By Robert Milligan and Joshua Salinas
A California federal jury convicted a San Francisco executive recruiter this week for violations of the Computer Fraud and Abuse Act (“CFAA”) and theft of trade secrets from his former employer. The conviction represents a significant landmark in the closely watched eight-year case that deepened a federal circuit court split concerning the appropriate scope of the CFAA.
The case involves executive recruiter and former employee David Nosal, who allegedly conspired with then-current employees at his former employer, Korn/Ferry, to illegally access and download valuable candidate lists and other trade secret information from Korn/Ferry’s “Searcher” database. Nosal’s accomplices were able to access the computer system through a password provided to them by Nosal after he borrowed the password from a current Korn/Ferry employee. Nosal allegedly used this newly acquired information to start a competing business, Nosal Partners.
Nosal was indicted by a federal grand jury in 2008 for, inter alia, violations of the CFAA and trade secret theft. The district court for the Northern District of California initially dismissed several CFAA counts on grounds that the employees he allegedly conspired with had access to the computer systems and, thus, could not “exceed authorized access” under the CFAA. The prosecution argued that the employee’s violations of his employer’s computer use restrictions “exceeded their authorized access,” but the court found the employer’s restrictions irrelevant to such a determination.
In April 2011, the Ninth Circuit Court of Appeals reversed the district court and held that a former employee “exceeds authorized access” to data on his employer’s computer system under the CFAA where the employee takes actions on the computer that are prohibited by his employer’s written policies and procedures concerning acceptable use (e.g. prohibitions against copying or e-mailing files to compete or help a third party compete with the employer). The decision strengthened the CFAA as a viable remedy to help fight employee data theft.
The following year, however, a Ninth Circuit en banc panel affirmed the district court’s decision, reversed the prior Ninth Circuit opinion, and adopted a narrow interpretation of the CFAA. The panel found that an employee’s violation of his/her employer’s computer usage policies was not a violation of the CFAA. The Court focused on whether the employee originally had access to the information, not whether the employee misused the employer’s confidential information in violation of usage policies. The decision widened a split between the circuit courts regarding the proper interpretation of unauthorized access under the CFAA and its applicability to factual scenarios where employees allegedly steal company data in violation of computer usage policies or in breach of their loyalty obligations.
The government subsequently obtained superseding indictments, and charged Nosal with, inter alia, the remaining CFAA and trade secret theft counts. During the two-week trial, Nosal’s defense team developed a theme that Korn/Ferry was a corporate Goliath “using the government to essentially do [its] dirty work” and the case was a “perversion of the criminal process” orchestrated by Korn/Ferry to eliminate him as a competitor. The prosecution responded by reemphasizing that “it’s the defendant that’s on trial here … not Korn/Ferry.”
Nosal was found guilty on these counts on April 24, 2013 after two days of jury deliberations. None of the jurors would discuss their deliberations.
It is anticipated that the case may again return to the Ninth Circuit Court of Appeal for a third decision. One of the significant issues likely on appeal involves the factual scenario seen in Nosal where a password is borrowed by one individual, he/she provides the password to a second individual, and the second individual uses the password to access a computer system–is the first individual liable under the CFAA for “unauthorized access”? In fact, some legal commentators question whether Nosal actually committed a direct violation of the CFAA. Nevertheless, the case will continue to be closely monitored.
Nosal is scheduled for sentencing on September 4, 2013. He faces penalties up to five years’ imprisonment and $250,000 for the computer offenses, and up to 10 years’ imprisonment and $250,000 for the trade secret offenses.