shutterstock_299582249On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA).   In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.

The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA.  Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.

Nosal’s Points

Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I).  Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets.  As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.”  In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.

This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime.  Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement).   Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.

U.S. Government’s Arguments

On the other side of the spectrum lie the government’s arguments.  Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA.  Such a broad interpretation was met with raised brows from the members of the judicial panel.

Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brecka case.  Per Brecka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway.  In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing.  After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.

With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time.  Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value for not being generally known by the general public.

Possible Outcomes for Nosal and Beyond

Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic.  In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case.  In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use.  At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.

Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument.  As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit.  The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.

On January 8th, after years of litigation and numerous delays, Executive Recruiter David Nosal was sentenced to one year and a day in federal prison for his April 25, 2013 conviction on three counts under the Computer Fraud and Abuse Act (“CFAA”), two counts under the Economic Espionage Act (“EEA”), and one count of conspiracy to violate the CFAA and EEA. The court also ordered Nosal to 400 hours of community service and three years of supervised release.

While Nosal’s counsel had argued for mere probation, the one-year sentence was considerably shorter than the maximum statutory penalty of five years’ imprisonment and a fine of $250,000, plus potential restitution, on the conspiracy and CFAA counts, and 10 years’ imprisonment and a fine of $250,000, plus potential restitution, on the EEA counts. The sentence was also shorter than the 27 months requested by federal prosecutors, and less than the 15 to 21 months provided for by sentencing guidelines.

The court based the sentence on its conclusion that Nosal’s former employer’s losses were less than $50,000, based on the value of the stolen information and time spent investigating the crime. Federal prosecutors had estimated the losses at close to $600,000, while Nosal’s counsel argued that the former employer had suffered no real loss.

Following sentencing, the court released Nosal to return to the British Virgin Islands where he is vacationing with his family.

Although the sentencing is the end of a chapter, it is not the end of this saga. Federal prosecutors have asked the court to order Nosal to pay more than $1.3 million in restitution to his former employer, including almost $1 million in legal fees incurred by the former employer’s counsel. Defense counsel has already filed a motion for Nosal to remain free pending appeal. The court will address those motions in a future hearing. The appeal process will likely take years to resolve. As referenced in an earlier post, this case will presumably once again end up before the Ninth Circuit which will determine whether the conviction will stand in light of its earlier en banc decision limiting the reach of the CFAA, finding that the statute was intended to punish hacking, not misappropriation of trade secrets in violation of an employer’s acceptable use policies.

In Parts I and II of this post, we looked at the Court’s ruling on Nosal’s motion for acquittal and new trial following his conviction of three CFAA counts, two EEA counts and one count of conspiracy. In this final part, we look at what may lie ahead for Nosal and lessons employers may learn from this case.

What’s Next for Nosal?

Sentencing in this case is now scheduled for October 9, 2013. Nosal faces a maximum statutory penalty of five years’ imprisonment and a fine of $250,000, plus potential restitution, on the conspiracy and CFAA counts, and 10 years’ imprisonment and a fine of $250,000, plus potential restitution, on the EEA counts.

Presumably, this matter will once again end up before the Ninth Circuit which will determine whether the conviction and the Court’s denial of Nosal’s motions for acquittal and a new trial will stand or whether they run afoul of the Ninth Circuit’s earlier en banc decision in this case. Earlier, Judge Kozinski, writing for the majority, affirmed the dismissal of CFAA counts against Nosal finding that the statute was intended to punish hacking, not misappropriation of trade secrets in violation of an employer’s acceptable use policies. In the opinion, Judge Kozinski stated that to hold otherwise would make a federal crime out of non-business related conduct in violation of acceptable use policies such as “g-chatting with friends, playing games, shopping or watching sports highlights.” A strong dissent by Judge Barry Silverman argued that this case has nothing to do with such innocent violations of employer policy, apparently suggesting that such conduct, although “unauthorized access,” would not fall under the CFAA because the required element of fraud is missing. Conversely, Judge Silverman stated that this case was about fraudulent and unauthorized access to a computers with the intent to steal valuable information.

Perhaps any future ruling will address password sharing and provide useful guidance on how to design acceptable use policies prohibiting conduct running afoul of the CFAA, without offending Judge Kozinski’s sensibilities. Stay tuned.

What can employers learn from this case?

Obviously, Nosal’s former employer did a lot of things right which allowed the government to successfully prosecute and convict Nosal. For starters, his former employer protected its trade secrets by in a number of ways, including that: (1) it did not permit trade secrets to be sent outside the company; (2) it required usernames and passwords to access computers; (3) it housed its database containing the trade secrets at a secure data center with restricted access; (4) it protected the database with a firewall and anti-virus software; (5) it monitored users’ downloading activity; (6) the database warned users with messages that information was to be used for “company business only”; and (7) lists exported from the database stated the information was “Proprietary & Confidential.” Based on these efforts, the Court concluded that Nosal’s former employer took reasonable steps to protect its trade secrets.

However, although ultimately not determinative in this case, the Court also noted evidence of things that Nosal’s former employer did not do, including that: (1) it did not prevent users from e-mailing source lists outside the company; (2) it did not prevent users from printing source lists; (3) it did not encrypt source lists or protect them with separate passwords; and (4) it did not have a procedure for preventing employees from printing and taking source lists home. It is possible some of these additional safeguards may have made misappropriation more difficult, or even prevented it altogether.

There are also a number of additional safeguards and procedures not referenced in the order that companies should consider as part of “best practices” in preventing trade secret theft. For example, the order is silent as to Nosal’s former employer’s onboarding procedures, and whether it used non-disclosure and trade secret protection agreements to protect sensitive information. It is also unclear what, if anything, his former employer did to educate and to continue to remind its workers regarding their obligations to protect company information. There is also no information as to whether his former employer conducted exit interviews, and whether it used exit interview certifications requiring departing workers to confirm they did not have any company trade secrets or confidential or proprietary information. All of these may be helpful tools in protecting company information. While none of these efforts by themselves prevent misappropriation, workers who are informed and understand that a company values and protects such assets are presumably less likely to misappropriate.

In Part I of this post, we reviewed the Court’s ruling on Nosal’s conviction on the CFAA counts. Here in Part II, we turn to the Court’s ruling on the EEA counts, and the exclusion of evidence regarding Nosal’s non-compete provision.

B.    Nosal’s Conviction on the EEA Counts:

Nosal was convicted of two counts under the EEA for downloading, copying and duplicating his former employer’s trade secrets without authorization, and for receiving and possessing his former employer’s stolen trade secrets. In relevant part, the EEA provides:

Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended
for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof,
and intending or knowing that the offense will, injure any owner of that trade secret, knowingly –

. . .

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters,
destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such
information;

(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated,
obtained, or converted without authorization;

(4) attempts to commit any offense described in paragraphs (1) through (3);

shall, except as provided in subsection (b), be fined under this title or imprisoned not more
than 10 years, or both.

18 U.S.C. § 1832(a).

Nosal raised four arguments for acquittal or a new trial on the EEA counts: (1) instruction that jury could find Nosal guilty of conspiracy to commit the EEA violations even if there was no trade secret was erroneous; (2) there was insufficient evidence that the source lists were trade secrets; (3) there was insufficient evidence that Nosal and his co-conspirators knew or believed that the source lists were trade secrets; and (4) there was insufficient evidence that Nosal and his co-conspirators knew or believed that taking the source lists would cause his former employer economic harm. The Court rejected each of these arguments.

1.     Requirement of Existence of Actual Trade Secret

Nosal argued for acquittal or a new trial on all counts claiming the Court erroneously instructed the jury that it could find him guilty of conspiracy to misappropriate, receive, possess, and transmit trade secrets even if the source lists were not trade secrets as long as he “firmly believed” they were.

The Court rejected this argument based on authority holding that legal impossibility is not a defense to conspiracy charges, including United States v. Hsu, 155 F.3d 189, 193 (3d Cir. 1998). The defendants in Hsu were charged with attempt and conspiracy to steal trade secrets, and sought discovery to prove that the documents they had attempted to obtain were not trade secrets. The Hsu court ruled that the documents were not relevant because legal impossibility is not a defense to either attempt or conspiracy. Id. at 203. The Court further cited the Supreme Court’s recognition that conspiracies are distinct and independent evils punishable by themselves. Salinas v. United States, 522 U.S. 52, 65 (1997).

The Court also found that the legislative history of EEA specifically supported a finding that a “firm belief” satisfied the “knowingly” element. The Court further concluded that any error in the instruction was harmless because the jury found Nosal guilty of the substantive EEA counts, and to do so it had to find that at least one of the source lists was a trade secret. The Court also dismissed several other arguments, including that the conspiracy instruction was a constructive amendment of the indictment because it sought conviction based on the theory that Nosal “firmly believed” the source lists were trade secrets, even if they were not.

2.     Evidence the Source Lists Were Trade Secrets

Nosal also argued for acquittal or a new trial on the EEA counts because there was insufficient evidence the source lists were, in fact, trade secrets, and specifically that the information was not drawn from publicly available sources and that the source lists had not been publicly disclosed.

The Court dismissed this argument citing evidence introduced at trial that would support a finding that the source lists were compilations of both public and non-public information, and that the jury could have inferred based on Nosal’s efforts to retrieve the source lists that the information therein was not entirely public.

The Court also held that the jury could reasonably have found that the trade secret status of the source lists was not destroyed by disclosure to third parties based on evidence that such disclosure was relatively rare and that the alleged trade secrets had not been disclosed to third parties, or had been disclosed only subject to a confidentiality agreement.

Finally, based on a review of the balance of evidence, the Court concluded there was sufficient evidence to conclude his former employer had taken “reasonable” steps to protect the source lists as trade secrets.

3.     Evidence Conspirators Knew Source Lists Were Trade Secrets

Nosal also demanded acquittal or a new trial because there was not sufficient evidence that he and his co-conspirators knew the source lists were trade secrets. The Court disagreed, holding there was sufficient evidence showing both that the co-conspirators were aware that the specific source lists were, in fact, trade secrets, and that the co-conspirators attempted to keep their activities secret, from which the jury could have inferred they knew the information was trade secret.

4.     Evidence Conspirators Knew Taking Source Lists Would Cause Harm

Nosal also argued for acquittal or a new trial because there was insufficient evidence that the co-conspirators intended or knew that their actions would injure his former employer, as is required by the EEA. In reviewing the evidence, the Court concluded there was sufficient evidence from which the jury could conclude that the co-conspirators knew their actions would injure his former employer, including that they were starting a business to compete with his former employer.

C.     Exclusion of Evidence Regarding Non-Compete

Finally, Nosal demanded a new trial on all counts claiming he was prejudiced by not being allowed to argue that a non-compete provision in his independent contractor agreement with his former employer was illegal.

The Court stated that, in ruling on motions in limine, it precluded either party from presenting evidence or argument as to whether the provision was actually legal and enforceable. In rejecting Nosal’s demands, the Court held that there was no convincing argument that this ruling was in error, or that Nosal was so unfairly prejudiced by evidence and argument presented at trial relating to the non-compete as to require a new trial.

In the final part of this post, we will look at what may be next for Nosal, and also look at some lessons employers can learn from this case.

On April 25, 2013, a federal jury convicted Executive Recruiter David Nosal on three counts under the Computer Fraud and Abuse Act (“CFAA”), two counts under the Economic Espionage Act (“EEA”), and one count of conspiracy to violate the CFAA and EEA, for Nosal’s conduct leaving his former employer and establishing a competing business in 2004 and 2005.

The conviction followed an FBI investigation and multiple indictments alleging that Nosal conspired with former co-workers to gain unauthorized access to his former employer’s computers system and to illegally obtain its trade secrets – source lists of candidates compiled for search assignments – to use in his competing business.

On August 7, 2013, U.S. District Judge Edward Chen heard argument on Nosal’s motions for acquittal and a new trial and took both motions under submission. On August 15, 2013, the Court issued its ruling, denying both motions in a 39-page order.

This is Part I of a three part post. In this post we will look at the Court’s order on Nosal’s conviction of the CFAA counts. In Part II, we will review the EEA counts. Finally, in Part III, we will try to foresee what the future may hold for Nosal and look at some lessons employers can learn from this case.

A.     Nosal’s Conviction on the CFAA Counts:

Nosal was convicted of three counts under the CFAA for accessing his former employer’s computers and obtaining information on three separate occasions. In relevant part, the CFAA provides criminal penalties for:

[whoever] knowingly and with intent to defraud, accesses a protected computers without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computers and the value of such use is not more than $5,000 in any 1-year period;

18 U.S.C. § 1030(a)(4).

In his motions, Nosal argued broadly that he was entitled to acquittal or a new trial on the CFAA counts because: (1) no person gained unauthorized access to his former employer’s computers within the meaning of the CFAA; (2) the deliberate ignorance jury instruction was confusing; (3) there was insufficient evidence that Nosal had the requisite mental state to commit the CFAA violations; and (4) there was insufficient evidence of a conspiracy.

1.     Unauthorized Access to his former employer’s Computers

In support of the “no unauthorized access” argument, Nosal argued that: (1) under the Ninth Circuit’s en banc decision in this case (United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)), there can be no CFAA violation because any access to his former employer’s computers was gained with the permission of the password holder and there was no circumvention of technological barriers; (2) Nosal’s former co-workers were authorized to access the computers; and (3) Nosal was authorized to receive certain information in the course of his work as an independent contractor for his former employer.

The Court rejected Nosal’s first argument, holding that “[n]owhere does the court’s opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4)” and also noted that the indictment actually does allege circumvention of a technological barrier because “password protection is one of the most obvious technological access barriers that a business could adopt.”

The Court also dismissed Nosal’s second argument that his former co-workers were authorized to access his former employer’s computer, holding that the evidence established they did not have his former employer’s authorization and “that it is the actions of the employer who maintains the computers system that determine whether or not a person is acting with authorization.” In so doing, the Court distinguished Nosal’s argument that the verdict was criminalizing the allegedly common practice of employees sharing passwords with each other to access their employer’s computers systems by explaining that here, an employee of his former employer impermissibly gave her password, not to a co-worker, but to former employees who were not authorized to access the computers.

The Court also rejected Nosal’s argument that his former co-workers were authorized to access his former employer’s computers on the relevant dates, finding that the evidence sufficiently established that they were not authorized. Finally, the Court rejected Nosal’s argument that he was authorized to receive certain information from his former employer’s computers in his work as an independent contractor, holding he was only authorized to receive limited information relevant to specific work he was doing for his former employer, but that the information he received was for his competing business.

2.     Deliberate Ignorance Jury Instruction

Nosal also argued that an instruction that the jury could find that he had acted “knowingly” to violate the CFAA if he was aware of a high probability that his former executive assistant or former co-workers had gained unauthorized access to the computers or misappropriated trade secrets, and he deliberately avoided learning the truth, was confusing because his former executive assistant was at all relevant times employed by his former employer and was authorized to access the computers while the other former co-workers were not employed by his former employer and were not authorized.

The Court held that Nosal had waived this argument by not raising it earlier. Moreover, the Court held that the instruction was sufficiently clear that the jury could not convict Nosal on the CFAA counts if they concluded his former executive assistant has accessed the computers, because such access would not have been “unauthorized.”

3.     Evidence Nosal had Knowledge of Unauthorized Downloads

Nosal further argued that there was insufficient evidence he had knowledge of downloads from his former employer’s computers were unauthorized because the downloads were not conducted by his former executive assistant. Reciting substantial evidence presented at trial by the government, including evidence that Nosal gave his former co-workers specific directions about information he wanted from his former employer’s computers, that he knew a former co-worker had a large amount of data taken from the computers, that he knew they were not authorized to obtain the information, and that Nosal’s executive assistant did not know how to do so, the Court concluded the government had proved beyond a reasonable doubt that Nosal knew of, was deliberately indifferent to, and/or had conspired to commit the CFAA violations.

4.     Evidence of Conspiracy

Nosal also argued that there was not sufficient evidence of conspiracy. The Court dismissed this argument, concluding that the same evidence that Nosal had knowledge of the downloads from his former employer’s computers was sufficient to support the verdict on the conspiracy count.

In Part II of this post, we will look at Nosal’s conviction on the EEA counts.

Last month we blogged about a district court for the Northern District of California that distinguished the Ninth Circuit’s recent U.S. v. Nosal decision and allowed an employer to bring a counterclaim under the Computer Fraud and Abuse Act (“CFAA”) against a former employee for alleged violations of a verbal computer access restriction. (Weingand v. Harland Financial Solutions, 2012 U.S. Dist. LEXIS 84844 (N.D. Cal. June 19, 2012). Recently, the court reaffirmed its conclusion regarding Nosal concerning the employee’s subsequent motion to dismiss that CFAA counterclaim.

Defendant employer Harland Financial Solutions alleged that it verbally authorized plaintiff and former employee Michael Weingand to return to its offices after the termination of his employment to copy his personal files from his prior work computer. A dispute arose, however, when Weingand allegedly “accessed , without authorization, over 2,700 business files,” some containing confidential, proprietary, and copyrighted information. (See our previous blog post for further details regarding the background of this case).

As discussed in our previous post, the court granted Harland’s motion for leave to amend its answer to assert a counterclaim against Weingand for violations of the CFAA.

Harland subsequently amended its answer to assert the CFAA counterclaim. Weingand then moved to dismiss the claim for “failure to state a plausible claim for relief.” (FRCP 12(b)(6)).

On August 29, 2012, the court denied Weingand’s motion to dismiss. The court noted that it already rejected a bulk of Weingand’s arguments in the prior motion for leave to amend. The court acknowledged, but declined to adopt, Weingand’s argument that verbal authorization could not be the sort of authorization cover by the CFAA:

Notably, the court reiterated its prior conclusion concerning Nosal:

“although Nosal clearly precluded applying the CFAA to violating restrictions on use, it did not preclude applying the CFAA to rules regarding access.”

Additionally, the court noted that many of the issues raised by Weingand concerning the scope and nature of his authorization, what constituted “personal” files, and whether he exceeded Harland’s authorization, were factual questions appropriate for summary judgment — not a motion to dismiss.

The court denied Weingand’s motion to dismiss because Harland alleged specific details about Weingand’s alleged unauthorized access, including when, where, and what Weingand allegedly accessed and copied.

The court’s reassertion that Nosal does not preclude employers’ “access restrictions” is significant because it reaffirms that Nosal may not be as broad of a limitation for employers that seek to use the CFAA against departing employees that steal valuable company data. After Nosal, it was feared that employers would have no recourse under the CFAA against employees that violate clear and explicit computer, network, and information security policies.

The court allowed Harland to proceed with its CFAA claim based on a mere verbal access restriction. This holding remains consistent with the Ninth Circuit’s prior decision in LVRC Holdings LLC v. Brekka: “The plain language of the statute therefore indicate that authorization depends on actions taken by the employer.” Thus under Weingand, an employer’s computer access policies may remain viable post-Nosal to bring CFAA claims in the Ninth Circuit against employees that violate those policies and steal valuable company data.

On June 19, 2012, a district court for the Northern District of California distinguished the Ninth Circuit’s recent U.S. v. Nosal decision and allowed an employer to bring a claim under the Computer Fraud and Abuse Act (“CFAA”) against a former employee for alleged violations of a verbal computer access restriction. (Weingand v. Harland Financial Solutions, 2012 U.S. Dist. LEXIS 84844 (N.D. Cal. June 19, 2012). The decision alleviates some of restraints imposed by Nosal on employers who want to bring CFAA claims against departing employees that steal valuable company data.

Plaintiff Michael Weingand worked as a Senior Field Engineer at Defendant Harland Financial Solutions. On November 4, 2010, Harland notified Weingand that it was terminating his employment. The next day, after learning of the termination of his employment, Weingand allegedly emailed Harland’s H.R. Manager, requesting permission to copy his “personal files” on his Harland laptop to a USB flash drive. Harland agreed and let him access his Harland laptop at Harland’s offices on November 6, 2010 at approximately 1:00 p.m.

Weingand later brought action against his former employer Harland for wrongful termination and employment retaliation.

During discovery, Harland learned through computer forensic analysis that Weingand allegedly accessed and copied over 2,700 business files belonging to Harland, its clients, and third-party software vendors; some files containing confidential, proprietary, and copyrighted information. Harland also discovered that Weingand’s alleged unauthorized access of these files allegedly occurred on November 6, 2010 between 1:11 p.m. and 1:41 p.m.–the same date and time Harland gave Weingand permission to copy his personal files from his old work computer.

In light of these alleged facts, Harland moved to amend its answer to add counterclaims against Weingand for, inter alia, violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.

Weingand opposed Harland’s motion on grounds that, inter alia, Harland’s CFAA counterclaim would be futile and subject to a motion to dismiss. In particular, Weingand contended that Harland handed the computer to Weingand without restriction. Moreover, Weingand contended that Harland’s proposed CFAA counterclaim contained no allegations as to what directions, limitations, or restricted authorization were stated to Weingand when we was handed the computer. Further, Weingand argued that Harland’s “verbal authorization” regarding access to only personal files was irrelevant because the only authorization which the statute speaks is “code” authorization (i.e. whether someone is literally blocked from certain files by some security measure such as a password).

The Court rejected Weingand’s arguments, granted Harland’s motion, and allowed Harland to amend its answer to add the CFAA counterclaim. The Court reasoned that “[Weingand] received permission to access Harland’s computer system based on his representations that he wanted to get his ‘personal files’ after his termination, but he had no authority with respect to the additional files he accessed.” “Thus, the counterclaim creates at least a reasonable inference that his authorization extended only to accessing and copying said ‘personal files’ and that he exceeded that authorization.” Weingand, 2012 U.S. Dist. LEXIS 84844, *6.

This post-Nosal decision has several significant takeaways:

(1) Computer access restrictions/policies may remain viable for CFAA claims in the Ninth Circuit post-Nosal

One of the important holdings from Nosal was that violations of an employer’s computer use policy do not constitute violations under the CFAA. Weingand recognized, however, that Nosal precluded applying the CFAA to violating restrictions on use, but not rules regarding access. In fact, Weingand allowed a claim under the CFAA based on the employer’s mere verbal restriction on access (i.e. that the employee could only access personal files). This holding remains consistent with the Ninth Circuit’s prior decision in LVRC Holdings LLC v. Brekka: “The plain language of the statute therefore indicate that authorization depends on actions taken by the employer.” Thus under Weingand, an employer’s computer access policies may remain viable post-Nosal to bring CFAA claims against employees that violate those policies and steal company data.

(2) Physical access to a computer does not equal “authorization”

The mere fact that an employee is granted physical access to a computer does not necessarily mean the employee is immune to CFAA claims. The Court rejected Weingand’s argument that he had “authorization” simply because he had physical access to the computer. The Court noted that while the Nosal opinion uses the phrase ‘physical access,’ “[Nosal] was concerned only with the distinction between access and use, not any distinction between different types of authorization pertaining to access.” The Court went on: “Indeed, Nosal … suggests that one need not engage in such rigorous technological measures to block someone from accessing files in order to limit their authorization.” Thus, an employer can communicate its computer access restrictions to employees and remain protected under the CFAA, without having to physically block certain files every time that employee’s authorizations change.

This also remains consistent with Brekka, where the Ninth Circuit stated that if a former employee accesses information without permission, even if his prior log-in information is still operative as a technical matter, such access would violate the CFAA.

While Nosal substantially limits employers’ use of the CFAA against departing employees that steal company data, it may not be as broad of a limitation as anticipated.

Weingand has since moved to dismiss Harland’s CFAA counterclaim pursuant to FRCP Rule 12(b)(6). The hearing is set for August 31, 2012. We will follow the decision to see if the Court provides any further discussions regarding Nosal, the CFAA, and employers’ use of the CFAA to stop data theft by employees.

By Robert Milligan and Joshua Salinas

The Solicitor General indicated yesterday that he will not file a petition for a writ of certiorari with the Supreme Court in U.S. v. Nosal.

It was anticipated by some legal commentators that a Supreme Court decision in Nosal may resolve a deepening split between the Circuit Courts regarding the proper interpretation of the statutory language in the Computer Fraud and Abuse Act (CFAA) and its applicability to factual scenarios where employees steal company data in violation of computer usage policies or in breach of their loyalty obligations.

Earlier this spring, a Ninth Circuit en banc panel in Nosal adopted a narrow interpretation of the CFAA and found that an employee’s violation of his/her employer’s computer usage policies was not a violation of the CFAA. The Court focused on whether the employee originally had access to the information, not whether the employee misused the employer’s confidential information in violation of usage policies.

Last week, the Fourth Circuit in WEC Carolina Energy Solutions v. Miller joined the Ninth Circuit and adopted this narrow interpretation of the CFAA. Please see John Marsh’s and Ken Vanko’s blogs on the case.

On the other side, the Fifth, Seventh, and Eleventh Circuits have adopted a broader interpretation of the CFAA based on either common-law agency principles or computer usage policies. Under the agency theory, when an employee accesses a computer to further interests adverse to the employer, such actions terminate his or her agency relationship and, thus the employee loses any authority to access the computer. Under the computer usage theory, a violation of a computer usage policy can serve as a basis for holding an employee liable under the CFAA, Thus, an employee who is authorized to access a company computer, but uses that access to steal or damage valuable company data in violation of a computer usage policy, would be liable for his or her wrongful conduct.

The Supreme Court has yet to decide a CFAA case since the statute’s inception in 1984. With the Solicitor General refraining from filing a petition in Nosal, a resolution of the circuit split may lie with a statutory fix by the legislature or possible review of the Fourth Circuit’s decision in WEC Carolina Energy Solutions v. Miller. No such fix, however, appears imminent.

Earlier this week, Senator Patrick Leahy (D-Vt.) proposed an amendment to the Cybersecurity Act of 2012 (S3413), that would in effect adopt the Ninth Circuit’s narrow interpretation of the CFAA.

Yesterday, the cybersecurity bill failed to obtain the required amount of votes required to move the legislation forward. With Congress on August recess and its focus turning towards the upcoming November elections, any cybersecurity legislation is not expected to be voted on until next year.

As of now, an employer’s protection under the CFAA against rogue employees that steal valuable company data may simply depend on which jurisdiction they are in and/or the genius of counsel.

The Solicitor General obtained a thirty day extension on the July 9, 2012 deadline to file a petition for a writ of certiorari with the United States Supreme Court on the Ninth Circuit’s controversial U.S. v. Nosal decision, which limits the use of the federal Computer Fraud and Abuse Act. According to the extension request, the Solicitor General “has not yet determined whether to file a petition for a writ of certiorari in this case. The additional time sought in this application is needed to assess the legal and practical impact of the court’s ruling and, if a petition is authorized, to permit its preparation and printing.”

A writ petition would challenge the Ninth Circuit’s recent decision which circumscribes the use of the Computer Fraud and Abuse Act to primarily outsider hacking activities, rather than violations of employer computer usage policies or internet service providers’ terms of service/use, and request that the Supreme Court resolve the current circuit split. We previously discussed the Court’s decision and its impact.

Should your company be interested in taking a side in the dispute, including joining a letter to the Solicitor General or participating in an amicus filing, please contact your Seyfarth attorney contact or submit your interest here.

According to a recent filing with the California federal district court in the United States v. Nosal case, the Solicitor General, in consultation with the Criminal Division of the Department of Justice and the United States Attorney’s Office, is still deciding whether to file a writ of certiorari with the United States Supreme Court.

The writ would challenge the Ninth Circuit’s recent decision in the case which circumscribes the use of the Computer Fraud and Abuse Act to primarily hacking activities, rather than violations of employer computer usage policies or internet service providers’ terms of service/use, and request that the Supreme Court resolve the current circuit split. We previously discussed the Court’s decision and its impact. Other legal commentators such as John Marsh, Ken Vanko, and Nick Akerman have weighed in on the decision. The parties’ stipulation indicates that the government’s deadline to file the writ is July 9, 2012.

Should your company be interested in taking a side in the dispute, including joining a letter to the Solicitor General or participating in an amicus filing, please contact your Seyfarth attorney contact or submit your interest here.