In Parts I and II of this post, we looked at the Court’s ruling on Nosal’s motion for acquittal and new trial following his conviction of three CFAA counts, two EEA counts and one count of conspiracy. In this final part, we look at what may lie ahead for Nosal and lessons employers may learn from this case.
What’s Next for Nosal?
Sentencing in this case is now scheduled for October 9, 2013. Nosal faces a maximum statutory penalty of five years’ imprisonment and a fine of $250,000, plus potential restitution, on the conspiracy and CFAA counts, and 10 years’ imprisonment and a fine of $250,000, plus potential restitution, on the EEA counts.
Presumably, this matter will once again end up before the Ninth Circuit, which will determine whether the conviction and the Court’s denial of Nosal’s motions for acquittal and a new trial will stand or whether they run afoul of the Ninth Circuit’s earlier en banc decision in this case. Earlier, Judge Kozinski, writing for the majority, affirmed the dismissal of CFAA counts against Nosal, finding that the statute was intended to punish hacking, not misappropriation of trade secrets in violation of an employer’s acceptable use policies. In the opinion, Judge Kozinski stated that to hold otherwise would make a federal crime out of non-business related conduct in violation of acceptable use policies such as “g-chatting with friends, playing games, shopping or watching sports highlights.” A strong dissent by Judge Barry Silverman argued that this case has nothing to do with such innocent violations of employer policy, apparently suggesting that such conduct, although “unauthorized access,” would not fall under the CFAA because the required element of fraud is missing. Conversely, Judge Silverman stated that this case was about fraudulent and unauthorized access to computers with the intent to steal valuable information.
Perhaps any future ruling will address password sharing and provide useful guidance on how to design acceptable use policies prohibiting conduct running afoul of the CFAA, without offending Judge Kozinski’s sensibilities. Stay tuned.
What can employers learn from this case?
Obviously, Nosal’s former employer did a lot of things right, which allowed the government to successfully prosecute and convict Nosal. For starters, his former employer protected its trade secrets in a number of ways, including that: (1) it did not permit trade secrets to be sent outside the company; (2) it required usernames and passwords to access computers; (3) it housed its database containing the trade secrets at a secure data center with restricted access; (4) it protected the database with a firewall and anti-virus software; (5) it monitored users’ downloading activity; (6) the database warned users with messages that information was to be used for “company business only”; and (7) lists exported from the database stated the information was “Proprietary & Confidential.” Based on these efforts, the Court concluded that Nosal’s former employer took reasonable steps to protect its trade secrets.
However, although ultimately not determinative in this case, the Court also noted evidence of things that Nosal’s former employer did not do, including that: (1) it did not prevent users from e-mailing source lists outside the company; (2) it did not prevent users from printing source lists; (3) it did not encrypt source lists or protect them with separate passwords; and (4) it did not have a procedure for preventing employees from printing and taking source lists home. It is possible some of these additional safeguards may have made misappropriation more difficult, or even prevented it altogether.
There are also a number of additional safeguards and procedures not referenced in the order that companies should consider as part of “best practices” in preventing trade secret theft. For example, the order is silent as to Nosal’s former employer’s onboarding procedures, and whether it used non-disclosure and trade secret protection agreements to protect sensitive information. It is also unclear what, if anything, his former employer did to educate and to continue to remind its workers regarding their obligations to protect company information. There is also no information as to whether his former employer conducted exit interviews, and whether it used exit interview certifications requiring departing workers to confirm they did not have any company trade secrets or confidential or proprietary information. All of these may be helpful tools in protecting company information. While none of these efforts by themselves prevent misappropriation, workers who are informed and understand that a company values and protects such assets are presumably less likely to misappropriate.