Supreme Court Declines to Review Conviction Under the Computer Fraud and Abuse Act

The U.S. Supreme Court declined to review the Computer Fraud and Abuse Act (CFAA) conviction of a former recruiting firm executive, David Nosal, who used an ex-colleague’s password to steal his former employer’s client lists. Nosal challenged a provision of the CFAA which provides that a person who “knowingly and with intent to defraud, accesses a protected computer without authorization.” A “protected computer” is defined broadly to apply to most any computer connected to the internet.  

Nosal had asked the Ninth Circuit to overturn his conviction, arguing that gaining access to a computer through a willingly provided password doesn’t constitute a violation of the CFAA because he was authorized by his former colleague—who gave him the password—to access the network. In upholding Nosal’s conviction, the Ninth Circuit interpreted the phrase “without authorization” by looking to whether the access was authorized under the company’s computer use policies. Critics of the Ninth Circuit’s ruling argue that allowing a company’s computer use policies to define what constitutes “authorization” under CFAA is too expansive. Nosal argued, for example, that the Ninth Circuit’s approach meant that individuals could face criminal liability for everyday acts, such as “an office worker asking a friend to log into his email in order to print a boarding pass” in violation of the company’s access policies.

With the Supreme Court’s refusal to hear Nosal’s appeal, the Ninth Circuit’s holding stands—using another employee’s password to access a company database constitutes unauthorized access under the CFAA.

TIP: Companies should review their computer use and confidential information policies to ensure that they clearly define what type of access is, and is not, permitted.