Chief Judge Alex Kozinski authored the opinion, which stemmed from a case where a former employee of an executive search firm convinced his former co-workers, who were still with the firm, to use their log-in credentials to download source lists, names and contact information from a confidential company database in order to help him start a competing business. The government indicted the defendant on twenty counts, including violations of the CFAA for aiding and abetting his former co-workers in exceeding their authorized access to their work computers.
In its ruling, the court held that the phrase in the CFAA “exceeds authorized access” should be construed narrowly to apply to hacking only and should not extend to violations of use restrictions. A broader construction would “allow private parties to manipulate their computer-use and personnel policies” to turn employer-employee relationships into ones policed by criminal law, and could criminalize behavior such as using an employer’s computer to chat with friends, play games, shop or watch sports highlights. Further, the court acknowledged the circuit split, stating that the other courts “looked only at the culpable behavior of the defendants before them, and filed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of ‘exceeds authorized access.’”