On April 24, 2013, a federal jury in the Northern District of California found former Korn/Ferry International corporate executive recruiter David Nosal guilty on six counts of conspiracy, stealing trade secrets, and violations of the Computer Fraud and Abuse Act (“CFAA”). An appeal is expected, however.
The jury trial followed a lengthy procedural history that began in late 2004 when Nosal left the employ of Korn/Ferry. Shortly after Nosal left Korn/Ferry, he convinced three of his former colleagues to help him compile a large volume of data, including lists of employment candidates, from Korn/Ferry computers in order to help him start up a competing executive recruiting firm. On June 26, 2008, Nosal was indicted by the federal government on 20 counts related to his improperly accessing Korn/Ferry’s computers and proprietary databases.
Ultimately, the Ninth Circuit considered the issues related to Nosal’s indictment and whether the CFAA covered the situation presented by Nosal’s actions. In part, Nosal argued that the CFAA was “aimed primarily at hackers” and does not cover employees (such as him) who allegedly misappropriate information or who are accused of violating confidentiality agreements. Nosal further argued that the employees who downloaded the Korn/Ferry information actually were provided access to that information, and, therefore, did not “act without authorization” or “exceed authorized access” as required to be found in violation of the CFAA. In deciding the issue, the Ninth Circuit was principally tasked with determining whether Nosal’s accomplices could have exceeded their authorized access by obtaining information that they were entitled to review only under limited circumstances. Notably, the Korn/Ferry employees were subject to a computer use policy that placed “clear and conspicuous restrictions” on the employees’ access to the system in general, as well as certain databases specifically. Nonetheless, relying on its earlier decision in LVRC Holdings LLC v. Brekka, the Ninth Circuit concluded that “an employee ‘exceeds authorized access’ under [the CFAA] when he or she violates the employer’s computer access restrictions – including use restrictions.” U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011). However, the Ninth Circuit then reconsidered the issue en banc, and chose to construe the CFAA narrowly. Accordingly, the Ninth Circuit held that the phrase “exceeds authorized access” does not extend to violations of use restrictions, where an employee with approved access then misappropriates the data, because to find otherwise, it concluded, would turn the CFAA from a hacker statute to a broad misappropriation statute, which it refused to do.
The federal jury’s recent verdict identifies an issue that many federal circuits have grappled with: How should the CFAA apply to people who are not “hackers” in any traditional sense of the word? Indeed, the Fifth and Eleventh Circuits have interpreted the CFAA much more broadly, finding, for example, that a Social Security Administration employee exceeded authorized access under the CFAA when he obtained personal information about former girlfriends and potential lovers and then used that information to pursue them. Given the Ninth Circuit’s apparent reluctance to interpret the CFAA broadly (contrary to those other Circuits), it will be interesting to see what the future holds for Nosal’s situation in light of his likely appeal.