In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), the court held that the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, prohibits unlawful access to a computer but not unauthorized use of computerized information.  Although that holding represents a minority position, two recent opinions — one in a Ninth Circuit criminal case and one by a California district court in a civil proceeding — indicate that the ruling in Nosal still is the law out west.

Recent Ninth Circuit and California district court CFAA cases. 

Christensen.  The 100+ page opinion in U.S. v. Christensen, Nos. 08-50531, et al. (9th Cir., Aug. 25, 2015), details what the court described as “a widespread criminal enterprise offering illegal private investigation services in Southern California.”  Six individuals were accused and convicted in the District Court for the Central District of California pre-Nosal of computer fraud, bribery, racketeering, wiretapping, identity theft, and more.  On appeal, several convictions were affirmed, and some others were remanded but just for resentencing.  Of particular interest to readers of this blog, however, all three convictions for violating the CFAA were vacated on the ground that Nosal rendered the jury instructions clearly erroneous and prejudicial.  A retrial may be possible.

Loop AI Labs.  In Loop AI Labs Inc. v. Gatti, No. 15-cv-00798 (N.D. Cal., Sept. 2, 2015), the defendants’ motion to dismiss certain counts of the amended complaint was granted in part and denied in part.  The defendant was Loop AI Labs’ former CEO.  Although she had left the company and worked for a competitor, she continued to log in to Loop AI Labs’ computers.  The court ruled that until Loop AI Labs formally revoked her authorization to access the company’s computers, she did not violate the CFAA by logging in, regardless of her motive.

Faulty jury instructions in Christensen.  One of the defendants was a Los Angeles police officer.  He was charged with violating the CFAA, among other statutes, by (a) logging in to confidential state and federal law enforcement databases — which he had the right to access — and (b) in exchange for a bribe, providing to two other defendants information they requested from those databases but to which they were not entitled.  The prosecutor simply assumed, and did not attempt to prove, that the officer thereby committed a CFAA violation.  According to the Ninth Circuit, that assumption was unwarranted after Nosal was decided.

By the same token, at trial the three defendants accused of CFAA violations did not object when the court instructed the jurors — before Nosal — that they should find a CFAA violation if they determined that a computer had been knowingly accessed with the intent to use the information to commit a fraud.  In Christensen, the appellate court held that those jury instructions were plainly erroneous in light of Nosal and clearly were prejudicial.  For these reasons, the CFAA convictions were vacated.

Takeaways.  Approximately one-half of the circuit courts of appeal have ruled on the meaning of the phrase “exceeds authorized access” as used in the CFAA.  In the circuits where there has not yet been a ruling, obviously, there is uncertainty as to which position the court will adopt.

The majority — so-called liberal — view is exemplified by holdings in cases such as International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (CFAA violated by accessing a computer for an unauthorized purpose).  Nosal, and now Christensen, represent the minority (or narrow) position that an individual with authorization to access a computer does not commit a CFAA violation regardless of what the individual does with the information so obtained.

Adding to the confusion, courts are not in agreement over the meaning of Nosal.  For example, in the recent case of U.S. v. Shen, Case No. 4:14-CR-122 (W.D. Mo. Apr. 21, 2015), the facts were somewhat similar to those in Loop AI Labs.  Citing Nosal, the court in Shen stated: “There is some disagreement as to whether an employee who properly accesses a computer and then misuses the information can be convicted” of violating the CFAA.  The Missouri court added: “However, courts are clear that employees who gain access to a computer through their employment lose authorization once they have resigned or been terminated.  Moreover, persons of common intelligence would understand as much.”  Id. at p.4 (citations omitted).  As is apparent, the judge who decided Loop AI Labs does not concur. Further, there are also federal courts in California that have concurred with the Shen reasoning.

Similarly, one cannot be sure that all courts agreeing with the “narrow view” set forth in Nosal also would accept the holding implicit in Christensen that a corrupt police officer does not exceed his “authorized access” to confidential government databases when he logs in solely for the purpose of providing other persons, in exchange for a bribe, information to which they have no right. With all this uncertainty, the one thing that is certain is that the Ninth Circuit continues to embrace a very narrow and restrictive view of CFAA liability, in contrast to most of the other circuits in the nation.

By Robert Milligan and Joshua Salinas

As part of our annual tradition, we are pleased to present our discussion of the top 10 developments/headlines in trade secret, computer fraud, and non-compete law for 2013. Please join us for our complimentary webinar on March 6, 2014, at 10:00 a.m. P.S.T., where we will discuss them in greater detail. As with all of our other webinars (including the 12 installments in our 2013 Trade Secrets webinar series), this webinar will be recorded and later uploaded to our Trading Secrets blog to view at your convenience.

Last year we predicted that social media would continue to generate disputes in trade secret, computer fraud, and non-compete law, as well as in privacy law.  2013 did not disappoint with significant social media decisions involving the ownership of social media accounts and “followers” and “connections,” as well as cases addressing liability or consequences for actions taken on social media, such as updating one’s status, communicating with “restricted” connections, creating fake social media accounts, or deleting one’s account during pending litigation.

We also saw more states (e.g., Arkansas, Utah, New Mexico, California, Colorado, Nevada, Michigan, New Jersey, Oregon, and Washington) enact legislation to protect employees’ “personal” social media accounts and we expect more states to follow.

The circuit split regarding the interpretation of what is unlawful access under the Computer Fraud and Abuse Act (“CFAA”) remains unresolved, and another case will need to make its way up to the Supreme Court, or legislation will need to be passed, to clarify its scope, as federal courts continue to reach differing results concerning whether employees can be held liable under the CFAA for violating computer use or access policies.

There have also been several legislative efforts to modify trade secret, computer fraud, or non-compete law in various jurisdictions.  Texas adopted a version of the Uniform Trade Secrets Act, leaving Massachusetts and New York as the lone holdouts. Oklahoma passed legislation expressly permitting employee non-solicit agreements. Massachusetts, Michigan, Illinois, New Jersey, Maryland, Minnesota, and Connecticut considered bills that would provide certain limitations on non-compete agreements but they were not adopted.

We expect more legislative activity in 2014, particularly regarding privacy, the scope of the CFAA, and trade secret legislation to curb foreign trade secret theft and cyber-attacks.

Finally, while the Snowden kerfuffle and NSA snooping captured the headlines in 2013, government agencies remained active, including some high profile prosecutions under the Economic Espionage Act, the release of the Obama Administration’s Strategy on Mitigating the Theft of U.S. Trade Secrets,  and the National Labor Relations Board’s continued scrutiny of employers’ social media policies. We expect more government activity in this space in 2014.

Here is our listing of top developments/headlines in trade secret, computer fraud, and non-compete law for 2013 in no particular order:

1) Dust Off Those Agreements . . . Significant New Non-Compete Cases Keep Employers On Their Toes

Employers were kept on their toes with some significant non-compete decisions which forced some employers to update their agreements and onboarding/exiting practices. First, in Fifield v. Premier Dealer Services, an Illinois appellate court found that less than two years of employment is inadequate consideration to enforce a non-compete against an at-will employee where no other consideration was given for the non-compete. Second, in Dawson v. Ameritox, an Alabama federal court found that a non-compete executed prior to employment was unenforceable. Next, in Corporate Tech. v. Hartnett, a Massachusetts federal court held that initiating contact was not necessary for finding solicitation in breach of a customer non-solicitation agreement. Lastly, in Assurance Data v. Malyevac, the Virginia Supreme Court found that a demurrer (i.e., a pleading challenge) should not be used to determine the enforceability of non-compete provisions but rather evidence should be introduced before making such a determination.

2) Continued Split of Authority On the Computer Fraud and Abuse Act and Efforts to Reform CFAA and Enhance Federal Trade Secret and Cybersecurity Law

Courts in Massachusetts, Minnesota, and New York joined the Ninth Circuit’s narrow reading of the CFAA and limited its applicability to pure hacking scenarios rather than violations of employer computer usage or access policies. Additionally, in 2013, Representative Zoe Lofgren introduced Aaron’s Law, named after the political hacktivist Aaron Swartz, to reform the Computer Fraud and Abuse Act. Her proposed legislation would limit the CFAA to pure hacking scenarios and exclude violations of computer usage policies and internet terms of service from its scope. Lofgren also introduced legislation which would create a federal civil cause of action in federal court for trade secret misappropriation. Other legislation to prevent intellectual property theft was also introduced including the Deter Cyber Theft Act, which aims to block products that contain intellectual property stolen from U.S. companies by foreign countries from being sold in the United States. The Cyber Economic Espionage Accountability Act was also introduced and allows U.S. authorities to “punish criminals backed by China, Russia or other foreign governments for cyberspying and theft.” We expect Congress to consider similar legislation in 2014.

3) Texas Adopts Uniform Trade Secrets Act

Texas joined forty-seven other states in adopting some version of the Uniform Trade Secrets Act. Until recently, Texas common law governed misappropriation of trade secrets lawsuits in Texas. The new changes under the Texas UTSA (which we discuss in more detail here) provide protection for customer lists, the ability to recover attorneys’ fees, a presumption in favor of granting protective orders to preserve the secrecy of trade secrets during pending litigation, and that information obtained by reverse engineering does not meet the definition of a trade secret.  Legislation has been introduced in Massachusetts to adopt the Act but has yet to pass. For additional information on recent trade secret and non-compete legislative updates, check out our webinar “Trade Secrets and Non-Compete Legislative Update.”

4) High Profile Prosecutions and Trials under Computer Fraud and Abuse Act and Economic Espionage Act

2013 saw several high profile prosecutions and trials under the CFAA and Economic Espionage Act. Bradley Manning, who allegedly leaked confidential government documents to WikiLeaks, and Andrew ‘Weev’ Auernheimer, who allegedly hacked AT&T’s servers, were both convicted under the CFAA. Executive recruiter David Nosal was convicted by a San Francisco jury of violating federal trade secret laws and the CFAA and sentenced to one year and a day in federal prison.  In U.S. v. Jin, the Seventh Circuit upheld the conviction of a Chicago woman sentenced to four years in prison for stealing trade secrets of her employer before boarding a plane for China. For additional information on criminal liability for trade secret misappropriation, check out our webinar “The Stakes Just Got Higher: Criminal Prosecution of Trade Secret Misappropriation.”

5) More Social Media Privacy Legislation

Arkansas, Utah, New Mexico, Colorado, Nevada, Michigan, New Jersey, Oregon, and Washington all passed social media privacy legislation in 2013 that prohibited employers from asking or insisting that their employees provide access to their personal social networking accounts. California extended its current social media privacy law to specify that it encompassed public employers.  We expect more states to enact social media privacy legislation in 2014.

6) Continued Uncertainty on the Scope of Trade Secret Preemption

Courts have continued to struggle with the scope and timing of applying preemption in trade secret cases, but there is a growing movement to displace common law tort claims for the theft of information. Such claims are typically tortious interference with contract, conversion, unfair competition, and breach of fiduciary duty. In essence, plaintiffs may only be left with breach of contract and a trade secret claim for the theft of information if a jurisdiction has adopted a broad preemption perspective. Courts in western states such as Arizona, Hawaii, Nevada, Utah, and Washington have preempted “confidential information” theft claims under their respective trade secret preemption statutes.

In K.F. Jacobsen v. Gaylor, an Oregon federal court, however, found that a conversion claim for theft of confidential information was not preempted. In Triage Consulting Group v. IMA, a Pennsylvania federal court permitted the pleading of preempted claims in the alternative. Additionally, in Angelica Textile Svcs. v. Park, a California Court of Appeal found that there was no preemption of claims for breach of contract, unfair competition, conversion, or tortious interference because the claims were based on facts distinct from the trade secret claim and the conversion claim asserted the theft of tangible documents. In contrast, in Anheuser-Busch v. Clark, a California federal court found that a return of personal property claim based on the taking of “confidential, proprietary, and/or trade secret information” was preempted because there was no other basis beside trade secrets law for a property right in the taken information. For additional information on the practical impact of preemption on protecting trade secrets and litigating trade secret cases, check out our webinar “How and Why California is Different When it Comes to Trade Secrets and Non-Competes.”

7) Growing Challenge of Protecting Information in the Cloud with Increasing Prevalence of BYOD and Online Storage

While the benefits of cloud computing are well documented, the growth of third party online data storage has made it easier for rogue employees to take valuable trade secrets and other proprietary company electronic files in a matter of minutes, if not seconds. The increasing use of mobile devices and cloud technologies by companies both large and small is likely to result in more mobile devices and online storage being relevant in litigation. A recent article in The Recorder entitled “Trade Secrets Spat Center on Cloud,” observed that the existence of cloud computing services within the workplace makes it “harder for companies to distinguish true data breaches from false alarms.”

An insightful Symantec/Ponemon study on employees’ beliefs about IP and data theft was released in 2013. It surveyed 3,317 employees in 6 countries (U.S., U.K., France, Brazil, China, South Korea). According to the survey, 1 in 3 employees move work files to file sharing apps (e.g. Dropbox). Half of employees who left/lost their jobs kept confidential information, and 40% plan to use confidential information at a new job. The top reasons employees believe data theft is acceptable: (1) does not harm the company; company does not strictly enforce its policies; (2) information is not secured and generally available; or (3) employee would not receive any economic gain.  The results of this study serve as a reminder that employers must be vigilant to ensure that they have robust agreements and policies with their employees as well as other sound trade secret protections, including employee training and IT security, to protect their valuable trade secrets and company data before they are compromised and stolen. Employers should implement policies and agreements to restrict or clarify the use of cloud computing services for storing and sharing company data by employees. Some employers may prefer to simply block all access to such cloud computing services and document the same in their policies and agreements. For a further discussion about steps and responses companies can take when their confidential information and/or trade secrets appear, or are threatened to appear, on the Internet, check out our webinar “My Company’s Confidential Information is Posted on the Internet! What Can I Do?”

8) Continued Significance of Choice of Law and Forum Selection Provisions In Non-Compete and Trade Secret Disputes

The U.S. Supreme Court’s recent decision in Atlantic Marine v. U.S.D.C. for the W.D. of Texas appears to strengthen the enforceability of forum selection clauses as it held that courts should ordinarily transfer cases pursuant to applicable and enforceable forum selection clauses in all but the most extraordinary circumstances. While Atlantic Marine did not concern restrictive covenant agreements or the employer-employee context, it may nonetheless make it more difficult for current and/or former employees to circumvent the forum selection clauses contained in their non-compete or trade secret protection agreements. Many federal courts continue to enforce out-of-state forum selection clauses in non-compete disputes (see AJZN v. Yu and Meras Eng’r’g v. CH2O), while some courts have disregarded forum selection clauses in such disputes “in the interests of justice.”  The Federal Circuit, in Convolve and MIT v. Compaq and Seagate, held that information at issue lost its trade secret protection when the trade secret holder disclosed the information because it failed to comply with the confidential marking requirement set forth in a non-disclosure agreement. Accordingly, trade secret holders should be careful what their non-disclosure agreements say about trade secret protection; otherwise they may lose such protection if they fail to follow such agreements.

9) Social Media Continues to Change Traditional Legal Definitions and Analyses

Social media continues to change the way we define various activities in employment, litigation, and our everyday lives. A Pennsylvania federal district court in the closely watched Eagle v. Morgan case found that a former employee was able to successfully prove her causes of action against her former employer for the theft of her LinkedIn account, but she was unable to prove damages with reasonable certainty. Recent cases in Massachusetts and Oklahoma held that social media posts, updates and communications with former customers did not violate their non-solicitation restrictive covenants with their former employer. In the litigation context, a New Jersey federal court issued sanctions against a litigant for deleting his Facebook profile, while a New York federal court allowed the FTC to effectuate service of process on foreign defendants through Facebook. The Fourth Circuit held that “liking” something on Facebook is “a form of free speech protected by the First Amendment.” Federal district courts in Nevada and New Jersey illustrated the growing trend of courts finding that individuals may lack a reasonable expectation of privacy in social media posts. For further discussion on the relationship between social media and trade secrets, check out our webinar “Employee Privacy and Social Networking: Can Your Trade Secret Survive?”

10) ITC Remains Attractive Forum to Address Trade Secret Theft

The Federal Circuit caught the attention of the ITC and trade secret litigators alike when it ruled in TianRui Group Co. v. ITC that the ITC can exercise its jurisdiction over acts of misappropriation occurring entirely in China. Since then, victims of trade secret theft by foreign entities are increasingly seeking relief from the ITC (e.g. In the Matter of Certain Rubber Resins and Processes for Manufacturing Same (Inv. No. 337-TA-849)). For valuable insight on protecting trade secrets and confidential information in China and other Asian countries, including the effective use of non-compete and non-disclosure agreements, please check out our recent webinar titled, “Trade Secret and Non-Compete Considerations in Asia.”

We thank everyone who followed us this year and we really appreciate all of your support. We also thank everyone who helped us make the ABA’s Top 100 Law Blogs list. We will continue to provide up-to-the-minute information on the latest legal trends and cases across the country, as well as important thought leadership and resource links and materials.

Don’t forget to register to receive a copy of our Annual Blog Year in Review.

By Robert Milligan and Grace Chuchla

Earlier this year, we blogged on federal legislative efforts to amend the Computer Fraud and Abuse Act (“CFAA”) following the death of computer activist Aaron Swartz.  These efforts were spearheaded by Representative Zoe Lofgren (D-CA), who released her discussion draft of proposed amendments to the CFAA on January 15, 2013 on Reddit.  Lofgren’s January draft sought to modify the definition of “exceeds authorized access” so that those who only violate, for example, a computer use policy or internet terms of service cannot be held liable under the CFAA.

On Thursday, June 20, Representative Lofgren and Senator Ron Wyden (D-OR) formally introduced companion bills in both the House and Senate seeking to amend the CFAA.  According to Senator Wyden’s website, these amendments seek to eliminate “vagueness” and “redundant provisions” from the CFAA and “establish that a mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA.”  Additionally, with the nickname “Aaron’s Law,” they also seek to limit what some see as the CFAA’s tendency to allow for overzealous prosecution that they claim characterized Aaron Swartz’s case.

As before, both bills seek to clarify the meaning of  “exceeds authorized access” by striking it and replacing it with the phrase “access without authorization,” which is defined to mean

a) “to obtain information on a protected computer”;

b) “that the accesser lacks authorization to obtain”; and

c) “by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” 

Both bills also propose amendments to the definition of punishable offenses under the CFAA by inserting a requirement that offenses committed for commercial advantage or private financial gain must also involve information that has a market value over $5,000.  

Lofgren and Wyden said in their opinion piece for Wired that, “Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks.”

Opinions are split on how successful these proposed amendments will be.  On the one hand, previous efforts to amend the CFAA in April 2013 failed after there was significant opposition from both the left and the right.  Those proposed amendments to the CFAA, however, are not similar to what is currently in front of Congress.  The Justice Department has previously been against amendments to the CFAA that would significantly narrow the Act’s scope. It recently obtained the conviction of David Nosal under the CFAA in San Francisco, California (the conviction has been appealed to the Ninth Circuit). Additionally, Richard Downing, Deputy Section Chief for Computer Crime and Intellectual Property, told the House in 2011 that removing key parts of the CFAA “could make it difficult or impossible to deter and punish serious threats from malicious insiders.”

BSA Software Alliance has come out against the proposed legislation, arguing that it would force companies to build additional security mechanisms into their networks and systems to adequately protect them from unauthorized parties. “Everyone agrees that lying about your age on Facebook shouldn’t be a felony, but Aaron’s Law is a flawed solution to that problem,” Tim Molino, BSA’s director of government relations, reportedly said in a statement. “Tying liability to theft that involves ‘knowingly circumventing technological or physical measures’ is out of step with the technology innovations driving today’s economy. It would compel many companies to erect new technical protection measures throughout their networks and support systems, reversing a trend that has contributed to the growth of cloud computing, software as a service, and on-demand support.”

Additionally, with the highly publicized omnipresent cybersecurity threat and recent high profile employee data theft cases, there may not be significant momentum to drastically change the CFAA, particularly with the Obama Administration focused on addressing the cybersecurity threat. Echoing those sentiments, Molino reportedly said the bill is “especially troubling at a time when hacking and intellectual property theft are rampant — weakening cybercrime laws would be like handing out keys to the castle.”

On the other hand, however, advocacy groups have come out in vocal support of Lofgren’s and Wyden’s bills.  The Center for Democracy and Technology and Demand Progress have both issued recent statements applauding Aaron’s Law for “prevent[ing] the government from using the Computer Fraud and Abuse Act (CFAA) to prosecute mere terms-of-service violations as computer crimes, and prevent prosecutors from bringing multiple redundant charges based on a single crime.” Further, the Electronic Frontier Foundation has also been a vocal supporter of the proposed amendments, stating that, “(t)he CFAA was originally intended to cover the hacking of defense department and bank computers, but it’s been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. We’ve written extensively about the need for CFAA reform and Aaron’s Law is a great first step.” Additionally, with the recent NSA and Snowden kerfuffle, there may be public support for limitations on the CFAA, including limiting its use for pure hacking scenarios.

How this will play out is anyone’s guess.  What started with a circuit split after the Ninth Circuit’s decision in U.S. v. Nosal has grown into a hot-button topic for everyone from civil rights activists to technology lobbying organizations to employers looking to protect their data.  Stay tuned for updates as the saga unfolds. 

By Robert Milligan and Grace Chuchla

A recently unsealed criminal complaint out of the Eastern District of New York raises allegations that paint a frightening picture for employers of the havoc that disgruntled ex-employees can wreak on company computer networks.

The prosecution alleges that a former employee of an unnamed company that manufactures high-voltage power supplies in Suffolk County, New York improperly downloaded company files, accessed the company network, and altered key company source code after his resignation on December 30, 2011.

The employee allegedly resigned because he was unhappy about being passed over for a promotion and set his final day to be January 13, 2012. However, only one week after announcing his resignation, on January 6, 2012, the employee’s supervisor claims to have observed him copying files from his computer onto a flash drive. Acting swiftly, the company blocked his access to their servers and VPN on January 7, 2013, but unfortunately, this was not enough to thwart the employee’s alleged tampering with the company’s networks.

During his time at the company, the employee worked with another unnamed employee maintaining the company’s software. In the course of working together, this employee allegedly shared his password with the defendant. Furthermore, this employee had the practice of rotating between the same two or three passwords whenever the company’s system prompted him to change it, and thus, the prosecution claims that the defendant, with some easy guesswork, was able to gain access to the company’s systems via their VPN even after he had resigned and after the company had blocked his access to its system.

Working under his former coworker’s credentials and after he left the company’s employ, the defendant allegedly:

• Obtained the email addresses of candidates applying to fill his now vacant position and sent them messages from iamconcern2012@gmail.com telling them not to work for the Company;

• Modified dates within the computer code for the Company’s Period Roll Tables, which prevented the Company from processing transactions during a critical month-end period;

• Deleted purchase order tables from the Company’s systems; and

• Deleted key lines of code from a program that calculates work order costs, which led to incorrect calculations.

When all was said and done, the company estimates that it spent approximately $94,000 investigating and addressing the employee’s alleged actions.

The U.S. Attorneys’ Office charged the defendant under the Computer Fraud and Abuse Act.

“The defendant engaged in a 21st century campaign of cyber-vandalism and high-tech revenge,” Loretta E. Lynch of the U.S. Attorney’s Office for the Eastern District of New York said in a statement. “We will hold accountable any individual who victimizes others by exploiting computer network vulnerabilities.”

FBI Assistant Director in Charge Venizelos stated, “Bent on revenge, the defendant exploited his access and his technical know-how to sabotage his former employer. As alleged, he caused significant disruption and monetary damage. The FBI is committed to vigorous enforcement of laws governing computer intrusions.”

The defendant could face up to 10 years in prison, a $250,000 fine and restitution. He posted a $50,000 bond and a Federal Defender was appointed to represent him.

The case is United States of America v. Meneses, case number 13M343, in the United States District Court for the Eastern District of New York.

This case follows the highly publicized U.S. v. Nosal case in which an executive recruiter was convicted under the Computer Fraud and Abuse Act where there were allegations of password sharing to obtain access to the company’s computer network.

Regardless of the outcome of Meneses, the allegations made by the prosecution highlight a core rule of data protection — employees must keep their passwords confidential. In this day and age, we have hundreds of passwords swirling around our heads. It’s no wonder, therefore, that they begin to lose their importance, and all too often, employees will nonchalantly share their passwords with a colleague or rotate between the same few passwords whenever the system requires a password change. Employers should be on the lookout for this kind of activity and should frequently impress upon employees how important it is to have both unique and confidential passwords and that they routinely change their passwords. IT specialists recommend that special care should be given to password security. Some believe that the use of biometric authentication will eventually surpass conventional passwords. Even implementing other trade secret protection measures — such as granting employees access to trade secrets only on a need-to-know basis — are useless if one employee obtains another employee’s password and is able to have free reign on the company’s computer network.

Additionally, companies must immediately disable network access of departing employees at termination. Most internal attacks happen through access obtained on the job that is not removed when the employee leaves, FBI assistant special agent Austin Berglas reportedly told business leaders at a recent cybersecurity conference. More commonly a “company fires someone in their IT department and forgets to block or cancel their login credentials,” Mr. Berglas reportedly said. “It’s just so easy for them to use that password to steal data or do destructive things to the network…and it looks like normal traffic to IT staff.”

In this case, the company shut down the employee’s access the day he left, but he was allegedly able to figure out another employee’s password because that colleague had previously shared it with the defendant and rotated between similar passwords.

In the end, hindsight is 20/20, but the simple steps of maintaining the confidentiality of employee passwords, having unique passwords that are changed often, and shutting off network access of departing employees at termination can go a long way toward protecting your trade secrets and your company networks as a whole. Companies should also stay abreast of the latest technological enhancements, such as biometric authentication. We will continue to keep you apprised of developments in this case. For more information on the threats to trade secrets posed by cybersecurity attacks and mitigation strategies, please see my recent presentation with U.S. Attorney Wesley Hsu and cybersecurity specialist Steve Lee.

A designer and marketer of stereophonic technology for presenting 3-D imaging on a computer screen recently sued some ex-employees in a California federal court for allegedly violating the federal Computer Fraud and Abuse Act (CFAA), among other claims. At some point, the ex-employees allegedly downloaded their former employer’s confidential computer code and provided it to their new employer, a competitor.  The defendants moved to dismiss on the grounds that there was no allegation as to exactly how or when the ex-employees obtained the code.  In response to the motion, the plaintiff said it would need discovery in order to ascertain that information.   

The court granted the motion and dismissed the complaint for failure to plead “facts giving rise to a valid claim under the CFAA.”  The plaintiff was allowed 30 days “to amend, keeping in mind Rule 11 [the federal civil procedure sanctions rule], if Plaintiff is able to plead facts giving rise to a valid CFAA claim.”  Metabyte, Inc. v. Nvidia Corp., Case No. 12-0044 SC (N.D. Cal., Apr. 22, 2013).    

The CFAA prohibits “access[ing] a computer without authorization or exceed[ing] authorized access.”  Some federal courts, such as the Ninth Circuit Court of Appeals, interpret that phrase narrowly and typically only find a violation if the “access” occurs by someone who was not authorized to use that computer or in excess of that authorization.  See, e.g., U.S. v. Nosal, 676 F.3d 854 (2012) (en banc) and LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (2009).   

Some other federal courts, including the Seventh Circuit Court of Appeals, disagree.  They hold that, under the CFAA, use of a computer to misappropriate is unlawful even though the user was authorized to access the computer for lawful purposes.  See, e.g., International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2008). 

In addition to charging the individual defendants with violation of the CFAA, Metabyte accused Nvidia of violating the California Unfair Competition Law (UCL).  Nvidia moved to dismiss the claim on the ground that it was pre-empted by the U.S. Copyright Act because Metabyte simply accused Nvidia of selling copies of products for which Metabyte had a copyright.  The court agreed and dismissed that claim with prejudice.

Metabyte pled some causes of action besides those based on the CFAA and the UCL. For example, Metabyte claimed copyright infringement, breach of contract, and misappropriation of trade secrets. With respect to the CFAA claim, however, there is little likelihood that within a period as short as 30 days Metabyte will be able to learn sufficient relevant facts to adequately support an allegation of hacking or other actionable conduct. In the future, plaintiffs averring CFAA violations for misappropriation of confidential information by use of a computer, but uncertain exactly how or when the defendant obtained the information and/or access to the computer, would be well advised to carefully consider whether the federal circuit in which they plan to sue permits such claims.

By Robert Milligan and Joshua Salinas

A California federal jury convicted a San Francisco executive recruiter this week for violations of the Computer Fraud and Abuse Act (“CFAA”) and theft of trade secrets from his former employer. The conviction represents a significant landmark in the closely watched eight-year case that deepened a federal circuit court split concerning the appropriate scope of the CFAA.

The case involves executive recruiter and former employee David Nosal, who allegedly conspired with then-current employees at his former employer, Korn/Ferry, to illegally access and download valuable candidate lists and other trade secret information from Korn/Ferry’s “Searcher” database. Nosal’s accomplices were able to access the computer system through a password provided to them by Nosal after he borrowed the password from a current Korn/Ferry employee. Nosal allegedly used this newly acquired information to start a competing business, Nosal Partners.

Nosal was indicted by a federal grand jury in 2008 for, inter alia, violations of the CFAA and trade secret theft. The district court for the Northern District of California initially dismissed several CFAA counts on grounds that the employees he allegedly conspired with had access to the computer systems and, thus, could not “exceed authorized access” under the CFAA. The prosecution argued that the employees’ violations of their employer’s computer use restrictions “exceeded their authorized access,” but the court found the employer’s restrictions irrelevant to such a determination.

In April 2011, the Ninth Circuit Court of Appeals reversed the district court and held that a former employee “exceeds authorized access” to data on his employer’s computer system under the CFAA where the employee takes actions on the computer that are prohibited by his employer’s written policies and procedures concerning acceptable use (e.g. prohibitions against copying or e-mailing files to compete or help a third party compete with the employer). The decision strengthened the CFAA as a viable remedy to help fight employee data theft.

The following year, however, a Ninth Circuit en banc panel affirmed the district court’s decision, reversed the prior Ninth Circuit opinion, and adopted a narrow interpretation of the CFAA. The panel found that an employee’s violation of his/her employer’s computer usage policies was not a violation of the CFAA. The Court focused on whether the employee originally had access to the information, not whether the employee misused the employer’s confidential information in violation of usage policies. The decision widened a split between the circuit courts regarding the proper interpretation of unauthorized access under the CFAA and its applicability to factual scenarios where employees allegedly steal company data in violation of computer usage policies or in breach of their loyalty obligations.

The government subsequently obtained superseding indictments, and charged Nosal with, inter alia, the remaining CFAA and trade secret theft counts. During the two-week trial, Nosal’s defense team developed a theme that Korn/Ferry was a corporate Goliath “using the government to essentially do [its] dirty work” and the case was a “perversion of the criminal process” orchestrated by Korn/Ferry to eliminate him as a competitor. The prosecution responded by reemphasizing that “it’s the defendant that’s on trial here … not Korn/Ferry.”

Nosal was found guilty on these counts on April 24, 2013 after two days of jury deliberations. None of the jurors would discuss their deliberations.

It is anticipated that the case may again return to the Ninth Circuit Court of Appeals for a third decision. One of the significant issues likely on appeal involves the factual scenario seen in Nosal where a password is borrowed by one individual, he/she provides the password to a second individual, and the second individual uses the password to access a computer system–is the first individual liable under the CFAA for “unauthorized access”? In fact, some legal commentators question whether Nosal actually committed a direct violation of the CFAA. Nevertheless, the case will continue to be closely monitored.

Nosal is scheduled for sentencing on September 4, 2013. He faces penalties up to five years’ imprisonment and $250,000 for the computer offenses, and up to 10 years’ imprisonment and $250,000 for the trade secret offenses.

By Gary Glaser and Jacob Oslick

An old folk melody describes the world as “a very narrow bridge,” where one misstep can bring disaster. The song seeks to inspire, calling on people to have “no fear at all” while crossing through life’s perils.

However inspiring this song might be, some metaphorical bridges just aren’t worth crossing. Trying to assert Computer Fraud and Abuse Act (“CFAA”) claims against disloyal employees is a perfect example. Employers rightly want to seek relief against employees who steal confidential information that might not qualify as “trade secrets.” And, at first glance, the CFAA appears to present a promising bridge into federal court for just such a claim. Even better, for a while, many federal courts adopted a broad view of the statute that permitted precisely these claims. In fact, between 2001 and 2010, the First, Fifth, Seventh, and Eleventh Circuits all issued opinions that interpreted the CFAA broadly, which still stand as the precedent in those Circuits.

Over the past few years, however, other federal courts have increasingly construed the CFAA narrowly. In a number of decisions, various federal courts have restricted both the claims that can be brought under the CFAA and the damages available for violations. These days, simply asserting a CFAA claim will almost certainly be met with a time-consuming and burdensome motion to dismiss. And, often, the CFAA proves to be a bridge to nowhere, because the Court dismisses the claim.

The plaintiff in JBCHoldings NY, LLC v. Pakter, 2013 U.S. Dist. LEXIS 39157 (S.D.N.Y. 3/20/13) recently learned this lesson. In JBCHoldings NY LLC, an employer was faced with a familiar situation: it gave a trusted employee access to its highly confidential information, only to have her allegedly misappropriate it for herself, and then allegedly misuse it to pilfer the company’s business opportunities which she then allegedly provided to former business colleagues who had set up a competing entity with her. The employer responded with a CFAA claim, alleging that the disloyal employee had violated the statute because, by stealing data, she accessed the company’s computers “without authorization” or “exceeded [her] authorized access.”

On March 20, 2013, the Southern District of New York dismissed the employer’s claim. The Court reasoned that the CFAA’s “plain meaning” only prohibits accessing information “without authorization” or “exceed[ing] authorized access,” but “does not speak to the misuse of permitted access or the misappropriation of information which an employee is authorized to access.” In so doing, the Court followed recent decisions by the Fourth and Ninth Circuits in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) and United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), respectively, along with a plethora of Second Circuit district court decisions.

The Court further reasoned that a “review of the statute as a whole confirms the narrow interpretation,” because it defines “loss” quite narrowly. In this regard, the Court noted that an unpublished Second Circuit decision held that the CFAA did not cover losses sustained due to the plaintiff’s misappropriation of proprietary information. See Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 563 (2d Cir. 2006). Given this limitation, the Court in JBCHoldings articulated that “[i]t would be illogical for the statute to prohibit misappropriation of employer information, but not define loss to include the losses resulting from that misappropriation.”

Additionally, the Court held that, while it “does not find the statute ambiguous,” the “rule of lenity” would caution towards a narrow interpretation, “because the CFAA is primarily a criminal statute.”

The Court’s opinion does leave two narrow bridges of hope for employers. First, on the law, the CFAA’s interpretation is far from settled. Despite WEC Carolina Energy Solutions, Nosal, and district court decisions like JBCHoldings, a majority of circuit courts that have addressed this issue have come down on the side of the broader interpretation. And the Supreme Court won’t be resolving this circuit-split anytime soon. The Department of Justice declined to seek certiorari in the Nosal case and, back in January, the Supreme Court dismissed the certiorari petition in WEC Carolina Energy Solutions, upon the parties’ stipulation. So a “broad” CFAA claim remains viable in many jurisdictions.

Second, on the facts, the JBCHoldings court provided direction on how employers can sometimes successfully navigate a narrow CFAA claim. For, although the Court held that the CFAA doesn’t provide a remedy against a disloyal employee who misuses access to a computer, it does apply to an “outside hacker” who lacks any permission whatsoever. The Court further noted that at least some of the Complaint’s allegations created an inference of “outside hack[ing],” including allegations that the disloyal employee may have used spyware or malware to accomplish her goals. That being said, the Court ultimately found that these allegations were “couched in terms of sheer possibility,” and thus failed to pass the Twombly/Iqbal “plausibility” standard. This is because it was much more likely that the employee “simply copied the information to her personal laptop,” without resorting to a nefarious program.

Taking that reasoning to heart, employers should remember that the JBCHoldings case is not every case. While disloyal employees often just swipe information that they can lawfully access, sometimes they get even greedier. They may load spyware and malware onto their employer’s server to farm for useful information. They may decrypt passwords to access higher-level information than they are permitted. Or they might “hack” this data in other ways. And, when employees engage in such conduct, they do more than just misuse information that they can lawfully access. They exceed their authorized access to a company’s computers, and thus indisputably fall within the CFAA’s ambit.

In fact, this kind of conduct may very well have happened in the JBCHoldings case. The employer just didn’t have the facts to back up its allegations. For, although it began some kind of investigation into the employee’s conduct, this investigation remained “incomplete” when it filed its Complaint, and apparently wasn’t too detailed.

This may have been a fatal mistake. A professional forensic examination can reveal what employees stole, how they stole it, whether they engaged in any other sinister conduct (such as deleting data), and whether they compromised the system’s integrity. Accordingly, this kind of examination can – at least sometimes – provide factual backing for a CFAA claim, even if a Court construes the CFAA narrowly. In short, a forensic examination can help employers decide which potential CFAA claims to avoid, and which to pursue. After all, when you’re crossing a narrow bridge, you want it to be as strongly supported as possible. Even if you have no fear at all.

Employers may also find that they have a better chance of articulating a successful CFAA claim in a “narrow interpretation” circuit if they draft their confidentiality/trade secrets policies with the express precepts of the CFAA in mind. Thus, for example, it may pay for an employer to expressly provide that an employee’s authorization to access certain specified confidential information of the employer ceases immediately upon certain triggering events. Needless to say, the Courts will have the last word as to whether such policy language can “trump” their interpretation of the terms of the CFAA, but where the employer’s policies closely track those very terms, it may be more difficult for the Court to find that authorization, once given, cannot be lost. Just sayin’. . .

Does the Computer Fraud and Abuse Act (“CFAA”) prohibit hacking–improperly gaining entrance into a computer system–or simply prohibit improper use of a computer system? U.S. Courts of Appeal are divided. Now, district and appellate court judges in a single federal case pending in the Northern District of California, U.S. v. Nosal, have produced several divergent opinions regarding congressional intent with respect to the meaning of the CFAA.

The defendant in Nosal allegedly persuaded employees of his former employer to log in to the employer’s computer system and forward confidential information to him. Nosal allegedly planned to use the information to compete with his former employer.

The CFAA provides that an individual who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” is guilty of a crime. Although the CFAA is a criminal statute, most judicial opinions interpreting it are issued in civil (injunction and damages) litigation. Nosal is one of the unique reported CFAA cases in which the defendant was charged with a crime.

The most recent Ninth Circuit opinion in Nosal was written in 2012 by an en banc majority. Those judges concluded that the CFAA is simply an anti-hacking statute that criminalizes circumventing “technological barriers.” It does not apply to Nosal, the majority held, because he was not the person who entered his former employer’s computer system.

After the Ninth Circuit’s en banc decision was issued, affirming the district court’s dismissal of the indictment’s CFAA counts, a superseding indictment was returned. It alleged substantially the same crimes but added more facts with the purpose, apparently, of getting around the en banc ruling. Nosal again moved to dismiss the CFAA counts, stressing that the statutory words “accesses” and “access” relate to unauthorized logging into the company’s computer, not to the use that is made of the computer after logging in. Since he did not log in, he insisted, he could not be guilty of CFAA crimes.

In a ruling issued in mid-March 2013, Nosal’s motion was denied. The district court judge emphasized that the Ninth Circuit en banc majority’s words cannot be taken literally. According to that judge, “[h]acking was only a shorthand term used [by the en banc majority] as common parlance . . . to describe the general purpose of the CFAA,” and the phrase “‘circumvention of technological access barriers’ was an aside that does not appear to have been intended as having some precise definitional force.” In short, the district court judge concluded,

“[i]f the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless. Surely Congress could not have intended such a result.”

Proposed legislation to expand the scope of the CFAA is currently being circulated within the House Judiciary Committee. Nevertheless, practitioners and parties in the states and territory that make up the Ninth Circuit — Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington State, and the Territory of Guam — will likely have to wait at least until the next CFAA lawsuit is decided by the Ninth Circuit before they may reliably predict what conduct will be held to violate the CFAA.

In Seyfarth’s first installment of its 2013 Trade Secrets Webinar series, Seyfarth attorneys Michael Wexler, Robert Milligan, and Joshua Salinas will review noteworthy cases and other legal developments from across the nation this past year in the areas of trade secrets and data theft, non-compete enforceability, computer fraud, and company owned social media accounts and social media policies, as well as provide their predictions for what to watch for in 2013.

The webinar will take place on Monday, January 28, 2013, from 12:00 p.m. to 1:00 p.m. Central (10:00 a.m. to 11:00 a.m. Pacific).

The Seyfarth panel will specifically address the following topics:

  • Significant U.S. and state supreme court non-compete and trade secret decisions, including a discussion of choice of law, forum selection, and arbitration issues;
  • Important legislative efforts, including several states enacting legislation to protect employees’ “personal” social media accounts, the recent amendments to the Economic Espionage Act in response to the Second Circuit’s U.S. v. Aleynikov decision, New Jersey’s adoption of the Uniform Trade Secrets Act, and New Hampshire’s new non-compete notification requirements;
  • Prominent social media cases involving disputes over the ownership of company social media accounts and account “followers” on Twitter, LinkedIn, Facebook, and Myspace;
  • Noteworthy jury trial verdicts and criminal sentences;
  • The increased involvement of government agencies, such as the FBI, Department of Justice, Federal Trade Commission, and National Labor Relations Board, in the areas of trade secrets and non-compete law, including the DOJ’s scrutiny of no-hire or no recruiting provisions among competitors;
  • Trade secret preemption and courts’ difficulties in grappling with whether the theft of non-trade secret information is actionable in tort;
  • The current circuit split regarding the ability of employers to use the Computer Fraud and Abuse Act to sue former employees in typical employee data theft cases.

The panel will discuss the following 2012 cases: PhoneDog v. Kravitz; Eagle v. Morgan; Lown Companies, LLC v. Piggy Paint; Christou v. Beatport; US v. Nosal; WEC Carolina Energy Solutions, LLC v. Miller; Acordia of Ohio, L.L.C. v. Fishel; Nitro-Lift Technologies LLC v. Howard; US v. Aleynikov; and DuPont v. Kolon.

There is no cost to attend this program; however, registration is required.

 

 

*CLE credit is available.  (Seyfarth has applied for CLE credit in IL, NY, and CA. If you would like us to pursue CLE credit in any additional states, please contact events@seyfarth.com. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.)