United States v. David Nosal
2016 U.S. App. LEXIS 12382
9th Cir.2016Background
- David Nosal, a former Korn/Ferry executive, conspired with ex-employees to copy and use proprietary "Searcher" database information to found a competing firm after Korn/Ferry revoked their computer credentials.
- After departure, Nosal and two former employees obtained Searcher data by using the login credentials of a current employee (FH) who provided her password; Korn/Ferry had revoked Nosal’s and the others’ own access.
- Earlier en banc appeal (Nosal I) held that the CFAA’s “exceeds authorized access” prong does not reach violations of employer use restrictions; that decision affirmed dismissal of CFAA counts based on employees’ misuse while still authorized.
- This appeal addressed whether accessing a protected computer is criminal under the CFAA when an employer has rescinded authorization and the actor gains entry via a current employee’s credentials (i.e., access "without authorization").
- The Ninth Circuit majority held that "without authorization" has its ordinary meaning — access without permission from the system owner — and affirmed Nosal’s convictions under 18 U.S.C. § 1030(a)(4) and under the Economic Espionage Act for trade-secret theft; restitution award remanded in part.
- Judge Reinhardt dissented, arguing the majority’s reading criminalizes widespread, consensual password-sharing and urging a narrower construction (authorization may come from either system owner or legitimate account holder) under the rule of lenity.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether access is “without authorization” under CFAA when employer revoked access but a current employee’s credentials were used | Government: Once employer rescinds permission, any subsequent access (even via another employee’s credentials) is "without authorization." | Nosal: Authorization can come from an account holder; consensual password-sharing should not be criminalized; CFAA targets hackers who circumvent technical barriers. | Court: "Without authorization" means lack of permission from system owner; revocation by employer makes access unauthorized even if via another employee’s login — conviction affirmed. |
| Whether the district court’s jury instruction on "without authorization" was proper | Government: Brekka-derived instruction accurately states that rescission by employer creates "without authorization." | Nosal: Instruction should require circumvention of technological barriers. | Court: Instruction correct; technological-circumvention requirement not in statute; any error harmless given evidence. |
| Sufficiency of mens rea for accomplice/aiding-and-abetting liability (including deliberate ignorance) | Government: Evidence showed Nosal knowingly induced former employees to access system and deliberately avoided confirming unauthorized access; deliberate-ignorance instruction appropriate. | Nosal: Needed advance knowledge per Rosemond; instruction improperly allowed conviction without advance knowledge. | Court: Deliberate ignorance satisfies "knowing" standard; Rosemond does not foreclose such instruction; evidence sufficient — convictions sustained. |
| Whether source lists were trade secrets under the EEA and whether evidence supported convictions | Government: Source lists are proprietary compilations deriving independent economic value and kept secret; Nosal knew and intended to harm Korn/Ferry. | Nosal: Data drawn from public sources; not sufficiently secret or difficult to develop; lacked knowledge of trade-secret status. | Court: Compilation and unique integration in Searcher support trade-secret status; jury could find secrecy, knowledge, and intent — EEA convictions affirmed. |
Key Cases Cited
- LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (held access is “without authorization” when employer rescinds permission and former employee uses access anyway)
- United States v. Nosal (Nosal I), 676 F.3d 854 (9th Cir. 2012) (en banc) (held CFAA “exceeds authorized access” does not cover violations of employer use restrictions)
- United States v. Valle, 807 F.3d 508 (2d Cir. 2015) (interpreting "without authorization" as access without permission)
- WEC Carolina Energy Solutions v. Miller, 687 F.3d 199 (4th Cir. 2012) (distinguishing access without authorization from exceeding authorized access based on employer approval)
- Rosemond v. United States, 134 S. Ct. 1240 (2014) (Supreme Court: accomplice must have advance knowledge of the planned crime to be liable for certain offenses)
- Jackson v. Virginia, 443 U.S. 307 (1979) (standard for reviewing sufficiency of the evidence)
- Pinkerton v. United States, 328 U.S. 640 (1946) (conspirator liability for reasonably foreseeable acts in furtherance of conspiracy)