope of authorization may seem too ambiguous. On the other hand, suppose the private entity has already set a password and other electronic means to limit the unauthorized distribution of the confidential information, and has given notice and set guidelines for employees about the scope of using the confidential information, yet employees, as in Nosal, still access the code-protected database to obtain the confidential information for personal gain. Should this kind of conduct still be “authorized” under §1030? If private entities are still under the protection of the CFAA, then what actions should private entities take to be protected under §1030? I think if the employer makes the policy clear and gives enough notice to employees about the right way to use the corporate computer and confidential information, there should be a boundary for “authorization”. What precautions should the employer take to notify employees about confidential information? In my view, for example, there should be a corporate policy regarding the use of confidential information and computers. The policy should be clearly defined. By contrast, a mere business/nonbusiness distinction in the use of the confidential information may not be adequate to hold someone criminally liable. Besides, the private entity should set a guideline to instruct employees about the use of computers. It is better to give employees regular training about the use of computers. Moreover, periodic notices to employees concerning their use or violations of the policy seem a good way to let employees know the line between authorization and excess of authorization.
Looking back to Nosal, did the action taken by Korn/Ferry sufficiently support a criminal charge under §1030(a)(4)? According to the facts in Nosal, it is clear that Korn/Ferry had a policy forbidding the disclosure of the confidential information. There was also an agreement between the co-conspirators and the employer, which restricted the use and disclosure of information on the database except for legitimate business use. Besides, an opening notice on the employer’s computer screen showed that the information stored on the computer was the property of Korn/Ferry and that accessing the information without relevant authority could lead to disciplinary action and criminal prosecution. It is not known whether there was a guideline for employees to follow in Nosal. It is better to set a guideline for employees to follow. But the most important thing is giving sufficient notice. In my view, the notice given in Nosal, namely the policy, the agreement and the warning on the computer screen, seems enough to let employees know the line between authorization and excess of it. There is a big difference between Nosal and Brekka; David Nosal and his co-conspirators should be liable for exceeding authorization in accessing the database to obtain the confidential information of Korn/Ferry for personal benefit.
Nosal is a close case. Even though I consider that David Nosal and his co-conspirators should be criminally liable, the opinion of the majority still seems pretty persuasive to me. The growing reliance on computers is foreseeable. The misconduct of David Nosal needs to be regulated. Litigation similar to Nosal, involving former employees who depart to set up a business in competition with their former employer, happens frequently in this information technology age. Even though the majority in Nosal is concerned that the expansion of the CFAA threatens to criminalize a wider variety of activities, that concern can’t deter this kind of litigation and may encourage former employees to try to exploit the loophole in §1030. By contrast, the dissent tries to draw the line between authorization and excess of it through contract-based authorization. The debate on the line between authorization and excess of authorization will continue heatedly. Reform of the CFAA is urgently needed. There are two pending proposals in Congress to amend the concepts of authorization and exceeded authorized access. Compared to the development of technology, however, I believe that in the future courts will still play a leading role in determining all kinds of legal terms in the virtual world.

cyber crime midterm paper--nosal

  • 1.
    Without authorization andexceeds authorized access under 18 U.S.C. §1030 – focusing on Nosal case United States v. David Nosal, 676 F.3d 854 (9th Circuit 2012) is a case about an ex-employee who planned to start a competitive business and accessed to the employer’s computer and downloaded the confidential information.1 The problem emerging from Nosal is that when David Nosal and his co-conspirators downloaded the confidential information from the employer’s computer for their personal use, did they have the authorized access to the information or did they exceed authorized access to the computer in breach of the employer’s policy of non-business use of the confidential information? The majority Of Nosal holds that there is no violation of 18 U.S.C. §1030(a)(4). The majority, looking into the history of the statute and considering the statute uses the same term “without authorization and exceeds authorized access” both in 18 U.S.C. §1030(a)(2) and 18 U.S.C. §1030(a)(4)2, holds that there seems much ambiguity if incorporating the corporate policy or terms of service into authorization, which will 1 David Nosal used to work for Korn/Ferry, an executive search firm. After he left the company, he convinced some of his former colleagues to who were still working for Korn/Kerry to help him start a competing business. The employees used their login credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred the information to Nosal. The employees were authorized to access to the database, but Korn/Ferry had a policy that forbade disclosing confidential information. The government indicted Nosal on twenty counts, including trade secret, mail fraud, conspiracy and violation of the CFAA of 18 U.S.C. §1030(A)(4). Nosal, 676 F.3d 854(Ninth Circuit. 
2012) 2 18 U.S.C.§ 1030 – (a) Whoever— (2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (A) Information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); (B) Information from any department or agency of the United States; or (C) Information from any protected computer; (4) Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and
  • 2.
    criminalized the ordinaryinnocuous behavior into federal crimes simply because a computer is involved.3 The behavior of David Nosal will not be covered by 18 U.S.C. §1030. While the dissenting holds that at the time when David Nosal and his co-conspirators accessed the database, they knew they were only allowed to use the database for legitimate business purpose because the co-conspirators allegedly signed an agreement which restricted the use and disclosure of information on the database except for legitimate Korn/Ferry business. Nosal’s co-conspirators accessed the database to obtain the confidential information with the intent to defraud Korn/Ferry by setting up a competing company to take business away using the stolen data, they “exceeded their authorized access” to a computer with an intent to defraud and violate 18 U.S.C. §1030(a)(4). 4 The CFAA does not define “authorization”, but only defines “ exceeds authorized access” in 18 U.S.C. 1030(E)(6). 5 In Nosal, the Ninth Circuit follows the rationale in LVRC Holdings LLC v. Christopher Brekka, 581 F. 3d 1127(9th circuit 2009). In Brekka, the employer LVRC Holdings LLC sued the ex-employer Christopher Brekka by accessing LVRC’s computer without authorization both while he was employed at LVRC and after he left the company. The Ninth Circuit obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; 3 The majority explains that being criminal liability on violation of private computer use polices cab transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the NEW York Times to read at work, but they’d better not visitESPN.com. 
And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars. Id.1 4 The dissenting explains that a bank teller is entitled to access a bank’s money for legitimate banking purpose, but not to take the bank’s money for himself. A person of ordinary intelligence understands that he may be totally prohibited from doing something altogether, or authorized to do something but prohibited from going beyond what is authorized. Id.1
  • 3.
    holds that duringthe course of the employment, Christopher Brekka used to email the document he obtained or create in connection with his work for LVRC from the company’s computer to his personal computer when commuting back and forth between Florida and Nevada. Even though Christopher Brekka still retained the information in his personal computer after he left LVRC, at the time when Christopher Brekka accessed the document and information, he was given the permission to use LVRC’s computer. Besides, nothing in the CFAA suggests that a defendant’s liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer.6 In Brekka, neither did Christopher Brekka sign a written employment agreement with LVRC, nor did LVRC promulgate employee guidelines that would prohibit employees from emailing LVRC documents to personal computers. Therefore, no evidence show that Christopher Brekka had agreed to keep the emailed document confidential. In contrast to Nosal, Korn/Ferry had a policy that forbade employees from disclosing the confidential information for non-business use. Employees also signed an agreement prohibiting the use and disclosure of information except for legitimate Korn/Ferry business. In my view, there is an ambiguity problem when interpreting the scope of authorization in Brekka because there is no agreement or notice about the use of confidential information. However, in Nosal, the employer clearly established a policy and had an agreement with employees concerning the use of the confidential information, it seems no ambiguity problem in Nosal. Although the majority in 5 18 U.S.C. §1030(e)(6)-- The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
  • 4.
    Nosal holds thatthe use of non-business purpose is too broad to hold someone criminally liable, the Korn/Ferry policy clearly limited the use of the information on database for its business use only. Nosal seems far from the majority’s concern about using the corporate computer to chat with friends or checking the weather. It is about stealing the valuable information from the employer for personal gain. The perpetrators clearly understood the boundaries of authorization and tried to evade from the liability. Applying the Brekka rule to Nosal seems creating the loophole of the statute and confining the scope of without authorization rigidly limited. Besides the Ninth Circuit ‘s interpretation of authorization under 18 U.S.C. §1030, there are different interpretations of authorization among other Circuits. First, in EF Cultural Travel BV v. Explorica, Inc., 274 F. 3d 577, 583--584(1th Circuit 2001), the First Circuit holds that an employee is likely to exceed the authorized access to employer’s computers when he used that access to disclose information in violation of a confidential agreement.7 Second, in International Airport Centers L.L.C, v. Jacob Citrin, 440 F. 3d 418, 420-421(7th Circuit 2006), the Seventh Circuit holds that authorization to access the employer’s computer terminated when an employer engaged in misconduct and breached his duty of loyalty to the agency law imposed on an employee.8 6 The LVRC also argued that CFAA incorporates an additional limitation on the word authorization. An employee can lose authorization to use a company computer when the employee resolves to act contrary to the employer’s interest. Brakka, 581 F.3d 1127 7 EF is the world’s largest private student travel organization. The individual defendant Philip Gormley, had been the vicepresident of EF and then started his own competing company, Explorica. Gormley envisioned Explorica could gain a substantial advantage by undercutting EF’s price on student tour. 
He then asked Explorica’s Internet consultant to design a computer program named “scraper” to glean all of the necessary information from EF’s website. EF, 274 F 3d 577, 579-580. 8 Jacob Citrin is the former employee of International Airport Centers (IAC), IAC was a company engaged in the real estate business. Citrin was employed to identify properties that IAC might want to acquire. IAC lent Citrin a laptop to use to record data that he collected in the course of his
  • 5.
    Third, in UnitedStates v. Roberto Rodriguez, 628 F. 3d 1258,1260-1263(11th Circuit 2010), the Social Security Administration set a policy that prohibited an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions. Notices about the prohibition of nonbusiness use of information posted in the office, moreover, a banner about the prohibition of nonbusiness use if the confidential information appeared on every computer screen. The Seventh Circuit holds that even though the defendant, Roberto Rodriguez accessed the database with his personal identification numbers and password, he still exceeded his authorized access and violated the CFAA when he obtained personal information for a nonbusiness reason.9 Forth, in United States v. John, 597 F.3d 263, 271(5th Circuit 2010), the Fifth Circuit holds that whether authorized access or authorization under CFAA may encompass limits placed on the use of information obtained by permitted access to a computer system and data available on that system. An employee would exceed authorized access if he or she used that access to obtain or steal information as part of a criminal scheme.10 work in identifying potential acquisition targets. When Citrin decided to quit the job and go into his own business, before returning the computer to IAC, he deleted all the data in it and loaded into the laptop a secure-erasure program, designed by writing over the deleted files to prevent their recovery. Citrin, 440 F.3d 418. 9 Robert Rodriguez worked as a TeleService representative for the Social Security Administration. Rodriguez’s duties included answering questions of the general public about social security benefits over the telephone. As part of his duties, Rodriguez had access to Administration databases that contain sensitive personal information. 
In August 2008, Administration records established that Rodriguez had accessed the personal records of 17 different individuals for nonbusiness reasons. Rodriguez, 628 F. 3d 1258. 10 John was employed as an account manager at CITIgroup. By virtue of her position, she had access to Citigroup‘s internal computer system and customer account information contained in it. In September 2005, John provided Leland Riley with customer account information enabling Riley and other confederates tot incur fraudulent charges. In this case, John argued that the
  • 6.
    After reading allthe split Circuit decisions on authorization of the CFAA, the difference among Circuits seems rising from the way to interpret “authorization” narrowly or broadly. Will David Nosal be liable for his misconduct in other jurisdictions? Is the CFAA merely the anti-hacker statute or the computer crime statute? To begin with, if we take a look of the legal history of CFAA, it started with the first version of §1030 enacted in 1984. It then covered each major amendment through 2008. The history shows a clear and uniform trend of expansion. The remarkable growth of the CFAA has made the void-for-vagueness doctrine a critical weapon for challenging overbroad interpretations of the act.11 Therefore, with the scope of §1030 is vastly broadened, a narrow interpretation of the statue is essential to save its constitutionality. To the next step, when there is a vagueness challenge to CFAA, how do we narrowly interpret the statute? To let the terms of conditions of a website defines the scope of authorization may seem too ambiguous, on the other hand, if the private entity already set the password and other electronic means to limit the unauthorized distribution of the confidential information and gave notice statute 18 U.S.C. §1030(A)(2) doesn’t prohibit unlawful use of material that she was authorized to access through authorized use of computer. John, 597 F.3d 263. 11 See Orin S. Kerr” Vagueness Challenge to the Computer Fraud and Abuse Act “, Minnesota Law Review (2010, p1563, 1572) (From 1984, the new statute, to be codified at 18 U.S.C. §1030, established three new federal crimes. Then Congress significantly expanded the statute just two years later when it passed Pub. L. No. 99-474, formerly known as the Computer Fraud and Abuse Act. The 1986 Act added three new prohibitions codified at §1030(a)(4)-(6). The next amendment to §1030 occurred in 1994. The 1994 amendment expanded §1030(a)(5), the computer damage statute. 
The next expansion of §1030 occurred in 1996. There were three major changes that expanded the scope of §1030. First, the scope of §1030(a)(2) was vastly expanded. Second, the 1996 amendment added new provisions to the computer damage prohibition, added a new felony enhancement to §1030(a)(2), and added a computer extortion statute at §1030(a)(7). Finally, the 1996 amendment expanded the statute by replacing the category of Federal interest computers with the new category of protected computers. The USA Patriot Act of 2001 contained provisions expanding the scope of §1030. The most significant amendment to the scope of §1030 was the definition of protected computer to include computers located outside the United States. The most recent expansions to 18 U.S.C. §1030 were enacted in 2008. Three changes are most notable. First, the statute once again expanded the scope of §1030(a)(2) by removing the
  • 7.
    and set guidelines for employees about the scope of using the confidential information. Employees, as in Nosal, still access the code-protected database to obtain the confidential information for personal gain. Should this kind of conduct still be “authorized” under §1030? If private entities are still under the protection of the CFAA, then what actions should private entities take to be protected under §1030? I think that if the employer makes the policy clear and gives employees enough notice about the right way to use the corporate computer and confidential information, there should be a boundary for “authorization”. What precautions regarding confidential information should the employer take to notify employees? In my view, for example, there should be a corporate policy regarding the use of confidential information and computers. The policy should be clearly defined. By contrast, the business/nonbusiness use of the confidential information may not be adequate to hold someone criminally liable. Besides, the private entity should set a guideline to instruct employees about the use of computers. It is better to give employees regular training on the use of computers. Moreover, periodic notices to employees concerning their use or violations of the policy seem a good way to let employees know the line between authorization and excess of authorization. Looking back to Nosal, did the action taken by Korn/Ferry sufficiently support a criminal charge under §1030(a)(4)? According to the facts in Nosal, it is clear that Korn/Ferry had a policy forbidding the disclosure of the confidential information. There was also an agreement between the co-conspirators and the employer, which restricted the use and disclosure of information on the database
requirement of an interstate communication. The statute also expanded the reach of §1030(a)(5). The third expansion is the definition of “protected computer”).
  • 8.
    except for legitimate business use. Besides, an opening notice on the employer’s computer screen showed that the information stored on the computer was the property of Korn/Ferry. Accessing the information without relevant authority could lead to disciplinary action and criminal prosecution. It is not known whether there was a guideline for employees to follow in Nosal. It is better to set a guideline for employees to follow. But the most important thing is giving sufficient notice. In my view, the notice given in Nosal, such as the policy, the agreement and the warning on the computer screen, seems enough to let employees know the line between authorization and excess of it. There is a big difference between Nosal and Brekka: David Nosal and his co-conspirators should be liable for exceeding their authorization when they accessed the database to obtain the confidential information of Korn/Ferry for personal benefit. Nosal is a close case. Even though I consider that David Nosal and his co-conspirators should be criminally liable, the opinion of the majority still seems pretty persuasive to me. The growing reliance on computers is foreseeable. The misconduct of David Nosal needs to be regulated. Litigation similar to Nosal, involving former employees who depart to set up a business in competition with their former employer, happens frequently in this information technology age. Even though the majority in Nosal is concerned that the expansion of the CFAA threatens to criminalize a wider variety of activities, that concern can’t deter this kind of litigation and may encourage former employees to try to exploit the loophole in §1030. By contrast, the dissent tries to draw the line between authorization and excess of it on the basis of contract-based authorization. The debate on the line between authorization and excess of authorization will continue heatedly. Reform of the CFAA has become urgently
  • 9.
    needed. There are two pending proposals in Congress to amend the concepts of authorization and exceeded authorized access. Compared with the development of technology, though, I believe that in the future courts will still play a leading role in determining all kinds of legal terms in the virtual world.