Ninth Circuit CFAA Case May Draw High Court Review

By Leonard Deutchman
May 31, 2012

In United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151 (9th Cir. Apr. 10, 2012), http://1.usa.gov/J8AJZC, the U.S. Court of Appeals for the Ninth Circuit, en banc, held that the prohibition against “exceed[ing] authorized access” to a computer under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, http://bit.ly/Jz0c3n, which provides both criminal and civil penalties for such action, does not apply when an employee has been granted access to the company computer infrastructure but uses that access, against company policy and the obvious interests of the company, to copy valuable, confidential information in order to take business from the company.

For various reasons, articulated well in the dissent by Judge Barry Silverman (joined by only one other judge), the Ninth Circuit is wrong. What makes the decision particularly interesting is that, because it challenges the Justice Department's interpretation of the CFAA, it stands the best chance of making its way to the Supreme Court, a far more likely result than in any of the civil cases that held as Nosal did.

Background

The facts in Nosal are simple and typical for CFAA matters. David Nosal had worked for an executive search firm. Shortly after he left, he convinced some former colleagues, still working at the company, to help him start a competing business, according to the opinion. The employees accessed the company's computer infrastructure using their authorized credentials, downloaded source lists, names and contact information from a confidential database – to enter the database, the user had to “click through” a banner that warned that company policy forbade disclosing the data therein – and transferred that information to Nosal. The government indicted Nosal on 20 counts, including violations of 18 U.S.C. §1030(a)(4), for aiding and abetting company employees in “exceed[ing their] authorized access” with intent to defraud.

The CFAA in Other Circuits

Many district court cases have held consistent with Nosal, and many have not, but most of the circuit courts that have addressed the issue have rejected Nosal's reasoning and held that an employee who accesses a company computer and uses data for purposes antithetical to the purpose he or she was granted such access “exceeds authorized access” under Section 1030(a)(4). In United States v. John, 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit held that an employee exceeded authorized access when she accessed confidential customer information in violation of her employer's computer use restrictions and used that information to commit fraud. The Fifth Circuit reasoned that, at a minimum, when an employee “knows that the purpose for which she is accessing information in a computer is both in violation of an employer's policies and is part of [a criminally fraudulent] scheme, it would be 'proper' to conclude that such conduct 'exceeds authorized access.'”

In International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006), Judge Richard Posner, writing for the Seventh Circuit, reasoned that an employee “exceeds authorized access” to a computer when he or she accesses the employer's data for a business purpose that runs contrary to the employer's interest. Similarly, in EF Cultural Travel BV v. Explorica, 274 F.3d 577 (1st Cir. 2001), the First Circuit held that an employee's breach of a confidentiality agreement could “exceed authorized access” to the employer's network.

In United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010), the Eleventh Circuit held that an employee of the Social Security Administration exceeded his authorized access under Section 1030(a)(2) when he obtained personal information about former girlfriends and potential paramours and used that information to send the women flowers or to show up at their homes. Similarly, in United States v. Teague, 646 F.3d 1119 (8th Cir. 2011), the Eighth Circuit upheld a conviction under Sections 1030(a)(2) and (c)(2)(A) where an employee of a government contractor used his privileged access to a government database to obtain President Obama's private student loan records.

The Sixth Circuit did not reject the John/Citrin/EF Cultural Travel line of cases. However, in In re Black & Decker, No. 08-512 (6th Cir. Jan. 16, 2008), an interlocutory appeal, the court simply declined to examine the CFAA's application to employee data misuse.

The principal circuit to reject the John/Citrin/EF Cultural Travel interpretation of the CFAA was the Ninth Circuit, in LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009), where it held that an employee's e-mailing of corporate documents to his private account was not “unauthorized” because corporate policies did not clearly prohibit it. The district court in Nosal followed Brekka in granting defendant's motion to dismiss the CFAA counts against Nosal. The Ninth Circuit, however, on appeal to a three-judge panel, reversed, distinguishing Brekka because the defendant in Nosal plainly violated company policy in accessing, copying and distributing the data in question. The Ninth Circuit, en banc, vacated the three-judge panel's decision and affirmed the district court.

The Court's Reasoning

In interpreting what “exceeds authorized access” means, the Ninth Circuit's focus in Nosal was on how crucial a part of our personal lives computer usage has become. It observed: “Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work.”

Keeping in mind the importance Brekka placed on the fact that the company there had no policy forbidding what former employee Christopher Brekka did, while the three-judge panel in Nosal distinguished Brekka because the company in Nosal did have such a policy, the en banc Nosal court phrased the issue as whether the adoption of such policies would have the effect of criminalizing personal use of a company computer. Phrased in this manner, the court reached the obvious conclusion that it did not and should not.

Crucial to the court's reasoning was that the term “exceeds authorized access” had to be interpreted without looking at the purpose for which the user exceeded such access. Section 1030 explicitly defined “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court noted that the phrase was used in several parts of Section 1030. In Section 1030(a)(2)(A), the purpose is to obtain financial information; in Section 1030(a)(2)(B), it is to obtain “information from any department or agency of the United States”; and in Section 1030(a)(2)(C), it is to obtain “information from any protected computer” (a “protected computer” being one used in commerce, which, in the age of the Internet, means virtually every computer). In Section 1030(a)(4), the purpose is to further an “intended fraud” and obtain “anything of value.” The meaning of “exceeds authorized access,” then, the court found, has to remain constant within the statute; i.e., it could not change based upon the purpose for which the computer was accessed.

The court then concluded that someone who “exceeds authorized access” is “someone who's authorized to access only certain data or files but accesses unauthorized data or files,” rather than someone “who has unrestricted physical access to a computer, but is limited in the use to which he can put the information” and uses that information beyond his or her authorized limits. The court was led to that conclusion, it explained, dismissing the interpretation of “exceeds authorized access” articulated by the other circuits, because to conclude otherwise would be to criminalize the regular activity of millions of people who use their work computers for nonwork purposes. Here is how the court describes that slippery slope:

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by Google-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it's unlikely that you'll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

The purpose of the CFAA, the court argued, was “to address the growing problem of computer hacking,” that is, computer intrusions by people who, in CFAA terms, accessed a computer without any authorization, as one imagines a prototypical burglar breaking into the home of another. The problem of authorized users accessing data for improper purposes was simply not contemplated by the drafters of the CFAA or addressed by the statute. Thus, the actions of Nosal, while possibly subject to other criminal statutes or common law tort or contract actions, did not constitute violations of the CFAA.

The Dissent

The dissent characterized the majority opinion as having done “a good job of knocking down straw men – far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy” – by “ridiculing scenarios not remotely presented by this case.” The instant matter, the dissent noted, had “nothing to do with playing Sudoku, checking e-mail, fibbing on dating sites or any of the other activities that the majority rightly values. It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts.”

The dissent further argued that, to reach its result, the majority had to take “a plainly written statute” and parse it “in a hyper-complicated way” that distorted “the obvious intent of Congress. No other circuit that has considered this statute” found “the problems that the majority” did.

In plain language, the dissent noted, Section 1030(a)(4) required the government to prove that the defendant: 1) acted “knowingly and with intent to defraud”; 2) accessed a protected computer either a) “without authorization” or b) by “exceed[ing] authorized access”; 3) “by means of such conduct further[ed] the intended fraud”; and 4) “obtain[ed] anything of value.” Thus, the government had to prove that the defendant exceeded authorized access with the intent to defraud. Such requirement, obviously, removes employees who check their personal e-mail, etc., from the cast of potential defendants under the statute.

Moreover, the dissent even pointed to language from Brekka to support its interpretation: “'As this definition [of Section 1030(a)(4)] makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has “exceed[ed] authorized access.” ' The definition of the term “exceeds authorized access” from §1030(e)(6) implies that an employee can violate employer-placed limits on accessing information stored on the computer and still have authorization to access that computer. The plain language of the statute therefore indicates that “authorization” depends on actions taken by the employer.'”

The dissent's interpretation of “exceeds authorized access” is not, it notes, “an esoteric concept. A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself. A new car buyer may be entitled to take a vehicle around the block on a test drive. But the buyer would not be entitled – he would 'exceed his authority' – to take the vehicle to Mexico on a drug run. A person of ordinary intelligence understands that he may be totally prohibited from doing something altogether, or authorized to do something but prohibited from going beyond what is authorized. This is no doubt why the statute covers not only 'unauthorized access,' but also 'exceed[ing] authorized access.' The statute contemplates both means of committing the theft.”

The majority's interpretation, the dissent reasons, “conflicts with the plain language of the statute.” Furthermore, reviewing the case law discussed above, the dissent concludes that “none of the circuits that have analyzed the meaning of 'exceeds authorized access'” as used in the CFAA “read[s] the statute the way the majority does.”

The indictment in the instant matter alleged that Nosal and his co-conspirators “knowingly exceeded the authority that they had to access their employer's computer, and that they did so with the intent to defraud and to steal trade secrets and proprietary information from the company's database for Nosal's competing business '. If true, these allegations adequately state a crime under a common-sense reading of this particular subsection.”

Furthermore, the dissent reasoned, “it does not advance the ball to consider, as the majority does, the parade of horribles that might occur under different subsections of the CFAA, such as Subsection (a)(2)(C), which does not have the scienter or specific intent to defraud requirements that Subsection (a)(4) has.” An actual case must be brought to consider such issues, “rather than posit a laundry list of wacky hypotheticals.”

Analysis

It would be an understatement to say that the dissent is onto something here. Starting from the plain meaning of the statute, it is hard to imagine, from a technical point of view, what “exceeds authorized access” could mean other than to use access for an unauthorized purpose. The majority weakly explains that someone who “exceeds authorized access” refers to “inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).”

From a technical point of view, however, it is hard to see how an “inside hacker” is someone other than a person acting “without authorization.” If a user is authorized to access only certain data, but surreptitiously obtains the login credentials of another user with access to other data and then uses those credentials to log in and access that other data, such is plainly “unauthorized access.” If a user finds a way to circumvent the security measures that prevent him or her from accessing that “other” data through his or her login credentials and so accesses that “other” data, that, too, would be “unauthorized access.”

In other words, the majority's interpretation of “exceeds authorized access” renders the phrase a nullity by defining it only as pertaining to situations already covered under “unauthorized access.”

The majority's view of the legislative intent of the CFAA is also skewed. I have been involved in data security for almost 20 years, and investigated and prosecuted data breaches from the mid-1990s to 2005. Early on, I developed a data breach maxim that continued involvement in data security matters has led me to repeat many times: 90% of high-tech crime is low-tech. Yes, there are many who seek to “hack” into computer systems, and I will not downplay that aspect of data security, especially when governmental or financial systems are involved.

But for every uber-sophisticated cybercrook with endless applications, strategies and bottles of Mountain Dew to search for weaknesses in a system's security, there are nine hospital admitting officers or human relations clerks who steal personal identifying information and departing employees who copy confidential information. Such has always been the problem, and to view the CFAA as a response to War Games-type breaches is to live in the movies.

The Ninth Circuit would have the government do as little as possible about the wrongful copying we see in Nosal, and that is a staple of the business world in the age of computers. The Ninth Circuit views as amoral the world of fallible employees who use their work computers to check Facebook or drop a few pounds from their Match.com profiles. That world must be protected, even at the expense of prosecuting those who copy valuable company information for their own personal gain.

The good news is that because the Ninth Circuit's en banc opinion rebukes the manner in which the Department of Justice interprets the CFAA, a law under which many indictments have been brought, the DOJ is highly motivated to seek certiorari and the Supreme Court is equally motivated to grant it. Thus, Nosal may, in the end, do some good, if it leads to the final resolution of how to interpret key language in a statute whose interpretation is of great importance to employers and employees in this age of the digital workplace.


Leonard Deutchman is general counsel and administrative partner of LDiscovery (http://www.ldiscovery.com/), a firm with offices in New York City, Fort Washington, PA, McLean, VA, Chicago, San Francisco and London that specializes in electronic digital discovery and digital forensics. This article originally appeared in two parts in The Legal Intelligencer, the Philadelphia-based ALM affiliate of Internet Law & Strategy.

In United States v. Nosal, No. 10-10038, 2012 U.S. App. LEXIS 7151(9th Cir. Apr. 10, 2012), http://1.usa.gov/J8AJZC, the U.S. Court of Appeals for the Ninth Circuit, en banc, held that the prohibition against “exceed[ing] authorized access” to a computer under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. '1030, http://bit.ly/Jz0c3n, which provides both criminal and civil penalties for such action, does not apply when an employee has been granted access to the company computer infrastructure but uses that access, against company policy and the obvious interests of the company, to copy valuable, confidential information in order to take business from the company.

For various reasons, articulated well in the dissent by Judge Barry Silverman (joined by only one other judge), the Ninth Circuit is wrong. What makes the decision particularly interesting is that, because it challenges the Justice Department's interpretation of the CFAA, it stands the best chance of making its way to the Supreme Court, a far more likely result than in any of the civil cases that held as Nosal did.

Background

The facts in Nosal are simple and typical for CFAA matters. David Nosal had worked for an executive search firm. Shortly after he left, he convinced some former colleagues, still working at the company, to help him start a competing business, according to the opinion. The employees accessed the company's computer infrastructure using their authorized credentials, downloaded source lists, names and contact information from a confidential database ' to enter the database, the user had to “click through” a banner that warned that company policy forbade disclosing the data therein ' and transferred that information to Nosal. The government indicted Nosal on 20 counts, including violations of 18 U.S.C. '1030(a)(4), for aiding and abetting company employees in “exceed[ing their] authorized access” with intent to defraud.

The CFAA in Other Circuits

Many district court cases have held consistent with Nosal, and many have not, but most of the circuit courts that have addressed the issue have rejected Nosal's reasoning and held that an employee who accesses a company computer and uses data for purposes antithetical to the purpose he or she was granted such access “exceeds authorized access” under Section 1030(a)(4). In United States v. John , 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit held that an employee exceeded authorized access when she accessed confidential customer information in violation of her employer's computer use restrictions and used that information to commit fraud. The Fifth Circuit reasoned that, at a minimum, when an employee “knows that the purpose for which she is accessing information in a computer is both in violation of an employer's policies and is part of [a criminally fraudulent] scheme, it would be 'proper' to conclude that such conduct 'exceeds authorized access.'”

In International Airport Centers v. Citrin , 440 F.3d 418 (7th Cir. 2006), Judge Richard Posner, writing for the Seventh Circuit, reasoned that an employee “exceeds authorized access” to a computer when he or she accesses the employer's data for a business purpose that runs contrary to the employer's interest. Similarly, in EF Cultural Travel BV v. Explorica , 274 F.3d 577 (1st Cir. 2001), the First Circuit held that an employee's breach of confidentiality agreement could “exceed authorized access” to the employer's network.

In United States v. Rodriguez , 628 F.3d 1258 (11th Cir. 2010), the Eleventh Circuit held that an employee of the Social Security Administration exceeded his authorized access under Section 1030(a)(2) when he obtained personal information about former girlfriends and potential paramours and used that information to send the women flowers or to show up at their homes. Similarly, in United States v. Teague , 646 F.3d 1119 (8th Cir. 2011), the Eighth Circuit upheld a conviction under Sections 1030(a)(2) and (c)(2)(A) where an employee of a government contractor used his privileged access to a government database to obtain President Obama's private student loan records.

The Sixth Circuit did not reject the John/Citrin/EF Cultural Travel line of cases. However, in In re Black & Decker, No. 08-512 (6th Cir. Jan. 16, 2008), an interlocutory appeal, the court simply declined to examine the CFAA's application to employee data misuse.

The principal circuit to reject the John / Citrin / EF Cultural Travel interpretation of the CFAA was the Ninth Circuit, in LVRC Holdings v. Brekka , 581 F.3d 1127 (9th Cir. 2009), where it held that an employee's e-mailing of corporate documents to his private account was not “unauthorized” because corporate policies did not clearly prohibit it. The district court in Nosal followed Brekka in granting defendant's motion to dismiss the CFAA counts against Nosal. The Ninth Circuit, however, on appeal to a three-judge panel, reversed, distinguishing Brekka because the defendant in Nosal plainly violated company policy in accessing, copying and distributing the data in question. The Ninth Circuit, en banc, vacated the three-judge panel's decision and affirmed the district court.

The Court's Reasoning

In interpreting what “exceeds authorized access” means, the Ninth Circuit's focus in Nosal was on how crucial a part of our personal lives computer usage has become. It observed: “Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work.”

Keeping in mind the importance Brekka placed on the fact that the company there had no policy forbidding what former employee Christopher Brekka did, while the three-judge panel in Nosal distinguished Brekka because the company in Nosal did have such a policy, the en banc Nosal court phrased the issue as whether the adoption of such policies would have the effect of criminalizing personal use of a company computer. Phrased in this manner, the court reached the obvious conclusion that it did not and should not.

Crucial to the court's reasoning was that the term “exceeds authorized access” had to be interpreted without looking at the purpose for which the user exceeded such access. Section 1030 explicitly defined “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court noted that the phase was used in several parts of Section 1030. In Section 1030(a)(2)(A), the purpose is to obtain financial information; in Section 1030(a)(b)(B), it is to obtain “information from any department or agency of the United States”; and in Section 1030(a)(2)(C), it is to obtain “information from any protected computer” (a “protected computer” being one used in commerce, which, in the age of the Internet, means virtually every computer). In Section 1030(a)(4), the purpose is to further an “intended fraud” and obtain “anything of value.” The meaning of “exceeds authorized access,” then, the court found, has to remain constant within the statute; i.e., it could not change based upon the purpose for which the computer was accessed.

The court then concluded that someone who “exceeds authorized access” is “someone who's authorized to access only certain data or files but accesses unauthorized data or files,” rather than someone “who has unrestricted physical access to a computer, but is limited in the use to which he can put the information” and uses that information beyond his or her authorized limits. The court was led to that conclusion, it explained, dismissing the interpretation of “exceeds authorized access” articulated by the other circuits, because to conclude otherwise would be to criminalize the regular activity of millions of people who use their work computers for nonwork purposes. Here is how the court describes that slippery slope.

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by Google-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it's unlikely that you'll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

The purpose of the CFAA, the court argued, was “to address the growing problem of computer hacking,” that is, computer intrusions by people who, in CFAA terms, accessed a computer without any authorization, as one images a prototypical burglar breaking into the home of another. The problem of authorized users accessing data for improper purposes was simply not contemplated by the drafters of the CFAA or addressed by the statute. Thus, the actions of Nosal, while possibly subject to other criminal statutes or common law tort or contract actions, did not constitute violations of the CFAA.

The Dissent

The dissent characterized the majority opinion as having done “a good job of knocking down straw men ' far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy” ' by “ridiculing scenarios not remotely presented by this case.” The instant matter, the dissent noted, had “nothing to do with playing Sudoku, checking e-mail, fibbing on dating sites or any of the other activities that the majority rightly values. It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts.”

The dissent further argued that, to reach its result, the majority had to take “a plainly written statute” and parse it “in a hyper-complicated way” that distorted “the obvious intent of Congress. No other circuit that has considered this statute” found “the problems that the majority” did.

In plain language, the dissent noted, Section 1030(a)(4) required the government to prove that the defendant: 1) acted “knowingly and with intent to defraud”; 2) accessed a protected computer either a) “without authorization” or b) by “exceed[ing] authorized access”; 3) “by means of such conduct further[ed] the intended fraud”; and 4) “obtain[ed] anything of value.” Thus, the government had to prove that the defendant exceeded authorized access with the intent to defraud. Such requirement, obviously, removes employees who check their personal e-mail, etc., from the cast of potential defendants under the statute.

Moreover, the dissent even pointed to language from Brekka to support its interpretation: “'As this definition [of Section 1030(a)(4)] makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has “exceed[ed] authorized access.” ' The definition of the term “exceeds authorized access” from '1030(e)(6) implies that an employee can violate employer-placed limits on accessing information stored on the computer and still have authorization to access that computer. The plain language of the statute therefore indicates that “authorization” depends on actions taken by the employer.'”

The dissent's interpretation of “exceeds authorized access” is not, it notes, “an esoteric concept. A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself. A new car buyer may be entitled to take a vehicle around the block on a test drive. But the buyer would not be entitled ' he would 'exceed his authority' ' to take the vehicle to Mexico on a drug run. A person of ordinary intelligence understands that he may be totally prohibited from doing something altogether, or authorized to do something but prohibited from going beyond what is authorized. This is no doubt why the statute covers not only 'unauthorized access,' but also 'exceed[ing] authorized access.' The statute contemplates both means of committing the theft.”

The majority's interpretation, the dissent reasons, “conflicts with the plain language of the statute.” Furthermore, reviewing the case law discussed above, the dissent concludes that “none of the circuits that have analyzed the meaning of 'exceeds authorized access'” as used in the CFAA “read[s] the statute the way the majority does.”

The indictment in the instant matter alleged that Nosal and his co-conspirators “knowingly exceeded the authority that they had to access their employer's computer, and that they did so with the intent to defraud and to steal trade secrets and proprietary information from the company's database for Nosal's competing business '. If true, these allegations adequately state a crime under a common-sense reading of this particular subsection.”

Furthermore, the dissent reasoned, “it does not advance the ball to consider, as the majority does, the parade of horribles that might occur under different subsections of the CFAA, such as Subsection (a)(2)(C), which does not have the scienter or specific intent to defraud requirements that Subsection (a)(4) has.” An actual case must be brought to consider such issues, “rather than posit a laundry list of wacky hypotheticals.”

Analysis

It would be an understatement to say that the dissent is onto something here. Starting from the plain meaning of the statute, it is hard to imagine, from a technical point of view, what “exceeds authorized access” could mean other than to use access for an unauthorized purpose. The majority weakly explains that someone who “exceeds authorized access” refers to “inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).”

From a technical point of view, however, it is hard to see how an “inside hacker” is someone other than a person acting “without authorization.” If a user is authorized to access only certain data, but surreptitiously obtains the login credentials of another user with access to other data and then uses those credentials to log in and access that other data, such is plainly “unauthorized access.” If a user finds a way to circumvent the security measures that prevent him or her from accessing that “other” data through his or her login credentials and so accesses that “other” data, that, too, would be “unauthorized access.”

In other words, the majority's interpretation of “exceeds authorized access” renders the phrase a nullity by defining it only as pertaining to situations already covered under “unauthorized access.”

The majority's view of the legislative intent of the CFAA is also skewed. I have been involved in data security for almost 20 years, and investigated and prosecuted data breaches from the mid-1990s to 2005. Early on, I developed a data breach maxim that continued involvement in data security matters has led me to repeat many times: 90% of high-tech crime is low-tech. Yes, there are many who seek to “hack” into computer systems, and I will not downplay that aspect of data security, especially when governmental or financial systems are involved.

But for every uber-sophisticated cybercrook with endless applications, strategies and bottles of Mountain Dew to search for weaknesses in a system's security, there are nine hospital admitting officers or human relations clerks who steal personal identifying information and departing employees who copy confidential information. Such has always been the problem, and to view the CFAA as a response to War Games-type breaches is to live in the movies.

The Ninth Circuit would have the government do as little as possible about the wrongful copying that we see in Nosal and that is a staple of the business world in the age of computers. The Ninth Circuit views as amoral the world of fallible employees who use their work computers to check Facebook or drop a few pounds from their Match.com profiles. That world must be protected, even at the expense of prosecuting those who copy valuable company information for their own personal gain.

The good news is that because the Ninth Circuit's en banc opinion rebukes the manner in which the Department of Justice interprets the CFAA, a law under which many indictments have been brought, the DOJ is highly motivated to seek certiorari and the Supreme Court is equally motivated to grant it. Thus, Nosal may, in the end, do some good, if it leads to the final resolution of how to interpret key language in a statute whose interpretation is of great importance to employers and employees in this age of the digital workplace.


Leonard Deutchman is general counsel and administrative partner of LDiscovery (http://www.ldiscovery.com/), a firm with offices in New York City, Fort Washington, PA, McLean, VA, Chicago, San Francisco and London that specializes in electronic digital discovery and digital forensics. This article originally appeared in two parts in The Legal Intelligencer, the Philadelphia-based ALM affiliate of Internet Law & Strategy.
