United States v. Nosal

A key case defining the limits of “unauthorized access” under computer misuse law.

Short Description About the Case

This case is a landmark decision interpreting the scope of the Computer Fraud and Abuse Act (CFAA) in the United States. It deals with whether employees who have legitimate access to a computer system can be held liable for misuse of information obtained from that system. The case is significant because it limits the overbroad application of “unauthorized access” and clarifies that misuse of data does not automatically amount to a criminal offence under the statute.

Facts

David Nosal, a former employee of an executive search firm, left the company and later persuaded some current employees to access the company’s confidential database and provide him with proprietary information. These employees had valid login credentials and were authorized to access the system, but they used that access to obtain information for a competing business.

The prosecution charged Nosal under the Computer Fraud and Abuse Act, arguing that the employees had “exceeded authorized access” by violating company policies and using the information for an improper purpose.

Nosal challenged the charges, contending that the law should not criminalize mere misuse of information where access to the system itself was authorized.

Findings

The Court held that “exceeding authorized access” under the CFAA does not include violations of company use policies. It clarified that the statute is intended to target hacking and unauthorized entry into computer systems, not the misuse of information by individuals who are otherwise permitted to access the system.

The Court expressed concern that interpreting the law broadly would criminalize everyday activities, such as employees violating workplace policies or terms of service agreements. It emphasized that criminal law must be interpreted narrowly to avoid overreach.

The ruling established that access restrictions, not use restrictions, determine liability under the CFAA.

Suggestion

This case is highly useful in matters involving data misuse, employee access, cyber law, confidentiality breaches, and statutory interpretation. It can be cited where a party attempts to treat policy violations or misuse of information as criminal “unauthorized access.”

For practical legal use, this case supports the principle that having authorized access to a system means that misuse of information alone does not amount to unauthorized access under criminal law.

Judgment

The Court ruled in favour of Nosal and limited the interpretation of the CFAA. It held that the statute applies to unauthorized access to computers, not to misuse of information obtained through permitted access.

The judgment stands as an important precedent ensuring that cybercrime laws are not applied too broadly to ordinary workplace or contractual violations.