As many loyal TSW readers know, we’ve been watching the ongoing saga involving ex-Korn Ferry recruiter David Nosal wind its way through the courts since the early days of this blog. And last month, the highly anticipated Ninth Circuit opinion in United States v. Nosal was issued on July 5, 2016 (“Nosal II”). This was the second time the Ninth Circuit had issued a ruling in the case relating to charges under the Computer Fraud and Abuse Act (the “CFAA”). In April 2012, an en banc panel dismissed five of the eight CFAA counts against Nosal (“Nosal I”). A jury subsequently convicted Nosal of the remaining three CFAA counts, as well as two Economic Espionage Act (“EEA”) counts in April 2013 and Nosal was sentenced to 366 days in prison, three years supervised release, community service, $60,000 in fines, and restitution.
Nosal’s prosecution stemmed from his departure from the executive search firm, Korn Ferry International. When he left to start a competing venture, he conspired with three other Korn Ferry employees (two former and one current) to obtain confidential data from Korn Ferry’s “Searcher” database. The current Korn Ferry employee provided her log-in information to the former employees, and they used those credentials to access the Searcher database and obtained information from it on multiple occasions.
As Trade Secrets Watch reported after oral argument in the case late last year, Nosal challenged his conviction under both the CFAA and the EEA. The Ninth Circuit found in the government’s favor on both.
The CFAA
The major fireworks in the ruling occur in the CFAA holding, in which Judges McKeown and Thomas hold that “without authorization” is unambiguous and means accessing a computer without permission. In this case, using a third party’s credentials to access a computer after one’s own authorization has been revoked constituted access without permission. The opinion explained that this question was previously answered by the Ninth Circuit in LVRC Holdings LLC v. Brekka, where the parties agreed that if a former employee had accessed his former employer’s information using his company login after leaving the company, he would have accessed a computer “without authorization” under the CFAA.
Judge Reinhardt penned a vigorous dissent, arguing that authorization could be provided by either the owner or an authorized user. Judge Reinhardt argued that this case could be distinguished from Brekka because the current Korn Ferry employee whose account was used by the former employees authorized the use of her credentials. He then argued that the Court was required to adopt the narrower interpretation of the statute and that by failing to do so the majority opinion was creating federal criminal liability for ordinary password sharing done on a daily basis.
The EAA
Nosal was convicted of trade secrets violations under the EAA, based on the use of a current employee’s credentials to obtain three CFO source lists from Korn Ferry’s Searcher database and a list of executives derived from the database. The Court rejected Nosal’s argument that the source lists could not be trade secrets because they were comprised largely of public information, finding that they were compilations of public and proprietary data generated by a proprietary algorithm. “[T]he nature of the trade secret and its value stemmed from the unique integration, compilation, cultivation, and sorting of . . . the Searcher database.” The opinion quickly rejected Nosal’s other arguments that he was unaware that the source lists were trade secrets and that the piracy would harm his former employer. As a former Korn Ferry executive, Nosal was familiar with the value that the database provided and aware that Korn Ferry had labeled the lists “Proprietary & Confidential” and that the company considered its databases extremely valuable assets. Overall, the jury was presented enough evidence to conclude that the source lists were trade secrets, Nosal knew they were trade secrets, and Nosal knew that stealing the information would help a competitor, thereby harming Korn Ferry.
Restitution
Although Nosal’s convictions were upheld, the case is being remanded for reconsideration regarding the restitution award to Korn Ferry. The Court upheld the inclusion of Korn Ferry’s costs but directed the trial court to review the attorney’s fees included in the award, including whether the fees were reasonable.
Judge Reinhardt was bothered by the commercial market forces at play in this particular criminal prosecution. He highlighted the aggressive investigation tactics by Korn Ferry, including using ex-FBI agents to follow one of the former employees and rummage through another’s personal garbage for evidence. When Korn Ferry referred the case to the government it agreed to provide the facts necessary to show criminal capability and provided legal theories for liability under the CFAA. Highlighting the almost million dollars in legal fees sought in restitution, Judge Reinhardt reasoned that “private assistance of such magnitude blurs the line between criminal and civil law.” He argued that, while there was no evidence of misconduct, it could be argued that Korn Ferry’s ability to bear so much of the cost was a factor in the government’s decision to prosecute the case.
Ultimately, this argument should give some comfort to those concerned about federal criminal liability for everyday password sharing, as argued by the dissent. CFAA cases are expensive to pursue and prosecute. Given the $14.99 monthly cost for HBO NOW, HBO is unlikely to ask the government to individually prosecute a millennial using his parent’s password to access HBO from his apartment.
Nosal has already indicated he will be seeking en banc review of the decision.