Brian P. Bialas is an attorney at
Foley Hoag LLP in Boston who focuses on litigating cases involving
non-competition and non-solicitation agreements, trade
secrets, fiduciary duties, and other business disputes. He
co-authors the Massachusetts Non-Compete Law Blog and
frequently contributes to the Security, Privacy and the Law Blog.
U.S. District Court for the District of Massachusetts has noted
that employers are increasingly using the federal Computer Fraud
and Abuse Act (CFAA) "to sue former employees and their new
companies who seek a competitive edge through wrongful use of
information from the former employer's computer
But in April, the U.S. Court of Appeals for the Ninth Circuit made
such employer lawsuits more difficult in that circuit by issuing
its en banc decision in United States v. Nosal.2 In
Nosal, the Ninth Circuit determined that an employee does not
"exceed authorized access"3 to information in a
computer under the CFAA when he or she violates an employer's
computer use restrictions.
In contrast, the First Circuit concluded more than a decade ago in
EF Cultural Travel BV v. Explorica, Inc.4 that
contractual restrictions can serve as the basis for a CFAA
violation. This circuit split affects the ability of employers to
maintain lawsuits under the CFAA against former employees who were
authorized to access their employer's confidential information but
took that information to competitors. It also tees up the CFAA for
review by the Supreme Court.
I. The CFAA
The CFAA provides for both criminal and civil liability (if
certain conditions are met)5 when a person commits
various acts involving a computer and "exceeds authorized access"
or acts "without authorization" in the process.6 The
provision under review in both Nosal and Explorica was 18 U.S.C. §
1030(a)(4), which imposes liability on someone who "knowingly and
with the intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access, and by means of such
conduct furthers the intended fraud and obtains anything of
The CFAA defines "exceeds authorized access" as "to access a
computer with authorization and to use such access to obtain or
alter information in the computer that the accesser is not entitled
so to obtain or alter."7 "Without authorization" is not
defined. Both the Ninth Circuit and the First Circuit focused their
respective analyses on whether employees "exceed[ed] authorized
access" when they were permitted by their employers to access
certain information on a computer, but then used that information
for the benefit of competitors. But because "without authorization"
is not defined, judicial interpretations of "exceeds authorized
access" necessarily affect the meaning of "without authorization"
II. The Ninth Circuit: Limiting the CFAA to "hacking"
In Nosal, the defendant Nosal worked for an executive search
firm and convinced several employees shortly before he left to
start a competing business with him. He asked the employees to use
their log-in credentials to download confidential information from
the firm's computers and to send the information to him. The
employees were permitted to access the information by their
employer, but were forbidden from disclosing it. Nosal was indicted
for aiding and abetting the employees in "exceed[ing] their
authorized access" in violation of 18 U.S.C. § 1030(a)(4). The
charge was dismissed by the district court, and the government
The Nosal court, sitting en banc, affirmed, reasoning that
"exceeds authorized access" should only be applied to a person
"who's authorized to access only certain data or files but accesses
unauthorized data or files--what is colloquially known as
'hacking.'"9 The statutory definition of the phrase
supported this interpretation because "entitled" should be read as
a synonym for "authorized" in the text and a broader interpretation
"would transform the CFAA from an anti-hacking statute into an
expansive misappropriation statute," which the court would not
presume Congress intended absent clearer language. A broader
construction "would expand its scope far beyond computer hacking to
criminalize any unauthorized use of information obtained from a
What is more, because § 1030(a)(2)(C) punishes a person who merely
"exceeds authorized access" and "obtains information from any
protected computer" without intent to defraud, a broader
interpretation "makes every violation of a private computer use
policy a federal crime." The court construed the statute narrowly
"so that Congress will not unintentionally turn ordinary citizens
into criminals" and concluded that "'exceeds authorized access' in
the CFAA is limited to violations of restrictions on access to
information, and not restrictions on its use." Because Nosal's
coworkers had permission to access the information, Nosal was off
The dissent, citing the Explorica decision among others, noted
that none of the other circuits to consider the meaning of "exceeds
authorized access" read the statute the same way.
III. The First Circuit: Breach of confidentiality
agreement proves excessive access
The First Circuit in Explorica reviewed the district court's
issuance of a preliminary injunction against defendant Explorica
and several of its employees pursuant to § 1030(a)(4) of the CFAA.
In Explorica, an employee of Explorica and a former employee of the
plaintiff, EF Cultural Travel BV (EF), revealed EF proprietary
information to Zefer, a company employed by defendant Explorica, an
EF competitor, in violation of his confidentiality agreement with
EF. Zefer then used that information to create a computer program
that "scraped" EF's public website of pricing information, thus
allowing Explorica to undercut EF's prices.
The court ruled that the district court's decision was not clearly
erroneous because "whatever authorization Explorica had to navigate
around EF's site (even in a competitive vein)," if EF's allegations
were proven, EF likely would prove that Explorica "exceeded that
authorization by providing proprietary information and know-how to
Zefer to create the scraper."10
In fact, "[p]ractically speaking, … if proven, Explorica's
wholesale use of EF's travel codes to facilitate gathering EF's
prices from its website reeks of use-and, indeed, abuse-of
proprietary information that goes beyond any authorized use of EF's
website."11 Although decided in a different factual and
procedural context than Nosal, as one judge in the District of
Massachusetts noted, the First Circuit in Explorica "advocated a
broader reading" of the CFAA than the Ninth
IV. Conclusion: On to the Supreme Court?
The Nosal decision's statement that a CFAA violation is limited
to violations of restrictions on access to information, not use,
when read with Explorica's competing conclusion that a CFAA
violation may be based on the abuse of proprietary information,
crystallizes the CFAA circuit split for Supreme Court review.
Violations of an employer's contractual and computer use policies
cannot be used to show a CFAA violation in the Ninth Circuit, but
they can in the First Circuit.
Assuming the government seeks certiorari, a decision by the
Supreme Court not to review the Nosal case will have an immediate
impact on employer decisions on where to file CFAA claims against
former employees who may have taken confidential information. In
fact, the Nosal decision adds yet another hurdle for employers
filing lawsuits in California (part of the Ninth Circuit) in
addition to the unenforceability of non-competition agreements as a
matter of policy in that state.
The circuit split is even more important because of the location
of important industries: Silicon Valley and Massachusetts (part of
the First Circuit) are high-tech hubs where many companies rely on
highly sensitive information to stay ahead of the competition. If
the Supreme Court chooses not to review Nosal, more employers will
file CFAA cases outside of the Ninth Circuit.
1Guest-Tek Interactive Entm't Inc. v. Pullen, 665 F.
Supp. 2d 42, 46 (D. Mass. 2009) (quotation omitted).
2No. 10-10038, 2012 U.S. App. LEXIS 7151 (9th Cir.
April 10, 2012) (en banc).
318 U.S.C. §§ 1030(a)(4), (e)(6) (2006).
4274 F.3d 577 (1st Cir. 2001).
518 U.S.C. § 1030(g) (2006).
6Id. at §§ 1030(a)(1)-(7) (2006).
7Id. at § 1030(e)(6) (2006).
8See Nosal, 2012 U.S. App. LEXIS 7151, at *9-*10.
9Id. at *5.
10Explorica, 274 F.3d at 583.
12Guest-Tek, 665 F. Supp. 2d at 46.