On April 25, 2013, a federal jury convicted Executive Recruiter David Nosal on three counts under the Computer Fraud and Abuse Act (“CFAA”), two counts under the Economic Espionage Act (“EEA”), and one count of conspiracy to violate the CFAA and EEA, for Nosal’s conduct leaving his former employer and establishing a competing business in 2004 and 2005.
The conviction followed an FBI investigation and multiple indictments alleging that Nosal conspired with former co-workers to gain unauthorized access to his former employer’s computers system and to illegally obtain its trade secrets – source lists of candidates compiled for search assignments – to use in his competing business.
On August 7, 2013, U.S. District Judge Edward Chen heard argument on Nosal’s motions for acquittal and a new trial and took both motions under submission. On August 15, 2013, the Court issued its ruling, denying both motions in a 39-page order.
This is Part I of a three part post. In this post we will look at the Court’s order on Nosal’s conviction of the CFAA counts. In Part II, we will review the EEA counts. Finally, in Part III, we will try to foresee what the future may hold for Nosal and look at some lessons employers can learn from this case.
A. Nosal’s Conviction on the CFAA Counts:
Nosal was convicted of three counts under the CFAA for accessing his former employer’s computers and obtaining information on three separate occasions. In relevant part, the CFAA provides criminal penalties for:
[whoever] knowingly and with intent to defraud, accesses a protected computers without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computers and the value of such use is not more than $5,000 in any 1-year period;
18 U.S.C. § 1030(a)(4).
In his motions, Nosal argued broadly that he was entitled to acquittal or a new trial on the CFAA counts because: (1) no person gained unauthorized access to his former employer’s computers within the meaning of the CFAA; (2) the deliberate ignorance jury instruction was confusing; (3) there was insufficient evidence that Nosal had the requisite mental state to commit the CFAA violations; and (4) there was insufficient evidence of a conspiracy.
- Unauthorized Access to his former employer’s Computers
In support of the “no unauthorized access” argument, Nosal argued that: (1) under the Ninth Circuit’s en bancdecision in this case (United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)), there can be no CFAA violation because any access to his former employer’s computers was gained with the permission of the password holder and there was no circumvention of technological barriers; (2) Nosal’s former co-workers were authorized to access the computers; and (3) Nosal was authorized to receive certain information in the course of his work as an independent contractor for his former employer.
The Court rejected Nosal’s first argument, holding that “[n]owhere does the court’s opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4)” and also noted that the indictment actually does allege circumvention of a technological barrier because “password protection is one of the most obvious technological access barriers that a business could adopt.”
The Court also dismissed Nosal’s second argument that his former co-workers were authorized to access his former employer’s computer, holding that the evidence established they did not have his former employer’s authorization and “that it is the actions of the employer who maintains the computers system that determine whether or not a person is acting with authorization.” In so doing, the Court distinguished Nosal’s argument that the verdict was criminalizing the allegedly common practice of employees sharing passwords with each other to access their employer’s computers systems by explaining that here, an employee of his former employer impermissibly gave her password, not to a co-worker, but to former employees who were not authorized to access the computers.
The Court also rejected Nosal’s argument that his former co-workers were authorized to access his former employer’s computers on the relevant dates, finding that the evidence sufficiently established that they were not authorized. Finally, the Court rejected Nosal’s argument that he was authorized to receive certain information from his former employer’s computers in his work as an independent contractor, holding he was only authorized to receive limited information relevant to specific work he was doing for his former employer, but that the information he received was for his competing business.
- Deliberate Ignorance Jury Instruction
Nosal also argued that an instruction that the jury could find that he had acted “knowingly” to violate the CFAA if he was aware of a high probability that his former executive assistant or former co-workers had gained unauthorized access to the computers or misappropriated trade secrets, and he deliberately avoided learning the truth, was confusing because his former executive assistant was at all relevant times employed by his former employer and was authorized to access the computers while the other former co-workers were not employed by his former employer and were not authorized.
The Court held that Nosal had waived this argument by not raising it earlier. Moreover, the Court held that the instruction was sufficiently clear that the jury could not convict Nosal on the CFAA counts if they concluded his former executive assistant has accessed the computers, because such access would not have been “unauthorized.”
- Evidence Nosal had Knowledge of Unauthorized Downloads
Nosal further argued that there was insufficient evidence he had knowledge of downloads from his former employer’s computers were unauthorized because the downloads were not conducted by his former executive assistant. Reciting substantial evidence presented at trial by the government, including evidence that Nosal gave his former co-workers specific directions about information he wanted from his former employer’s computers, that he knew a former co-worker had a large amount of data taken from the computers, that he knew they were not authorized to obtain the information, and that Nosal’s executive assistant did not know how to do so, the Court concluded the government had proved beyond a reasonable doubt that Nosal knew of, was deliberately indifferent to, and/or had conspired to commit the CFAA violations.
- Evidence of Conspiracy
Nosal also argued that there was not sufficient evidence of conspiracy. The Court dismissed this argument, concluding that the same evidence that Nosal had knowledge of the downloads from his former employer’s computers was sufficient to support the verdict on the conspiracy count.