On July 5, 2016, the Ninth Circuit affirmed the conviction of David Nosal, an ex-employee of Korn/Ferry, an executive search firm, who left to start a competing firm. With Nosal’s knowledge and encouragement, two other former employees of Korn/Ferry used a current employee’s credentials to gain access to the Korn/Ferry database and take confidential information. U.S. v. Nosal, No. 14-10037, 2016 WL 3608752 at 6 (9th Cir. July 5, 2016).
The prosecutors charged Nosal with violating section 1030 (a)(4) of the Computer Fraud and Abuse Act (“CFAA”), which criminalizes “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing]authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.”1 Having failed to state an offense that Nosal “exceeded authorized access” by violating the company’s internal use restrictions (decided in Nosal I), the government filed a superseding indictment alleging Nosal violated the “without authorization” prong of the CFAA after his login credentials were revoked through his co-conspirators’ use of his former executive assistant’s login information to access Korn/Ferry’s database.
The jury convicted Nosal on all counts. On appeal, the Ninth Circuit analyzed the meaning of the words “without authorization.” The Court held that the phrase was unambiguous and its plain meaning encompassed the situation in this case where the employer rescinded permission to access a computer and the defendant accessed the computer anyway.
The dissent voiced concern that the majority’s application of the CFAA was over-inclusive, particularly outside the employment context. Judge Reinhardt argued that the CFAA only outlawed hacking, writing, “In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in ubiquitous, useful, and generally harmless conduct [i.e., sharing passwords] into unwitting federal criminals.”2 He reasoned that authorization could be obtained from either the system operator or the account holder. Noting that password sharing was prohibited by Korn/Ferry’s employment agreements, the majority countered that the permission granted by the account holder was irrelevant where the defendant had been “categorically. . . barred from entry” to Korn/Ferry’s database by having his login credentials revoked.
Unlike in Nosal I, the Court here was unmoved by the prospect of its interpretation of the CFAA rendering commonplace conduct criminal. Though the facts of this particular case “bear little resemblance to asking a spouse to log in to an email account to print a boarding pass,”3 this decision could have practical consequences for those who share and use other individuals’ passwords to online accounts. The majority’s focus on the revocation of Nosal’s credentials as the touchstone of his being “without authorization” may have everyday implications. What happens when an individual’s Netflix account expires, and he uses a friend’s Netflix log-in to catch the latest show? After this decision, the answer is less clear.
Though the Ninth Circuit upheld Nosal’s convictions, it vacated in part the district court’s restitution order. Precedent dictates that investigation costs and attorneys’ fees of the victim of a crime are recoverable under the Mandatory Victim Restitution Act (“MVRA”) so long as they are the “direct and foreseeable result” of the defendant’s conduct and are “reasonably necessary.” The Court affirmed the award for Korn/Ferry’s investigative costs, but held that the district court abused its discretion in awarding Korn/Ferry nearly $600,000 in attorneys’ fees out of the request for over $1 million. Because fees are only recoverable if incurred during “participation in the investigation or prosecution of the investigation,”4 the Court found that the company could not receive restitution for attorneys’ fees due to the substitution or duplication of the prosecutors’ work. The Court remanded this issue for the district court to consider whether the attorneys’ fees were reasonable, whether there was unnecessary duplication of tasks between Korn/Ferry staff and its attorneys, and whether the outside attorneys were substituting for, or duplicating work of, the prosecutors.
The Ninth Circuit’s order that the district court further parse the victim’s request for attorneys’ fees may give some companies pause before they unreservedly support the prosecutors’ efforts. After all, attorneys’ fees are recoverable in civil cases brought under the Defend Trade Secrets Act and California’s Uniform Trade Secret Act where the appropriation of trade secrets was willful and malicious.5 Should the courts make recovery of attorneys’ fees too difficult to obtain through restitution, corporate victims may prioritize pursuing the civil trade secrets claims available to them in lieu of supporting the criminal prosecution of the wrongdoer.
Summer Associate Richard Stella (not admitted to practice law) also contributed to this blog.
118 U.S.C. § 1030 (a)(4) (emphasis added).
2 2016 WL 3608752 at at 19.
3 Id. at 9.
4 18 U.S.C. § 3663A(b)(4) (emphasis added).
5 18 U.S.C. § 1836 (b)(3)(D); Cal. Civ. Code Ann. § 3426.4.