Lead Opinion
Dissent by Judge REINHARDT
OPINION
This is the second time we consider the scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, with respect to David Nosal. The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value....” Id. § 1030(a)(4) (emphasis added).
Only the first prong of the section is before us in this appeal: knowingly and with intent to defraud accessing a computer “without authorization.” Embracing our earlier precedent and joining our sister circuits, we conclude that “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door
Nosal worked at the executive search firm Korn/Ferry International when he decided to launch a competitor along with a group of co-workers. Before leaving Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new enterprise. Although they were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies. In 2012, we addressed whether those employees “exceed[ed] authorized access” with intent to defraud under the CFAA. United States v. Nosal (Nosal I),
The remaining counts relate to statutory provisions that were not at issue in Nosal I: access to a protected computer “without authorization” under the CFAA and trade secret theft under the Economic Espionage Act (“EEA”), 18 U.S.C. § 1831 et seq. When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained for a time as a contractor. The company took the same precaution upon the departure of his accomplices, Becky Christian and Mark Jacobson. Nonetheless, they continued to access the database using the credentials of Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux (“FH”), who remained at Korn/Ferry at Nosal’s request. The question we consider is whether the jury properly convicted Nosal of conspiracy to violate the “without authorization” provision of the CFAA for unauthorized access to, and downloads from, his former employer’s database called Searcher.
We directly answered this question in LVRC Holdings LLC v. Brekka,
Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators,
The dissent mistakenly focuses on FH’s authority, sidestepping the authorization question for Christian and Jacobson. To begin, FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked. Also, in collapsing the distinction between FH’s authorization and that of Christian and Jacobson, the dissent would render meaningless the concept of authorization. And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.
We also affirm Nosal’s convictions under the EEA for downloading, receiving and possessing trade secrets in the form of source lists from Searcher. We vacate in part and remand the restitution order for reconsideration of the reasonableness of the attorneys’ fees award.
Background
I. Factual Background
Nosal was a high-level regional director at the global executive search firm Korn/Ferry International. Korn/Ferry’s bread and butter was identifying and recommending potential candidates for corporate positions. In 2004, after being passed over for a promotion, Nosal announced his intention to leave Korn/Ferry. Negotiations ensued and Nosal agreed to stay on for an additional year as a contractor to finish a handful of open searches, subject to a blanket non-competition agreement. As he put it, Korn/Ferry was giving him “a lot of money” to “stay out of the market.”
During this interim period, Nosal was very busy, secretly launching his own search firm along with other Korn/Ferry employees, including Christian, Jacobson and FH. As of December 8, 2004, Korn/Ferry revoked Nosal’s access to its computers, although it permitted him to ask Korn/Ferry employees for research help on his remaining open assignments. In January 2005, Christian left Korn/Ferry and, under instructions from Nosal, set up an executive search firm — Christian & Associates — from which Nosal retained 80% of fees. Jacobson followed her a few months later. As Nosal, Christian and Jacobson began work for clients, Nosal used the name “David Nelson” to mask his identity when interviewing candidates.
The start-up company was missing Korn/Ferry’s core asset: “Searcher,” an internal database of information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995. Searcher was central to Korn/Ferry’s work for clients. When launching a new search to fill an open executive position, Korn/Ferry teams started by compiling a “source list” of potential candidates. In constructing the list, the employees would run queries in Searcher to generate a list of candidates. To speed up the process, employees could look at old source lists in Searcher to see how a search for a similar position was constructed, or to identify suitable candidates. The resulting source list could include hundreds of names, but then was
Searcher included data from a number of public and quasi-public sources like LinkedIn, corporate filings and Internet searches, and also included internal, nonpublic sources, such as personal connections, unsolicited resumes sent to Korn/Ferry and data inputted directly by candidates via Korn/Ferry’s website. The data was coded upon entry; as a result, employees could run targeted searches for candidates by criteria such as age, industry, experience or other data points. However, once the information became part of the Searcher system, it was integrated with other data and there was no way to identify the source of the data.
Searcher was hosted on the company’s internal computer network and was considered confidential and for use only in Korn/Ferry business. Korn/Ferry issued each employee a unique username and password to its computer system; no separate password was required to access Searcher. Password sharing was prohibited by a confidentiality agreement that Korn/Ferry required each new employee to sign. When a user requested a custom report in Searcher, Searcher displayed a message which stated: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”
Nosal and his compatriots downloaded information and source lists from Searcher in preparation to launch the new competitor. Before leaving Korn/Ferry, they used their own usernames and passwords, compiling proprietary Korn/Ferry data in violation of Korn/Ferry’s computer use policy. Those efforts were encompassed in the CFAA accounts appealed in Nosal I. See Nosal I,
After Nosal became a contractor and Christian and Jacobson left Korn/Ferry, Korn/Ferry revoked each of their credentials to access Korn/Ferry’s computer system. Not to be deterred, on three occasions Christian and Jacobson borrowed access credentials from FH, who stayed on at Korn/Ferry at Nosal’s request. In April 2005, Nosal instructed Christian to obtain some source lists from Searcher to expedite their work for a new client. Thinking it would be difficult to explain the request to FH, Christian asked to borrow FH’s access credentials, which Christian then used to log in to Korn/Ferry’s computer system and run queries in Searcher. Christian sent the results of her searches to Nosal. In July 2005, Christian again logged in as FH to generate a custom report and search for information on three individuals. Later in July, Jacobson also logged in as FH, to download information on 2,400 executives. None of these searches related to any open searches that fell under Nosal’s independent contractor agreement.
In March 2005, Korn/Ferry received an email from an unidentified person advising that Nosal was conducting his own business in violation of his non-compete agreement. The company launched an investigation and, in July 2005, contacted government authorities.
II. Procedural background
In the first indictment, Nosal was charged with twenty criminal counts, including eight counts under the CFAA, two trade secrets counts under the Economic Espionage Act and one conspiracy count. Five of the eight CFAA counts were based on allegations that FH and Christian downloaded material from Searcher using their own credentials while employed by Korn/Ferry in violation of company policies. The district court dismissed these counts, citing our decision Brekka,
The government filed a second superseding indictment in February 2013 with three CFAA counts, two trade secrets counts and one conspiracy count. Nosal’s remaining CFAA counts were based on the three occasions when Christian and Jacobson accessed Korn/Ferry’s system for their new clients using FH’s login credentials. The district court denied Nosal’s motion to dismiss the three remaining CFAA counts, rejecting the argument that Nosal I limited the statute’s applicability “to hacking crimes where the defendant circumvented technological barriers to access a computer.” United States v. Nosal,
ANALYSIS
I. Convictions Under the Computer Fraud and Abuse Act
A. Background of the CFAA
The CFAA was originally enacted in 1984 as the Counterfeit Access Device and Computer Fraud and Abuse Act, Pub. L. No. 98-473, § 2102(a), 98 Stat. 2190 (1984). The act was aimed at “hackers who accessed computers to steal information or to disrupt or destroy computer functionality....” Brekka,
Just two years later in 1986, Congress amended the statute to “deter[ ] and punish[] certain ‘high-tech’ crimes,” and “to penalize thefts of property via computer that occur as part of a scheme to defraud,” S. Rep. No. 99-432, at 4, 9 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2482, 2486-87. The amendment expanded the CFAA’s protections to private computers. Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, § 2(g)(4), 100 Stat. 1213-15.
The key section of the CFAA at issue is 18 U.S.C. § 1030(a)(4), which provides in relevant part:
Whoever ... knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ... shall be punished....
The CFAA defines “exceeds authorized access” as “access [to] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). The statute does not, however, define “without authorization.”
Both terms are used throughout § 1030. Subsection 1030(a)(2), which mirrors (a)(4) but requires that access be intentional, penalizes access without authorization and exceeding authorization. Subsection 1030(a)(1) also incorporates both terms in relation to accessing a computer and obtaining national security information. Subsection 1030(a)(7)(B) criminalizes extortion by threats to obtain information “without authorization or in excess of authorization.” The remaining subsections pertain only to access “without authorization.” Subsection 1030(a)(3) prohibits access “without authorization” to nonpublic government computers. Subsections 1030(a)(5) and (6) employ the term “without authorization” with respect to, among other things, “transmission of a program, information, code, or command,” § 1030(a)(5)(A); intentional access that “causes damage and loss,” § 1030(a)(5)(C); and trafficking in passwords, § 1030(a)(6). In construing the statute, we are cognizant of the need for congruence among these subsections.
B. Meaning of “Authorization” Under the CFAA
The interpretive fireworks under § 1030(a)(4) of the CFAA have been reserved for its second prong, the meaning of “exceeds authorized access.” Not surprisingly, there has been no division among the circuits on the straightforward “without authorization” prong of this section. We begin with the two Ninth Circuit cases that bind our interpretation of “without authorization” — Brekka and Nosal I — and then move on to address the cases from our sister circuits that are in accord with Brekka, agreeing that “without authorization” is an unambiguous term that should be given its ordinary meaning.
Brekka involved a former employee in circumstances remarkably similar to Nosal: he wanted to compete using confidential data from his former company. Christopher Brekka worked as an internet marketer with LVRC Holdings, LLC (“LVRC”), a residential addiction treatment center. Brekka,
In Brekka we analyzed both the “without authorization” and “exceeds authorization” provisions of the statute under §§ 1030(a)(2) and (4). Id. at 1132-36. Because the CFAA does not define the term “authorization,” we looked to the ordinary, contemporaneous meaning of the term: “ ‘permission or power granted by an authority.’ ” Id. at 1133 (quoting Random House Unabridged Dictionary 139 (2001)). In determining whether an employee has authorization, we stated that, consistent with “the plain language of the statute ... ‘authorization’ [to use an employer’s computer] depends on actions taken by the employer.” Id. at 1135. We concluded that
Brekka’s access after LVRC terminated his employment presented a starkly different situation: “There is no dispute that if Brekka accessed LVRC’s information on the [traffic monitoring] website after he left the company ..., Brekka would have accessed a protected computer ‘without authorization’ for purposes of the CFAA.” Id. at 1136.
Not surprisingly, in Nosal I as in this appeal, both the government and Nosal cited Brekka extensively. The focus of Nosal’s first appeal was whether the CFAA could be interpreted “broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.” Nosal I,
In Nosal I, authorization was not in doubt. The employees who accessed the Korn/Ferry computers unquestionably had authorization from the company to access the system; the question was whether they exceeded it. What Nosal I did not address was whether Nosal’s access to Korn/Ferry computers after both Nosal and his co-conspirators had terminated their employment and Korn/Ferry revoked their permission to access the computers was “without authorization.” Brekka is squarely on point on that issue: Nosal and his co-conspirators acted “without authorization” when they continued to access Searcher by other means after Korn/Ferry rescinded permission to access its computer system. As Nosal I made clear, the CFAA was not intended to cover unauthorized use of information. Such use is not at issue here. Rather, under § 1030(a)(4), Nosal is charged with unauthorized access — getting into the computer after categorically being barred from entry.
Implicit in the definition of authorization is the notion that someone, including an entity, can grant or revoke that permission. Here, that entity was Korn/Ferry and FH had no mantle or authority to give permission to former employees whose access had been categorically revoked by the company.
Our analysis is consistent with that of our sister circuits, which have also determined that the term “without authorization” is unambiguous.
Beginning in 1991, in construing § 1030(a)(5)(A),
The Fourth Circuit’s analysis mirrors the conclusion that the “without authorization” language is unambiguous based on its ordinary meaning:
Recognizing that the distinction between [“exceeds authorized access” and access “without authorization”] is arguably minute, we nevertheless conclude based on the ordinary, contemporary, common meaning of “authorization,” that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer. Thus, he accesses a computer “without authorization” when he gains admission to a computer without approval. Similarly, we conclude that an employee “exceeds authorized access” when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.
WEC Carolina Energy Solutions LLC v. Miller,
Like the other courts, the Sixth Circuit noted that “[t]he plain meaning of ‘authorization’ is ‘[t]he conferment of legality; ... sanction.’ Commonly understood, then, a defendant who accesses a computer ‘without authorization’ does so without sanction or permission.” Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am.,
In the face of multiple circuits that agree with our plain meaning construction of the statute, the dissent would have us ignore common sense and turn the statute inside out. Indeed, the dissent frames the question upside down in assuming that permission from FH is at issue. Under this approach, ignoring reality and practice, an employee could willy nilly give out passwords to anyone outside the company— former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.
Our conclusion does nothing to expand the scope of violations under the CFAA beyond Brekka; nor does it rest on the grace of prosecutorial discretion. We are mindful of the examples noted in Nosal I — and reiterated by Nosal and various amici — that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal I,
C. Jury Instruction on “Without Authorization”
With respect to the meaning of “without authorization,” the district court instructed the jury as follows:
Whether a person is authorized to access the computers in this case depends on the actions taken by Korn/Ferry to grant or deny permission to that person to use the computer. A person uses a computer “without authorization” when the person has not received permission from Korn/Ferry to use the computer for any purpose (such as when a hacker accesses the computer without any permission), or when Korn/Ferry has rescinded permission to use the computer and the person uses the computer anyway.
The instruction is derived directly from our decision in Brekka and is a fair and accurate characterization of the plain meaning of “without authorization.” Although the term “without authorization” is unambiguous, it does not mean that the facts don’t matter; the source and scope of authorization may well be at issue. Here, it was not disputed that Korn/Ferry was the source of permission to grant authorization. The jury instruction left to the jury to determine whether such permission was given.
Nosal challenges the instruction on the basis that the CFAA only criminalizes access where the party circumvents a technological access barrier.
In any event, Nosal’s argument misses the mark on the technological access point. Even if he were correct, any instructional error was without consequence in light of the evidence. The password system adopted by Korn/Ferry is unquestionably a technological barrier designed to keep out those “without authorization.” Had a thief stolen an employee’s password and then used it to rifle through Searcher, without doubt, access would have been without authorization.
The same principle holds true here. A password requirement is designed to be a technological access barrier.
Nosal’s convictions under the CFAA rest on accomplice liability. Nosal claims the government failed to prove the requisite mens rea. Two instructions bear on this issue: aiding and abetting and deliberate ignorance. As to the former, which is not challenged on appeal, the court instructed that the government must prove Nosal “knowingly and intentionally aided, counseled, commanded, induced or procured [a] person to commit each element of the crime” and did so “before the crime was completed ... with the knowledge and intention of helping that person commit the crime.” The court also instructed that the defendant acted “knowingly” if he was “aware of the act and [did] not act or fail to act through ignorance, mistake, or accident.” The adjunct deliberate ignorance instruction read: the defendant acted “knowingly” if he “was aware of a high probability that [Christian, Jacobson, or FH] had gained unauthorized access to a computer ... or misappropriated trade secrets ... without authorization .... and deliberately avoided learning the truth.”
At trial, Nosal objected to the deliberate ignorance instruction on the ground that the facts alleged did not permit a deliberate ignorance theory. On appeal, for the first time, he argues that the instruction is erroneous because it undermines the requirement that Nosal had advance knowledge of the crime.
We have repeatedly held that a statutory requirement that a criminal defendant acted “knowingly” is “not limited to positive knowledge, but includes the state of mind of one who does not possess positive knowledge only because he consciously avoided it.” United States v. Heredia,
Nor does the recent case Rosemond v. United States counsel a different result. — U.S. -,
Apart from the instruction, Nosal challenges the sufficiency of the evidence, claiming evidence of intent was insufficient because he didn’t have advance knowledge that Christian and Jacobson would use FH’s password. This attack fails because, “after viewing the evidence in the light most favorable to the prosecution, any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt.” Jackson v. Virginia,
Although the conviction may be upheld solely under Pinkerton, which “ ‘renders all co-conspirators criminally liable for reasonably foreseeable overt acts committed by others in furtherance of the conspiracy,’ ” United States v. Bingham,
Christian’s testimony is illustrative:
Q. Did the defendant know you were using [FH’s] password, after you left Korn/Ferry, to get source lists and other documents from Korn/Ferry?
A. Yes.
Q. Any doubt in your mind that he knew that?
A. No.
This unequivocal statement, which more than satisfies the Jackson v. Virginia standard, is bolstered by other evidence, including extensive testimony that Nosal wanted his team to obtain information from Searcher while maintaining his distance from their activities but knew and understood that none of them had access credentials. A juror also could have easily surmised that Nosal, having worked with FH for years on a daily basis, would have known that she had herself never run custom reports, developed source lists or pulled old source lists. When Nosal specifically directed Christian to access Korn/Ferry’s computer system to “[g]et what I need,” Nosal knew that the only way Christian and Jacobson could access the source lists was “without authorization” because Korn-Ferry had revoked their access credentials.
We affirm Nosal’s conviction on the CFAA counts.
II. Convictions Under the Economic Espionage Act (EEA)
The jury convicted Nosal of two counts of trade secret theft under the EEA: Count 5 charged “unauthorized downloading, copying and duplicating of trade se
A. Sufficiency of the Evidence— Counts 5 and 6
Violation of the EEA requires, among other things, “intent to convert a trade secret” and “intending or knowing that the offense will[ ] injure [an] owner of that trade secret....” 18 U.S.C. § 1832(a). The jury instruction for Count 5 — downloading, copying and duplicating trade secrets — set out the following elements:
1. At least one of the three source lists is a trade secret (requiring agreement on which one);
2. Nosal knew that the source list was a trade secret;
3. Nosal knowingly, and without authorization, downloaded, copied or duplicated the trade secret;
4. Nosal intended to convert the trade secret to the economic benefit of someone other than the owner;
5. Nosal knew or intended that the offense would injure the trade secret owner; and
6. The trade secret was related to or included in a product in interstate commerce.
The instruction for Count 6 — receiving and possessing trade secrets — replaced the third element with a requirement of knowing receipt or possession of a trade secret with the knowledge that it was “stolen or appropriated, obtained, or converted without authorization” and added the “cut and paste” list as one of the possible trade secrets.
Nosal argues that the government failed to prove: 1) secrecy and difficulty of development, because the search information was derived from public sources and because there was no evidence the source lists had not been circulated outside Korn/Ferry; 2) knowledge of trade secret status; and 3) knowledge of injury to, or an intent to injure, Korn/Ferry.
The notion of a trade secret often conjures up magic formulas, like Coca Cola’s proprietary formula, technical drawings or scientific data. So it is no surprise that such technically complex cases have been brought under the EEA. See, e.g., United States v. Chung,
But the scope of the EEA is not limited to these categories and the EEA, by its terms, includes financial and business information. The EEA defines a trade secret as
all forms and types of financial, business, scientific, technical, economic, or engineering information, including ... compilations ... if (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by the public....
18 U.S.C. § 1839(3).
The thrust of Nosal’s argument is that the source lists are composed largely, if not entirely, of public information and therefore couldn’t possibly be trade secrets. But he overlooks the principle that a trade secret may consist of a compilation of data, public sources or a combination of proprietary and public sources. It is well recognized that
it is the secrecy of the claimed trade secret as a whole that is determinative. The fact that some or all of the components of the trade secret are well-known does not preclude protection for a secret combination, compilation, or integration of the individual elements.... [T]he theoretical possibility of reconstructing the secret from published materials containing scattered references to portions of the information or of extracting it from public materials unlikely to come to the attention of the appropriator will not preclude relief against the wrongful conduct. ...
Restatement (Third) of Unfair Competition § 39 cmt. f (1995); see also Computer Care v. Serv. Sys. Enters., Inc.,
The source lists in question are classic examples of a trade secret that derives from an amalgam of public and proprietary source data. To be sure, some of the data came from public sources and other data came from internal, confidential sources. But cumulatively, the Searcher database contained a massive confidential compilation of data, the product of years of effort and expense. Each source list was the result of a query run through a proprietary algorithm that generates a custom subset of possible candidates, culled from a database of over one million executives. The source lists were not unwashed, public-domain lists of all financial executives in the United States, nor otherwise related to a search that could be readily completed using public sources. Had the query been “who is the CFO of General Motors” or “who are all of the CFOs in a particular industry,” our analysis might be different. Instead, the nature of the trade secret and its value stemmed from the unique integration, compilation, cultivation, and sorting of, and the aggressive protections applied to, the Searcher database.
Nosal takes the view that the source lists are merely customer lists that cannot be protected as trade secrets. This characterization attempts to sidestep the unique nature of the source lists, which are the customized product of a massive database, not a list of well-known customers. Regardless, courts have deemed customer lists protectable trade secrets. See, e.g., Hollingsworth Solderless Terminal Co. v.
Our approach is not novel. This case is remarkably similar to Conseco Finance Servicing Corp. v. North American Mortgage Co.,
Nosal also takes aim at the secrecy of the three source lists in question, an argument that is intertwined with his public domain/compilation claim. The jury heard more than enough evidence to support its verdict. Christian acknowledged that the only place she could obtain the source lists she needed was on Korn/Ferry’s computer system. Notably, some of the downloaded information came from a source list for an engagement that was opened only twelve days prior to the April 12 downloads underlying the trade secret counts.
Although Nosal claims that Korn/Ferry’s sharing of lists with clients and others undermined this claim of secrecy, witnesses who worked at Korn/Ferry did not budge in terms of procedures undertaken to keep the data secret, both in terms of technology protections built into the computer system and the limitations on distribution of the search results. For example, the Vice-President of Information Services testified that, to her knowledge, the source lists had never been released by Korn/Ferry to any third parties. As a matter of practice, Korn/Ferry did not show source lists to clients. In the occasional instance when a client was given a source list or shown one at a pitch, it was provided on an understanding of confidentiality, and disclosing the lists was contrary to company policy. It is also well established that “confidential disclosures to employees, licensees, or others will not destroy the information’s status as a trade secret.” Restatement (Third) of Unfair Competition § 39 cmt. f (1995).
In light of the above, it would be naive to conclude that Nosal was unaware that the information pirated by Christian included trade secrets or that the piracy would harm Korn/Ferry. As a former senior executive at Korn/Ferry, Nosal was deeply familiar with the competitive advantage Searcher provided, and was cognizant of the measures the company took to protect the source lists generated. He signed a confidentiality agreement stating that “information databases and company rec
Nosal’s argument that he and his colleagues were unaware their actions would harm Korn/Ferry also holds no water. They launched a direct competitor to Korn/Ferry and went to great lengths to access the source lists, fully aware of the competitive advantage Searcher gave Korn/Ferry as they attempted to populate their own database. Christian underscored the value of the lists through her testimony that she and Nosal used the source lists to complete searches faster and gain credibility with clients. They recognized that the required substantial investment of time, money and elbow grease to even try to replicate the source lists would have destroyed their prime value — immediacy.
At trial, Nosal’s counsel endeavored to attack the secrecy, knowledge and other elements of the trade secret counts. The jury heard extensive testimony and argument. Construing the evidence in the light most favorable to the government, a rational juror could have concluded that the evidence supported convictions under §§ 1832(a)(2), (3) and (4) of the EEA. As the Supreme Court explained just this year, our “limited review does not intrude on the jury’s role ‘to resolve conflicts in the testimony, to weigh the evidence, and to draw reasonable inferences from basic facts to ultimate facts.’ ” Musacchio,
B. Conspiracy Jury Instruction
With respect to trade secrets, the conspiracy jury instruction stated that “the government need not prove the existence of actual trade secrets and that Defendant knew that the information in question was a trade secret. However, the government must prove that Defendant firmly believed that certain information constituted trade secrets.” Nosal argues that the court constructively amended the indictment because the indictment alleges theft of actual trade secrets while the jury instruction did not require proof of actual trade secrets. Constructive amendment occurs where “the crime charged is substantially changed at trial, so that it is impossible to know whether the grand jury would have indicted for the crime actually proved.” United States v. Howick,
In a related vein, Nosal claims that the instruction unfairly removes the requirement to prove an actual trade secret. The instruction reflects our circuit’s precedent on conspiracy charges — a conviction may be upheld even where the object of the crime was not a legal possibility. See United States v. Rodriguez,
C. Evidentiary Challenges
Nosal disputes evidentiary rulings made regarding his non-competition agreement. Although Nosal was permitted to testify that he believed the agreement was illegal, the court struck certain testimony by government witnesses about the agreement and also precluded evidence about the enforceability of the agreement under California law. The jury was instructed that whether “Mr. Nosal breached or did not breach this covenant is not relevant to the question of whether he is guilty of the crimes charged in this case.” The district court did not abuse its discretion.
In closing rebuttal, the government argued that Nosal’s use of the name “David Nelson” showed his intent to conspire to steal information from Korn/Ferry. Importantly, the government did not link Nosal’s charade to the legality of the non-competition agreement. This passing reference, which was not objected to at trial, was harmless and certainly does not rise to the level of plain error.
III. Restitution Order
The district court awarded Korn/Ferry $827,983.25 in restitution. We review de novo the legality of the restitution order and review for clear error the factual findings that support the order. United States v. Luis,
The restitution order identified three categories of recoverable losses: 1) Korn/Ferry’s internal investigation costs incurred in attempting to ascertain the nature and scope of Nosal’s breach, in the amount of $27,400; 2) the value of Korn/Ferry’s employee time spent participating in and assisting the government’s investigation and prosecution, in the amount of $247,695; and 3) the attorneys’ fees incurred by Korn/Ferry in aid of the investigation or prosecution of the offense, in the amount of $595,758.25. While the government asked for a higher amount, the district court reduced the award, primarily by cutting the request for attorneys’ fees from $964,929.65 to $595,758.25 for invoices “not demonstrably reasonably necessary to the government’s investigation and prosecution,” for “staffing inefficiencies,” and for “time spent on ‘press’ and file/order reviewing charges.”
The district court relied on the Mandatory Victim Restitution Act (MVRA), which “makes restitution mandatory for particular crimes, including those offenses
We must initially decide whether, as Nosal urges, the restitution award is invalid because it exceeds the actual loss that the district court determined for the purposes of the Sentencing Guidelines, U.S.S.G. § 2B1.1(b) — calculated at $46,907.88. The answer to that question is found in our observation that “calculating loss under the guidelines is not necessarily identical to loss calculation for purposes of restitution.” United States v. Hunter,
In contrast with the MVRA, which includes expenses related to investigation and prosecution, such costs are categorically excluded under the Sentencing Guidelines applicable here. The guidelines provision for actual loss for crimes of fraud explicitly excludes “costs incurred by victims primarily to aid the government in[ ] the prosecution and criminal investigation of an offense.” U.S.S.G. § 2B1.1 cmt. 3(D)(ii). From that, Nosal appears to assume, without any support, that “actual loss” is a term-of-art, such that in this category of offenses a restitution order could never include investigation costs or attorneys’ fees in aid of the government. That assumption is not warranted under the plain language of the MVRA, which notably never uses the terminology of actual loss.
In an effort to overcome the differences between the MVRA and the guidelines, Nosal points to our decision in United States v. Stoddard,
Having determined that the restitution award was “within the bounds of the statutory framework,” we turn to whether the district court nevertheless abused its discretion in awarding nearly $1 million in restitution. See Waknine,
We applaud the district court’s thorough review of the voluminous time and fee records submitted by the government and Korn/Ferry. We agree with the award for internal investigation costs to uncover the extent of the breach and for the value of employee time spent participating in the government’s investigation and prosecution. See, e.g., United States v. De La Fuente,
While the district court’s reduction of the fee award was a step in the right direction, our review of the record convinces us that the court should have gone further. Several principles guide this conclusion. To begin, the fees must be the direct and foreseeable result of the defendant’s conduct. Gordon,
Even after reduction, the total amount of fees awarded is striking, particularly given that the trial ultimately involved only three discrete incidents of criminal behavior. Although resulting in multiple counts, at bottom the events were temporally circumscribed and limited in scope. We note that a highly disproportionate percentage of the fees arose from responding to requests and inquiries related to sentencing, damages, and restitution. The reasonableness of the fees needs to be reexamined to consider (i) whether the sizeable fee related to restitution matters was reasonable; (ii) whether there was unnecessary duplication of tasks between Korn/Ferry staff and its attorneys since the court awarded a substantial sum for the time of Korn/Ferry employees; and (iii) whether the outside attorneys were substituting for or duplicating the work of the prosecutors, rather than serving in a participatory capacity.
We vacate the restitution award with respect to the attorneys’ fees and remand for reconsideration in light of the principles and observations set out above.
AFFIRMED, EXCEPT VACATED IN PART AND REMANDED WITH RESPECT TO THE RESTITUTION AWARD.
Notes
. As in Nosal I, Nosal did not himself access and download information from Korn/Ferry's database. Nosal was convicted of three substantive CFAA counts on either an aiding and abetting or conspiracy theory. Under either, Nosal is liable for the conduct of Christian and Jacobson. See Pinkerton v. United States,
. A computer is defined broadly as “an electronic ... data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device....” 18 U.S.C. § 1030(e)(1). The CFAA’s restrictions have been applied to computer networks, databases and cell phones. See, e.g., United States v. Valle,
. The act was later expanded to protect any computer "used in interstate or foreign commerce or communication.” Economic Espionage Act of 1996, Pub. L. 104-294, § 201(4)(B), 110 Stat. 3488, 3493 (codified as amended at 18 U.S.C. § 1030(e)(2)(B)).
. Brekka's authorization terminated when his employment terminated, not because his password expired. Expired passwords do not necessarily mean that authorization terminates: authorized account-holders often let their passwords lapse before updating the password or contacting the company’s technical support team for help, but expiration of a password doesn't necessarily mean that account authorization has terminated.
. For example, Title 18 covers a number of offenses that stem from conduct "without authorization.” See, e.g., 18 U.S.C. § 1388(a)(2)(B) (holding liable any person who "willfully and without proper authorization imped[es]” access to a funeral of a member of the Armed Forces); 18 U.S.C. § 1831(a) (holding liable for economic espionage "[w]hoever, intending or knowing that the offense will benefit any foreign government ... knowingly ... without authorization appropriates, takes, carries away, or conceals” trade secrets); 18 U.S.C. § 2701 (holding liable any person who “intentionally accesses without authorization a facility through which an electronic communication service is provided ... and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage”).
. We do not invoke the rule of lenity because "the touchstone of the rule of lenity is statutory ambiguity,” Bifulco v. United States,
. The dissent rests its argument on the fact that Brekka had "no possible source of authorization.” The same is true here — Nosal had "no possible source of authorization” since the company revoked his authorization and, while FH might have been wrangled into giving out her password, she and the others knew that she had no authority to control system access.
. Nosal argues that he cannot be held liable because, as a contractor, he was entitled to access information from Korn/Ferry's database. Nosal misconstrues his authorization following his departure from Korn/Ferry: he was only entitled to information related to his open searches, and being entitled to receive information does not equate to permission to access the database. Further, Nosal’s liability as a co-conspirator turns on whether Christian and Jacobson acted "without authorization.”
. We note that the terms "insider” and "outsider” in these circumstances are simply descriptive proxies for the status of the parties here and in Brekka. There obviously could be an "insider” in a company, such as a cleaning or maintenance person, who is not authorized to access any computer or company information but who, nonetheless, accesses the company computer "without authorization.”
. Although the Supreme Court recently affirmed a conviction under the CFAA with facts similar to those here, it did not address interpretation of "without authorization.” See Musacchio v. United States, — U.S.-,
. See discussion in Nosal I,
. This section of the CFAA criminalizes intentional "transmission of a program, information, code, or command” to a protected computer "without authorization” causing damage. 18 U.S.C. § 1030(a)(5)(A).
. Nosal did not object to this instruction at the jury instruction conference. He did, however, raise the issue and offer a circumvention instruction earlier in the proceedings and objected to an earlier version of this instruction. Whether we review the instruction de novo or for plain error, the result is the same because the instruction was correct.
. The district court accommodated Nosal’s many objections to this instruction. In particular, at his request, the instruction included the names of the co-conspirators. When the court asked if this included “the three people,” Nosal’s counsel said, “Right.” The instruction thus incorporated, with no further objection or comment, FH’s name. Nosal thus waived any challenge to inclusion of her name, which was not plain error in any event.
. This was the text of § 1839 at the time the offenses were committed. Congress recently amended § 1839, replacing "the public” with "another person who can obtain economic value from the disclosure or use of the information.” Defend Trade Secrets Act of 2016, Pub. L. No. 114-153, § 2(b)(1)(A), 130 Stat. 376, 380.
. See also Rivendell Forest Prods., Ltd. v. Ga.-Pac. Corp.,
. We agree with the district court's decision to accept the hourly rate of Korn/Ferry’s attorneys. Recognizing the importance and impact of the breach, Korn/Ferry cannot be
Dissenting Opinion
dissenting:
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.
The first time this case came before us we examined whether Nosal’s former colleagues acted “without authorization, or exceed[ed] authorized access” when they downloaded information from Searcher while still employed at Korn/Ferry and shared it with Nosal in violation of the firm’s policies. United States v. Nosal (Nosal I),
Today, addressing only slightly different conduct, the majority repudiates important
At issue are three incidents of password sharing. On these occasions while FH was still employed at Korn/Ferry, she gave her password to Jacobson or Christian, who had left the company. Her former colleagues then used her password to download information from Searcher. FH was authorized to access Searcher, but she did not download the information herself because it was easier to let Jacobson or Christian do it than to have them explain to her how to find it. It would not have been a violation of the CFAA if they had simply given FH step-by-step directions, which she then followed. Thus the question is whether because Jacobson and Christian instead used FH’s password with her permission, they are criminally liable for access “without authorization” under the Act.
The majority finds the answer is “yes,” but in doing so commits the same error as the circuits whose views we rejected in Nosal I. My colleagues claim that they do not have to address the effect of their decision on the wider population because Nosal’s infelicitous conduct “bears little resemblance” to everyday password sharing. Notably this is the exact argument the dissent made in Nosal I: “This case has nothing to do with playing sudoku, checking email, [or] fibbing on dating sites.... The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases.”
We, of course, rejected the dissent’s argument in Nosal I. We did so because we recognized that the government’s theory made all violations of use restrictions criminal under the CFAA, whether the violation was innocuous, like checking your personal email at work, or more objectionable like that at issue here. Because the statute was susceptible to a narrower interpretation, we rejected the government’s broader reading under which “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” Id. at 859. The same is true here. The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.
Therefore, despite the majority’s attempt to construe Nosal I as only applicable to “exceeds authorized access,” the case’s central lesson that the CFAA should not be interpreted to criminalize the ordinary conduct of millions of citizens applies equally strongly here. Accordingly, I would hold that consensual password sharing is not the kind of “hacking” covered by the CFAA. That is the case whether or not the voluntary password sharing is with a former employee and whether or not the former employee’s own password had expired or been terminated.
I.
“Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking,” Nosal I,
“Without authorization” is used in a number of places throughout the CFAA, but is not defined in the Act. The phrase appears in two subsections relevant to this case: § 1030(a)(2)(C) and (a)(4). Subsection (a)(2)(C) criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] ... information from any protected computer.” This is the “broadest provision” of the CFAA. Nosal I.
Our definition of “without authorization” in this case will apply not only to (a)(4), but also to (a)(2)(C) and the rest of the Act. In Nosal I, the government contended that “exceeds authorization” could be interpreted more narrowly in (a)(2)(C) than in (a)(4), but we concluded: “This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the ‘standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning.’ ”
It is thus necessary to consider the potential breadth of subsection (a)(2)(C) if we construe “without authorization” with less than the utmost care. Subsection (a)(2)(C) criminalizes nearly all intentional access of a “protected computer” without authorization.
II.
The majority is wrong to conclude that a person necessarily accesses a computer account “without authorization” if he does so without the permission of the system owner.
Was access in these examples authorized? Most people would say “yes.” Although the system owners’ policies prohibit password sharing, a legitimate account holder “authorized” the access. Thus, the best reading of “without authorization” in the CFAA is a narrow one: a person accesses an account “without authorization” if he does so without having the permission of either the system owner or a legitimate account holder.
This narrower reading is more consistent with the purpose of the CFAA. The CFAA is essentially an anti-hacking statute, and Congress intended it as such. Nosal I,
Nosal’s conduct was, of course, unscrupulous. Nevertheless, as the Second Circuit found in interpreting the CFAA,
III.
The majority insists that the text of the statute requires its broad construction, but that is simply not so. Citing our decision in Brekka, the majority defines “authorization” as “permission or power granted by an authority.” After appealing to “ordinary meaning,” “common sense meaning,” and multiple dictionaries to corroborate this definition, the majority asserts that the term is “not ambiguous.”
The majority is wrong. The majority’s (somewhat circular) dictionary definition of “authorization” — “permission conferred by an authority” — hardly clarifies the meaning of the text. While the majority reads the statute to criminalize access by those without “permission conferred by” the system owner, it is also proper (and in fact preferable) to read the text to criminalize access only by those without “permission conferred by” either a legitimate account holder or the system owner. The question that matters is not what authorization is but who is entitled to give it. As one scholar noted, “there are two parties that have plausible claims to [give] authorization: the owner/operator of the computer, and the legitimate computer account holder.” Orin S. Kerr, Computer Crime Law 48 (3d ed. 2013). Under a proper construction of the statute, either one can give authorization.
The cases the majority cites to support its contention that the statute’s text requires a broad construction merely repeat dictionary definitions of “without authorization.” Those cases do nothing to support the majority’s position that authorization can be given only by the system owner. The Fourth Circuit, quoting the Oxford English Dictionary, found that “based on the ordinary, contemporary, common meaning of ‘authorization,’ ” an employee “accesses a computer ‘without authorization’ when he gains admission to a computer without approval.” WEC Carolina Energy Solutions LLC v. Miller,
As the Supreme Court has repeatedly held, “where there is ambiguity in a criminal statute, doubts are resolved in favor of the defendant.” United States v. Bass,
The “venerable” rule of lenity ensures that individuals are on notice when they act. Santos,
Worse, however, the majority’s construction would base criminal liability on system owners’ access policies. That is exactly what we rejected in Nosal I. See
If this were a civil statute, it might be possible to agree with the majority, but it is not. The plain fact is that the Act unquestionably supports a narrower interpretation than the majority would afford it. Moreover, the CFAA is not the only criminal law that governs computer crime. All fifty states have enacted laws prohibiting computer trespassing. A conclusion that Nosal’s actions do not run afoul of the CFAA need not mean that Nosal is free from criminal liability, and adopting the proper construction of the statute need not thwart society’s ability to deter computer crime and punish computer criminals— even the “industrious hackers” and “bank robbers” that so alarm the majority.
IV.
In construing any statute, we must be wary of the risks of “selective or arbitrary enforcement.” United States v. Kozminski,
Simply put, the majority opinion contains no limiting principle.
It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told customers that no one but the customer may access the customer’s account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.
Even if the majority opinion could be limited solely to employment, the consequences would be equally untoward. Very often password sharing between a current and past employee serves the interest of the employer, even if the current employee is technically forbidden by a corporate policy from sharing his password. For example, if a current Korn/Ferry employee were looking for a source list for a pitch meeting which his former colleague had created before retirement, he might contact him to ask where the file had been saved. The former employee might say “it’s too complicated to explain where it is; send me your password and I’ll find it for you.” When the current employee complied
Brekka, cited repeatedly in the majority opinion, did not threaten to criminalize the everyday conduct of millions of citizens. Nor does that case foreclose the preferable construction of the statute. Brekka primarily addressed the question of whether an employee’s violation of the duty of loyalty could itself render his access unauthorized.
In sum, § 1030(a)(2)(C) covers so large a swath of our daily lives that the majority’s construction will “criminalize a broad range of day-to-day activity.” Kozminski,
V.
Nosal’s case illustrates some of the special dangers inherent in criminal laws which are frequently violated in the commercial world, yet seldom enforced. To quote a recent comment by a justice of the Supreme Court with regard to a statute that similarly could be used to punish indiscriminately: “It puts at risk behavior that is common. That is a recipe for giving the Justice Department and prosecutors enormous power over [individuals].” Transcript of Oral Argument at 38, McDonnell v. United States, — U.S.-,
To be clear, I am not implying that there is any misconduct on the part of the prosecution in this case. Nevertheless, private assistance of such magnitude blurs the line between criminal and civil law. Courts have long held that “a private citizen lacks a judicially cognizable interest in the prosecution or nonprosecution of another.” Linda R.S. v. Richard D.,
Prosecutors cannot help but be influenced by knowing that they can count on an interested private party to perform and finance much of the work required to convict a business rival. As the Supreme Court found recently: “Prosecutorial discretion involves carefully weighing the benefits of a prosecution against the evidence needed to convict, [and] the resources of the public fisc.” Bond v. United States, — U.S.,
VI.
“There is no doubt that this case is distasteful; it may be far worse than that.” McDonnell v. United States, 579 U.S. -,
. Nosal was charged as criminally culpable for Jacobson’s and Christian’s alleged violations under a theory of either aiding and abetting or conspiracy.
. The penalty for violating § 1030(a)(2)(C) may also be increased if the government proves an additional element under (c)(2)(B).
. Computer is defined under the Act as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” 18 U.S.C. § 1030(e)(1). See also United States v. Mitra,
To violate § 1030(a)(2)(C) a person must also "obtain information,” but it is nearly impossible to access a computer without also obtaining information. As we noted in Nosal I, obtaining information includes looking up a weather report, reading the sports section online, etc. See also Sen. Rep. No. 104-357, at 7 (1996) (" ‘[O]btaining information’ includes merely reading it.”).
. The term "system owner” refers to the central authority governing user accounts, whether the owner of a single computer with one or several user accounts, a workplace network with dozens, or a social networking site, bank website, or the like, with millions of user accounts.
. For example, a recent survey showed that 46% of parents have the password to their children’s social networking site, despite the fact that the largest site, Facebook, forbids password sharing. See USC Annenberg School Center for the Digital Future, 2013 Digital Future Report 135 (2013), http://www.digitalcenter.org/wp-content/uploads/2013/06/2013-Report.pdf.
. The Tenth Circuit case the majority cites, United States v. Willis,
. Moskal v. United States,
. It is evident that Nosal is not such a person. This case, however, differs from Bush v. Gore,
. In fact, the ubiquity of state regulation targeting computer trespassing counsels in favor of the narrower interpretation of the federal statute. "Congress has traditionally been reluctant to define as a federal crime conduct readily denounced as criminal by the States.” Bond v. United States,-U.S.-,
. The government has not offered a workable standard for distinguishing Nosal's case from innocuous password sharing either in the context of employment or outside of it. With respect to things like Facebook password sharing, for example, the government gamely states that in other "categories of computer users,” aside from employees, defendants might be able to claim password sharing gave them authorization even if it was against the policy of the website, but does not offer any line of its own or even a hint as to what in the statute permits such a distinction.
. The majority tries to dismiss Nosal I as irrelevant because in the end it only interprets "exceeds authorized access.” This is wrong for two reasons. First, while Nosal I’s holding applies directly only to "exceeds authorized access,” its discussion of password sharing affects the meaning of "without authorization” as well. This is because the "close friends [or] relatives” have no right to access Facebook’s or the email provider’s servers, unless the account holder's password sharing confers such authorization. Although in Nosal I we rejected the Seventh Circuit’s holding in Int’l Airport Centers, L.L.C. v. Citrin, that court correctly observed that the distinction between "exceeds authorized access” and "without authorization” is often “paper thin."
. To make the analogy exact, assume the wife had recently closed her account with the bank or withdrawn as a member of a joint-account with her husband and thus had her credentials rescinded.
. This example also demonstrates the problem with the majority's reliance on the fact that — like all former Korn/Ferry employees— Christian and Jacobson’s credentials had expired. The expiration of someone's credentials is not a reliable indicator of criminal culpability in a password sharing case.
. It was recently reported that more than a few corporate firms, including O’Melveny’s rival Gibson, Dunn and Crutcher, charge as much as $2,000 per hour for some partners’ time. Natalie Rodriguez, Meet the $2,000 An Hour Attorney, Law360, June 11, 2016, http://www.law360.com/articles/804421/meet-the-2-000-an-hour-attorney.
. Indeed, the Court has recognized that limited government funds sometimes play an important part in restraining potential executive overreach. See Illinois v. Lidster, 540 U.S.
. The fact that the interested party may be able to recover its attorneys’ fees if the prosecution is successful does not affect this analysis.
. Nosal argues that because the jury was instructed under Pinkerton, if the conspiracy count and substantive CFAA counts are vacated or reversed, so too must both the trade secrets counts. The government does not contest this assertion in its answering brief. I would therefore vacate the trade secrets counts. See United States v. Gamboa-Cardenas,
