On January 8th, after years of litigation and numerous delays, Executive Recruiter David Nosal was sentenced to one year and a day in federal prison for his April 25, 2013 conviction on three counts under the Computer Fraud and Abuse Act (“CFAA”), two counts under the Economic Espionage Act (“EEA”), and one count of conspiracy to violate the CFAA and EEA. The court also ordered Nosal to 400 hours of community service and three years of supervised release.
While Nosal’s counsel had argued for mere probation, the one-year sentence was considerably shorter than the maximum statutory penalty of five years’ imprisonment and a fine of $250,000, plus potential restitution, on the conspiracy and CFAA counts, and 10 years’ imprisonment and a fine of $250,000, plus potential restitution, on the EEA counts. The sentence was also shorter than the 27 months requested by federal prosecutors, and less than the 15 to 21 months provided for by sentencing guidelines.
The court based the sentence on its conclusion that Nosal’s former employer’s losses were less than $50,000, based on the value of the stolen information and time spent investigating the crime. Federal prosecutors had estimated the losses at close to $600,000, while Nosal’s counsel argued that the former employer had suffered no real loss.
Following sentencing, the court released Nosal to return to the British Virgin Islands where he is vacationing with his family.
Although the sentencing is the end of a chapter, it is not the end of this saga. Federal prosecutors have asked the court to order Nosal to pay more than $1.3 million in restitution to his former employer, including almost $1 million in legal fees incurred by the former employer’s counsel. Defense counsel has already filed a motion for Nosal to remain free pending appeal. The court will address those motions in a future hearing. The appeal process will likely take years to resolve. As referenced in an earlier post, this case will presumably once again end up before the Ninth Circuit which will determine whether the conviction will stand in light of its earlier en banc decision limiting the reach of the CFAA, finding that the statute was intended to punish hacking, not misappropriation of trade secrets in violation of an employer’s acceptable use policies.