USA v. Nosal (2016)

This case reminds me a bit of the 1992 film, “Glengarry Glen Ross.”  It’s all about the leads.

In a previous post, I briefly addressed the evidentiary value in family court proceedings of data accessed with the password of the other party (usually the spouse or other intimate partner) without consent.  Not only could there be state and federal criminal liability for the party accessing the data, his or her attorney may be subject to discipline by the State Bar of California for using it.  This post focuses specifically on the federal Computer Fraud and Abuse Act (“CFAA,” 18 U.S.C. sec. 1030), and whether, after consent has been revoked, there may be criminal exposure for accessing such information through a third party’s access to the information (i.e., through the “back door”), based on the more-recent holding of a three-judge panel of the Ninth Circuit Court of Appeals.

The Ninth Circuit had already answered the question whether continuing to access company information (through the “front door”) after access had been revoked is “without authorization” under 18 U.S.C. sec. 1030(a)(4): “[A] person uses a computer ‘without authorization’ under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”  (LVRC Holdings LLC v. Brekka (9th Cir. 2009) 581 F.3d 1127.) 

In USA v. Nosal (Nosal II) (2016), one of the questions for the three-judge panel was “whether the ‘without authorization’ prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means. ” It held among other things that “‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. . . . [O]nce authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.”

David Nosal was employed by an executive search (i.e., a headhunting) firm, Korn Ferry, when he decided to secretly launch a competing firm with a group of his co-workers.  Before leaving Korn Ferry, Nosal’s co-workers began downloading their employer’s confidential information.  While they were authorized to access such information within the scope of their employment, the downloads on behalf of Nosal violated their employer’s confidentiality and computer use policies.  (In an earlier 2012 appeal en banc (Nosal I), the Ninth Circuit took up the issue of whether access by his co-workers exposed Nosal to five counts of aiding and abetting.  It didn’t.)

When Nosal left his employer, the company revoked his computer access credentials, and when his two accomplices left, the company revoked theirs as well.  Nevertheless, Nosal and his accomplices continued to access the company database using the password of his crony former executive assistant, who remained with Korn Ferry at Nosal’s insistence.

The CFAA,  and specifically 18 U.S.C. sec. 1030(a)(4), imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .”  You get the picture.  

How does the CFAA affect a family court case in which the client’s sole intent is to locate winning evidence?  Probably very little because there’s no intent to defraud. Only in the case where there is an intent to defraud is it illegal under the CFAA to access information after such access has been unequivocally revoked.  Getting the information through a third party authorized to access the information is equally illegal under the CFAA if there is an intent to defraud and if the third party’s disclosure of the information is prohibited.  As mentioned in the previous post on this subject, a family court judicial officer could refer the matter to the District Attorney for prosecution under state law rather than the CFAA, and certainly no competent attorney would use such information if he or she knew how it was obtained because of the potential for discipline by the State Bar of California.