IP Law Daily Employee’s conviction for CFAA violation and trade secret theft upheld, but remanded on restitution
Wednesday, July 6, 2016

By Lorene D. Park, J.D.

A former executive was unable to convince the Ninth Circuit to overturn his conviction for violating the Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act (EEA). He and a few coworkers, with whom he was forming a competing company, knowingly or with intent to defraud exceeded their authorized access to their former employer’s computer database to take confidential and trade secret information. However, the restitution award was vacated and remanded for a reconsideration of the attorneys’ fee award, which the Ninth Circuit found excessive (United States v. Nosal, July 5, 2016, McKeown, M.).

Competing firm launched. David Nosal was a regional director at global executive search firm Korn/Ferry International. In late 2004, he announced his intent to leave, but he agreed to stay a year as a contractor to finish open searches. Meanwhile, he and a few coworkers secretly launched a competing firm in January 2005. What their start-up lacked was Korn/Ferry’s core asset: an internal database with information on over one million executives, including resumes, salaries, and more, all compiled since 1995. When launching a search for a client, Korn/Ferry compiled a "source list" of candidates, which it considered confidential and proprietary.

Korn/Ferry issued each employee a unique username and password to its computer system, and password sharing was prohibited by a confidentiality agreement that each employee signed. While still employees, Nosal and his compatriots used their passwords to download information and source lists for their new company. After Nosal became a contractor and the others left, their computer access was revoked. However, they continued to access the database with credentials from Nosal’s former executive assistant, who had stayed at Korn/Ferry at Nosal’s request.

Convictions. Thereafter, Nosal was convicted of knowingly and with intent to defraud accessing a protected computer "without authorization" in violation of the CFAA. Specifically, he was found guilty of three computer intrusions. He was also convicted on one conspiracy count and two counts of trade secret theft in violation of the EEA. In 2014, the district court sentenced him to one year and one day in prison, three years of supervised release, a $60,000 fine, a $600 special assessment and $827,983 in restitution to Korn/Ferry.

"Exceeds authorized access." In an April 2012 ruling, the Ninth Circuit addressed whether Nosal’s coworkers, as current employees, exceeded authorized access. It adopted a narrow interpretation of the CFAA’s phrase "exceeds authorized access," limiting the provision to violations of restrictions on access to information, not restrictions on use. In the 2012 ruling, Nosal’s access to Korn/Ferry computers after he and his co-conspirators left Korn/Ferry was not addressed. Thus, the question now was whether the CFAA’s prohibition extended to a former employee whose computer access was rescinded but who accessed it by other means.

After reviewing the statute and precedent, the Ninth Circuit concluded: "‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party."

CFAA conviction upheld. Thus, after Nosal and his coworkers’ credentials were revoked, they were outsiders no longer authorized to access Korn/Ferry computers, but they blatantly circumvented the revocation by using the login credentials of a current employee. This fell squarely within the CFAA’s prohibition on access "without authorization," found the court, affirming his conviction under Section 1030(a)(4). While Nosal challenged a jury instruction, arguing that the CFAA only criminalizes access if a party circumvents a technological barrier, the appeals court found no such requirement and concluded that the instruction was a fair and accurate characterization of the term "without authorization."

Deliberate ignorance of CFAA violation. Nosal’s convictions under the CFAA rested on accomplice liability and he claimed the government failed to prove mens rea. He objected to a jury instruction on deliberate ignorance. The court instructed that the government had to prove he "knowingly and intentionally" aided or induced a person to commit each element of the crime and he acted "knowingly" if he "was aware of a high probability" that the coworkers "gained unauthorized access to a computer . . . and deliberately avoided learning the truth." Finding no error, the appeals court noted it has repeatedly "equated positive knowledge and deliberate ignorance" in conspiracy cases and it saw no reason to distinguish aiding and abetting liability.

EEA conviction also upheld. The appeals court also affirmed Nosal’s convictions under the EEA for downloading, receiving, and possessing trade secrets in the form of source lists from Korn/Ferry’s database. He challenged the sufficiency of evidence, arguing that the government failed to prove secrecy and difficulty of development because the information was derived from public sources. Finding otherwise, the Ninth Circuit explained that trade secrets are not limited to scientific formulas and include business information, such as lists created by compiling data from public and/or proprietary sources. Here, the database contained a massive confidential compilation of data—the product of years of effort and expense—which was not readily ascertainable. In addition, while Nosal claimed that Korn/Ferry’s sharing of lists with clients undermined secrecy, evidence showed that, as a matter of practice, source lists were not shared with clients. There were also technological protections and limitations on distribution.

Also rejected was Nosal’s argument that he and his coworkers were unaware that their actions would harm Korn/Ferry. It was clear that they went to great lengths to access the source lists and were fully aware of the competitive advantage the database gave Korn/Ferry as they tried to create their own database.

Restitution order remanded. Relying on the Mandatory Victim Restitution Act (MVRA), which "makes restitution mandatory for particular crimes, including those offenses which involve fraud or deceit," the district court awarded Korn/Ferry $827,983 in restitution as follows: 1) $27,400 for internal investigation costs; 2) $247,695 for employee time spent assisting the government’s investigation and prosecution; and 3) $595,758 in attorneys’ fees incurred in aid of the investigation and prosecution.

Nosal asserted that the award was invalid because it exceeded the court’s finding, for purposes of Federal Sentencing Guidelines, that a reasonable estimate of Korn/Ferry’s actual harm was $46,907. Unswayed, the Ninth Circuit explained that calculating loss under the guidelines is not identical to calculating loss for restitution, the point of which is to make the victim "whole." The MVRA includes expenses related to investigation and prosecution, but the guidelines exclude such costs. And notably, the MVRA never uses the terminology of "actual loss."

That said, the appeals court found that the district court abused its discretion in awarding nearly $1 million in restitution. For investigation costs and attorneys’ fees, the rule is: restitution for such losses "may be recoverable" where the harm was the "direct and foreseeable result" of the unlawful conduct. Here, the award for internal investigation costs was fine, but the district court did not go far enough in reducing attorneys’ fees. The appeals court noted that fees are only recoverable for "participation in" the prosecution, and a company’s attorneys are not a substitute for the work of a prosecutor. Also, the amount of fees was striking given that the trial ultimately involved only three incidents of criminal behavior, and a highly disproportionate percentage of fees arose from responding to inquiries on sentencing, damages, and restitution. With this in mind, the appeals court vacated and remanded for reconsideration as to attorneys’ fees.

Dissent. Dissenting, Judge Reinhardt found this case to be about password sharing: "People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the [CFAA] does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA."

The cases are Nos. 14-10037 and 14-10275.

Attorneys: Kyle Francis Waldinger, U.S. Attorney’s Office, for the United States. Dennis P. Riordan (Riordan & Horgan) for David Nosal.

Companies: Korn/Ferry International
