8.97 Obtaining Information by Computer—"Protected" Computer

8.97 OBTAINING INFORMATION BY COMPUTER—"PROTECTED" COMPUTER
(18 U.S.C. § 1030(a)(2)(C))

The defendant is charged in [Count _______ of] the indictment with unlawfully obtaining information from a protected computer in violation of Section 1030(a)(2) of Title 18 of the United States Code. In order for the defendant to be found guilty of that charge, the government must prove each of the following elements beyond a reasonable doubt:

First, the defendant intentionally [accessed without authorization] [or] [exceeded authorized access to] a computer; and

Second, by [accessing without authorization] [exceeding authorized access to] a computer, the defendant obtained information from a computer that was [[exclusively for the use of a financial institution or the United States government] [not exclusively for the use of a financial institution or the United States government, but the defendant’s access affected the computer’s use by or for the financial institution or the United States government] [used in or affecting interstate or foreign commerce or communication] [located outside the United States but that computer was used in a manner that affected interstate or foreign commerce or communication of the United States]]. 

Comment 

18 U.S.C. § 1030(e) provides definitions of the terms "computer," "financial institution," and "exceeds authorized access." While the term "protected computer" is defined in 18 U.S.C. §　1030(e), that term is not used in the elements of this instruction because that definition has been incorporated into the second element. Accordingly, it is not necessary to provide a definition of "protected computer."

The first prong is satisfied when a defendant intentionally accesses a computer without authorization or exceeds authorized access. Musacchio v. United States, 136 S. Ct. 709, 713 (2016).

Interpreting the civil counterpart to Section 1030 and expressly finding such interpretation equally applicable in the criminal context, the Ninth Circuit held that "a person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway." LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). The court further held that an employee’s use of a computer contrary to the employer’s interest does not alone satisfy the "without authorization" prong of the statute. Id.　

The Ninth Circuit has held that the phrase "exceeds [or exceeded] authorized access" is limited to violations of restrictions on access to information, and not restrictions on the use of information that is permissibly accessed. United States v. Nosal, 676 F.3d 854, 864 (9th Cir. 2012); see also United States v. Christensen, 828 F.3d 763, 786-87 (9th Cir. 2015), as amended on denial of reh’g (July 8, 2016).　　

Approved 6/2019