In a 22-page ruling, the appellate court held that an employee with valid access to corporate data, cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA), if they then misuse or misappropriate the data.

"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski said writing the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote. The term "exceed authorized access" under the CFAA applies specifically to external hackers and violations of "restrictions on access to information, and not restrictions on its use," Kozinski held.

The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court.

The case in question involves David Nosal, a former employee at Korn/Ferry, a large executive recruitment firm based in Los Angeles. Soon after Nosal left the firm a few years ago, he convinced a few of his former colleagues to join him in setting up a competing firm, according to a description of the case in court documents.

Before joining Nosal, some of he employees used their login credentials to access a confidential Korn/Ferry database and download a large list of names and contact information of executive candidates from around the world. The information, which was clearly marked as meant for Kron/Ferry's internal use and prohibited from disclosure, was then passed on to Nosal.