The error was also prejudicial. Not anticipating Nosal, the government made no attempt to prove that Wright accessed any databases that she was not authorized to access in the course of doing her job. Although the government now contends that Wright’s use of the code “ERR” upon logging out in an attempt to cover her tracks constituted evidence of unauthorized access, we are not persuaded. “ERR” was a code that phone company employees were instructed to use if they accessed an account by accident. The use of that code did not necessarily prove that the employee was not authorized to access the database. Wright might have used the “ERR” code simply to divert suspicion as to what she was doing. That use of the “ERR” code may have violated company policy, but Wright may nonetheless have been authorized to access the database. Under Nosal, unauthorized use was not enough to support the convictions of Turner and Pellicano for aiding and abetting computer fraud by Wright.
We reach a similar conclusion on the convictions associated with Arneson’s misuse of information from the LAPD database. The government contends that Nosal does not preclude criminal liability under the CFAA for violations of state or federal law that restrict access to certain types of information. See, e.g., 28 C.F.R. § 20.33(d) (restricting the dissemination of certain criminal history information). This argument lacks merit. Those laws arguably prohibited Arneson’s conduct based on the way the information was used, as distinguished from the way it was accessed, but that does not expand the reach of the CFAA. Congress has created other statutes under which a government employee who abuses his database access privileges may be punished, but it did not intend to expand the scope of the federal antihacking statute. See Nosal, 676 F.3d at 857 & n.3 (refusing to “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute,” and citing another statute restricting the use of information under which a defendant might properly be charged).
The jury instructions defining both computer fraud and unauthorized computer access of United States agency information were plainly erroneous under Nosal. The error was prejudicial. We therefore vacate Turner’s conviction for aiding and abetting computer fraud, Arneson’s convictions for computer fraud and unauthorized computer access, and Pellicano’s convictions for aiding and abetting both computer fraud and unauthorized computer access. We remand for further proceedings as may be appropriate. If the government so decides, it may seek to retry the defendants on these charges.