On Tuesday, October 10, 2017, the United States Supreme Court denied certiorari in Nosal v. United States, 16-1344. Nosal asked the Court to determine whether a person violates the Computer Fraud and Abuse Act’s prohibition of accessing a computer “without authorization” when using someone else’s credentials (with that other user’s permission) after the owner of the computer expressly revoked the first person’s own access rights. In denying certiorari, the Court effectively killed the petitioner’s legal challenge to his conviction in a long-running case that we have extensively covered here, here, here, here, here, here, and here (among other places). The denial of certiorari leaves further development of the scope of the CFAA in the hands of the lower courts. Continue Reading Supreme Court Refuses to Hear Password-Sharing Case, Leaving Scope of Criminal Liability Under Computer Fraud and Abuse Act Unclear
We are pleased to announce the webinar “2016
National Year In Review: What You Need to Know About the Recent Cases/Developments in Trade Secrets, Non-Compete, and Computer Fraud Law” is now available as a webinar recording.
In Seyfarth’s first installment of its 2017 Trade Secrets Webinar series, Seyfarth attorneys reviewed noteworthy cases and other legal developments from across the nation over the last year in the areas of trade secrets and data theft, non-competes and other restrictive covenants, and computer fraud. Plus, they provided their predictions for what to watch for in 2017.
As a conclusion to this well-received webinar, we compiled a summary of three takeaways that were discussed during the webinar:
- The DTSA can be a powerful tool to protect intellectual capital. However, in order to take full advantage of the DTSA, businesses should carefully check their agreements with employees, handbooks and equity awards to make sure they contain language mandated by the Defend Trade Secrets Act.
- 2016 was a record year for data and information security breaches. Organizations should alert and train employees on following company policies, spotting potential social engineering attacks, and having a clear method to escalate potential security risks. Employee awareness, coupled with technological changes towards better security will reduce risk and exposure to liability.
- Several states enacted laws to limit the scope and duration of non-competes in 2016. There were also some significant decisions limiting their scope and enforceability in 2016 as well. Companies should have their non-disclosure and non-compete agreements reviewed to ensure that they comply with the latest state and federal laws, including the new Defend Trade Secrets Act.
The 2016 Year in Review is a compilation of our significant blog posts from throughout last year and is categorized by specific topics such as: Trade Secrets, Computer Fraud and Abuse Act, Non-Compete & Restrictive Covenants, Legislation, International, and Social Media and Privacy. As demonstrated by our specific blog entries, including our Top Developments/Headlines, Trade Secrets Webinar Series – Year in Review and our dedicated page concerning federal trade secret legislation, our blog authors stay on top of the latest developments in this area of law and provide timely and entertaining posts on significant new cases, legal developments, and legislation.
The 2016 Review also includes links to the recordings of all webinars in the 2016 Trade Secrets Webinar Series. More information on our upcoming 2017 webinars is available in the program listing contained in this Review. Our highly successful blog and webinar series further demonstrate that Seyfarth Shaw’s national Trade Secret, Computer Fraud & Non-Competes Practice Group is one of the country’s preeminent groups dedicated to trade secrets, restrictive covenants, computer fraud, and unfair competition matters and is recognized as a Legal 500 leading firm.
Clients and friends of the firm can request a digital, CD, or printed copy of the 2016 Review below.
As we previously reported, the FBI has been investigating the St. Louis Cardinals for hacking into the Houston Astros’ internal computer network and stealing proprietary information, including internal discussions about trades, proprietary statistics, and scouting reports. The investigation has now concluded, the Cardinals’ former director of baseball development, Chris Correa, pleaded guilty to five counts of unauthorized access of a protected computer in January, and he has now been sentenced to 46 months in federal prison. He also must pay $279,038 in restitution. According to NPR, “U.S. District Judge Lynn Hughes, as she sentenced Correa, noted that the crime has resulted in stricter security at other baseball teams, according to a press release from the Justice Department. When Correa apologized and called his actions ‘reckless,’ [Judge] Hughes replied, ‘No, you intentionally and knowingly did these acts.’”
As the Department of Justice reported at the time of Correa’s plea:
The plea agreement details a selection of instances in which Correa unlawfully accessed the Astros’ computers. For example, during 2013, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects who the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered. He also viewed the team’s scouting crosscheck page, which listed prospects seen by higher level scouts. During the June 2013 amateur draft, he intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.
Correa later intruded into that account during the July 31, 2013, trade deadline and viewed notes of Astros’ trade discussions with other teams.
Another set of intrusions occurred in March 2014. The Astros reacted by implementing security precautions to include the actual Ground Control website address (URL) and required all users to change their passwords to more complex passwords. The team also reset all Ground Control passwords to a more complex default password and quickly e mailed the new default password and the new URL to all Ground Control users.
Shortly thereafter, Correa illegally accessed the aforementioned person’s e mail account and found the e mails that contained Ground Control’s new URL and the newly-reset password for all users. A few minutes later, Correa used this information to access another person’s Ground Control account without authorization. There, he viewed a total of 118 webpages including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.
On two more occasions, he again illicitly accessed that account and viewed confidential information such as projects the analytics department was researching, notes of Astros’ trade discussions with other Major League Baseball teams and reports of players in the Astros’ system and their development.
The parties agreed that Correa masked his identity, his location and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.
Michael McCann provides a good analysis of the sentence for Sports Illustrated and describes potential penalties Major League Baseball may pursue against the Cardinals.
On July 12, 2016, the Ninth Circuit filed its published opinion in Facebook, Inc. v. Power Ventures, Inc., et al., Case No. 13-17154 (“Power Ventures”). Power Ventures is the latest in a series of decisions from the Ninth Circuit relating to the type of activities potentially giving rise to liability under the Computer Fraud and Abuse Act (18 U.S.C. §1030) (“CFAA”). Power Ventures has potentially important implications for the ways that businesses create, store, and monetize data through computers and web-based applications. Unlike the court’s Nosal line of decisions, Power Ventures is focused more on internet-based conduct that may violate the CFAA.
The underlying legal dispute between the parties began in 2008, when Facebook filed suit against Power Ventures, Inc. (“Power”) in the USDC for the Northern District of California. Power, which aggregated data from different social networking sites using, among other things, automated scripts (i.e., “scraping”), enabled people with various social media accounts to access all of their information in one place. Power used user-provided social media log-in information to import people’s information to a Power portal. In an effort to promote itself and attract users, Power then contacted via e-mail Facebook users’ friends, making it appear as if the e-mails came from Facebook.
Upon learning of Power’s activities, Facebook sent Power a cease and desist letter and used IP blocks in an attempt to prevent Power from obtaining Facebook data (IP blocking is a process by which a computer or network is directed to ignore all communications from a particular IP address). But Power continued to copy Facebook data and took measures to evade the IP blocks.
Although the Ninth Circuit analyzed whether Power’s conduct violated the federal CAN-SPAM Act (finding that it did not, and reversing District Court Judge Lucy Koh), the court’s analysis of the CFAA issues are most noteworthy. The court first walked through its United States v. Nosal CFAA decisions (from 2012 and July 5, 2016; see our coverage of these decisions here and here) to “distill two general rules” in analyzing the issue of authorized access under the CFAA:
(1) “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly” (noting that “once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability”); and
Applying these rules, the court noted that Power users “arguably gave Power permission to use Facebook’s computers to disseminate messages” (further stating that “Power reasonably could have thought that consent from Facebook users to share the [Power promotion] was permission for Power to access Facebook’s computers”) (emphasis in original). Importantly, the court found that “[b]ecause Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers ‘without authorization’ within the meaning of the CFAA.”
The court declined, in a footnote, to “decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly” (citing to a law review article asserting that “websites are the cyber-equivalent of an open public square in the physical world”).
Power continued to access Facebook and took steps to evade the IP blocks that Facebook put in place. The court noted discovery from the trial court that appears to reflect a concerted effort by Power to wire around Facebook’s countermeasures and a likely awareness that Power’s conduct implicated the CFAA.
To explain its finding that the Facebook cease and desist letter had revoked Power’s permission to access Facebook, the court analogized the circumstances to a person who wanted to borrow a friend’s jewelry held in a bank safe deposit box. The court said that the borrower would need permission from the bank and the safe deposit box holder to access the box if the bank had determined that it did not want the borrower on its premises (in the court’s example, because the borrower brought a shotgun to the bank when entering to access the safe deposit box).
Although the court’s analogy might have helped it better understand the technology and information flow at issue in Power Ventures, it lacks the nuance that can swirl around alleged “scraping” scenarios where there are sometimes questions concerning whether “access” under the CFAA has occurred and whether there is a protectable or property interest in the data scraped (in the court’s analogy, the jewelry was the safe deposit box holder’s property, but what was the data equivalent in Power Ventures and, under different facts, what might be the bank’s property interest?).
Notably, Facebook does not appear to have pleaded a breach of contract claim in the trial court.
Cyberspace and e-commerce law will continue to evolve rapidly, so banks best keep an eye out for those skilled in the programming arts along with shotgun-toting borrowers of jewelry.
Ever since Iqbal and Twombly, it has become imperative that a complaint filed in federal court contains “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 570 (2007)). The Eastern District of Michigan recently reiterated this point in the context of an alleged violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. As detailed below, failure to include the requisite factual allegations can and will result in the dismissal of potential CFAA claims.
In Fabreeka International Holdings, Inc. v. Robert Haley and Armadillo Noise & Vibration LLC, 2015 U.S. Dist. LEXIS 154869 (E.D. MI, Nov. 17, 2015), Fabreeka Intl. Holdings filed suit against its former employee, Robert Haley, and his new employer, alleging that Haley unlawfully accessed its computers to obtain confidential information in violation of the CFAA. Specifically, Fabreeka alleged that: (1) during the period of his employment, Haley accessed confidential business information stored on Fabreeka’s servers; (2) Haley did not return all of Fabreeka’s confidential information at the time of his resignation; and (3) Haley authored or assisted in authoring proposals for his new employer using Fabreeka’s confidential information for the purpose of undercutting Fabreeka’s prices.
Fabreeka contended that its allegations establish violations under three sections of the CFAA: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), 1030(a)(5)(B) and (C).
- Subsection (a)(2) prohibits (1) intentionally accessing a computer (2) without authorization or exceeding authorized access and (3) thereby obtaining information (4) from any protected computer (if the conduct involved an interstate or foreign communication) where (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
- Subsection (a)(4) prohibits (1) accessing a “protected computer” (2) without authorization or exceeding such authorization that was granted, (3) “knowingly” and with “intent to defraud,” and thereby (4) furthering the intended fraud and obtaining anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
- Subsection (a)(5)(B) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, recklessly causes damage. 18 U.S.C. § 1030(a)(5)(B).
- Subsection (a)(5)(C) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, causing damage and loss. 18 U.S.C. § 1030(a)(5)(C).
The District Court dismissed each of these CFAA claims for the following reasons:
- There was no dispute that Haley was authorized to access information on the Fabreeka’s servers, including sales and manufacturing data, during his employment at Fabreeka. Since the facts pled established Haley had authorization, the Court held that Fabreeka’s claims subsections (a)(5)(B) and (a)(5)(C), requiring the access be “without authorization,” should be dismissed. This left Fabreeka’s remaining CFAA claims, which the Court said could proceed so long as Fabreeka pled facts that establish Haley exceeded his authorized access.
- Fabreeka’s Complaint asserted that Haley misappropriated confidential information based solely on the similarity of proposals submitted by Fabreeka and his new employer. Based off those proposals, Fabreeka offered unsupported conclusions that Haley stole confidential files and assisted in authoring the competitor’s proposal. The Court held that because “[a] pleading must include factual allegations that exceed mere speculation, see Twombly, 550 U.S. at 555, and Fabreeka’s CFAA allegations fail to meet this standard.”
In addition, the Court noted that a complaint must state sufficient facts to “raise a reasonable expectation that discovery will reveal evidence” of a claim’s required elements. Although Fabreeka’s Complaint alleged that Haley and his new employer’s owner communicated on Fabreeka’s computer during Haley’s employment, the Court found that the mere fact that the two discussed Haley joining Armadillo does not support a plausible inference that the two colluded to misappropriate confidential information. Thus, the Court held that it did “ not feel” that Fabreeka’s Complaint “pled sufficient facts to raise a reasonable expectation that further evidence of a CFAA violation will be revealed in discovery.”
- Fabreeka’s Complaint implied that the company considers all non-public information confidential. Defendants, on the other hand, claimed that Fabreeka’s proposals cannot be considered confidential because they are transmitted to third parties without any steps to protect the proposals or the information they contain. The Court noted that the Sixth Circuit previously stated, in the context of trade secrets, that if a company did not take reasonable steps to maintain the confidentiality of alleged trade secrets, a misappropriation claim properly fails. See BDT Products, Inc. v. Lexmark Int’l, Inc., 124 F. App’x 329, 333 (6th Cir. 2005). Accordingly, the Court held that insofar as Fabreeka’s allegations address confidential material taken, the company’s proposals submitted to customers may not be properly considered secret or confidential.
- Finally, the Court held that Fabreeka’s Complaint did not allege that the “damage and loss” allegedly suffered arose from the cost of responding to or from investigation into Haley’s alleged violation. Instead, the Complaint merely recited the elements of the CFAA and asserted there had been “damage and loss.” The Court held this was insufficient.
When asserting claims under the CFAA, it is critical to not only review and pled the necessary elements that form the claims, but to also include the sufficient factual allegations to support those claims. The Fabreeka decision highlights how more and more courts are cracking down on insufficient pleading, particularly in the context of CFAA suits. As a plaintiff, do not fall victim to poor or lazy drafting and, as a defendant, carefully review a complaint’s factual allegations with an eye towards a possible motion to dismiss.
In a recent Computer Fraud and Abuse Act case, the Seventh Circuit Court of Appeals affirmed the district court’s conclusion that the plaintiff had produced no evidence refuting the defendant’s contention that it honestly believed it was engaging in lawful business practices rather than intentionally deceiving or defrauding the plaintiff. Accordingly, entry of judgment for the defendant was appropriate. Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., Case No. 4:13-CV-4021 (7th Cir., Jan. 21, 2016).
Summary of the case. Fidlar licenses technology to county governments enabling them quickly to scan and digitize real estate transaction documents. The county-licensees pay Fidlar a fee for using its technology. In turn, county-licensees making the digitized documents available on line charge an access fee. Persons who access the digitized documents and print copies must remit copying fees to Fidlar.
LPS gathers, analyzes and sells data concerning real estate transactions. It developed software that permits the company, in exchange for a monthly payment to the county-licensees, to harvest and download en masse documents digitized by the counties using Fidlar’s technology. The software enables LPS to analyze the digitized data without printing the documents and, thereby, to avoid paying copying fees which otherwise would have been owed to Fidlar. When Fidlar learned what LPS was doing, Fidlar accused LPS of computer fraud in violation of the CFAA. LPS denied wrongdoing and prevailed in court on summary judgment.
The parties’ contentions. According to Fidlar, LPS defrauded Fidlar because LPS knew about the copying fee and had to know that its system for harvesting the information contained in the digitized real estate transaction documents allowed it to benefit from Fidlar’s technology without paying anything to that company. LPS responded that, far from intending to deceive or defraud, its business practices were driven by its need to access and analyze data quickly and efficiently, and that printing copies of the documents was unnecessary.
Did LPS intend to defraud Fidlar? Counties pay a fee to Fidlar for using its technology in order to digitize the contents of documents. LPS pays a fee to counties for enabling its computers to access the digitized data. LPS avoided remunerating Fidlar by not printing copies of the information. And, significantly, there was neither disruption nor destruction of Fidlar’s computer system or intellectual property. Fidlar apparently failed to anticipate, and therefore did not forbid, LPS’ access to and use of the data in this manner.
The CFAA criminalizes fraudulently accessing a computer or computer system with the intent of deceiving or cheating. In opposition to LPS’s summary judgment motion, Fidlar maintained that whether LPS intended to defraud Fidlar is a question of fact requiring a trial. However, both the lower and appellate tribunals said that the entry of summary judgment was appropriate because Fidlar was required, but failed, to demonstrate that there was evidence in the record supporting Fidlar’s claim that LPS had a fraudulent intent.
Takeaways. Proving a CFAA violation requires evidence of an intentional fraud. Even though Fidlar’s technology did not expressly permit third parties to access the digitized records and use the information without printing copies, thereby avoiding payment of fees to Fidlar, such access and use were not prohibited. Fidlar lost the case because it failed to design its software to require payments to the company by third parties who figured out how to make use of the data without printing it.
On Friday, January 29, 2016 at 12:00 p.m. Central, Seyfarth attorneys Michael Wexler, Robert Milligan and Joshua Salinas will present the first installment of the 2016 Trade Secrets Webinar series. The presenters will review noteworthy cases and other legal developments from across the nation this past year in the areas of trade secrets and data theft, non-competes and other restrictive covenants, computer fraud, as well as provide their predictions for what to watch for in 2016.
The Seyfarth panel will specifically address the following topics:
- New trade secret cases addressing damages, injunctive relief, and preemption;
- Practical implications of new state non-compete legislation in Alabama, Oregon, and New Mexico;
- Growing circuit split concerning applicability of Computer Fraud and Abuse Act in typical employee data theft scenarios;
- National and international efforts to improve trade secret protections, including the continuing attempt in the U.S. Congress with the proposed Defend Trade Secrets Act to create a federal civil cause of action for trade secrets theft, the European Union’s proposed directive to harmonize trade secret protection among the EU’s 28-member states as well as the Trans Pacific Partnership Agreement’s impact on trade secrets;
- Significant new federal and state court decisions on non-competes and other restrictive covenants that may impact their enforcement, including concerns regarding adequate consideration for agreements and growing efforts by government agencies and employees to challenge and narrow their use;
- Recent NLRB pronouncements on employer policies and agreements and their implications for protecting trade secrets;
- Noteworthy data breaches and criminal prosecutions and criminal sentences for trade secret misappropriation, data theft, and computer fraud and discussion of lessons learned.
In Seyfarth’s eighth installment in its series of Trade Secrets Webinars, Seyfarth social media attorneys discussed their recently released Social Media Privacy Legislation Desktop Reference and addressed the relationship between trade secrets, social media, and privacy legislation.
As a conclusion to this well-received webinar, we compiled a list of brief summaries of the more significant cases that were discussed during the webinar:
- In KNF&T Staffing Inc. v. Muller, Case No. 13-3676 (Mass. Super. Oct. 24, 2013) a Massachusetts court held that updating a LinkedIn account to identify one’s new employer and listing generic skills does not constitute solicitation. The court did not address whether a LinkedIn post could ever violate a restrictive covenant.
- Outside of the employment context, the Indiana Court of Appeals in Enhanced Network Solutions Group Inc. v. Hypersonic Technologies Corp., 951 N.E.2d 265 (Ind. Ct. App. 2011) held that a nonsolicitation agreement between a company and its vendor was not violated when the vendor posted a job on LinkedIn and an employee of the company applied and was hired for the position, because the employee initiated all major steps that led to the employment.
- In the context of Facebook, a Massachusetts court ruled in Invidia LLC v. DiFonzo, 2012 WL 5576406 (Mass. Super. Oct. 22, 2012) that a hairstylist did not violate her nonsolicitation provision by “friending” her former employer’s customers on Facebook because “one can be Facebook friends with others without soliciting those friends to change hair salons, and [plaintiff] has presented no evidence of any communications, through Facebook or otherwise, in which [defendant] has suggested to these Facebook friends that they should take their business to her chair.”
- Similarly, in Pre-Paid Legal Services, Inc. v. Cahill, Case No. CIV-12-346-JHP, 2013 U.S. Dist. LEXIS 19323 (E.D. Okla., Jan. 22, 2013) a former employee posted information about his new employer on his Facebook page “touting both the benefits of [its] products and his professional satisfaction with [it]” and sent general requests to his former co-employees to join Twitter. A federal court in Oklahoma denied his former employer’s request for a preliminary injunction, holding that communications were neither solicitations nor impermissible conduct under the terms of his restrictive covenants
- The Virginia Supreme Court in Allied Concrete Co. v. Lester, 285 Va. 295 (2013) upheld a decision sanctioning a plaintiff and his attorney a combined $722,000 for deleting a Facebook account and associated photographs that undermined the plaintiff’s claim for damages stemming from the wrongful death of his wife in an car accident. The deleted photographs showed plaintiff holding a beer while wearing a T-shirt with the message, “I Love hot moms.” Subsequent testimony revealed that the plaintiff’s attorney had instructed his paralegal to tell the plaintiff to “clean up” his Facebook entries because “we do not want blowups of this stuff at trial.”
- PhoneDog v. Noah Kravitz, No. C11-03474 MEJ, 2011 U.S. Dist. LEXIS 129229 (N.D. Cal., 2012) involved a dispute over whether a Twitter account’s followers constitute trade secrets even when they are publically visible. The court denied the defendant’s motion to dismiss and ruled that PhoneDog, an interactive mobile news and reviews web resource, could proceed with its lawsuit against Noah Kravitz, a former employee, who PhoneDog claimed unlawfully continued using the company’s Twitter account after he quit. The court held that PhoneDog had described the subject matter of the trade secret with “sufficient particularity” and satisfied its pleading burden as to Kravitz’s alleged misappropriation by alleging that it had demanded that Kravitz relinquish use of the password and Twitter account, but that he has refused to do so. With respect to Kravitz’s challenge to PhoneDog’s assertion that the password and the Account followers do, in fact, constitute trade secrets — and whether Kravitz’s conduct constitutes misappropriation, the court ruled that the such determinations require the consideration of evidence outside the scope of the pleading and should, therefore, be raised at summary judgment, rather than on a motion to dismiss. The parties ultimately resolved the dispute.
- The Second Circuit Court of Appeals in Triple Play v. National Labor Relations Board, No. 14-3284 (2d. Cir. Oct. 21, 2015) affirmed an NLRB decision that a Facebook discussion regarding an employer’s tax withholding calculations and an employee’s “like” of the discussion constituted concerted activities protected by Section 7 of the National Labor Relations Act. The Facebook activity at issued involved a former employee posting to Facebook, “[m]aybe someone should do the owners of Triple Play a favor and buy it from them. They can’t even do the tax paperwork correctly!!! Now I OWE money . . . Wtf!!!!” A current employee “liked” the post and another current employee posted, “I owe too. Such an asshole.” The employer terminated the two employees for their Facebook activity. The 2nd Circuit affirmed the NLRB’s decision that the employer’s termination of the two employees for their aforementioned Facebook activity was unlawful.
The following is a collection of social media policies that have been implemented by various companies: http://socialmediagovernance.com/policies/. While these policies can serve as a helpful guide, companies should tailor their own social media policies and consult with counsel.
On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA). In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.
The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA. Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.
Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I). Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets. As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.” In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.
This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime. Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement). Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.
U.S. Government’s Arguments
On the other side of the spectrum lie the government’s arguments. Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA. Such a broad interpretation was met with raised brows from the members of the judicial panel.
Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brecka case. Per Brecka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway. In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing. After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.
With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time. Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value for not being generally known by the general public.
Possible Outcomes for Nosal and Beyond
Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic. In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case. In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use. At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.
Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument. As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit. The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.