United States v. Nosal, 676 F.3d 854 (2012) (en banc)

In this criminal proceeding brought under the Computer Fraud and Abuse Act (“CFAA”), the United States government filed a 20-count indictment against David Nosal (a former employee of Korn/Ferry International) and his accomplices (also from Korn/Ferry) as a result of their obtaining information from their employer’s computer system for the purpose of defrauding Korn/Ferry and helping Nosal set up a competing business. The government contended that under the CFAA, an employee exceeds authorized access when he or she obtains information from a computer and uses it for a purpose that violates the employer’s restrictions on the use of such information. A three-judge panel of the Ninth Circuit Court of Appeals agreed with the government’s interpretation of the CFAA, but a broader en banc panel of the Court affirmed the district court’s dismissal of the CFAA counts, holding that the CFAA was intended by Congress to criminalize hacking by outsiders and not to reach the activities of employees who had exceeded their authorized access. In so holding, the Ninth Circuit parted company with the Fifth, Seventh and Eleventh Circuits, all of which have interpreted the CFAA to encompass employee misconduct such as that alleged in this case.