Header graphic for print

Trading Secrets

A Law Blog on Trade Secrets, Non-Competes, and Computer Fraud

All or Nothing: Nevada Supreme Court Refuses to Adopt “Blue Pencil” Doctrine for Non-Compete Agreements

Posted in Non-Compete Enforceability

shutterstock_303993722In a recent opinion, the Supreme Court of Nevada refused to adopt the “blue pencil” doctrine when it ruled that an unreasonable provision in a non-compete agreement rendered the entire agreement unenforceable. “Blue penciling” refers to a court’s willingness to strike unreasonable clauses from a non-compete agreement, leaving the rest of the agreement to be enforced; or to modify the agreement to reflect terms that are reasonable under the law. Many jurisdictions permit “blue penciling” while others have refused to adopt the doctrine.

Traditionally, Nevada courts have followed the latter approach by refraining from reforming or “blue penciling” parties’ private contracts, including non-compete agreements. The case of Golden Road Motor Inn, Inc. v. Islam, presented the Supreme Court of Nevada with an opportunity to join the number of jurisdictions that have embraced the doctrine. For various reasons, the Court refused to do so.

The Islam case involved a dispute between a casino worker and his former employer. The worker, who worked as a casino host for the former employer, entered into an agreement with the former employer to refrain from working for any other gaming establishment within 150 miles of the former employer for one (1) year following the end of his employment with the former employer. After resigning from his employment with the former employer, the worker began working as a casino host for a new employer within the prohibited 150-mile radius. The former employer sued the worker to prevent his employment with the new employer.

The Court found the non-compete agreement’s prohibition of all types of employment with a gaming establishment within 150 miles of the former employer was overbroad, as such a prohibition extended beyond what was necessary to protect the former employer’s interests. The Court also found such a prohibition severely restricted the worker’s ability to be gainfully employed. Finding this provision unreasonable, the Court declared the entire agreement unenforceable.

The former employer asked the Court to modify the overbroad provisions of the non-compete agreement to render the agreement enforceable. Rejecting the former employer’s argument, the Court stated that it was not its role to rewrite the parties’ contract and that courts are not empowered to make private agreements. The Court explained that its restraint from “the urge to pick up the pencil” to modify the non-compete agreement avoids trampling the parties’ contractual intent, preserves judicial resources, and holds the employer, as the drafter of the agreement, to a higher standard. The Court explained that under a “blue pencil doctrine,” the employer receives what amounts to a “free ride” on the unreasonable provision, perhaps knowing that the provision would never be enforced. Consequently, the Court stated, the practice of “blue-penciling” encourages employers with superior bargaining power to “insist upon unreasonable and excessive restrictions, secure in the knowledge that the promise will be upheld in part, if not in full.” This, the Court maintained, forces the employee to bear the burden as employers “carelessly, or intentionally overreach.”

In light of this opinion, employers conducting business in Nevada should ensure that non-compete agreements with their employees are reasonably necessary to protect the employers’ interests. This means that the scope of activities prohibited, the time limits, and geographic limitations contained in the non-compete agreements should all be reasonable. If an agreement contains even one overbroad or unreasonable provision, the employer risks having the entire agreement invalidated and being left without any recourse against an employee who violates the agreement. Employers should consult with an attorney if they have any concerns about the enforceability of their non-compete agreements with their employees.

We Traced The Trade Secret Leak … It’s Coming From Inside The Business

Posted in Trade Secrets

Cross Posted from California Peculiarities.

Seyfarth Synopsis:  Protecting trade secrets from employee theft requires more than using an NDA when onboarding employees. If businesses want to protect confidential information, they need a cradle-to-grave approach, reiterating employee obligations regularly, including during exit interviews. (Yes, you need to do exit interviews!)

Headline stories in intellectual property theft tend to involve foreign hackers engaged in high-tech attacks to pilfer vast troves of data stored by big businesses or government entities, such as those involving Russian government hackers or the Chinese military. The losses are staggering. In 2009, McAfee estimated that cybercrime cost worldwide economies $1 Trillion. That number was cited by (a then-youthful) President Obama in his first speech on cybersecurity. Since that time, attacks by professionals and nation states have remained at the forefront of both news reports and the public perception. Since then, hack attacks have remained at the forefront of both news reports and the public perception.

But despite the disproportionate attention given to high value, high-tech attacks by outsiders, many U.S. businesses recognize that threats from the inside are just as costly as revealed by a 2014 PricewaterhouseCoopers survey. Nevertheless, “only 49%” of organizations surveyed had “a plan for responding to insider threats.”

Trade secrets are particularly susceptible to theft because they, by definition, consist of secret information with economic value. Company insiders often find that information too tempting to be leave behind when changing employers, or when seeking new employment. Therein lies the problem.

Trade secret theft by employees may not grab as many headlines as neo-Cold War espionage, but the data suggest that employees, not outsiders, pose the greatest threat of loss from trade secret theft. The good news is that a little proactivity by employers will go a long way toward keeping them out of the 49% who lack a plan to prevent leaks.

Of course, in California, obtaining protection is not all that simple. Non-compete agreements are, with very limited exceptions, a non-starter under Business and Professions Code § 16600, so you need special steps to keep your trade secret house in order. And because a California trade secret plaintiff (e.g., a former employer suing its former employee) likely must identify its trade secrets with reasonable particularity before commencing discovery, it pays to invest time on the front end to identify and inventory your trade secret information before litigation arises.

So, what can employers do?

Update Non-Disclosure Agreements to Comply With the DTSA, and See That Employees Know Why NDAs Are Important

Almost all employers (we hope) have confidential/non-disclosure and trade secret protection provisions in their employment agreements. But have these agreements been updated to comply with the recently enacted Defend Trade Secrets Act (“DTSA”) and its important employee/whistleblower notification provisions? And what are employers doing to help ensure compliance with their agreements? Rolling out new agreements is relatively easy. Making sure they are effective takes some doing.

Remember, your organization will not even have trade secrets to protect unless it has made  “efforts reasonable under the circumstances” (under the California Uniform Trade Secrets Act) or has taken “reasonable measures” (under the DTSA) to maintain the secrecy of the information it claims to be a trade secret. Cal. Civ. Code § 3426.1(d); 18 U.S.C. § 1839(3)(A).

Implement Computer Use and Social Media Agreements and Policies

Most trade secret theft occurs via electronic device. Make sure your company has computer use and access policies and agreements that:

  • Set forth that company computers, network, related devices, and information stored therein belong to the company;
  • Indicate that access to company computers and networks are password-protected, with access authorized only for work-related purposes;
  • Make use of data storage/access hierarchies, with the most valuable information being accessible on only a need-to-know basis, with security access redundancies (housed in a highly secure database that requires unique user credentials distinct from the log-in credentials the employee uses to access a computer workstation);
  • Identify which devices are allowed in the workplace—BYOD practices have become popular, but also present challenges in regulating information flow and return. If employees use their own devices to perform work for the company, make clear that the company data on those devices belong to the company;
  • Notify employees that the company reserves the right to inspect devices used for work to ensure that no company data exist on the devices upon termination of employment;
  • Define whether cloud storage may be used by employees, under what terms, and what happens when employment ends;
  • Define whether external storage devices (e.g., thumb drives) are allowed and under what terms; and
  • Identify whether and how employees may use social media associated with their work—trade secrets must never be publicly disclosed, but beware of any overreach that would suppress employee communications protected by the National Labor Relations Act.

Build a Culture of Confidentiality—Make Sure Employees Know What The Company Regards as Confidential and Then Remind Them Routinely

Employees need to understand what information your company considers confidential.  Educating employees on this subject should start at the beginning of employment, continue  throughout employment,  and recur at the end of employment. Tools that can help in this regard include:

  • Onboarding procedures to emphasize the importance of company confidential information;
  • Including in NDAs an express representation that the employee does not possess and will not use while in your employ confidential information belonging to any former employer or other third party;
  • Using yearly (or more frequent) brief interactive e-modules emphasizing the importance of maintaining the confidentiality of company information;
  • Requiring that the employee sit for an exit interview; and
  • Requiring that the employee certify in writing, during exit interviews, that they have returned all company information and property (the employee may provide property on the spot or make statements about what will be returned—you should inventory all such indicated property and information).

Properly Exiting Employees—Particularly for High Risk Employees—Matters!

Not all employees present the same risk of loss. Generally, the loftier an employee is in the corporate hierarchy the greater the threat that that employee will expose company confidential information. The following recommendations are for mid-to-high risk departing employees:

  • The person conducting the exit interview must be prepared—use a checklist;
  • “Preparedness” for higher-risk employees will include (1) identifying, before the exit interview, the trade secret and confidential information the employee routinely accessed and used during employment, (2) reviewing for unusual activity the departing employee’s computer and work activities (including card key facility access data, where available) in the days and weeks leading up to their exit, (3) using an exit certification as noted above, and (4) inquiring where the employee is going and what position the employee will hold;
  • Where initial investigation warrants, discreetly interview company-friendly co-workers of the departing employee to identify potentially suspicious conduct;
  • Immediately shut down the departing employee’s access to company computers, networks, and other data repositories (e.g., cloud or other off-site storage). Cutting off access to company computer and data may be warranted before exiting the employee, depending on the perceived risk of data theft;
  • Send a reminder-of-obligations letter to the now former employee, reciting ongoing obligations to the company and attaching, where useful, a copy of the NDA the employee has signed;
  • Consider notifying the new employer, but tread carefully here to avoid overstepping or providing a basis to be accused of interfering with the employment relationship between your former employee and the new employer; and
  • Depending on the threat level you perceive, consider having a departing employees’ emails preserved and their electronic devices forensically imaged.

With best practices in place, protecting your company’s trade secrets should be more like routine, but vigilant maintenance, than preparing to do cyber battle with foreign states. Organizations understandably focus on creating the next “big thing,” increasing sales, and building investor value, but slowing down enough to be purposeful in protecting intellectual property is a must.

Federal Precedents Under the DTSA Have Arrived

Posted in Trade Secrets

shutterstock_232392391While the Defend Trade Secrets Act of 2016 (“DTSA”) has only been in effect for a few months, the first wave of cases raising DTSA claims have started to generate federal decisions. In what appears to be the first substantive ruling under the Act, the Northern District of California illustrated some the advantages – and limitations – of DTSA claims in the context of injunctive relief.

Henry Schein, Inc. (“HSI”), a manufacturer of medical, dental and veterinary supplies, sued its former employee, Jennifer Cook, under the DTSA and a host of other California state law claims. Henry Schein, Inc. v. Cook, 16-cv-03166-JST (N.D. Cal.). Cook, a former sales associate, is alleged to have taken HSI’s trade secrets (including customer information) to her new employer, a competing dental supply company, despite her confidentiality agreements with HSI. HSI sought a temporary restraining order and, later, a preliminary injunction under both the DTSA and California state law claims. The court entered a temporary restraining order and preliminary injunction prohibiting Cook from disclosing HSI’s trade secrets to her new employer, but refused to enter a preliminary injunction that would prevent Cook from contacting or doing business with her former HSI customers in light of California’s policy against non-compete agreements.

Perhaps the most striking aspect of the court’s ruling was ultimately how little effect the DTSA had upon it. The DTSA has been widely viewed as an avenue for plaintiffs to bring trade secret claims in federal court, but HSI already had diversity jurisdiction for its state law claims and, as noted by the Court, HSI’s California Uniform Trade Secrets Act claims closely mirror those brought under the DTSA. In other words, HSI could have brought its state law trade secret misappropriation claims against Cook in federal court even if the case had been filed before the passage of the DTSA, with little impact upon the court’s ruling. The Court noted at several points, in both the TRO and PI orders, the similarities between the DTSA and California’s Uniform Trade Secrets Act, and considered HSI’s claims under both statutes without distinguishing between the two.

The court’s rulings also serve as a reminder that the DTSA does not supplant state law concerning the enforceability of non-compete agreements. California’s longstanding adverse treatment of non-compete agreements was the basis for the court’s refusal to enjoin Cook from “contracting or doing business with her clients,” especially when HSI had failed to show “specific evidence that Cook was utilizing trade secret information to solicit customers.” While not the explicit basis for the court’s ruling, the DTSA requires “evidence of threatened misappropriation,” and not merely a showing that the individual has information in their possession, before the issuance of an injunction under the Act. 18 U.S.C. § 1836(b)(3)(A)(i)(I).

While the court’s decision in HSI may not go into great detail in its consideration of the DTSA, it is worth noting why the court did not have to do so. DTSA claims will, in many cases, closely track claims under state law. The plaintiff in HSI already had an avenue to federal court based on the complete diversity of the parties, but other litigants will undoubtedly have to rely on the DTSA as their basis for federal jurisdiction. The DTSA’s most striking feature – its ex parte seizure provision – remains untested in federal court.

In Like A Lion, Out Like A Lamb: Following Much Fanfare, Massachusetts Noncompete Reform Again Fails

Posted in Legislation, Non-Compete Enforceability

shutterstock_444377182-300x213In what has become a highly anticipated annual game of “Will They/Won’t They,” the Massachusetts legislature again failed to pass comprehensive noncompete reform legislation this year, despite much fanfare and high hopes from certain quarters. This should come as no surprise to our loyal readers, who have seen this happen virtually every year over the past decade, but it actually seemed as though something might be different this year, with the House and Senate both passing bills, and the Governor signaling his support for the House version.  Alas, the wheels of state government have again come to a screeching halt with no movement as the 2016 legislative session ended late last night with no compromise.  No controversial matters can now be advanced until the next legislative session, which begins in January 2017.  As we seem to say every summer, maybe next year . . .

Massachusetts Governor Supports Noncompete Reform, But Not Abolition

Posted in Legislation, Non-Compete Enforceability, Trade Secrets

shutterstock_444377182According to The Boston Globe, Massachusetts Governor Charlie Baker has publicly voiced his support for some restrictions on noncompete agreements, but he does not want to abolish them entirely. Specifically, Governor Baker supports the bill passed by the Massachusetts House of Representatives (discussed previously here), but not the far more restrictive bill passed by the Massachusetts Senate (discussed here). According to Governor Baker’s spokesman:

The Governor favors the House version of the noncompete legislation because he believes it better balances workers’ abilities to seek new employment while ensuring cutting edge businesses can protect essential intellectual property. . . . Finding the right compromise on this issue is essential to ensuring innovative businesses want to stay and grow in the Commonwealth.

A conference committee, being led by House Ways and Means Chairman Brian Dempsey and Senator Daniel Wolf, with Representatives John Scibak and Jay Barrows and Senators William Brownsberger and Ryan Fattman, will attempt to resolve the differences between the competing bills by the end of the formal legislative session, which wraps up for the year on July 31.

We will be monitoring and will report on any progress in the conference committee this week, so stay tuned.

When Stealing in Baseball Can Land You in Jail: Computer Fraud Sentencing Announced in MLB Case

Posted in Computer Fraud, Data Theft, Espionage

shutterstock_144630422Although stealing bases, and even signs, in baseball may be part of the game, stealing another team’s trade secrets can land you in federal prison, as one executive recently learned the hard way.

As we previously reported, the FBI has been investigating the St. Louis Cardinals for hacking into the Houston Astros’ internal computer network and stealing proprietary information, including internal discussions about trades, proprietary statistics, and scouting reports. The investigation has now concluded, the Cardinals’ former director of baseball development, Chris Correa, pleaded guilty to five counts of unauthorized access of a protected computer in January, and he has now been sentenced to 46 months in federal prison. He also must pay $279,038 in restitution. According to NPR, “U.S. District Judge Lynn Hughes, as she sentenced Correa, noted that the crime has resulted in stricter security at other baseball teams, according to a press release from the Justice Department. When Correa apologized and called his actions ‘reckless,’ [Judge] Hughes replied, ‘No, you intentionally and knowingly did these acts.’”

As the Department of Justice reported at the time of Correa’s plea:

The plea agreement details a selection of instances in which Correa unlawfully accessed the Astros’ computers. For example, during 2013, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects who the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered. He also viewed the team’s scouting crosscheck page, which listed prospects seen by higher level scouts. During the June 2013 amateur draft, he intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.

Correa later intruded into that account during the July 31, 2013, trade deadline and viewed notes of Astros’ trade discussions with other teams.

Another set of intrusions occurred in March 2014. The Astros reacted by implementing security precautions to include the actual Ground Control website address (URL) and required all users to change their passwords to more complex passwords. The team also reset all Ground Control passwords to a more complex default password and quickly e mailed the new default password and the new URL to all Ground Control users.

Shortly thereafter, Correa illegally accessed the aforementioned person’s e mail account and found the e mails that contained Ground Control’s new URL and the newly-reset password for all users. A few minutes later, Correa used this information to access another person’s Ground Control account without authorization. There, he viewed a total of 118 webpages including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.

On two more occasions, he again illicitly accessed that account and viewed confidential information such as projects the analytics department was researching, notes of Astros’ trade discussions with other Major League Baseball teams and reports of players in the Astros’ system and their development.

The parties agreed that Correa masked his identity, his location and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.

Michael McCann provides a good analysis of the sentence for Sports Illustrated and describes potential penalties Major League Baseball may pursue against the Cardinals.

Facebook, Inc. v. Power Ventures, Inc.: Shotgun-Toting Borrowers of Jewelry From Bank Safe Deposit Boxes and the CFAA. Wait. What?

Posted in Computer Fraud, Computer Fraud and Abuse Act, Cybersecurity

shutterstock_236620168On July 12, 2016, the Ninth Circuit filed its published opinion in Facebook, Inc. v. Power Ventures, Inc., et al., Case No. 13-17154 (“Power Ventures”).  Power Ventures is the latest in a series of decisions from the Ninth Circuit relating to the type of activities potentially giving rise to liability under the Computer Fraud and Abuse Act (18 U.S.C. §1030) (“CFAA”). Power Ventures has potentially important implications for the ways that businesses create, store, and monetize data through computers and web-based applications. Unlike the court’s Nosal line of decisions, Power Ventures is focused more on internet-based conduct that may violate the CFAA.

The underlying legal dispute between the parties began in 2008, when Facebook filed suit against Power Ventures, Inc. (“Power”) in the USDC for the Northern District of California. Power, which aggregated data from different social networking sites using, among other things, automated scripts (i.e., “scraping”), enabled people with various social media accounts to access all of their information in one place. Power used user-provided social media log-in information to import people’s information to a Power portal. In an effort to promote itself and attract users, Power then contacted via e-mail Facebook users’ friends, making it appear as if the e-mails came from Facebook.

Upon learning of Power’s activities, Facebook sent Power a cease and desist letter and used IP blocks in an attempt to prevent Power from obtaining Facebook data (IP blocking is a process by which a computer or network is directed to ignore all communications from a particular IP address). But Power continued to copy Facebook data and took measures to evade the IP blocks.

Although the Ninth Circuit analyzed whether Power’s conduct violated the federal CAN-SPAM Act (finding that it did not, and reversing District Court Judge Lucy Koh), the court’s analysis of the CFAA issues are most noteworthy. The court first walked through its United States v. Nosal CFAA decisions (from 2012 and July 5, 2016; see our coverage of these decisions here and here) to “distill two general rules” in analyzing the issue of authorized access under the CFAA:

(1) “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly” (noting that “once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability”); and

(2) “a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.”

Applying these rules, the court noted that Power users “arguably gave Power permission to use Facebook’s computers to disseminate messages” (further stating that “Power reasonably could have thought that consent from Facebook users to share the [Power promotion] was permission for Power to access Facebook’s computers”) (emphasis in original). Importantly, the court found that “[b]ecause Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers ‘without authorization’ within the meaning of the CFAA.”

The court declined, in a footnote, to “decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly” (citing to a law review article asserting that “websites are the cyber-equivalent of an open public square in the physical world”).
Instead, the court found that a cease and desist letter sent to Power by Facebook expressly rescinded the permission granted by Facebook users to Power and put Power on notice that it “was no longer authorized to access Facebook’s computers.” The letter informed Power that, in Facebook’s view, Power had violated Facebook’s Terms of Use and directed Power to cease using Facebook content or otherwise interacting with Facebook through automated scripts.

Power continued to access Facebook and took steps to evade the IP blocks that Facebook put in place. The court noted discovery from the trial court that appears to reflect a concerted effort by Power to wire around Facebook’s countermeasures and a likely awareness that Power’s conduct implicated the CFAA.

To explain its finding that the Facebook cease and desist letter had revoked Power’s permission to access Facebook, the court analogized the circumstances to a person who wanted to borrow a friend’s jewelry held in a bank safe deposit box. The court said that the borrower would need permission from the bank and the safe deposit box holder to access the box if the bank had determined that it did not want the borrower on its premises (in the court’s example, because the borrower brought a shotgun to the bank when entering to access the safe deposit box).

Although the court’s analogy might have helped it better understand the technology and information flow at issue in Power Ventures, it lacks the nuance that can swirl around alleged “scraping” scenarios where there are sometimes questions concerning whether “access” under the CFAA has occurred and whether there is a protectable or property interest in the data scraped (in the court’s analogy, the jewelry was the safe deposit box holder’s property, but what was the data equivalent in Power Ventures and, under different facts, what might be the bank’s property interest?).

The court then went on to distinguish Power from its Nosal decisions and, in doing so made some interesting observations (arguably in dictum) about the legal effect of Facebook’s Terms of Use. The court observed that “Facebook and Power had no direct relationship, and it does not appear that Power was subject to any contractual terms that it could have breached.” It is unclear whether, by making this statement, the court is saying that, by its conduct, Power and Facebook had not entered into a contract (e.g., the Facebook Terms of Use) or rather there simply were no terms within the Terms of Use that prohibited Power’s conduct.

Notably, Facebook does not appear to have pleaded a breach of contract claim in the trial court.

In any event, whether a website’s terms of use will apply to and bind a party that attempts to “scrape” data from the website is likely to be further litigated as the intersection of traditional contact formation principles meet the evolving standards under “browser-wrap” and “click-wrap” agreements.

This much is clear from Power Ventures: Those who use websites to conduct business would be well-served to (1) carefully consider the drafting and use of website terms of use; (2) diligently monitor their websites and associated computers/servers for any access, and the means of access, by anyone other than authorized users; and (3) where unauthorized access is detected, to act promptly to notify in writing those who have potentially made such access of the conduct alleged to be improper/unlawful and demand that such conduct cease.

Cyberspace and e-commerce law will continue to evolve rapidly, so banks best keep an eye out for those skilled in the programming arts along with shotgun-toting borrowers of jewelry.

Computer Fraud and Abuse Act Ruling: Did the Ninth Circuit Just Criminalize Password Sharing?

Posted in Computer Fraud and Abuse Act

shutterstock_414545476Not exactly. A divided Ninth Circuit panel recently affirmed the conviction of a former employee under the Computer Fraud and Abuse Act (“CFAA”), holding that “[u]nequivocal revocation of computer access closes both the front door and the back door” to protected computers, and that using a password shared by an authorized system user to circumvent the revocation of the former employee’s access is a crime. United States v. Nosal, (“Nosal II”) Nos. 14-10037, 14-10275 (9th Cir. July 5, 2016). The dissenting opinion raised concerns that the majority opinion would criminalize password-sharing in a wide variety of contexts where the password was shared by an authorized user but in violation of a service provider’s terms of service, such as for email or social networking.

An inside job

David Nosal was a recruiter employed by the executive search firm Korn/Ferry. To serve its clients and help place executives in response to talent searches, Korn/Ferry maintained a confidential, proprietary database containing detailed personal information about over one million executives. Nosal left Korn/Ferry and launched a competing firm with two other Korn/Ferry colleagues. Korn/Ferry revoked Nosal and his colleagues’ authorization to access its database. After Nosal and his colleagues left Korn/Ferry, Nosal’s colleagues accessed the database at his behest using the log-in credentials of Nosal’s former executive assistant, who remained employed at Korn/Ferry and who was authorized to access the database. They used the assistant’s valid credentials in order to run searches for candidates and thereby compete with Korn/Ferry. Nosal was convicted of violating the CFAA on a theory of accomplice liability based on his colleagues’ actions. He was ordered to pay a sizeable restitution award to Korn/Ferry.

What does “without authorization” mean, anyway?

The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” 18 U.S.C. § 1030(a)(4) (emphasis added). In a previous appeal in the Nosal case (“Nosal I”), the Ninth Circuit held that the “exceeds authorized access” prong makes criminal conduct out of “violations of [a company’s] use restrictions.” The Ninth Circuit’s decision in Nosal II, however, focused entirely on the “without authorization” prong of the CFAA.

The majority concluded that “without authorization” is unambiguous, and that the Ninth Circuit’s ruling in LVCR Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) applied to Nosal’s conduct: “[A] person uses a computer ‘without authorization’ under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” The court stated that refusing to apply the CFAA to circumstances where an authorized user shared log-in credentials with a person whose credentials had been revoked by the owner of a protected computer system would “remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.”

So is password-sharing now a crime?

Judge Reinhardt dissented from the majority’s opinion, expressing concerns that the ruling would criminalize “password sharing.” Judge Reinhardt warned that the majority opinion “threatens to criminalize all sorts of innocuous conduct” and does not provide “a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners” like email service providers or social networking sites. Judge Reinhardt asserted that, in order to avoid criminalizing such commonplace conduct, the “best reading of ‘without authorization’ in the CFAA is a narrow one: a person accesses an account ‘without authorization’ if he does so without having the permission of either the system owner or a legitimate account holder.” (Emphasis original.)

It will be left to future cases to ascertain the outer boundaries of the majority’s holding. It seems unlikely that the Ninth Circuit would uphold a CFAA conviction of a person who watched Netflix using a friend’s login credentials, but Judge Reinhart correctly points out that there is no inherently limiting language in the statute itself. So, future litigants may focus on the Nosal II majority’s discussion of “revocation of access” as a means to distinguish simple password sharing. It would be one thing for a person to use a friend’s Netflix account to watch movies; it would be another thing if the person had previously had a Netflix account revoked for downloading and selling pirated copyrighted works, then used a friend’s account to circumvent the “revocation of access” and continue such piracy. The problem is, the statute’s language does not make any distinctions based on “revocation of access.” It remains to be seen whether Nosal II provides a workable rule for applying the CFAA in future cases.

Practical Implications for Employers

Setting aside the great password-sharing debate, Nosal II makes clear that criminal sanctions can be imposed against former employees who improperly access their employer’s systems after their authorization to do so is revoked by the employer. Whether former employees use their old log-in credentials or use those of current employees who are themselves authorized to use the employer’s systems, Nosal II means that any such access is “without authorization” under the CFAA.

One Step Forward, Two Steps Back: Massachusetts Senate Reverses Course On Non-Compete Reform

Posted in Legislation, Non-Compete Enforceability

shutterstock_131276240As we last reported, just a few weeks ago, the Massachusetts House of Representatives unanimously approved a non-compete bill that revised the original draft bill and addressed some of the business community’s concerns (such as the mandatory garden leave provision, prohibition on judicial reform of overbroad agreements, etc.). However, the Senate yesterday introduced a version that would dramatically curtail the enforceability of non-competes in Massachusetts, making substantial changes to the House’s version (and in some cases, even going beyond the original bill prior to the House’s compromise edits). Most — if not all — of the revisions are sure to concern those companies that use non-competes as one tool to protect their intellectual property:

  • The time limits for non-competes (except in cases where an employee has breached a fiduciary duty or engaged in misappropriation) would be limited to a mere three months, as distinct from the House’s 12 month provision;
  • To be enforceable, an employer must inform the employee of its intention to enforce the non-compete within 10 days of the termination of the employment relationship;
  • All non-competes must be “reviewed” with the employee at least once every 5 years after execution, although it is unclear what this “review” must consist of;
  • The non-compete must be supported by a garden leave clause or other mutually agreed upon consideration — although unlike the House’s version, which required a garden leave provision whereby an employee would receive 50% of his or her annualized salary or other agreed upon consideration (without dictating what the consideration must be), the Senate’s version requires the garden leave and/or other consideration to be equal to or greater than 100% of the employee’s highest annualized earnings within the prior 2 year period (note that earnings can be substantially greater than salary);
  • In addition to the numerous categories of employees that cannot be bound by non-competes under the House’s approved bill, the Senate’s version also prohibits enforcement of non-competes against employees “whose average weekly earnings . . . are less than 2 times the average weekly wage in the commonwealth” (based on the latest figures published by the United States Department of Labor, that would mean that employees making less than approximately $118,000 could not be bound by non-competes);
  • The Senate’s bill would reinstate the provision in the original bill that a court could not judicially reform an overbroad non-compete — a major departure from the current state of the law in Massachusetts (and an about-face from the House’s compromise);
  • The bill would also prohibit a court from relying on the “inevitable disclosure” doctrine to supplement non-competes or render an otherwise unenforceable agreement enforceable;
  • The bill would prohibit any provision that would penalize an employee from defending against or challenging the enforceability of a non-compete agreement (in other words, attorneys’ fees provisions);
  • Finally, Senator Mark Montigny of the Senate’s Committee on Rules has recommended that the bill be declared an “emergency law” — which would mean that if passed, it would go into effect immediately, rather than on October 1.

As previously noted, the current legislative session ends on July 31, so legislators will need to move quickly if this version is to pass. While we noted in our last post that the atmosphere in the Commonwealth seemed favorable to passage of the House’s version, we anticipate that the local business community will strongly voice its opposition to this latest draft.

We will keep you updated as we approach the end of this year’s legislative session…

Upcoming Webinar: International Non-Compete Law Update

Posted in International, Trade Secrets

WebinarOn Thursday, July 28, at 12:00 p.m. Central, Seyfarth attorney Dominic Hodson will present “International Non-Compete Law Update,” the eighth installment in Seyfarth’s 2016 Trade Secrets Webinar series.

Mr. Hodson will focus on non-compete considerations from an international perspective. Specifically, the webinar will involve a discussion of recent developments, and a refresher in general principals, in non-compete issues around the globe. This webinar will provide valuable insight for companies who compete in the global economy and must navigate the legal landscape in these countries to ensure protection of their trade secrets and confidential information, including via the effective use of non-compete and non-disclosure agreements.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.