On July 5, 2016, the Ninth Circuit affirmed the conviction of David Nosal, an ex-employee of Korn/Ferry, an executive search firm, who left to start a competing firm. With Nosal’s knowledge and encouragement, two other former employees of Korn/Ferry used a current employee’s credentials to gain access to the Korn/Ferry database and take confidential information. U.S. v. Nosal, No. 14-10037, 2016 WL 3608752 at 6 (9th Cir. July 5, 2016).
The prosecutors charged Nosal with violating section 1030 (a)(4) of the Computer Fraud and Abuse Act (“CFAA”), which criminalizes “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing]authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value.”1 Having failed to state an offense that Nosal “exceeded authorized access” by violating the company’s internal use restrictions (decided in Nosal I), the government filed a superseding indictment alleging Nosal violated the “without authorization” prong of the CFAA after his login credentials were revoked through his co-conspirators’ use of his former executive assistant’s login information to access Korn/Ferry’s database.
The jury convicted Nosal on all counts. On appeal, the Ninth Circuit analyzed the meaning of the words “without authorization.” The Court held that the phrase was unambiguous and its plain meaning encompassed the situation in this case where the employer rescinded permission to access a computer and the defendant accessed the computer anyway.