October 21, 2019

October 21, 2019

Subscribe to Latest Legal News and Analysis

Accessing Database Violates Computer Fraud and Abuse Act and Economic Espionage Act – Ninth Circuit Affirms Criminal Conviction of Former Employee

The Ninth Circuit recently filed its latest installment in the saga involving David Nosal and his former employer, Korn/Ferry International, an executive search firm. Korn/Ferry maintains a proprietary database of executive candidates for its paying customers.  Nosal, a former Korn/Ferry executive, set up a competing business.  Allegedly desiring the information in Korn/Ferry’s database for his competing business, Korn/Ferry alleged that Nosal tried two methods to access it: (1) using his own user name and password to download information before his departure; and (2) after his departure, using the user name and password of a willing accomplice who was still employed by Korn/Ferry.

Nosal was charged with violating a criminal provision of the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), which states, “[w]hoever…knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…shall be punished.” This provision also provides for civil liability.  In a prior decision, United States v. Nosal (“Nosal I”), 676 F.3d 854 (9th Cir. 2012) (en banc), the appellate court held the CFAA does not prohibit Nosal’s first act—using his user name and password to obtain Korn/Ferry’s information during his employment—because using information in an unauthorized way is not “exceed[ing] authorized access.”

In United States v. Nosal, No. 14-10037 (9th Cir. July 5, 2016) (“Nosal II”), the court held Nosal’s second act—obtaining Korn/Ferry’s information by logging in to the database with the user name and password of a willing currently-employed accomplice—does violate the CFAA.  The panel, by a vote of 2-1, held such activity violated the unambiguous meaning of the phrase “access a protected computer without authorization.”  The court noted its holding is in accord with all other circuits to have addressed this issue: the Second, Fourth and Sixth Circuits.  Accordingly, the court affirmed Nosal’s conviction.

The dissent, which the majority largely ignored, would have held that because Nosal had the “authorization” of the willing accomplice, he did not violate the CFAA. The dissent was concerned that the majority’s broader reading of “authorization” may criminalize innocent acts—including what the dissent termed “password sharing,” such as a former employee who accesses his former employer’s database using a current employee’s credentials to assist his former colleague for a legitimate reason.

In a portion of the opinion that may be overlooked given the long-running drama over whether the CFAA should be interpreted broadly or narrowly, the Ninth Circuit also affirmed Nosal’s conviction for trade secret theft under the Economic Espionage Act, 18 U.S.C. § 1832 (“EEA”). Nosal appealed his conviction in part on the ground the information contained in the Korn/Ferry database was not a trade secret because it contained publicly-available information and was akin to a customer list.  The appellate court rejected Nosal’s contentions, and held – significantly – that a list of customers may qualify for trade secret protection.  Moreover, the court noted the database was more than a mere list of executive candidates.  The database contained information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995.  When launching a new search to fill an open executive position, Korn/Ferry could compile a “source list” of potential candidates, which was the result of a query run through a proprietary algorithm that generated a custom subset of possible candidates.  The court held the jury was permitted to find the database contained Korn/Ferry’s trade secrets.

Nosal II has two implications for the civil remedies available to employers to protect their trade secrets and other property. First, because the CFAA provides for civil causes of action, the decision affirms an employer’s right to sue a former employee who accesses its data by using someone else’s credentials.  Second, in light of the Defend Trade Secrets Act—which provides a civil claim for trade secret misappropriation under the EEA and relies on the same definitions supporting the EEA—Nosal II affirms that customer lists and related information deserve legal protection.

Jackson Lewis P.C. © 2019

TRENDING LEGAL ANALYSIS


About this Author

Clifford R. Atlas, Employment Litigation Attorney, Jackson Lewis, non-solicitation agreements lawyer
Principal

Clifford Atlas is a Principal in the New York City, New York, office of Jackson Lewis P.C. He is the Co-Leader of the Non-Competes and Protection Against Unfair Competition Practice Group.

Mr. Atlas works extensively with clients in developing and drafting employment contracts and restrictive covenant agreements, and developing programs to best protect clients’ confidential business information. He has significant experience in prosecuting as well as defending actions involving breach of non-competition and non-solicitation...

212-545-4017
Dylan B. Carp, Jackson Lewis, unfair competition lawyer, trade secrets law attorney
Principal

Dylan B. Carp is a Principal in the San Francisco, California, office of Jackson Lewis P.C. He is a Certified Specialist in Appellate Law by The State Bar of California Board of Legal Specialization.

Mr. Carp has argued 10 appeals before federal and state courts. In addition to appeals and writs, Mr. Carp focuses his practice on unfair competition and trade secrets law, having second chaired a three-month unfair competition jury trial.

Mr. Carp also handles all aspects of litigation in cases involving discrimination, harassment, disability, and wage and hour issues, including taking and defending depositions, briefing and arguing dispositive motions, and participating in mediations and settlement conferences. In addition to Mr. Carp’s litigation practice, he counsels employers on unfair competition, discrimination, harassment, and wage and hour issues.

415-796-5425
Ravindra K. Shaw, Employment Attorney, Jackson Lewis Law Firm
Associate

Ravindra K. Shaw is an Associate in the New York City, New York, office of Jackson Lewis P.C. He focuses his practice on employment litigation and counseling.

Mr. Shaw represents employers before federal and state courts and administrative agencies throughout the metropolitan New York area. He has defended cases involving claims of sexual harassment, retaliation, and/or discrimination on the bases of race, sex, age, pregnancy, disability, national origin, and religion. In addition, Mr. Shaw has litigated breach of executive employment contract disputes and...

212-545-4041