United States v. Nosal

• Decision Date: 05 July 2016
• Docket Number: 14-10275,Nos. 14-10037,s. 14-10037
• Citation: 844 F.3d 1024
• Parties: UNITED STATES of America, Plaintiff–Appellee, v. David NOSAL, Defendant–Appellant.
• Court: U.S. Court of Appeals — Ninth Circuit

844 F.3d 1024

UNITED STATES of America, Plaintiff–Appellee,

v.David NOSAL, Defendant–Appellant.

Nos. 14-10037

14-10275

United States Court of Appeals, Ninth Circuit.

Argued and Submitted October 20, 2015 San Francisco, California

Filed July 5, 2016

Amended December 8, 2016

Dennis P. Riordan (argued) and Donald M. Horgan, Riordan & Horgan, San Francisco, California; Ted Sampsell-Jones, William Mitchell College of Law, St. Paul, Minnesota; for Defendant–Appellant.

Jenny C. Ellickson (argued), Trial Attorney, Criminal Division, Appellate Section; Sung–Hee Suh, Deputy Assistant Attorney General; Leslie R. Caldwell, Assistant Attorney General; United States Department of Justice, Washington, D.C.; J. Douglas Wilson, Assistant United States Attorney, Chief, Appellate Division; Kyle F. Waldinger and Matthew A. Parrella, Assistant United States Attorneys; United States Attorney's Office, San Francisco, California; for Plaintiff–Appellee.

Jamie Williams, Cindy Cohn, Andrew Crocker, and Stephanie Lacambra, Electronic Frontier Foundation, San Francisco, California; Esha Bhandari and Rachel Goodman, American Civil Liberties Union Foundation, New York, New York; Linda Lye, Nicole Ozer, and Matthew T. Cagle, American Civil Liberties Union Foundation of Northern California; for Amici Curiae Electronic Frontier Foundation, American Civil Liberties Union, and American Civil Liberties Union of Northern California.

Martin Hansen, Covington & Burling, Washington, D.C.; Simon J. Frankel and Matthew D. Kellogg, Convington & Burling, San Francisco, California, for Amicus Curiae BSA | The Software Alliance.

David Nied, Keenan W. Ng and Michael S. Dorsi, Ad Astra Law Group, San Francisco, California, for Amicus Curiae NovelPoster.

Before: Sidney R. Thomas, Chief Judge and Stephen Reinhardt and M. Margaret McKeown, Circuit Judges.

Dissent by Judge Reinhardt

ORDER

The opinion filed on July 5, 2016, and appearing at 828 F.3d 865, is hereby amended. An amended opinion is filed concurrently with this order.

With these amendments, Chief Judge Thomas and Judge McKeown vote to deny the petition for rehearing en banc. Judge Reinhardt votes to grant the petition for rehearing en banc.

The full court has been advised of the petition for rehearing en banc, and no judge has requested a vote on whether to rehear the matter en banc. Fed. R. App. P. 35.

The petition for rehearing en banc is denied. No further petitions for en banc or panel rehearing shall be permitted.

OPINION

McKEOWN, Circuit Judge:

This is the second time we consider the scope of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, with respect to David Nosal. The CFAA imposes criminal penalties on whoever "knowingly and with intent to defraud, accesses a protected computer without authorization , or exceeds authorized access , and by means of such conduct furthers the intended fraud and obtains anything of value." Id. § 1030(a)(4) (emphasis added).

Only the first prong of the section is before us in this appeal: "knowingly and with intent to defraud" accessing a computer "without authorization." Embracing our earlier precedent and joining our sister circuits, we conclude that "without authorization" is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. Further, we have held that authorization is not pegged to website terms and conditions. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door. This provision, coupled with the requirement that access be "knowingly and with intent to defraud," means that the statute will not sweep in innocent conduct, such as family password sharing.

Nosal worked at the executive search firm Korn/Ferry International when he decided to launch a competitor along with a group of co-workers. Before leaving Korn/Ferry, Nosal's colleagues began downloading confidential information from a Korn/Ferry database to use at their new enterprise. Although they were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry's confidentiality and computer use policies. In 2012, we addressed whether those employees "exceed [ed] authorized access" with intent to defraud under the CFAA. United States v. Nosal (Nosal I ), 676 F.3d 854 (9th Cir. 2012) (en banc). Distinguishing between access restrictions and use restrictions, we concluded that the "exceeds authorized access" prong of § 1030(a)(4) of the CFAA "does not extend to violations of [a company's] use restrictions." Id. at 863. We affirmed the district court's dismissal of the five CFAA counts related to Nosal's aiding and abetting misuse of data accessed by his co-workers with their own passwords.

The remaining counts relate to statutory provisions that were not at issue in Nosal I : access to a protected computer "without authorization" under the CFAA and trade secret theft under the Economic Espionage Act ("EEA"), 18 U.S.C. § 1831 et seq . When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained for a time as a contractor. The company took the same precaution upon the departure of his accomplices, Becky Christian and Mark Jacobson. Nonetheless, they continued to access the database using the credentials of Nosal's former executive assistant, Jacqueline Froehlich–L'Heureaux ("FH"), who remained at Korn/Ferry at Nosal's request. The question we consider is whether the jury properly convicted Nosal of conspiracy to violate the "without authorization" provision of the CFAA for unauthorized access to, and downloads from, his former employer's database called Searcher.¹ Put simply, we are asked to decide whether the "without authorization" prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.

We directly answered this question in LVRC Holdings LLC v. Brekka , 581 F.3d 1127 (9th Cir. 2009), and reiterate our holding here: "[A] person uses a computer ‘without authorization’ under [the CFAA] ... when the employer has rescinded permission to access the computer and the defendant uses the computer anyway." Id. at 1135. This straightforward principle embodies the common sense, ordinary meaning of the "without authorization" prohibition.

Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company's internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute. Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA's prohibition on "knowingly and with intent to defraud" accessing a computer "without authorization," and thus we affirm Nosal's conviction for violations of § 1030(a)(4) of the CFAA.

The dissent mistakenly focuses on FH's authority, sidestepping the authorization question for Christian and Jacobson. To begin, FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked. Also, in collapsing the distinction between FH's authorization and that of Christian and Jacobson, the dissent would render meaningless the concept of authorization. And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress's intent.

We also affirm Nosal's convictions under the EEA for downloading, receiving and possessing trade secrets in the form of source lists from Searcher. We vacate in part and remand the restitution order for reconsideration of the reasonableness of the attorneys' fees award.

BACKGROUND

I. FACTUAL BACKGROUND

Nosal was a high-level regional director at the global executive search firm Korn/Ferry International. Korn/Ferry's bread and butter was identifying and recommending potential candidates for corporate positions. In 2004, after being passed over for a promotion, Nosal announced his intention to leave Korn/Ferry. Negotiations ensued and Nosal agreed to stay on for an additional year as a contractor to finish a handful of open searches, subject to a blanket non-competition agreement. As he put it, Korn/Ferry was giving him "a lot of money" to "stay out of the market."

During this interim period, Nosal was very busy, secretly launching his own search firm along with other Korn/Ferry employees, including Christian, Jacobson and FH. As of December 8, 2004, Korn/Ferry revoked Nosal's access to its computers, although it permitted him to ask Korn/Ferry employees for research help on his remaining open assignments. In January 2005, Christian left Korn/Ferry and, under instructions from Nosal, set up an executive search firm—Christian & Associates—from which Nosal retained 80% of fees. Jacobson followed her a few months later. As Nosal, Christian and Jacobson began work for clients, Nosal used the name "David Nelson" to mask his identity when interviewing candidates.

The start-up company was missing Korn/Ferry's core asset: "Searcher," an internal database of information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995....