David Nosal, Employee Data Theft, and Why Employment Lawyers Should Understand Their Clients' IT Infrastructure

by Stoel Rives LLP

Earlier this month, a federal judge in San Francisco sentenced David Nosal to a year in prison, three years’ supervised release, 400 hours of community service, and $60,000 in fines. His crime? Nosal violated the Computer Fraud and Abuse Act (“CFAA”), among other federal statutes, when he departed from his former employer with a stash of its most sensitive business data.

Employment law doesn’t normally develop in criminal courtrooms, but Nosal’s case is an important exception. The outcome of his pending appeal to the 9th Circuit will almost certainly offer important guidance for employers on how best to prevent and, where necessary, remedy employee data theft. It’ll likely reinforce a familiar lesson: employers should craft their employee technology policies with an eye toward the law of data security. A well-developed IT infrastructure can give an employer substantial legal advantages and lead to better outcomes when employee data theft occurs.

What Is The CFAA?

To understand the practical importance of Nosal’s case, employers should first understand how the CFAA can apply to departing employees who steal company data. Congress passed the CFAA in 1986 – before the advent of most modern information technology – to combat computer hacking. The CFAA makes it a federal offense to obtain information or perpetrate a fraud either by (a) accessing a computer “without authorization,” or (b) “exceed[ing] authorized access” on any such computer. In addition to its criminal penalties, the CFAA creates a parallel civil cause of action for hacking victims.

For employers, a key benefit of the CFAA is that it may provide a ticket into federal court in a data theft case. (It’s one of only a few federal statutes that does so.) The benefits of a federal forum can be significant for an employer. Particularly in multi-state disputes, the federal system allows for the streamlined discovery of electronically stored information in ways that many states do not. Additionally, CFAA plaintiffs need not prove that the stolen information rises to the level of a trade secret, which is often a central dispute in other types of data theft cases.

When Is Employee Access To Sensitive Data "Unauthorized" Under The CFAA?

That makes the CFAA important for employers. But just how broadly does its concept of “unauthorized access” sweep? At the time of its passage, the CFAA seemed only to target “hacking” in the traditional sense of the word, i.e., external bad actors who – often from remote locations – secretly program their way into a company’s computer system without ever setting foot on company premises. (Consider, for example, the recent attack on Target’s computer system.) 

Today, however, breaches due to external threats make up only a limited portion of all yearly data theft in the U.S. In May 2013, the Commission on the Theft of American Intellectual Property found that “[m]uch [data theft] occurs the old-fashioned way.” The culprit is often a disloyal employee who had legitimate access to the stolen data through her employment: “Hard drives are either duplicated on site or physically stolen by bribed employees; employees are planted temporarily in companies or permanent employees leave and illegally share proprietary information; . . . and email accounts are compromised.”  

At first blush, theft by a disloyal employee would seem to fall outside the scope of the CFAA. Employees are, after all, typically “authorized” to access and use hard drives, email accounts, and the proprietary information they contain in connection with their jobs. So, for employers, is the CFAA off-limits?

Not quite. In the last decade or so, a handful of federal courts have applied the CFAA to employee data theft using a duty-of-loyalty theory. The best-known example is International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006), in which Judge Richard Posner reasoned that an employee who misused a company laptop forfeited his authorization to use the laptop when he engaged in misconduct. The court held that “Citrin's breach of his duty of loyalty terminated his agency relationship . . . and with it his authority to access the laptop, because the only basis of his authority had been that relationship.”

Nosal:  Misuse Is Not Unauthorized Access

But then along came David Nosal. In October 2004, Nosal voluntarily resigned from Korn/Ferry International, a major executive search firm headquartered near San Francisco. He departed with confidential business data from Korn/Ferry’s internal database of executive candidates. When it discovered Nosal’s theft, the government indicted him for violating the CFAA, the Economic Espionage Act, and other federal laws. The district court eventually dismissed the CFAA counts against Nosal, and the government appealed.

In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the 9th Circuit affirmed the dismissal of the CFAA counts against Nosal. In a colorful opinion by Judge Alex Kozinski, the court held that the CFAA does not cover an employee who merely misuses an employer’s information to which he otherwise has legitimate access. Judge Kozinski viewed the government’s argument to the contrary as giving way to an essentially unlimited category of criminal liability:

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, . . . . Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.

Instead, he wrote, “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Because the government had not alleged that Korn/Ferry restricted Nosal’s access to the data at issue, it affirmed the dismissal.

Unfortunately, that rule wasn’t good news for employers in the 9th Circuit, who now face a significant obstacle when pursuing CFAA claims against thieving employees. According to Nosal, they must allege and prove that the offending employee had no authorization to access the stolen data for any purpose.

Nosal's Case Goes On

But the case hasn’t ended there. Nosal’s indictment contained several other CFAA counts that the 9th Circuit didn’t consider on appeal. On remand, those counts presented another intriguing question about the CFAA: can a former employee violate the CFAA through an agent?

Consider, for example, a case in which employees Jack and Jill work for Acme, Inc. Jack voluntarily resigns from Acme, thereby terminating his authorization to use its computer systems. Jill, however, still works for Acme and is authorized to access its computer network. Jack then asks Jill to steal data from the Acme network on his behalf. By herself, Jill is immune from CFAA liability under Nosal, because she is authorized to access the network. But Jack has no such authorization. May the government prosecute him under the CFAA for asking Jill to pass him data that she herself may legitimately access?

In United States v. Nosal, 930 F. Supp. 2d 1051 (N.D. Cal. 2013), the federal district judge overseeing Nosal’s prosecution on the remaining counts said yes. The government alleged that – in addition to the theft he personally committed – Nosal and a co-conspirator had persuaded then-current Korn/Ferry employees to steal valuable business data on Nosal’s behalf. At the time of the theft, those employees were authorized to access the information, but Nosal and the co-conspirator were not. Nosal moved to dismiss those counts, arguing that “[b]ecause [a then-current employee] allowed Defendant’s co-conspirators to use her credentials to access the Korn/Ferry system, the co-conspirators cannot be said to be acting ‘without authorization’. . . .”

The court disagreed and denied the motion to dismiss. “[T]he Ninth Circuit made clear,” it held, “that it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization,” a rule established in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). Applying Brekka, the court found that “the CFAA appears to contemplate that one using the password of another may be accessing a computer without authorization.” Nosal has indicated that he will likely challenge that conclusion on appeal.

So What Does All This Mean For Employers?

On a practical level, what does this mean for employers? Nosal’s second appeal will likely reaffirm Brekka’s principle that “it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization.” In other words, the ways in which an employer designs its information technology infrastructure can have far-ranging legal consequences for its business. To anticipate those consequences, employers should:

  • Implement access controls with the law of data security in mind. The manner in which an employer restricts access to its business data can make or break a subsequent CFAA claim. For each category of business data, employers should impose clear requirements dictating who may access it and who may not. Of course, well-developed access controls have other benefits, too. The Uniform Trade Secrets Act, for example, defines “trade secret” to include only information that “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” Trade secret plaintiffs commonly meet that requirement by offering evidence of thorough access controls.   

Deciding to implement effective access controls in the abstract is easy. Actually doing so isn’t, for a number of reasons. For one thing, the particular controls that an employer should adopt depend heavily on the specifics of its broader IT infrastructure and business needs. Password protection alone may in some cases be too lax, especially if the employer has not developed a clear electronic technology policy for its employees. On the other hand, overly-restrictive controls might inhibit communication among employees, hampering productivity and innovation. To achieve the right balance, employers need more than abstract legal knowledge; they (and their counsel) should carefully analyze the particulars of their business goals and IT infrastructure in light of the standards and ground rules set by the applicable law of data security.

  • Use IT to determine the full scope of data theft. Nosal’s conviction also usefully illustrates the value of a well-designed IT infrastructure in uncovering evidence of theft, particularly when it comes to exiting tech-savvy employees. Had the evidence shown that only Nosal himself accessed Korn/Ferry’s confidential database, the CFAA charges against him would likely have failed. However, because the evidence revealed the involvement of multiple co-conspirators, the government successfully showed that Nosal “accessed” Korn/Ferry’s computer system through an agent, and at a time when he had no right to do so for any purpose.

Careful analysis of a departing employee’s company computer media can easily yield such key evidence. That analysis is as much a lawyer’s work as it is an IT professional’s. A normal computer’s hard drive contains far too much information for anybody to digest completely, which means that computer forensic investigators often need guidance on where and what to look for. Many investigators are familiar with the basic technical aspects of data theft – rapid file access, indicia of USB and cloud storage activity, etc. – but even the best investigators may miss key evidence. Evidence of illegal solicitation or a fragment of a web-based personal email to a co-conspirator may be lurking in a computer’s slack and unallocated space, but if an investigator focuses solely on an employee’s use of external storage devices, she may miss it. A lawyer’s involvement in the forensic investigation is often necessary to unearth such key facts.
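The two recommendations above (restrict access per data category, and use the employer’s own systems to establish who touched what, and when) can be made concrete. The following is an added example, not part of the original article or of any Korn/Ferry system: it encodes the Nosal distinction as a deny-by-default access check that asks only who may access which category of data and whether the account’s owner is still employed, never what the data is being used for, and then replays constructed access-log lines against that policy to flag post-termination account use, access outside an entitlement, and the credential-sharing pattern the district court described (a current employee’s account used from a source address also seen with a departed employee’s account). The roster, the Jack/Jill/Joe accounts, the log format and every log line are constructed for illustration.

```python
"""Access-restriction policy plus log replay for an employee data-theft review.

Added example (not from the article or any real employer's system). The
roster, account names, log format and log lines below are all constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set


@dataclass
class Employee:
    user: str
    categories: Set[str]        # data categories this account may ACCESS
    terminated: Optional[date]  # None while employed; set on the exit date


# Constructed roster for the article's hypothetical: Jack has resigned,
# Jill is current and entitled to the candidate database, Joe is current
# but entitled only to HR policy documents.
ROSTER: Dict[str, Employee] = {
    "jack": Employee("jack", {"candidate_db"}, date(2004, 10, 31)),
    "jill": Employee("jill", {"candidate_db", "hr_policies"}, None),
    "joe":  Employee("joe",  {"hr_policies"}, None),
}

# Constructed access-log lines: ISO timestamp followed by key=value pairs.
ACCESS_LOG: List[str] = """\
2004-10-15T09:02:11 user=jack category=candidate_db src=10.0.0.5 action=query
2004-10-20T17:45:00 user=jill category=candidate_db src=10.0.0.7 action=query
2004-11-02T21:14:05 user=jack category=candidate_db src=198.51.100.23 action=export
2004-11-03T22:05:41 user=jill category=candidate_db src=198.51.100.23 action=export
2004-11-04T10:00:00 user=joe category=candidate_db src=10.0.0.9 action=query
2004-11-04T10:05:00 user=joe category=hr_policies src=10.0.0.9 action=query
""".splitlines()


def deny_reason(emp: Optional[Employee], category: str, when: datetime) -> Optional[str]:
    """Return why access is denied, or None if the access restriction permits it.

    This is an *access* restriction in the Nosal sense: it never looks at the
    purpose of the access, only at who the account belongs to, whether that
    person is still employed, and which data categories the account may reach.
    """
    if emp is None:
        return "unknown_account"
    if emp.terminated is not None and when.date() > emp.terminated:
        return "post_termination"          # account used after its owner's exit date
    if category not in emp.categories:
        return "outside_entitlement"       # deny by default
    return None


def is_authorized(user: str, category: str, when: datetime,
                  roster: Dict[str, Employee]) -> bool:
    return deny_reason(roster.get(user), category, when) is None


def parse_line(line: str) -> Dict[str, str]:
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def audit(lines: List[str], roster: Dict[str, Employee]) -> List[Dict[str, str]]:
    """Replay the log against the policy and return findings for review.

    Besides policy denials, flag a current employee's account used from a
    source address that has also appeared with a departed employee's account.
    That is only a proxy for the "used another's password" pattern and needs
    human follow-up; it is not proof by itself.
    """
    departed_sources: Set[str] = set()
    findings: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        when = datetime.fromisoformat(rec["ts"])
        user, category, src = rec["user"], rec["category"], rec["src"]
        emp = roster.get(user)
        if emp is not None and emp.terminated is not None:
            departed_sources.add(src)
        reason = deny_reason(emp, category, when)
        if reason is None and emp is not None and emp.terminated is None \
                and src in departed_sources:
            reason = "shared_credential_suspected"
        if reason is not None:
            findings.append({"ts": rec["ts"], "user": user, "src": src, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, ROSTER):
        print(f)
```

Run against the constructed log, the replay flags Jack’s export two days after his exit date, Jill’s export from the same outside address Jack used, and Joe’s query against a category he was never entitled to; the first two lines and the last one pass. The point of the structure is that the policy is expressed as who may reach which data, which is the kind of restriction the 9th Circuit said the CFAA does police, and the log retains the source and timestamp fields an investigator needs to tie a current employee’s credentials to a departed one’s activity.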

Nosal’s case is an important reminder that employers should plan ahead when it comes to data security. We will track his appeal as it progresses.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stoel Rives LLP | Attorney Advertising
