Monday, July 25, 2016

Does Nosal II Solve "Without Authorization" Question?

The trade-secrets community has awaited the follow-up decision to the long-running prosecution of former Korn/Ferry executive, David Nosal, based in part on the controversial Computer Fraud and Abuse Act. And with the Ninth Circuit's decision on July 5 in United States v. Nosal, the question remains whether we have answered any questions about the CFAA's potential reach.

Nosal I, a 2012 decision, was largely pro-employee and restricted the scope of the CFAA's most controversial provision - the so-called "exceeds authorized access" prong of Section 1030(a)(4). As a result of Nosal I, the consensus seems to be building that violations of use policies do not mean that a user exceeding his authorized access of a protected computer. In other words, it is not sufficient to base an (a)(4) claim on misuse.

But Nosal I did not address the other part of (a)(4). One cannot obtain anything of value out of a protected computer if he accesses a protected computer "without authorization." And that's where Nosal II squarely lands. The Ninth Circuit upheld Nosal's conviction on multiple CFAA claims under this aspect of (a)(4) under a fact paradigm that is well-known to trade-secret practitioners. Nosal and two ex-employees of Korn/Ferry obtained the password of a then-current Korn/Ferry employee to access a database containing valuable information on executive search candidates.

Was that access "without authorization" under (a)(4)? Yes, said a divided panel of the Ninth Circuit.

The case predictably has produced a lot of commentary, but the most essential read is Orin Kerr's lengthy analysis. The crux of the case hinged on whether it mattered that the current employee gave Nosal's co-conspirators the database password. The majority felt it crucial that Korn/Ferry said that the employee could not disseminate log-in credentials, while the dissenting judge examined whether the employee said yes when her former co-workers asked for the password.

I agree with Professor Kerr that the court reached the right result and that Nosal's accomplice liability conviction was appropriate. But as I read the dueling analyses before Kerr's cogent summary, it was quickly apparent that the case had the chance to be an extremely limited one. For starters, the case doesn't really seem to establish a rule for future application. As Judge Reinhardt notes in dissent, the holding seems to rely heavily on employment-related facts but the CFAA is not an employment law at all.

Professor Kerr then offers his take on where the case should have gone analytically and how the court could have bridged the two opinions. His take is that the  password sharing in the context of the "without authorization" standard really should have embraced an "agency/non-agency" distinction. In other words, because Nosal's co-conspirators used the current employee's password for their own purposes, there was no agency relationship among them. Kerr's argument looks principally to the initial delegation of authority (in Nosal II, that would be the computer access granted from employer to employee) and then to the subsequent conduct and whether it's outside the agency of the initial account holder. This, Kerr argues, would solve the "parade of horribles" laid out by the dissent, which extrapolate innocuous conduct into federal crimes. And in Nosal II itself, it would establish why the employee's grant of her log-in credentials to the ex-employees was "without authorization" - they couldn't have had an agency relationship at that point.

The CFAA, of course, remains a controversial law. Its use in garden-variety employment disputes may be waning in light of the federal Defend Trade Secrets Act. But it is still a potent weapon. What is notable about the plight of David Nosal is that it's not all that far removed from many fact patterns we see in civil cases. The conduct at issue was brazen, to be sure. Still, it seems awfully arbitrary that he has endured criminal prosecution for conduct that many others like him never would face. And on that score, the dissenting opinion's cautionary tale about the influence that Korn/Ferry's firm was able to muster is worth a read in its own right.

No comments:

Post a Comment