United States v. Nosal
844 F.3d 1024
| 9th Cir. | 2016Background
- Nosal, a former Korn/Ferry executive, planned a competing search firm; Korn/Ferry revoked his and certain coworkers’ computer credentials when they left or changed status.
- Christian and Jacobson (former employees) accessed Korn/Ferry’s proprietary database (Searcher) after departure by using the active login credentials of a current employee, FH; they sent resulting source lists to Nosal.
- Earlier en banc decision (Nosal I) held that "exceeds authorized access" does not criminalize violations of employer use policies by current employees; that ruling led to dismissal of certain CFAA counts.
- This prosecution charged Nosal with conspiracy and aiding/abetting under 18 U.S.C. § 1030(a)(4) (accessing a protected computer "without authorization" with intent to defraud) and with trade-secret theft under the Economic Espionage Act (EEA).
- Jury convicted Nosal on CFAA and EEA counts; district court imposed prison, fines, and approximately $828,000 restitution; Ninth Circuit affirms convictions but vacates and remands part of restitution (attorneys’ fees).
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether accessing a computer after an employer rescinds access constitutes access "without authorization" under CFAA §1030(a)(4) | Government: "Without authorization" means lack of permission from the computer owner; revocation by employer makes subsequent access unauthorized. | Nosal: CFAA should not criminalize consensual password sharing or use of a current employee’s credentials; authorization may come from either the system owner or a legitimate account-holder. | Court: Adopts Brekka—authorization depends on employer action; rescission by employer means access is "without authorization." Conviction affirmed. |
| Whether use of a current employee’s credentials (FH) shields former employees from liability | Gov: FH had no authority to grant Korn/Ferry’s permission; use of her credentials circumvented employer revocation. | Nosal: FH’s permission was sufficient authorization; criminalizing this would sweep in commonplace password-sharing. | Court: FH could not override Korn/Ferry’s revocation; use of her credentials did not confer authorization. |
| Mens rea for accomplice liability: whether deliberate ignorance instruction and evidence suffice for "knowingly and with intent to defraud" | Gov: Evidence and deliberate-ignorance instruction supported finding Nosal knowingly aided unauthorized access. | Nosal: Lacked advance knowledge that FH’s credentials would be used; instruction improper under Rosemond. | Court: Deliberate ignorance fits Ninth Circuit precedent; evidence (testimony) was sufficient; accomplice liability upheld. |
| Validity and scope of restitution (attorneys’ fees, investigation costs) under MVRA | Gov/Korn/Ferry: MVRA permits restitution for investigation/prosecution expenses, including attorneys’ fees where reasonably necessary and foreseeable. | Nosal: Restitution cannot exceed "actual loss" used for Sentencing Guidelines; attorneys’ fees were excessive/duplicative. | Court: MVRA allows such restitution; award for investigation and employee time affirmed; attorneys’ fees vacated in part and remanded for reconsideration of reasonableness and duplicative work. |
Key Cases Cited
- LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (held access is "without authorization" when employer rescinds permission and person accesses anyway)
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) (held "exceeds authorized access" cannot be based solely on violations of employer use restrictions)
- United States v. Valle, 807 F.3d 508 (2d Cir. 2015) (construed "without authorization" as access without permission)
- WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012) (interpreted "authorization" by employer approval; distinguished access without approval)
- United States v. Morris, 928 F.2d 504 (2d Cir. 1991) (early CFAA decision addressing classic hacking and "without authorization")
- Pinkerton v. United States, 328 U.S. 640 (U.S. 1946) (co-conspirator liability for reasonably foreseeable overt acts)
- Conseco Finance Servicing Corp. v. North American Mortgage Co., 381 F.3d 811 (8th Cir. 2004) (database compilations from public sources can be trade secrets)