Stealing a trade secret (reprehensible though this may be) has generally not attracted federal criminal liability. Yet in the recent prosecution of David Nosal, the Justice Department applied a computer hacking statute to convict a departing employee for a rather run-of-the-mill trade secret theft: the unauthorized taking of customer lists. Many if not most trade secrets -- like the customer lists involved in Nosal -- are stored on computers. As such, aggressive use of the federal Computer Fraud and Abuse Act could convert many trade secret misappropriations -- traditionally civil offenses and a state law matter - into federal crimes. And this policy shift -- criminalizing and federalizing -- results from the determinations of prosecutors and judges, and not from Congress.
David Nosal worked for the executive search firm Korn/Ferry International until 2004 when he left to form a rival firm. Upon departure, he signed a standard non-compete agreement, but also recruited 3 fellow Korn/Ferry employees to join his new firm. Before those employees left, they downloaded proprietary customer information from the Korn/Ferry network and provided the confidential data to Nosal.
The Justice Department charged Nosal with 22 counts under the Computer Fraud and Abuse Act, 18 U.S.C. §1030, which prohibits, inter alia, unauthorized access to computer systems for fraudulent purposes. The fraudulent purpose in this case was theft of trade secrets.
It is important to note that misappropriation of trade secrets is only civilly actionable, except when done for the benefit of foreign governments or entities, which violates the Economic Espionage Act. Nor is violation of a non-compete agreement a crime. Indeed, such agreements are mostly unenforceable in California, where Nosal and Korn/Ferry were based.
On Nosal's pre-trial motion, the District Court dismissed most of the CFAA charges, reasoning that employee access to workplace computers, even with fraudulent intent, was not an "unauthorized access" under §1030. The U.S. appealed to the Ninth Circuit, which reversed. 642 F.3d 781 (2011). Writing for the three-judge panel, Judge Stephen Trott interpreted the CFAA to apply to two kinds of unauthorized access by employees. The first is where an employee accesses information she is not entitled to; e.g., by "hacking." The second is where an employee "uses" information she does have access to, but for purposes other than those authorized by the employer. In that case, the employee would "exceed" her authorized access, thus violating CFAA. It is on this second prong where the troubling expansion of trade secret liability is developing.
Since Korn/Ferry's computer use policy did not authorize employees to use proprietary information for competitive purposes, Judge Trott concluded the departing employees and co-conspirator Nosal's misappropriation was subject to CFAA. Judge Trott spoke to the potential reach of his decision:
We do not dismiss lightly Nosal's argument that our decision will make criminals out of millions of employees who might use their work computers for personal use. [But] an employee violates [§1030(a)(4)] if the employee (1) violates an employer's restriction on computer access, (2) with an intent to defraud...But not all sections of the CFAA require criminal or fraudulent intent, so the panel's interpretation of "unauthorized access" could capture anyone who used a computer or Internet service in violation of her Terms of Service. Moreover, since most trade secrets are now maintained in computer databases, the panel decision essentially federalized and criminalized the business tort of misappropriation of trade secrets. That far-reaching impact prompted the Ninth Circuit to grant rehearing en banc. 661 F.3d 1180 (2011).
On rehearing, the Ninth Circuit reversed the earlier panel decision. 676 F.3d 854 (2012). Judge Kozinski wrote:
The government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.... If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions--which may well include everyone who uses a computer--we would expect it to use language [to that effect].Accordingly, the court limited the CFAA to more familiar forms of "hacking," both outside hacking (intruder attacks) and inside hacking (e.g., employees accessing forbidden areas of the network). Other circuits have reached conflicting results in CFAA cases.
Not to be outdone, the United States returned to District Court where it prosecuted Nosal on the remaining counts of the indictment. Allegedly, after signing on to her office computer, one employee let other co-conspirators use it to access Korn/Ferry's customer list. In declining to dismiss those counts, District Judge Edward Chen held that this action amounted to unauthorized access under the Ninth Circuit's definition, even though no "hacking" had occurred. 930 F.Supp.2d 1051 (2013). Nosal was convicted and sentenced to a year and a day in jail. The U.S. attorney claimed that the conviction and sentence "will go through Silicon Valley like a bell." Indeed it will.
So here's how things stand in the Ninth Circuit (as we read them):
Conversion of a trade secret removed from a computer to which one otherwise had authorized access is not a CFAA violation. That is, the misappropriation of the trade secret does not turn authorized computer access into unauthorized access, thus triggering CFAA liability.
Unauthorized access (such as letting another use your password or exceeding one's network permissions) can trigger criminal liability under CFAA when appropriation of a trade secret results.Nosal's prosecution is another novel application of CFAA, reminiscent of the charges brought against Aaron Swartz when he allegedly breached security measures of an MIT database and downloaded millions of publicly-licensed academic articles. After Swartz's suicide last year, the case set off calls across the nation to reform the law. Zoe Lofgren (D-CA) and James Sensenbrenner (R-WI) have sponsored a bill (H.R. 2454) entitled Aaron's Law that would reduce CFAA penalties and codify the Ninth Circuit decision in Nosal.
Without such reforms, and unless Nosal's conviction is overturned on appeal, it will allow federal criminal prosecution of many routine instances of trade secret misappropriation. Those acts can and should be pursued civilly. But state business torts ought not to be federalized unless overriding federal interests, such as national security, are involved.
As Judge Kozinski observed, Nosal is an appropriate setting for the application of the Rule of Lenity. This principle urges that criminal statutes should be read narrowly; that expansive and surprising interpretations are to be avoided. The Rule of Lenity is consistent with due process notions that we should clearly know beforehand which acts draw criminal consequences. And it respects the primacy of the legislature in determining what is and what is not criminal conduct.
Wrongful intent -- even if demonstrated -- should not convert authorized access to trade secrets stored on a company computer to unauthorized access until and unless Congress makes a clear determination.