On October 20, 2015, a three-judge panel of the Ninth Circuit heard oral arguments in Round II of United States v. David Nosal. Both sides generally stuck with arguments from their briefs, with Nosal’s counsel arguing that upholding Nosal’s conviction under the Computer Fraud and Abuse Act (the “CFAA”) would lead to criminalization of relatively minor misappropriations of information, and the government arguing that the precedent would only apply in the employment context.
As previously covered by Trade Secrets Watch, the case involves the prosecution of David Nosal, a former executive with the recruitment and talent management firm, Korn Ferry. Nosal was originally charged with eight counts of violating the CFAA in 2008 for conspiring with then-current and former Korn Ferry employees to obtain confidential data from the firm’s database.
In April 2012, an en banc panel of the Ninth Circuit dismissed five of the eight CFAA counts against Nosal (Nosal I). A year later, in April 2013, a jury convicted Nosal of the remaining CFAA counts, as well as two counts of violating the Economic Espionage Act (EEA) for theft of trade secrets.
While Nosal I dealt with the meaning of “exceeds authorized access” under the CFAA, this case involved the “without authorization” prong of the CFAA. The “without authorization” charges stem from a series of incidents in 2005 when two of Nosal’s alleged co-conspirators, who by then had left Korn Ferry, accessed the firm’s database using the login credentials of Nosal’s former secretary, who remained at the firm and voluntarily gave them her credentials.
When questioning Nosal’s counsel, Judge M. Margaret McKeown posed a hypothetical of a Russian spy who “sweet-talks” a company secretary into giving him her password to the company’s computer system and then uses the password to access that system. Nosal’s counsel responded that though the hypothetical may be a crime under some other law, it was not a crime under the CFAA because the secretary had authorization and transferred it consensually.
Judge McKeown’s hypothetical touched on a point raised by our prior post—that Nosal’s position could be vulnerable to hypotheticals comparing the facts in his case to phishing schemes. The court in Nosal I emphasized that the CFAA criminalizes computer hacking, which it defined as “the circumvention of technological access barriers.” Hackers commonly employ phishing schemes to trick victims into voluntarily turning over their passwords. Though that is not precisely what occurred in Nosal’s case, the court might view both circumstances as similarly circumventing a technological barrier and therefore subject to CFAA liability.
Following Judge McKeown’s hypothetical, Chief Judge Sidney Thomas asked Nosal’s counsel directly whether a phishing scheme would be “without authorization.” Nosal’s counsel agreed that it would be.
The Government’s Argument
The government, however, did not “take the bait.”
Though it did press its argument that consensual password sharing could constitute “without authorization,” the government focused on attempting to alleviate concerns that such a ruling would be overbroad by arguing that it would be confined to the employment context. This, according to the government, would be consistent with another Ninth Circuit CFAA case, LVRC Holdings LLC v. Brekka. As it did in its briefs, the government cited Brekka’s holding that “without authorization” includes circumstances “when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”
The panel also questioned the government about the effect of adopting its proposed rule for “without authorization” on prosecutions under section (a)(2)(C) of the CFAA. Though Nosal was charged under section (a)(4)—a felony provision requiring proof of fraudulent intent, among other elements—Nosal I made clear that any rule would apply equally to section (a)(2)(C)—a misdemeanor provision requiring only that the defendant’s unauthorized access be carried out “intentionally.” Counsel for the government argued that the “intentionally” mens rea element of section (a)(2)(C) ensured that routine password sharing would not become a federal crime under its proposed rule.
Trade Secrets Issues
The court also spent a substantial amount of time on Nosal’s EEA conviction for theft of trade secrets. In particular, the court questioned both sides about whether the source lists obtained by Nosal and his co-conspirators derived independent economic value by not being generally known to the public.
Nosal’s counsel argued that the lists essentially contained publicly-available contact information and therefore could not be considered secret. The government countered that the lists were not generally known because they were compiled into unique combinations that were not readily ascertainable and thus had independent economic value.
We’ll be watching with interest to see how the panel resolves the trade secrets and CFAA issues raised by Nosal.