The U.S. Supreme Court, which just began a new term on Monday with a full complement of nine justices, is expected to soon decide whether it will hear the appeal of David Nosal, the former Korn Ferry executive whose conviction under the Computer Fraud and Abuse Act was upheld in a controversial and closely-watched Ninth Circuit decision last year. Nosal submitted his reply brief in support of certiorari on September 19, 2017, responding to the Department of Justice’s opposition submitted two weeks earlier.
Readers of Trade Secrets Watch are familiar with the Nosal case, which started in 2008 when the DOJ charged Nosal with eight counts of violating the CFAA for conspiring with then-current and former Korn Ferry employees to obtain confidential data from the firm’s “Searcher” database.
In April 2012, the Ninth Circuit dismissed five of the eight counts against Nosal, ruling that he could not have “exceed[ed] authorized access” under the CFAA when he and his co-conspirators used their own log-in credentials to access and download Korn Ferry’s confidential data after Nosal left the firm (“Nosal I”).
However, in April 2013, a jury convicted Nosal of the remaining CFAA counts. These counts related to charges under CFAA’s “without authorization” prong, and were based on separate instances when his co-conspirators accessed the database using the login credentials of a third party, Nosal’s former secretary, who remained at the firm and voluntarily gave them her credentials.
In July 2016, the Ninth Circuit affirmed Nosal’s conviction on the “without authorization” counts (“Nosal II”). Nosal appealed the case to the Supreme Court in May 2017. His certiorari petition argues that the holding in Nosal II would make a federal crime out of innocent password-sharing among family members, as well as a host of other common and innocuous behaviors, and that the Supreme Court needed to intervene to resolve a circuit split on the issue.
The DOJ’s opposition emphasizes that in Nosal II, the Ninth Circuit limited its holding to the particular facts of the case, where Korn Ferry “retained exclusive discretion to issue or revoke access” and Nosal “received particularized notice of his revoked access following a prolonged negotiation.” Such a holding, according to the DOJ, does not create a risk of criminalizing innocuous behavior and is not at odds with holdings in any other circuit.
Nosal’s petition was supported by amicus curiae briefs from the Electronic Frontier Foundation and a group of attorneys and academics led by Dartmouth Computer Science Professor Sergey Bratus. The EFF’s arguments focus on the origins of the CFAA as an anti-hacking statute and how its undefined terms can lead to prosecutorial overreach. The brief submitted by Bratus’ group, on the other hand, focuses on the claimed detrimental and unintended consequences of the current circuit split on, among other things, computer security research and the healthcare industry (where, according to one source cited by the amici, password circumvention is endemic).
The Court will consider whether to grant Nosal’s certiorari petition this Friday during its October 6 Conference.
As always, we’ll be watching.