Continuing our annual tradition, we present the top developments/headlines for 2017/2018 in trade secret, computer fraud, and non-compete law.

1. Notable Defend Trade Secrets Act Developments

Just two years after its enactment, the Defend Trade Secrets Act (“DTSA”) continues to be one of the most significant and closely followed developments in trade secret law. The statute provides for a federal civil cause of action for trade secret theft, protections for whistleblowers, and new remedies (e.g., ex parte seizure of property), that were not previously available under state trade secret laws. Continue Reading Top Developments/Headlines in Trade Secret, Computer Fraud, and Non-Compete Law in 2017/2018

On Tuesday, October 10, 2017, the United States Supreme Court denied certiorari in Nosal v. United States, 16-1344. Nosal asked the Court to determine whether a person violates the Computer Fraud and Abuse Act’s prohibition of accessing a computer “without authorization” when using someone else’s credentials (with that other user’s permission) after the owner of the computer expressly revoked the first person’s own access rights. In denying certiorari, the Court effectively killed the petitioner’s legal challenge to his conviction in a long-running case that we have extensively covered here, here, here, here, here, here, and here (among other places). The denial of certiorari leaves further development of the scope of the CFAA in the hands of the lower courts. Continue Reading Supreme Court Refuses to Hear Password-Sharing Case, Leaving Scope of Criminal Liability Under Computer Fraud and Abuse Act Unclear

MEME_Cal Pecs eBookSeyfarth Shaw LLP has released its 2017 Edition of Cal-Peculiarities: How California Employment Law Is Different. Included within the publication is an overview of how California law is different in the areas of restrictive covenants , trade secrets, and computer fraud. For example, highlights include:

  • But for a narrow exception, new law provides that a California employer cannot in an employment agreement with an employee who primarily resides and works in California require the employee to (1) adjudicate outside of California a claim arising in California, or (2) accept the application of substantive law other than California’s with respect to a controversy arising in California. Cal. Labor Code § 925.
  • Also, although the Defend Trade Secrets Act of 2016 (DTSA) provides for a federal cause of action for trade secret misappropriation that may be pled in California courts, case law interpreting and applying the preemptive scope of California’s Uniform Trade Secrets Act (CUTSA) may impact what state law tort claims can be pleaded in conjunction with a DTSA claim, even where no CUTSA claim is pleaded.
  • Finally, in 2016, the Ninth Circuit published its opinion in United States v. Nosal, 844 F.3d 1024 (2016), where the court held that unequivocal revocation of computer access makes use of a password shared by an authorized system user to circumvent the revocation of a former employee’s access a crime.

Cal-Pecs provides many more useful details in the areas of areas of restrictive covenants, trade secrets, and computer fraud law. Cal-Pecs is available in an eBook to approved requestors.

submit request button

shutterstock_533123590Continuing our annual tradition, we present the top developments/headlines for 2016 in trade secret, computer fraud, and non-compete law. Please join us for our first webinar of the New Year on February 2, 2017, at 12:00 p.m. Central, where we will discuss these new developments, their potential implications, and our predictions for 2017.

1. Defend Trade Secrets Act

One of the most significant developments of 2016 that will likely have a profound impact on trade secret cases in the coming years was the enactment of the Defend Trade Secrets Act (“DTSA”). The DTSA creates a new federal cause of action for trade secret misappropriation, albeit it does not render state law causes of action irrelevant or unimportant. The DTSA was passed after several years and many failed attempts. The bill was passed with overwhelming bipartisan, bicameral support, as well as backing from the business community.

The DTSA now allows trade secret owners to sue in federal court for trade secret misappropriation, and seek remedies previously unavailable. Employers should be aware that the DTSA contains a whistleblower immunity provision, which protects individuals from criminal or civil liability for disclosing a trade secret if such disclosure is made in confidence to a government official or attorney, indirectly or directly. The provision applies to those reporting violations of law or who file lawsuits alleging employer retaliation for reporting a suspected violation of law, subject to certain specifications (i.e., trade secret information to be used in a retaliation case must be filed under seal). This is significant for employers because it places an affirmative duty on them to give employees notice of this provision in “any contract or agreement with an employee that governs the use of a trade secret or other confidential information.” Employers who do not comply with this requirement forfeit the ability to recoup exemplary damages or attorneys’ fees under the DTSA in an action against an employee to whom no notice was ever provided.

At least one federal district court has rejected an employee’s attempts to assert whistleblower immunity under the DTSA. In Unum Group v. Loftus, No. 4:16-CV-40154-TSH, 2016 WL 7115967 (D. Mass. Dec. 6, 2016), the federal district court for the district of Massachusetts denied a defendant employee’s motion to dismiss and held that a defendant must present evidence to justify the whistleblower immunity.

We anticipate cases asserting claims under the DTSA will be a hot trend and closely followed in 2017. For further information about the DTSA, please see our webinar “New Year, New Progress: 2016 Update on Defend Trade Secrets Act & EU Directive.”

2. EU Trade Secrets Directive

On May 27, 2016, the European Council unanimously approved its Trade Secrets Directive, which marks a sea-change in protection of trade secrets throughout the European Union (“EU”). Each of the EU’s 28 member states will have a period of 24 months to enact national laws that provide at least the minimum levels of protections afforded to trade secrets by the directive. Similar to the DTSA, the purpose of the EU’s Trade Secrets Directive was to provide greater consistency in trade secrets protection throughout the EU. For further information about the EU’s Trade Secrets Directive, please see our webinar “New Year, New Progress: 2016 Update on Defend Trade Secrets Act & EU Directive.”

3. Government Agencies Continue to Scrutinize the Scope of Non-Disclosure and Restrictive Covenant Agreements

Fresh off of signing the DTSA, the Obama White House released a report entitled “Non-Compete Reform: A Policymaker’s Guide to State Policies,” which relied heavily on Seyfarth Shaw’s “50 State Desktop Reference: What Employers Need to Know About Non-Compete and Trade Secrets Law” and contained information on state policies related to the enforcement of non-compete agreements. Additionally, the White House issued a “Call to Action” that encouraged state legislators to adopt policies to reduce the misuse of non-compete agreements and recommended certain reforms to state law books. The Non-Compete Reform report analyzed the various states that have enacted statutes governing the enforcement of non-compete agreements and the ways in which those statutes address aspects of non-compete enforceability, including durational limitations; occupation-specific exemptions; wage thresholds; “garden leave;” enforcement doctrines; and prior notice requirements.

With those issues in mind, the Call to Action encourages state policymakers to pursue three “best-practice policy objectives”: (1) ban non-competes for categories of workers, including workers under a certain wage threshold; workers in occupations that promote public health and safety; workers who are unlikely to possess trade secrets; or workers who may suffer adverse impacts from non-competes, such as workers terminated without cause; (2) improve transparency and fairness of non-competes by, for example, disallowing non-competes unless they are proposed before a job offer or significant promotion has been accepted; providing consideration over and above continued employment; or encouraging employers to better inform workers about the law in their state and the existence of non-competes in contracts and how they work; and (3) incentivize employers to write enforceable contracts and encourage the elimination of unenforceable provisions by, for example, promotion of the use of the “red pencil doctrine,” which renders contracts with unenforceable provisions void in their entirety.

While some large employers have embraced the Call to Action, even reform-minded employers are likely to be wary of some of these proposals. Moreover, this initiative may die or be limited with the new Trump administration.

On October 20, 2016, the Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) jointly issued their “Antitrust Guidance for Human Resource Professionals.” The Guidance explains how antitrust law applies to employee hiring and compensation practices. The agencies also issued a “quick reference card” that lists a number of “antitrust red flags for employment practices.” In a nutshell, agreements (whether formal or informal) among employers to limit or fix the compensation paid to employees or to refrain from soliciting or hiring each other’s employees are per se violations of the antitrust laws. Also, even if competitors don’t explicitly agree to limit or suppress compensation, the mere exchange of compensation information among employers may violate the antitrust laws if it has the effect of suppressing compensation.

In recent years, the National Labor Relations Board (“NLRB”) has issued numerous decisions in which workplace rules were found to unlawfully restrict employees’ Section 7 rights. Last year, the U.S. Court of Appeals for the D.C. Circuit denied Quicken Loans, Inc.’s petition for review of an NLRB decision finding that confidentiality and non-disparagement provisions in the company’s Mortgage Banker Employment Agreement unreasonably burdened employees’ rights under Section 7 of the NLRA.

4. New State Legislation Regarding Restrictive Covenants

Oregon has limited the duration of employee non-competes to two years effective January 1, 2016. Utah has enacted the Post-Employment Restrictions Amendments, which limits restrictive covenants to a one-year time period from termination. Any restrictive covenant that is entered into on or after May 10, 2016, for more than one year will be void. Notably, Utah’s new law does not provide for a court to blue pencil an agreement (i.e., revise/modify to the extent it becomes enforceable), rather the agreement as a whole will be deemed void if it is determined to be unreasonable.

In what appears to have become an annual tradition, Massachusetts legislators have attempted to pass legislation regarding non-competes, to no avail. Two other states in New England, however, are able to claim accomplishments in that regard. Specifically, Connecticut and Rhode Island each enacted statutes last summer imposing significant restrictions on the use of non-compete provisions in any agreement that establishes employment or any other form of professional relationship with physicians. While Connecticut’s law limits only the duration and geographic scope of physician non-competes, Rhode Island completely banned such provisions in almost all agreements entered into with physicians.

5. Noteworthy Trade Secret, Computer Fraud, and Non-Compete Cases

In Golden Road Motor Inn, Inc. v. Islam, 132 Nev. Adv. Op. 49 (2016), the Supreme Court of Nevada refused to adopt the “blue pencil” doctrine when it ruled that an unreasonable provision in a non-compete agreement rendered the entire agreement unenforceable. Accordingly, this means that employers conducting business in Nevada should ensure that non-compete agreements with their employees are reasonably necessary to protect the employers’ interests. Specifically, the scope of activities prohibited, the time limits, and geographic limitations contained in the non-compete agreements should all be reasonable. If an agreement contains even one overbroad or unreasonable provision, the employer risks having the entire agreement invalidated and being left without any recourse against an employee who violates the agreement.

The Louisiana Court of Appeal affirmed a $600,000 judgment, plus attorneys’ fees and costs, against an ex-employee who violated his non-compete when he assisted his son’s start-up company compete with the ex-employee’s former employer. See Pattridge v. Starks, No. 50,351-CA (Louisiana Court of Appeal, Feb. 24, 2016) (Endurall III).

A Massachusetts Superior Court judge struck down a skin care salon’s attempt to make its non-compete agreement seem prettier than it actually was. In denying the plaintiff’s motion for a preliminary injunction, the court stressed that employees’ conventional job knowledge and skills, without more, would not constitute a legitimate business interest worth safeguarding. See Elizabeth Grady Face First, Inc. v. Garabedian et al., No. 16-799-D (Mass. Super. Ct. March 25, 2016).

In a case involving alleged violations of the Kansas Uniform Trade Secrets Act (“KUTSA”) and the Computer Fraud and Abuse Act (“CFAA”), a Kansas federal district court granted a defendant’s motion for summary judgment, holding that (a) payments to forensic experts did not satisfy the KUTSA requirement of showing an “actual loss caused by misappropriation” (K.S.A. 60-3322(a)), and (b) defendant was authorized to access the company’s shared files and, therefore, he did not violate the CFAA. See Tank Connection, LLC v. Haight, No. 6:13-cv-01392-JTM (D. Kan., Feb. 5, 2016) (Marten, C.J.).

The Tennessee Court of Appeals held that the employee’s restrictive covenants were unenforceable when the employer had not provided the employee with any confidential information or specialized training. See Davis v. Johnstone Group, Inc., No. W2015-01884-COA-R3-CV (Mar. 9, 2016).

Reversing a 2-1 decision of the North Carolina Court of Appeals, the state’s Supreme Court held unanimously that an assets purchase-and-sale contract containing an unreasonable territorial non-competition restriction is unenforceable Further, a court in that state must strike, and may not modify, the unreasonable provision. See Beverage Systems of the Carolinas, LLC v. Associated Beverage Repair, LLC, No. 316A14 (N.C. Sup. Court, Mar. 18, 2016).

The Ohio Court of Appeal upheld a non-compete giving the former employer discretion to determine whether an ex-employee was working for a competitor. See Saunier v. Stark Truss Co., Case No. 2015CA00202 (Ohio App., May 23, 2016).

In a clash between two major oil companies, the Texas Supreme Court ruled on May 20, 2016, that the recently enacted Texas Uniform Trade Secrets Act (“TUTSA”) allows the trial court discretion to exclude a company representative from portions of a temporary injunction hearing involving trade secret information. The Court further held a party has no absolute constitutional due-process right to have a designated representative present at the hearing.

A Texas Court of Appeals held on August 22, 2016, that a former employer was entitled to $2.8 million in attorneys’ fees against a former employee who used the employer’s information to compete against it. The Court reached this ruling despite the fact that the jury found no evidence that the employer sustained any damages or that the employee misappropriated trade secrets.

In Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., Case No. 4:13-CV-4021 (7th Cir., Jan. 21, 2016), the Seventh Circuit Court of Appeals affirmed a district court’s conclusion that a plaintiff had produced no evidence refuting the defendant’s contention that it honestly believed it was engaging in lawful business practices rather than intentionally deceiving or defrauding the plaintiff. Even though the plaintiff’s technology did not expressly permit third parties to access the digitized records and use the information without printing copies, thereby avoiding payment of fees to plaintiff, such access and use were not prohibited.

A divided Ninth Circuit panel affirmed the conviction of a former employee under the CFAA, holding that “[u]nequivocal revocation of computer access closes both the front door and the back door” to protected computers, and that using a password shared by an authorized system user to circumvent the revocation of the former employee’s access is a crime. See United States v. Nosal, (“Nosal II”) Nos. 14-10037, 14-10275 (9th Cir. July 5, 2016).

The Ninth Circuit in Facebook v. Power Ventures, Case No. 13-17154 (9th Cir. Jul. 12, 2016), held that defendant Power Ventures did not violate the CFAA when it made copies and extracted data from the social media website despite receiving a cease and desist letter. The court noted that Power’s users “arguably gave Power permission to use Facebook’s computers to disseminate messages” (further stating that “Power reasonably could have thought that consent from Facebook users to share the [Power promotion] was permission for Power to access Facebook’s computers”) (emphasis in original). Importantly, the court found that “[b]ecause Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers ‘without authorization’ within the meaning of the CFAA.”

6. Forum Selection Clauses

California enacted a new law (Labor Code § 925) that restrains the ability of employers to require employees to litigate or arbitrate employment disputes (1) outside of California or (2) under the laws of another state. The only exception is where the employee was individually represented by a lawyer in negotiating an employment contract. For companies with headquarters outside of California and employees who work and reside in California, this assault on the freedom of contract is not welcome news.

We also continued to see federal district courts enforcing forum selection clauses in restrictive covenant agreements. For example, a Massachusetts federal district court last fall transferred an employee’s declaratory judgment action to the Eastern District of Michigan pursuant to a forum-selection clause in a non-compete agreement over the employee’s argument that he had signed the agreement under duress because he was not told he would need to sign it until he had already spent the money and traveled all the way from India to the United States.

7. Security Breaches and Data Theft Remain Prevalent

2016 was a record year for data and information security breaches, one of the most notably being WikiLeaks’ release of emails purportedly taken from the Democratic National Committee’s email server. According to a report from the Identity Theft Resource Center, U.S. companies and government agencies saw a 40% increase in data breaches from 2015 and suffered over a thousand data breaches. Social engineering has become the number one cause of data breaches, leaks, and information theft. Organizations should alert and train employees on following policy, spotting potential social engineering attacks, and having a clear method to escalate potential security risks. Employee awareness, coupled with technological changes towards better security will reduce risk and exposure to liability. For technical considerations and best practices and policies of attorneys when in the possession of client data, please view our webinar, “A Big Target—Cybersecurity for Attorneys and Law Firms.”

8. The ITC’s Extraterritorial Authority in Trade Secret Disputes

In a case involving the misappropriation of U.S. trade secrets in China, the U.S. Supreme Court was asked to decide whether Section 337 of the Tariff Act does, in fact, authorize the U.S. International Trade Commission (“ITC”) to investigate misappropriation that occurred entirely outside the United States. See Sino Legend (Zhangjiangang) Chemical Co. Ltd. v. ITC. The crux of Sino Legend’s argument was that for a statute to apply abroad, there must be express congressional intent. Not surprisingly, Sino Legend argued that such intent was missing from Section 337 of the Tariff Act. In Tianrui Group Co. Ltd. v. ITC, 661 F.3d 1322 (Fed. Cir. 2011), the Federal Circuit held that such intent was manifest in the express inclusion of “the importation of articles … into the United States” which evidenced that Congress had more than domestic concerns in mind. On January 9, 2017, the Supreme Court denied Sino Legend’s petition for certiorari, thereby keeping the ITC’s doors open to trade secret holders seeking to remedy misappropriation occurring abroad. For valuable insight on protecting trade secrets and confidential information in China and other Asian countries, including the effective use of non-compete and non-disclosure agreements, please check out our recent webinar titled, “Trade Secret and Non-Compete Considerations in Asia.”

We thank everyone who followed us this year and we really appreciate all of your support. We will continue to provide up-to-the-minute information on the latest legal trends and cases in the U.S. and across the world, as well as important thought leadership and resource links and materials.

shutterstock_414545476Not exactly. A divided Ninth Circuit panel recently affirmed the conviction of a former employee under the Computer Fraud and Abuse Act (“CFAA”), holding that “[u]nequivocal revocation of computer access closes both the front door and the back door” to protected computers, and that using a password shared by an authorized system user to circumvent the revocation of the former employee’s access is a crime. United States v. Nosal, (“Nosal II”) Nos. 14-10037, 14-10275 (9th Cir. July 5, 2016). The dissenting opinion raised concerns that the majority opinion would criminalize password-sharing in a wide variety of contexts where the password was shared by an authorized user but in violation of a service provider’s terms of service, such as for email or social networking.

An inside job

David Nosal was a recruiter employed by the executive search firm Korn/Ferry. To serve its clients and help place executives in response to talent searches, Korn/Ferry maintained a confidential, proprietary database containing detailed personal information about over one million executives. Nosal left Korn/Ferry and launched a competing firm with two other Korn/Ferry colleagues. Korn/Ferry revoked Nosal and his colleagues’ authorization to access its database. After Nosal and his colleagues left Korn/Ferry, Nosal’s colleagues accessed the database at his behest using the log-in credentials of Nosal’s former executive assistant, who remained employed at Korn/Ferry and who was authorized to access the database. They used the assistant’s valid credentials in order to run searches for candidates and thereby compete with Korn/Ferry. Nosal was convicted of violating the CFAA on a theory of accomplice liability based on his colleagues’ actions. He was ordered to pay a sizeable restitution award to Korn/Ferry.

What does “without authorization” mean, anyway?

The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” 18 U.S.C. § 1030(a)(4) (emphasis added). In a previous appeal in the Nosal case (“Nosal I”), the Ninth Circuit held that the “exceeds authorized access” prong makes criminal conduct out of “violations of [a company’s] use restrictions.” The Ninth Circuit’s decision in Nosal II, however, focused entirely on the “without authorization” prong of the CFAA.

The majority concluded that “without authorization” is unambiguous, and that the Ninth Circuit’s ruling in LVCR Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) applied to Nosal’s conduct: “[A] person uses a computer ‘without authorization’ under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” The court stated that refusing to apply the CFAA to circumstances where an authorized user shared log-in credentials with a person whose credentials had been revoked by the owner of a protected computer system would “remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.”

So is password-sharing now a crime?

Judge Reinhardt dissented from the majority’s opinion, expressing concerns that the ruling would criminalize “password sharing.” Judge Reinhardt warned that the majority opinion “threatens to criminalize all sorts of innocuous conduct” and does not provide “a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners” like email service providers or social networking sites. Judge Reinhardt asserted that, in order to avoid criminalizing such commonplace conduct, the “best reading of ‘without authorization’ in the CFAA is a narrow one: a person accesses an account ‘without authorization’ if he does so without having the permission of either the system owner or a legitimate account holder.” (Emphasis original.)

It will be left to future cases to ascertain the outer boundaries of the majority’s holding. It seems unlikely that the Ninth Circuit would uphold a CFAA conviction of a person who watched Netflix using a friend’s login credentials, but Judge Reinhart correctly points out that there is no inherently limiting language in the statute itself. So, future litigants may focus on the Nosal II majority’s discussion of “revocation of access” as a means to distinguish simple password sharing. It would be one thing for a person to use a friend’s Netflix account to watch movies; it would be another thing if the person had previously had a Netflix account revoked for downloading and selling pirated copyrighted works, then used a friend’s account to circumvent the “revocation of access” and continue such piracy. The problem is, the statute’s language does not make any distinctions based on “revocation of access.” It remains to be seen whether Nosal II provides a workable rule for applying the CFAA in future cases.

Practical Implications for Employers

Setting aside the great password-sharing debate, Nosal II makes clear that criminal sanctions can be imposed against former employees who improperly access their employer’s systems after their authorization to do so is revoked by the employer. Whether former employees use their old log-in credentials or use those of current employees who are themselves authorized to use the employer’s systems, Nosal II means that any such access is “without authorization” under the CFAA.

shutterstock_299582249On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA).   In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.

The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA.  Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.

Nosal’s Points

Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I).  Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets.  As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.”  In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.

This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime.  Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement).   Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.

U.S. Government’s Arguments

On the other side of the spectrum lie the government’s arguments.  Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA.  Such a broad interpretation was met with raised brows from the members of the judicial panel.

Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brecka case.  Per Brecka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway.  In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing.  After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.

With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time.  Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value for not being generally known by the general public.

Possible Outcomes for Nosal and Beyond

Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic.  In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case.  In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use.  At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.

Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument.  As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit.  The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.

In Parts I and II of this post, we looked at the Court’s ruling on Nosal’s motion for acquittal and new trial following his conviction of three CFAA counts, two EEA counts and one count of conspiracy. In this final part, we look at what may lie ahead for Nosal and lessons employers may learn from this case.

What’s Next for Nosal?

Sentencing in this case is now scheduled for October 9, 2013. Nosal faces a maximum statutory penalty of five years’ imprisonment and a fine of $250,000, plus potential restitution, on the conspiracy and CFAA counts, and 10 years’ imprisonment and a fine of $250,000, plus potential restitution, on the EEA counts.

Presumably, this matter will once again end up before the Ninth Circuit which will determine whether the conviction and the Court’s denial of Nosal’s motions for acquittal and a new trial will stand or whether they run afoul of the Ninth Circuit’s earlier en banc decision in this case. Earlier, Judge Kozinski, writing for the majority, affirmed the dismissal of CFAA counts against Nosal finding that the statute was intended to punish hacking, not misappropriation of trade secrets in violation of an employer’s acceptable use policies. In the opinion, Judge Kozinski stated that to hold otherwise would make a federal crime out of non-business related conduct in violation of acceptable use policies such as “g-chatting with friends, playing games, shopping or watching sports highlights.” A strong dissent by Judge Barry Silverman argued that this case has nothing to do with such innocent violations of employer policy, apparently suggesting that such conduct, although “unauthorized access,” would not fall under the CFAA because the required element of fraud is missing. Conversely, Judge Silverman stated that this case was about fraudulent and unauthorized access to a computers with the intent to steal valuable information.

Perhaps any future ruling will address password sharing and provide useful guidance on how to design acceptable use policies prohibiting conduct running afoul of the CFAA, without offending Judge Kozinski’s sensibilities. Stay tuned.

What can employers learn from this case?

Obviously, Nosal’s former employer did a lot of things right which allowed the government to successfully prosecute and convict Nosal. For starters, his former employer protected its trade secrets by in a number of ways, including that: (1) it did not permit trade secrets to be sent outside the company; (2) it required usernames and passwords to access computers; (3) it housed its database containing the trade secrets at a secure data center with restricted access; (4) it protected the database with a firewall and anti-virus software; (5) it monitored users’ downloading activity; (6) the database warned users with messages that information was to be used for “company business only”; and (7) lists exported from the database stated the information was “Proprietary & Confidential.” Based on these efforts, the Court concluded that Nosal’s former employer took reasonable steps to protect its trade secrets.

However, although ultimately not determinative in this case, the Court also noted evidence of things that Nosal’s former employer did not do, including that: (1) it did not prevent users from e-mailing source lists outside the company; (2) it did not prevent users from printing source lists; (3) it did not encrypt source lists or protect them with separate passwords; and (4) it did not have a procedure for preventing employees from printing and taking source lists home. It is possible some of these additional safeguards may have made misappropriation more difficult, or even prevented it altogether.

There are also a number of additional safeguards and procedures not referenced in the order that companies should consider as part of “best practices” in preventing trade secret theft. For example, the order is silent as to Nosal’s former employer’s onboarding procedures, and whether it used non-disclosure and trade secret protection agreements to protect sensitive information. It is also unclear what, if anything, his former employer did to educate and to continue to remind its workers regarding their obligations to protect company information. There is also no information as to whether his former employer conducted exit interviews, and whether it used exit interview certifications requiring departing workers to confirm they did not have any company trade secrets or confidential or proprietary information. All of these may be helpful tools in protecting company information. While none of these efforts by themselves prevent misappropriation, workers who are informed and understand that a company values and protects such assets are presumably less likely to misappropriate.

In Part I of this post, we reviewed the Court’s ruling on Nosal’s conviction on the CFAA counts. Here in Part II, we turn to the Court’s ruling on the EEA counts, and the exclusion of evidence regarding Nosal’s non-compete provision.

B.    Nosal’s Conviction on the EEA Counts:

Nosal was convicted of two counts under the EEA for downloading, copying and duplicating his former employer’s trade secrets without authorization, and for receiving and possessing his former employer’s stolen trade secrets. In relevant part, the EEA provides:

Whoever, with intent to convert a trade secret, that is related to a product or service used in or intended
for use in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof,
and intending or knowing that the offense will, injure any owner of that trade secret, knowingly –

. . .

(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters,
destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such
information;

(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated,
obtained, or converted without authorization;

(4) attempts to commit any offense described in paragraphs (1) through (3);

shall, except as provided in subsection (b), be fined under this title or imprisoned not more
than 10 years, or both.

18 U.S.C. § 1832(a).

Nosal raised four arguments for acquittal or a new trial on the EEA counts: (1) instruction that jury could find Nosal guilty of conspiracy to commit the EEA violations even if there was no trade secret was erroneous; (2) there was insufficient evidence that the source lists were trade secrets; (3) there was insufficient evidence that Nosal and his co-conspirators knew or believed that the source lists were trade secrets; and (4) there was insufficient evidence that Nosal and his co-conspirators knew or believed that taking the source lists would cause his former employer economic harm. The Court rejected each of these arguments.

1.     Requirement of Existence of Actual Trade Secret

Nosal argued for acquittal or a new trial on all counts claiming the Court erroneously instructed the jury that it could find him guilty of conspiracy to misappropriate, receive, possess, and transmit trade secrets even if the source lists were not trade secrets as long as he “firmly believed” they were.

The Court rejected this argument based on authority holding that legal impossibility is not a defense to conspiracy charges, including United States v. Hsu, 155 F.3d 189, 193 (3d Cir. 1998). The defendants in Hsu were charged with attempt and conspiracy to steal trade secrets, and sought discovery to prove that the documents they had attempted to obtain were not trade secrets. The Hsu court ruled that the documents were not relevant because legal impossibility is not a defense to either attempt or conspiracy. Id. at 203. The Court further cited the Supreme Court’s recognition that conspiracies are distinct and independent evils punishable by themselves. Salinas v. United States, 522 U.S. 52, 65 (1997).

The Court also found that the legislative history of EEA specifically supported a finding that a “firm belief” satisfied the “knowingly” element. The Court further concluded that any error in the instruction was harmless because the jury found Nosal guilty of the substantive EEA counts, and to do so it had to find that at least one of the source lists was a trade secret. The Court also dismissed several other arguments, including that the conspiracy instruction was a constructive amendment of the indictment because it sought conviction based on the theory that Nosal “firmly believed” the source lists were trade secrets, even if they were not.

2.     Evidence the Source Lists Were Trade Secrets

Nosal also argued for acquittal or a new trial on the EEA counts because there was insufficient evidence the source lists were, in fact, trade secrets, and specifically that the information was not drawn from publicly available sources and that the source lists had not been publicly disclosed.

The Court dismissed this argument citing evidence introduced at trial that would support a finding that the source lists were compilations of both public and non-public information, and that the jury could have inferred based on Nosal’s efforts to retrieve the source lists that the information therein was not entirely public.

The Court also held that the jury could reasonably have found that the trade secret status of the source lists was not destroyed by disclosure to third parties based on evidence that such disclosure was relatively rare and that the alleged trade secrets had not been disclosed to third parties, or had been disclosed only subject to a confidentiality agreement.

Finally, based on a review of the balance of evidence, the Court concluded there was sufficient evidence to conclude his former employer had taken “reasonable” steps to protect the source lists as trade secrets.

3.     Evidence Conspirators Knew Source Lists Were Trade Secrets

Nosal also demanded acquittal or a new trial because there was not sufficient evidence that he and his co-conspirators knew the source lists were trade secrets. The Court disagreed, holding there was sufficient evidence showing both that the co-conspirators were aware that the specific source lists were, in fact, trade secrets, and that the co-conspirators attempted to keep their activities secret, from which the jury could have inferred they knew the information was trade secret.

4.     Evidence Conspirators Knew Taking Source Lists Would Cause Harm

Nosal also argued for acquittal or a new trial because there was insufficient evidence that the co-conspirators intended or knew that their actions would injure his former employer, as is required by the EEA. In reviewing the evidence, the Court concluded there was sufficient evidence from which the jury could conclude that the co-conspirators knew their actions would injure his former employer, including that they were starting a business to compete with his former employer.

C.     Exclusion of Evidence Regarding Non-Compete

Finally, Nosal demanded a new trial on all counts claiming he was prejudiced by not being allowed to argue that a non-compete provision in his independent contractor agreement with his former employer was illegal.

The Court stated that, in ruling on motions in limine, it precluded either party from presenting evidence or argument as to whether the provision was actually legal and enforceable. In rejecting Nosal’s demands, the Court held that there was no convincing argument that this ruling was in error, or that Nosal was so unfairly prejudiced by evidence and argument presented at trial relating to the non-compete as to require a new trial.

In the final part of this post, we will look at what may be next for Nosal, and also look at some lessons employers can learn from this case.

On April 25, 2013, a federal jury convicted Executive Recruiter David Nosal on three counts under the Computer Fraud and Abuse Act (“CFAA”), two counts under the Economic Espionage Act (“EEA”), and one count of conspiracy to violate the CFAA and EEA, for Nosal’s conduct leaving his former employer and establishing a competing business in 2004 and 2005.

The conviction followed an FBI investigation and multiple indictments alleging that Nosal conspired with former co-workers to gain unauthorized access to his former employer’s computers system and to illegally obtain its trade secrets – source lists of candidates compiled for search assignments – to use in his competing business.

On August 7, 2013, U.S. District Judge Edward Chen heard argument on Nosal’s motions for acquittal and a new trial and took both motions under submission. On August 15, 2013, the Court issued its ruling, denying both motions in a 39-page order.

This is Part I of a three part post. In this post we will look at the Court’s order on Nosal’s conviction of the CFAA counts. In Part II, we will review the EEA counts. Finally, in Part III, we will try to foresee what the future may hold for Nosal and look at some lessons employers can learn from this case.

A.     Nosal’s Conviction on the CFAA Counts:

Nosal was convicted of three counts under the CFAA for accessing his former employer’s computers and obtaining information on three separate occasions. In relevant part, the CFAA provides criminal penalties for:

[whoever] knowingly and with intent to defraud, accesses a protected computers without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computers and the value of such use is not more than $5,000 in any 1-year period;

18 U.S.C. § 1030(a)(4).

In his motions, Nosal argued broadly that he was entitled to acquittal or a new trial on the CFAA counts because: (1) no person gained unauthorized access to his former employer’s computers within the meaning of the CFAA; (2) the deliberate ignorance jury instruction was confusing; (3) there was insufficient evidence that Nosal had the requisite mental state to commit the CFAA violations; and (4) there was insufficient evidence of a conspiracy.

1.     Unauthorized Access to his former employer’s Computers

In support of the “no unauthorized access” argument, Nosal argued that: (1) under the Ninth Circuit’s en banc decision in this case (United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)), there can be no CFAA violation because any access to his former employer’s computers was gained with the permission of the password holder and there was no circumvention of technological barriers; (2) Nosal’s former co-workers were authorized to access the computers; and (3) Nosal was authorized to receive certain information in the course of his work as an independent contractor for his former employer.

The Court rejected Nosal’s first argument, holding that “[n]owhere does the court’s opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4)” and also noted that the indictment actually does allege circumvention of a technological barrier because “password protection is one of the most obvious technological access barriers that a business could adopt.”

The Court also dismissed Nosal’s second argument that his former co-workers were authorized to access his former employer’s computer, holding that the evidence established they did not have his former employer’s authorization and “that it is the actions of the employer who maintains the computers system that determine whether or not a person is acting with authorization.” In so doing, the Court distinguished Nosal’s argument that the verdict was criminalizing the allegedly common practice of employees sharing passwords with each other to access their employer’s computers systems by explaining that here, an employee of his former employer impermissibly gave her password, not to a co-worker, but to former employees who were not authorized to access the computers.

The Court also rejected Nosal’s argument that his former co-workers were authorized to access his former employer’s computers on the relevant dates, finding that the evidence sufficiently established that they were not authorized. Finally, the Court rejected Nosal’s argument that he was authorized to receive certain information from his former employer’s computers in his work as an independent contractor, holding he was only authorized to receive limited information relevant to specific work he was doing for his former employer, but that the information he received was for his competing business.

2.     Deliberate Ignorance Jury Instruction

Nosal also argued that an instruction that the jury could find that he had acted “knowingly” to violate the CFAA if he was aware of a high probability that his former executive assistant or former co-workers had gained unauthorized access to the computers or misappropriated trade secrets, and he deliberately avoided learning the truth, was confusing because his former executive assistant was at all relevant times employed by his former employer and was authorized to access the computers while the other former co-workers were not employed by his former employer and were not authorized.

The Court held that Nosal had waived this argument by not raising it earlier. Moreover, the Court held that the instruction was sufficiently clear that the jury could not convict Nosal on the CFAA counts if they concluded his former executive assistant has accessed the computers, because such access would not have been “unauthorized.”

3.     Evidence Nosal had Knowledge of Unauthorized Downloads

Nosal further argued that there was insufficient evidence he had knowledge of downloads from his former employer’s computers were unauthorized because the downloads were not conducted by his former executive assistant. Reciting substantial evidence presented at trial by the government, including evidence that Nosal gave his former co-workers specific directions about information he wanted from his former employer’s computers, that he knew a former co-worker had a large amount of data taken from the computers, that he knew they were not authorized to obtain the information, and that Nosal’s executive assistant did not know how to do so, the Court concluded the government had proved beyond a reasonable doubt that Nosal knew of, was deliberately indifferent to, and/or had conspired to commit the CFAA violations.

4.     Evidence of Conspiracy

Nosal also argued that there was not sufficient evidence of conspiracy. The Court dismissed this argument, concluding that the same evidence that Nosal had knowledge of the downloads from his former employer’s computers was sufficient to support the verdict on the conspiracy count.

In Part II of this post, we will look at Nosal’s conviction on the EEA counts.

I recently presented on “Hot Topics In Trade Secret Law Across the Nation” at the ABA Annual Meeting in San Francisco, California.

Here are seven key takeaways regarding best practices and latest developments from the event that you may find useful:

Understanding the Importance of Trade Secret Preemption

Simply put, trade secret preemption or supersession is the concept that the Uniform Trade Secrets Act (adopted in 47 states) preempts or supersedes all other civil claims for the theft and/or wrongful use of information, except for breach of contract claims. Such claims are typically conversion, unfair competition (common law or statutory), tortious interference with contractual relations or business expectancy, breach of fiduciary duty or breach of duty of loyalty. Additionally, some states do not even permit such claims based upon the theft of confidential information that does not rise to the level of a trade secret. These non-UTSA claims can often be easier to prove than trade secret claims and can provide for tort remedies, rather than mere contract remedies.

In many states, non-UTSA claims are preempted by the UTSA and its preemption provision. Some states, however, still permit plaintiffs to bring such non-UTSA claims along with the trade secret claim and only preclude plaintiffs from pursuing the non-UTSA claims if a determination has been made that the information at issue is a trade secret. There is even variety within states, such as California, where three separate approaches have been followed by various courts.

While typically viewed as a “lawyers’ topic,” trade secret preemption is a much more significant and important topic that companies must be educated about to effectively protect their information assets. Many are surprised that some courts (following the strict preemption approach) view the UTSA as statute that actually “limits liability” for information theft. In those states following the strict preemption approach, companies are typically left with only two potential claims for the theft of information by former employees or other third parties, breach of contract and trade secret misappropriation. This reality underscores that employers should use confidentiality and non-disclosure agreements, rather than merely employee handbook policies to protect their proprietary information, so that they are not left with only one claim against a misappropriator.

Additionally, juries typically have high standards for what information qualifies for trade secret protection so trade secret preemption places added importance on companies thoughtfully classify their information assets and ensuring that valuable information is properly protected through reasonable secrecy measures. It also highlights that companies must have effective onboarding and termination procedures to ensure that employees are effectively educated regarding the importance of protecting company information and to ensure that companies obtain the return of their valuable information when employees leave. Valuable information assets that are not adequately protected will leave companies with little to no legal recourse if they are later stolen. Please see our previous webinar concerning best practices for protecting trade secrets in the hiring and termination of employees.  

Importance of Protecting Trade Secrets Throughout Litigation

Companies often need to be reminded when they initiate a trade secret lawsuit that the information at issue must be protected throughout the litigation process. The parties to the litigation will typically enter into a protective order which limits who may obtain access to documents and information exchanged in the litigation subject to strict confidentiality and non-disclosure obligations. Additionally, the protective order, court rules, and applicable case authority provide the requirements for filing or lodging documents in the litigation under seal when they are submitted to the court in connection with the determination of particular case issues.

While some litigants may view such sealing motions as perfunctory, some courts scrutinize sealing motions and generally evaluate whether it is in the public interest to seal such documents and whether there are other significant interests. The recent Apple v. Samsung case in the Northern District of California provides a reminder that courts independently evaluate whether documents should be sealed regardless of agreements between the parties to the litigation. Parties need to understand that these motions often must be brought to preserve the confidentiality of the information, that they are not inexpensive, and there is also some risk that the court will not always grant the motion.

The importance and cost of preserving confidentiality through the litigation is part of the checklist that plaintiffs should take into account before filing suit. Sensible counsel understand that they must continue to educate the judge throughout the litigation regarding the importance of keeping documents and information sealed in the case. Parties to contracts should also be cognizant that confidential documents and information exchanged during the relationship may later be subject to first party or third party discovery. They should require notification provisions in their contracts providing sufficient time to seek a protective order to protect the confidentiality of information or documents called for in discovery prior to disclosure.   

Is the Computer Fraud and Abuse Act Still a Viable Weapon in Employee Mobility Litigation?

Is the Computer Fraud and Abuse Act dead for employers that want to use it against employees who misuse their computer systems? The Ninth Circuit and Fourth Circuit have significantly pared down the utility of using the Act in the typical employee data theft scenario. Violations of computer use policies are not typically actionable in these jurisdictions if the employee was provided access to the computer network and the data at issue. Some jurisdictions still allow plaintiffs to bring CFAA claims for such violations demonstrating that analyzing the individual state and circuit authorities are essential in properly evaluating such claims. Even in the Ninth Circuit, violations of computer access policies, unauthorized password sharing to obtain unauthorized access to a protected computer, and violations of access revocation restrictions have recently been found actionable. Legislation has recently been proposed to “reform” the Computer Fraud and Abuse Act which would limit its applicability to pure hacker scenarios. For more information on the debate concerning whether violations of internet terms of service should constitute a violation of the Computer Fraud and Abuse Act, please see our webinar on “How Big Data Impacts Trade Secret, Computer Fraud and Privacy Law.”

Dealing with the Employee Whistleblower Who Takes Company Data

Employee whistleblowers are one of the more challenging areas that companies must face. A swift investigation is necessary to get a handle on the situation. The employee should be immediately interviewed and the company should make immediate efforts to obtain the return of any truly proprietary data. Civil and criminal remedies will need to be considered, particularly if proprietary company data has been stolen or compromised. All the while the employer will need to comply with its whistleblower compliance program and not retaliate against the employee for engaging in any protected activity. It is not an easy process to balance even for the most diligent employers.  Strategies for avoiding these scenarios include, employing hiring best practices, restricting access to key information on a need-to-know basis to only trusted employees, watching for employees who are downloading, transferring, or printing large amounts of documents/information and employing software solutions to prevent such actions, and having a thorough action plan on the shelf to employ for a rainy day. For more information on this topic, please see our webinar entitled “Employee Theft of Trade Secrets or Confidential Information in Name of Protected Whistleblowing.”

BYOD Explosion and Data Security

More companies are adopting BYOD policies to permit employees to use their own personal computing devices to access the company network. Companies must institute BYOD policies that protect company information, provide clear limits on access, and provide for clear protocols at termination. As employees can access work and personal email accounts on the same mobile devices, employers must be vigilant that employees do not rapidly transmit company files to their personal accounts. There are also greater risks for data security breaches with the greater accessibility provided by BYOD.  Employee education regarding security, including precautions to take outside the office and abroad, file encryption, and the use of secured computer networks is essential.

Effectively Conducting a Computer Forensic Investigation

Companies must keep up to date with the latest ways that valuable information is leaked or otherwise compromised. Such information can be compromised by hard copy theft, emailing of company information to personal accounts, CD burning, and the transfer of data to thumb drives and FTP sites. Companies must respond to the latest threats such as the unauthorized storage of valuable information in the cloud with third party file sharing sites. Many sophisticated companies use software to detect and prevent large data transfers either via email, USB, or third party file sharing sites. Additionally, it is essential to understand what data can be stored on specific electronic devices to understand what may be recoverable in a computer forensic investigation. For example, the iPhone 5, when compared to other smart phones or electronic storage devices, may have material differences in what may be stored and recovered in a computer forensic investigation. Lastly, social media evidence is becoming more useful in establishing non-compete and trade secret violations, but employers must be cognizant of employee privacy considerations in using and demanding access to social media accounts. Prudent employers should utilize compliant social media policies and social media ownership agreements.  

Annual Review of Significant Trade Secret Cases Across the Nation

The ABA Trade Secrets Committee also provided the audience with its Annual Case Law Review. The Review summarizes the most significant trade secret cases in the nation in 2012 and early 2013.