Former Employee Sentenced to Prison for Trade Secret Misappropriation and Computer Fraud Related Misconduct

One of the more noteworthy employer/employee trade-secret misappropriation and Computer Fraud and Abuse Act (CFAA) cases came to an end earlier this week. Specifically, Mr. David Nosal was sentenced on January 8, 2014 to one year and one day in prison. He was convicted of misappropriating his former employer's trade secrets and improperly accessing the employer's computer network.

We previously reported on a trade secret misappropriation case and violation of the federal Computer Fraud and Abuse Act (CFAA) arising out of the employment relationship between David Nosal and his former employer. At the time we reported on this case, it was unusual in that the charges against Mr. Nosal essentially amounted to criminalization of violations of an employer's computer use policy.

Specifically, Mr. Nosal had been charged by U.S. prosecutors with one count of conspiracy, three counts of unauthorized access to a computer used in interstate or foreign commerce or communication, one count of unauthorized downloading and copying of trade secrets, and one count of unauthorized receipt and possession of stolen trade secrets.

Mr. Nosal had challenged these criminal charges, primarily arguing that the CFAA was "aimed primarily at computer hackers" and that it "does not cover employees who misappropriate information or who violate contractual confidentiality agreements." This challenge resulted in an extensive and sometimes complicated procedural trail that saw the district court initially reject Mr. Nosal's arguments, only to later accept them and dismiss five counts of the six-count indictment. From here the government appealed this decision to the Ninth Circuit Court of Appeals, and an en banc appeal (an appeal to the full bench as opposed to a panel selected to hear the appeal) later followed. Follow this link for a full explanation of the trial and appellate timeline.

Ultimately, after the dust from the trial and appeals settled, the jury returned a guilty verdict against Mr. Nosal on all six counts of the indictment, finding that he had conspired to gain unauthorized access to the computer system of his former employer, the executive search firm Korn/Ferry International, and to illegally obtain trade secrets belonging to Korn/Ferry. The jury also found Nosal guilty of three substantive computer intrusions in April and July 2005 and two substantive trade secret offenses that occurred in April 2005.

The Take-Away for Employers and Employees

The sentencing of Mr. Nosal is a stark reminder to employees about the serious consequences that may result from trade secret misappropriation and engaging in unauthorized access to an employer's computer system.

The Nosal decision also eventually resulted in "clarifying" the scope of the CFAA (at least for employers and employees within the jurisdiction of the Ninth Circuit Court of Appeals) in that the Court held under the CFAA, "an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer." 

For more information about trade secret protections or investigating trade secret misappropriation issues, including matters involving the Computer Fraud and Abuse Act, contact attorney Jason Shinn. He is a legal-technology nerd and has been retained as an expert in various legal matters involving computers and misconduct. He also routinely investigates employment-based workplace computer issues and misconduct, and makes sure employers meet their obligations when law enforcement needs to investigate suspected computer crimes involving employer-provided computers and technology.

Computer Fraud and Abuse Act Does not Protect Against Employee Violations of Company Computer Use Policies

Previously this blog outlined the various approaches Courts have taken to applying the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. 1030, to workplace misuse of employer provided computer resources.

A recent opinion from the Ninth Circuit Court of Appeals, however, seriously limits the applicability of the CFAA to the employer/employee relationship and challenges other courts to reconsider its application.

Specifically, the Ninth Circuit Court rejected the Justice Department's interpretation of the CFAA, which asserted the CFAA targets both hackers and individual employees who use a computer for an unauthorized purpose.

Factual Background

The case, U.S. v. Nosal (PDF), involved David Nosal, who worked for Korn/Ferry International (“Korn/Ferry”), an executive search firm. After leaving the company in 2004, Nosal and other Korn/Ferry employees allegedly conspired to help Nosal start a competing business, in violation of a non-compete agreement.

Korn/Ferry eventually learned that information contained within a confidential company database had been transferred to Nosal. Korn/Ferry argued this database was one of the most comprehensive of its type in the world. Accordingly, it had taken significant measures to protect the information from improper use. 

of the information.

Procedural Background and the Criminal Charges

After David Nosal was indicted on 20 counts, including violations of the CFAA, his lawyers argued that the CFAA charges should be thrown out. They argued that the CFAA targets only hackers, not employees who misappropriate information or who violate contractual confidentiality agreements by using employer-owned information in a manner inconsistent with those agreements. In other words, Nosal argued the Korn/Ferry employees could not have acted without authorization, nor could they have exceeded authorized access, because they had permission to access the database and its information.

The district court initially rejected Nosal’s argument. This decision, however, was reversed because the trial court followed the reasoning of a subsequent CFAA opinion (LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009)), which construed narrowly the phrases “without authorization” and “exceeds authorized access” in the CFAA. Based on Brekka, the district court concluded that “[t]here is simply no way to read [the definition of ‘exceeds authorized access’] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate,” as “[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense.”

The government appealed but lost this decision before the Ninth Circuit Court of Appeals.

The Computer Fraud and Abuse Act and the Employment Relationship

The Ninth Circuit's ruling is at odds with the Fifth, Seventh and Eleventh Circuits, all of which have adopted a broader view of the CFAA's sweep. In responding to the conflict, Judge Kozinski said those other courts "failed to consider the effect on millions of ordinary citizens" and urged them to reconsider. Judge Kozinski further noted: 

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.

Michigan Employers and the Computer Fraud and Abuse Act 

For Michigan employers and employees, it is important to note that the applicable federal circuit (the Sixth Circuit Court of Appeals) has upheld the criminal conviction of a CFAA violation arising out of the employment relationship.

Specifically, the case involved an employee who stole confidential data from his employer’s computers, but that decision was limited to the issue of whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5-year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565. Additionally, the former employee's conviction was based on the fact that after he had been discharged he accessed his employer's computer network and confidential files at least 21 times, including through an employer server and 19 times through the email account of another employee.

Take Away for Employers

Certainly courts continue to debate whether the CFAA should, if at all, be applied to the employer/employee relationship. Setting aside this issue, it is important for employers to protect their company and confidential information. And these steps may improve the likelihood that, if necessary, the CFAA will be available to protect competitive advantages and defend against unfair competition.

Korn/Ferry provides an overview of protective measures employers should take to protect company computers and databases. Specifically, Korn/Ferry took the following steps:  

  • The placement of controls on electronic access of the database and its servers;
  • The creation of unique usernames and passwords for authorized users; 
  • A requirement that all employees sign an agreement confirming the confidential and proprietary nature of the information; and 
  • Having the opening screen of the database include the warning: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”

Should the CFAA apply to the employment relationship? There are a number of reasons why the CFAA should have limited application in the employment context.    

Computer Fraud and Abuse Act: A Criminal Statute That Extends to the Employment Relationship?

A recent article in the Wall Street Journal, As Criminal Laws Proliferate, More Ensnared (Gary Fields and John Emshwiller), details the increasing number of federal criminal statutes and federal prosecutions - a threefold increase over the last 30 years. The article attributes - in part - this upward spiral to the criminalization of issues generally considered more appropriate for civil lawsuits.

The Computer Fraud & Abuse Act

The Computer Fraud and Abuse Act ("CFAA"), discussed in the preceding article, is a prime example of a criminal statute increasingly applied to civil matters and especially to matters arising in the context of the employment relationship. 

In fact, a federal judge, in dismissing CFAA claims against a former employee for excessive Internet/Facebook use, echoed concerns similar to those raised in the WSJ's article:

The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives ...."

Despite the original "design" of the CFAA as a primarily criminal statute, now anyone "who suffers damage or loss ... may maintain a civil action ... to obtain compensatory damages and injunctive relief or other equitable relief." 18 U.S.C. § 1030(g). The CFAA lacks a "specific intent" requirement, which simply means that a violation does not require a person to intend to wrongfully access and cause damage. Instead, criminal and civil liability are essentially based upon accessing or obtaining information from a protected computer without authorization.

But "access without authorization" has become such an elastic concept that the statute has been applied to a number of common employment scenarios:

The Take-away

Reasonable people can certainly debate the appropriateness of applying a federal criminal computer hacking statute to employment related disputes. But the bottom line is that a computer engineer who decides to copy some interesting source code "just in case" he needs it at his next job, or the budding entrepreneur who downloads a customer database in preparation to start a competing business, or any number of situations where an employee accesses an employer's computer "without authorization" may form the foundation for imposing liability under the CFAA. 

Targeting "Excessive" Social Media Use as Violation of Computer Fraud & Abuse Act Misses the Mark

A Computer Fraud and Abuse Act (CFAA) claim against a former employee based on "excessive Internet usage," including visiting Facebook, was recently dismissed by a Federal District Court in Florida.

Specifically, in Lee v. PMSI, Inc., the former employer claimed Wendi Lee engaged in "excessive Internet usage," visited "personal websites such as Facebook," and sent and reviewed her "personal web mail account." PMSI filed the CFAA claim after Ms. Lee sued for pregnancy discrimination.

Before shooting down PMSI's CFAA claim, the Court set the stage by noting:

The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives ...." Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the Internet instead of working.

Against this backdrop, the Court quickly picked apart PMSI's claim:

  • First, a critical element for a CFAA claim involves "unauthorized access." PMSI, however, expressly admitted that it knew of Ms. Lee's excessive computer/Internet usage while she was employed and never terminated her authorization to use her work computer. 
  • Second and building upon the preceding point, PMSI made no reference to any express computer policy that Ms. Lee violated. Instead, the employer compared Ms. Lee's computer usage to two other employees in her department and argued that this discrepancy transformed acceptable Internet usage into a violation of the Computer Fraud and Abuse Act.
  • Third, another required element is a loss in excess of $5,000. PMSI argued "dubiously" (court's description) that Ms. Lee caused PMSI "financial losses in excess of $5,000, due to her lack of productivity." The Court flatly rejected that "loss" under the CFAA should include lack of productivity.
  • Fourth, obtaining or altering information on a protected computer is also a required element. But Ms. Lee accessed her Facebook, personal email, and news websites, i.e., information not on PMSI's computer system. Thus, Ms. Lee never "obtained or alter[ed] information" on a "protected computer." 

Practical Considerations in Applying the Computer Fraud and Abuse Act to the Employment Relationship

From a practical perspective, one estimate has over 116,010,760 Americans on Facebook. Facebook itself estimates having over 500 million active users with 30% of this consisting of U.S. residents. Taking these numbers at face value, a recent survey identified that 77% of workers who have a Facebook account use it during work hours.

So following PMSI's logic and only considering Facebook (as opposed to other non-work web browsing), at any given moment a significant number of American employees are violating a criminal statute while accessing Facebook at work. This remains true even if the number of Facebook users is lowered to account for those who are not employed. And if you include accessing and monitoring March Madness or Fantasy Football stats on employer time, well, I would have to exercise my Fifth Amendment rights against self-incrimination.

The Take Away for Employers and Employees

The bottom line is the CFAA is a criminal statute focused on hacking of computers for criminal purposes, e.g., stealing information or destroying functionality. This statute also includes a civil provision applicable to certain situations. But as the Lee Court appropriately noted, employers and their attorneys should not fall into the lazy reasoning that the CFAA's civil provision is applicable to the regulation of private sector employment relationships:

Extension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary.

There are certainly compelling factual situations where a Computer Fraud and Abuse Act claim against a current or former employee falls squarely within the scope and purpose of the statute. And Courts have reached a range of results favorable to employers when it comes to such claims involving employee/employer-related facts. PMSI's CFAA claim, however, does not come within a gunshot of falling in that range.

Computer Fraud and Abuse Act Continues to be Potent Weapon Against Disgruntled and Departing Employees

A recent opinion from the Ninth Circuit Court of Appeals (PDF) confirms that the Computer Fraud and Abuse Act (essentially a federal computer hacking statute) continues to be a significant resource for employers to protect against the loss and damage of mission critical information due to departing or rogue employees.

To add the Computer Fraud and Abuse Act ("CFAA") to your tool-box, however, requires careful planning and potentially retooling your company's computer use policy. 

This is because in the context of the employment relationship, a violation of the statute turns on whether an individual "intentionally accesses a computer without authorization" or "exceeds authorized access." 18 U.S.C. § 1030(e)(6). The CFAA defines "exceeds authorized access" as accessing a "... computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The CFAA does not define the phrase "without authorization," and courts have reached conflicting interpretations as to both of these phrases when it comes to the employment relationship.

Acting adversely to Employer's Interest May Trigger Computer Fraud and Abuse Act Violation

Some Courts take an employer-friendly approach and recognize that "unauthorized" or "exceeding authorized" access is established if an employee accesses the employer's computer for a purpose adverse to the employer’s interests, i.e., violates a duty of loyalty. A common fact pattern in these cases involves an employee obtaining company or proprietary information from the employer's computers for use in a competing venture or on behalf of a competitor. Such action has been found to establish "without authorization" or "exceeding authorization" under the Computer Fraud and Abuse Act. See International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (reversing dismissal of CFAA claims where employee went into business for himself and used "scrubbing" software to delete all of the files on his company-issued computer).

The Computer Fraud and Abuse Act is concerned with access, not subsequent use or misuse of information.   

Another line of decisions distinguishes between "exceeds authorized access" and "exceeds authorized use." What this boils down to is that employees are not acting "without authorization" in accessing company information when they have "permission to use" a company network even if that employee later misuses that information, e.g., to improperly compete against the former employer. See LVRC Holdings LLC v. Brekka (2009). This concept was explained in the case of U.S. v. Aleynikov (2010) where a New York Federal District Court dismissed claims against an employee and overturned his conviction under the CFAA for copying and removing software trading codes. The court reasoned that the statute should be restricted to prohibiting people from "hacking" into a computer system, not the subsequent use or misuse of information.

Violation of Computer Fraud and Abuse Act occurs when an employer's express limitations for accessing company information are violated.   

A third line of cases focuses on an employer's express limitations as to accessing company data/networks. An employee accessing the employer's computer in excess of the express limitations violates the employer's access restrictions, which may include restrictions on the use of the computer or of the information contained in that computer. This situation was illustrated in the Ninth Circuit's recent opinion in U.S. v. Nosal (2011) (PDF), which concluded:

as long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that.

Take away for Employers

Certainly there is a robust debate as to how the Computer Fraud and Abuse Act should, if at all, be applied to the employer/employee relationship. But there are important steps employers should take to improve the likelihood that, if necessary, the CFAA will be available to protect competitive advantages and defend against unfair competition. 

The most important step is to review the employer's computer use policy and what it restricts. If an employer lacks a computer use policy or it is deficient, then the employer will likely be left to rely upon Citrin and the line of cases where liability under the CFAA depends upon a violation of a "duty of loyalty."

But if you ask me, the reasoning in Citrin and similar cases is inherently unworkable. This is because it overlooks that an employee's authorization to access a particular document on the same computer may change throughout his or her employment (It pains me to say that Citrin got it wrong because it was authored by the venerable Richard Posner, a judge on the Seventh Circuit Court of Appeals and a favorite jurist of mine).  

For example, an employee's access rights to particular information would change if the employee began looking for employment. Suppose that, in pursuing alternative employment, the employee accessed such information to assist in the job search - i.e., to refresh the employee's memory about accomplishments or to better describe skills and abilities on a resume or in an interview. Under Citrin, a violation of the CFAA arguably occurred because there was access for reasons adverse to the employer and thereby access without authorization. But if that same employee decided not to seek outside employment and accessed the same information for work related reasons, the employee's interests would again be aligned with the employer and, therefore, access would be authorized.

The better strategy is to make sure the computer use policy expressly restricts employees from using, copying, and accessing any information on the company's computer systems for personal gain. Such a provision allows employers to argue that any access for personal gain is without authorization and thereby keep in play the Computer Fraud and Abuse Act claims without having to resort to Citrin's duty of loyalty reasoning.