ORDER
The opinion filed on July 5, 2016, and appearing at
With these amendments, Chief Judge Thomas and Judge McKeown vote to deny the petition for rehearing en banc. Judge Reinhardt votes to grant the petition for rehearing en banc.
The full court has been advised of the petition for rehearing en banc and no judge has requested a vote on whether to rehear the matter en banc. Fed. R. App. P. 35.
The petition for rehearing en banc is denied. No further petitions for en banc or panel rehearing shall be permitted.
OPINION
This is the second time we consider the scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, with respect to David Nosal. The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” Id. § 1030(a)(4) (emphasis added).
Only the first prong of the section is before us in this appeal: “knowingly and with intent to defraud” accessing a computer “without authorization.” Embracing our earlier precedent and joining our sister circuits, we conclude that “without authorization” is an unambiguous, nontechnical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. Further, we have held that authorization is not pegged to website terms and conditions. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door. This provision, coupled with the requirement that access be “knowingly and with intent to defraud,” means that the statute will not sweep in innocent conduct, such as family password sharing.
Nosal worked at the executive search firm Korn/Ferry International when he decided to launch a competitor along with a group of co-workers. Before leaving Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new enterprise. Although they were authorized
The remaining counts relate to statutory provisions that were not at issue in Nosal I: access to a protected computer “without authorization” under the CFAA and trade secret theft under the Economic Espionage Act (“EEA”), 18 U.S.C. § 1831 et seq. When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained for a time as a contractor. The company took the same precaution upon the departure of his accomplices, Becky Christian and Mark Jacobson. Nonetheless, they continued to access the database using the credentials of Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux (“FH”), who remained at Korn/Ferry at Nosal’s request. The question we consider is whether the jury properly convicted Nosal of conspiracy to violate the “without authorization” provision of the CFAA for unauthorized access to, and downloads from, his former employer’s database called Searcher.
We directly answered this question in LVRC Holdings LLC v. Brekka,
Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute. Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on “knowingly and with intent to defraud” accessing a computer “without au
The dissent mistakenly focuses on FH’s authority, sidestepping the authorization question for Christian and Jacobson. To begin, FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked. Also, in collapsing the distinction between FH’s authorization and that of Christian and Jacobson, the dissent would render meaningless the concept of authorization. And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.
We also affirm Nosal’s convictions under the EEA for downloading, receiving and possessing trade secrets in the form of source lists from Searcher. We vacate in part and remand the restitution order for reconsideration of the reasonableness of the attorneys’ fees award.
Background
I. Factual Background
Nosal was a high-level regional director at the global executive search firm Korn/Ferry International. Korn/Ferry’s bread and butter was identifying and recommending potential candidates for corporate positions. In 2004, after being passed over for a promotion, Nosal announced his intention to leave Korn/Ferry. Negotiations ensued and Nosal agreed to stay on for an additional year as a contractor to finish a handful of open searches, subject to a blanket non-competition agreement. As he put it, Korn/Ferry was giving him “a lot of money” to “stay out of the market.”
During this interim period, Nosal was very busy, secretly launching his own search firm along with other Korn/Ferry employees, including Christian, Jacobson and FH. As of December 8, 2004, Korn/Ferry revoked Nosal’s access to its computers, although it permitted him to ask Korn/Ferry employees for research help on his remaining open assignments. In January 2005, Christian left Korn/Ferry and, under instructions from Nosal, set up an executive search firm—Christian & Associates—from which Nosal retained 80% of fees. Jacobson followed her a few months later. As Nosal, Christian and Jacobson began work for clients, Nosal used the name “David Nelson” to mask his identity when interviewing candidates.
The start-up company was missing Korn/Ferry’s core asset: “Searcher,” an internal database of information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995. Searcher was central to Korn/Ferry’s work for clients. When launching a new search to fill an open executive position, Korn/Ferry teams started by compiling a “source list” of potential candidates. In constructing the list, the employees would run queries in Searcher to generate a list of candidates. To speed up the process, employees could look at old source lists in Searcher to see how a search for a similar position was constructed, or to identify suitable candidates. The resulting source list could include hundreds of names, but then was narrowed to a short list of candidates presented to the client. Korn/Ferry considered these source lists proprietary.
Searcher included data from a number of public and quasi-public sources like LinkedIn, corporate filings and Internet searches, and also included internal, nonpublic sources, such as personal connections, unsolicited resumes sent to Korn/Ferry and data inputted directly by candidates via Korn/Ferry’s website. The data was coded upon entry; as a result, employees could run targeted searches for candidates by criteria such as age, indus
Searcher was hosted on the company’s internal computer network and was considered confidential and for use only in Korn/Ferry business. Korn/Ferry issued each employee a unique username and password to its computer system; no separate password was required to access Searcher. Password sharing was prohibited by a confidentiality agreement that Korn/Ferry required each new employee to sign. When a user requested a custom report in Searcher, Searcher displayed a message which stated: “This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only.”
Nosal and his compatriots downloaded information and source lists from Searcher in preparation to launch the new competitor. Before leaving Korn/Ferry, they used their own usernames and passwords, compiling proprietary Korn/Ferry data in violation of Korn/Ferry’s computer use policy. Those efforts were encompassed in the CFAA accounts appealed in Nosal I. See
After Nosal became a contractor and Christian and Jacobson left Korn/Ferry, Korn/Ferry revoked each of their credentials to access Korn/Ferry’s computer system. Not to be deterred, on three occasions Christian and Jacobson borrowed access credentials from FH, who stayed on at Korn/Ferry at Nosal’s request. In April 2005, Nosal instructed Christian to obtain some source lists from Searcher to expedite their work for a new client. Thinking it would be difficult to explain the request to FH, Christian asked to borrow FH’s access credentials, which Christian then used to log in to Korn/Ferry’s computer system and run queries in Searcher. Christian sent the results of her searches to Nosal. In July 2005, Christian again logged in as FH to generate a custom report and search for information on three individuals. Later in July, Jacobson also logged in as FH, to download information on 2,400 executives. None of these searches related to any open searches that fell under Nosal’s independent contractor agreement.
In March 2005, Korn/Ferry received an email from an unidentified person advising that Nosal was conducting his own business in violation of his non-compete agreement. The company launched an investigation and, in July 2005, contacted government authorities.
II. Procedural Background
In the first indictment, Nosal was charged with twenty criminal counts, including eight counts under the CFAA, two trade secrets counts under the Economic Espionage Act and one conspiracy count. Five of the eight CFAA counts were based on allegations that FH and Christian downloaded material from Searcher using their own credentials while employed by Korn/Ferry in violation of company policies. The district court dismissed these counts, citing our decision in Brekka,
The government filed a second superseding indictment in February 2013 with three CFAA counts, two trade secrets counts and one conspiracy count. Nosal’s remaining CFAA counts were based on the three occasions when Christian and Jacobson accessed Korn/Ferry’s system for their new clients using FH’s login credentials. The district court denied Nosal’s motion to dismiss the three remaining CFAA counts, rejecting the argument that Nosal
Analysis
I. Convictions Under the Computer Fraud and Abuse Act
A. Background of the CFAA
The CFAA was originally enacted in 1984 as the Counterfeit Access Device and Computer Fraud and Abuse Act, Pub. L. No. 98-473, § 2102(a), 98 Stat. 2190 (1984). The act was aimed at “hackers who accessed computers to steal information or to disrupt or destroy computer functionality.” Brekka,
Just two years later in 1986, Congress amended the statute to “deter[ ] and punish[ ] certain ‘high-tech’ crimes,” and “to penalize thefts of property via computer that occur as part of a scheme to defraud,” S. Rep. No. 99-432, at 4, 9 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2482, 2486-87. The amendment expanded the CFAA’s protections to private computers. Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, § 2(g)(4), 100 Stat. 1213-15.
The key section of the CFAA at issue is 18 U.S.C. § 1030(a)(4), which provides in relevant part:
Whoever ... knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ... shall be punished....
A key element of the statute is the requirement that the access be “knowingly and with intent to defraud.” Not surprisingly, this phrase is not defined in the CFAA as it is the bread and butter of many criminal statutes. Indeed, the district court borrowed the language from the Ninth Circuit model jury instructions in defining “knowingly” and “intent to defraud” for the jury, and Nosal does not renew any challenges to those instructions on appeal. This mens rea element of the statute is critical because imposing the “intent to defraud” element targets knowing and specific conduct and does not em
The CFAA defines “exceeds authorized access” as “access [to] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). The statute does not, however, define “without authorization.” Both terms are used throughout § 1030. Subsection 1030(a)(2), which mirrors (a)(4) but requires that access be intentional, penalizes access without authorization and exceeding authorization. Subsection 1030(a)(1) also incorporates both terms in relation to accessing a computer and obtaining national security information. Subsection 1030(a)(7)(B) criminalizes extortion by threats to obtain information “without authorization or in excess of authorization.” The remaining subsections pertain only to access “without authorization.” Subsection 1030(a)(3) prohibits access “without authorization” to nonpublic government computers. Subsections 1030(a)(5) and (6) employ the term “without authorization” with respect to, among other things, “transmission of a program, information, code, or command,” § 1030(a)(5)(A); intentional access that “causes damage and loss,” § 1030(a)(5)(C); and trafficking in passwords, § 1030(a)(6). In construing the statute, we are cognizant of the need for congruence among these subsections.
B. Meaning of “Authorization” Under the CFAA
The interpretive fireworks under § 1030(a)(4) of the CFAA have been reserved for its second prong, the meaning of “exceeds authorized access.” Not surprisingly, there has been no division among the circuits on the straightforward “without authorization” prong of this section. We begin with the two Ninth Circuit cases that bind our interpretation of “without authorization”—Brekka and Nosal I—and then move on to address the cases from our sister circuits that are in accord with Brekka, agreeing that “without authorization” is an unambiguous term that should be given its ordinary meaning.
Brekka involved a former employee in circumstances remarkably similar to Nosal: he wanted to compete using confidential data from his former company. Christopher Brekka worked as an internet marketer with LVRC Holdings, LLC (“LVRC”), a residential addiction treatment center. Brekka,
In Brekka we analyzed both the “without authorization” and “exceeds authorization” provisions of the statute under §§ 1030(a)(2) and (4). Id. at 1132-36. Because the CFAA does not define the term “authorization,” we looked to the ordinary, contemporaneous meaning of the term: “ ‘permission or power granted by an authority.’” Id. at 1133 (quoting Random House Unabridged Dictionary 139 (2001)). In determining whether an employee has authorization, we stated that, consistent with “the plain language of the statute ... ‘authorization’ [to use an employer’s computer] depends on actions taken by the employer.” Id. at 1135. We concluded that because Brekka had permission to use his employer’s computer, “[t]he most straightforward interpretation of §§ 1030(a)(2) and
Brekka’s access after LVRC terminated his employment presented a starkly different situation: “There is no dispute that if Brekka accessed LVRC’s information on the [traffic monitoring] website after he left the company ..., Brekka would have accessed a protected computer ‘without authorization’ for purposes of the CFAA.” Id. at 1136.
Not surprisingly, in Nosal I as in this appeal, both the government and Nosal cited Brekka extensively. The focus of Nosal’s first appeal was whether the CFAA could be interpreted “broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.” Nosal I,
In Nosal I, authorization was not in doubt. The employees who accessed the Korn/Ferry computers unquestionably had authorization from the company to access the system; the question was whether they exceeded it. What Nosal I did not address was whether Nosal’s access to Korn/Ferry computers after both Nosal and his co-conspirators had terminated their employment and Korn/Ferry revoked their permission to access the computers was “without authorization.” Brekka is squarely on point on that issue: Nosal and his co-conspirators acted “without authorization” when they continued to access Searcher by other means after Korn/Ferry rescinded permission to access its computer system. As Nosal I made clear, the CFAA was not intended to cover unauthorized use of information. Such use is not at issue here. Rather, under § 1030(a)(4), Nosal is charged with unauthorized access—getting into the computer after categorically being barred from entry.
The text of the CFAA confirms Brekka’s approach. Employing classic statutory interpretation, we consider the plain and ordinary meaning of the words “without authorization.” See United States v. Stew
That straightforward meaning is also unambiguous as applied to the facts of this case.
Our analysis is consistent with that of our sister circuits, which have also determined that the term “without authorization” is unambiguous.
Beginning in 1991, in construing § 1030(a)(5)(A),
The Fourth Circuit’s analysis mirrors the conclusion that the “without authorization” language is unambiguous based on its ordinary meaning:
Recognizing that the distinction between [“exceeds authorized access” and access “without authorization”] is arguably minute, we nevertheless conclude based on the ordinary, contemporary, common meaning of “authorization,” that an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer. Thus, he accesses a computer “without authorization” when he gains admission to a computer without approval. Similarly, we conclude that an employee “exceeds authorized access” when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.
WEC Carolina Energy Solutions LLC v. Miller,
Like the other courts, the Sixth Circuit noted that “[t]he plain meaning of ‘authorization’ is ‘[t]he conferment of legality; ... sanction.’ Commonly understood, then, a defendant who accesses a computer ‘without authorization’ does so without sanction or permission.” Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am.,
In the face of multiple circuits that agree with our plain meaning construction of the statute, the dissent would have us ignore common sense and turn the statute inside out. Indeed, the dissent frames the question upside down in assuming that permission from FH is at issue. Under this approach, ignoring reality and practice, an employee could undermine the company’s ability to control access to its own computers by willy nilly giving out passwords to anyone outside the company—former employees whose access had been revoked, competitors, industrious hackers or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery. See Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1179-80 (2016).
The Brekka analysis of the specific phrase “without authorization”—which is consistent with our sister circuits—remains controlling and persuasive. We therefore hold that Nosal, a former employee whose computer access credentials were affirmatively revoked by Korn/Ferry acted “without authorization” in violation of the CFAA when he or his former employee co-conspirators used the login credentials of a current employee to gain access to confidential computer data owned by the former employer and to circumvent Korn/Ferry’s revocation of access.
C. Jury Instruction on “Without Authorization”
With respect to the meaning of “without authorization,” the district court instructed the jury as follows:
Whether a person is authorized to access the computers in this case depends on the actions taken by Korn/Ferry to grant or deny permission to that person to use the computer. A person uses a computer “without authorization” when the person has not received permission from Korn/Ferry to use the computer for any purpose (such as when a hacker accesses the computer without any permission), or when Korn/Ferry has rescinded permission to use the computer and the person uses the computer anyway.
The instruction is derived directly from our decision in Brekka and is a fair and accurate characterization of the plain meaning of “without authorization.” Although the term “without authorization” is unambiguous, it does not mean that the facts don’t matter; the source and scope of authorization may well be at issue. Here, it was not disputed that Korn/Ferry was the source of permission to grant authorization. The jury instruction left to the jury to determine whether such permission was given.
Nosal challenges the instruction on the basis that the CFAA only criminalizes access where the party circumvents a technological access barrier.
In any event, Nosal’s argument misses the mark on the technological access point. Even if he were correct, any instructional error was without consequence in light of the evidence. The password system adopted by Korn/Ferry is unquestionably a technological barrier designed to keep out those “without authorization.” Had a thief stolen an employee’s password and then used it to rifle through Searcher, without doubt, access would have been without authorization.
The same principle holds true here. A password requirement is designed to be a technological access barrier.
D. Accomplice Liability Under the CFAA
Nosal’s convictions under the CFAA rest on accomplice liability. Nosal claims the government failed to prove the requisite mens rea. Two instructions bear on this issue: aiding and abetting and deliberate ignorance. As to the former, which is not challenged on appeal, the court instructed that the government must prove Nosal “knowingly and intentionally aided, counseled, commanded, induced or procured [a] person to commit each element of the crime” and did so “before the crime was completed ... with the knowledge and intention of helping that person commit the crime.” The court also instructed that the defendant acted “knowingly” if he was “aware of the act and [did] not act or fail to act through ignorance, mistake, or accident.” The adjunct deliberate ignorance instruction read: the defendant acted “knowingly” if he “was aware of a high probability that [Christian, Jacobson, or FH] had gained unauthorized access to a computer ... or misappropriated trade secrets ... without authorization ... and deliberately avoided learning the truth.”
At trial, Nosal objected to the deliberate ignorance instruction on the ground that the facts alleged did not permit a deliberate ignorance theory. On appeal, for the first time, he argues that the instruction is erroneous because it undermines the requirement that Nosal had advance knowledge of the crime.
We have repeatedly held that a statutory requirement that a criminal defendant acted “knowingly” is “not limited to positive knowledge, but includes the state of mind of one who does not possess positive knowledge only because he consciously avoided it.” United States v. Heredia,
Nor does the recent case Rosemond v. United States counsel a different result. — U.S. —,
Apart from the instruction, Nosal challenges the sufficiency of the evidence, claiming evidence of intent was insufficient because he didn’t have advance knowledge that Christian and Jacobson would use FH’s password. This attack fails because, “after viewing the evidence in the light most favorable to the prosecution, any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt.” Jackson v. Virginia,
Although the conviction may be upheld solely under Pinkerton, which “ ‘renders all co-conspirators criminally liable for reasonably foreseeable overt acts committed by others in furtherance of the conspiracy,’ ” United States v. Bingham,
Christian’s testimony is illustrative:
Q. Did the defendant know you were using [FH’s] password, after you left Korn/Ferry, to get source lists and other documents from Korn/Ferry?
A. Yes.
Q. Any doubt to your mind that he knew that?
A. No.
This unequivocal statement, which more than satisfies the Jackson v. Virginia standard, is bolstered by other evidence, including extensive testimony that Nosal wanted his team to obtain information from Searcher while maintaining his distance from their activities but knew and understood that none of them had access
We affirm Nosal’s conviction on the CFAA counts.
II. Convictions Under the Economic Espionage Act (EEA)
The jury convicted Nosal of two counts of trade secret theft under the EEA: Count 5 charged “unauthorized downloading, copying and duplicating of trade secrets” in violation of 18 U.S.C. §§ 1832(a)(2) & (a)(4); and Count 6 charged unauthorized receipt and possession of stolen trade secrets in violation of 18 U.S.C. § 1832(a)(3) & (a)(4). Both counts relate to Christian’s use of FH’s login credentials to obtain three source lists of CFOs from Searcher. Count 6 also included a “cut and paste” of a list of executives derived from Searcher. Christian emailed Nosal the resulting lists, which contained candidate names, company positions and phone numbers. Nosal primarily challenges the sufficiency of the evidence on the trade secret counts.
A. Sufficiency of the Evidence—Counts 5 and 6
Violation of the EEA requires, among other things, “intent to convert a trade secret” and “intending or knowing that the offense will[ ] injure [an] owner of that trade secret....” 18 U.S.C. § 1832(a). The jury instruction for Count 5—downloading, copying and duplicating trade secrets—set out the following elements:
1. At least one of the three source lists is a trade secret (requiring agreement on which one);
2. Nosal knew that the source list was a trade secret;
3. Nosal knowingly, and without authorization, downloaded, copied or duplicated the trade secret;
4. Nosal intended to convert the trade secret to the economic benefit of someone other than the owner;
5. Nosal knew or intended that the offense would injure the trade secret owner; and
6. The trade secret was related to or included in a product in interstate commerce.
The instruction for Count 6—receiving and possessing trade secrets—replaced the third element with a requirement of knowing receipt or possession of a trade secret with the knowledge that it was “stolen or appropriated, obtained, or converted without authorization” and added the “cut and paste” list as one of the possible trade secrets.
Nosal argues that the government failed to prove: 1) secrecy and difficulty of development, because the search information was derived from public sources and because there was no evidence the source lists had not been circulated outside Korn/Ferry; 2) knowledge of trade secret status; and 3) knowledge of injury to, or an intent to injure, Korn/Ferry.
The notion of a trade secret often conjures up magic formulas, like Coca Cola’s proprietary formula, technical drawings or scientific data. So it is no surprise that such technically complex cases have been brought under the EEA. See, e.g., United States v. Chung,
But the scope of the EEA is not limited to these categories and the EEA, by its terms, includes financial and business information. The EEA defines a trade secret as
all forms and types of financial, business, scientific, technical, economic, or engineering information, including ... compilations ... if (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by the public....
18 U.S.C. § 1839(3).
The thrust of Nosal’s argument is that the source lists are composed largely, if not entirely, of public information and therefore couldn’t possibly be trade secrets. But he overlooks the principle that a trade secret may consist of a compilation of data, public sources or a combination of proprietary and public sources. It is well recognized that
it is the secrecy of the claimed trade secret as a whole that is determinative. The fact that some or all of the components of the trade secret are well-known does not preclude protection for a secret combination, compilation, or integration of the individual elements.... [T]he theoretical possibility of reconstructing the secret from published materials containing scattered references to portions of the information or of extracting it from public materials unlikely to come to the attention of the appropriator will not preclude relief against the wrongful conduct....
Restatement (Third) of Unfair Competition § 39 cmt. f (1995); see also Computer Care v. Serv. Sys. Enters., Inc.,
The source lists in question are classic examples of a trade secret that derives from an amalgam of public and proprietary source data. To be sure, some of the data came from public sources and other data came from internal, confidential sources. But cumulatively, the Searcher database contained a massive confidential compilation of data, the product of years of effort and expense. Each source list was the result of a query run through a proprietary algorithm that generates a custom subset of possible candidates, culled from a database of over one million executives. The source lists were not unwashed, public-domain lists of all financial executives in the United States, nor otherwise related to a search that could be readily completed using public sources. Had the query been “who is the CFO of General Motors” or
Nosal takes the view that the source lists are merely customer lists that cannot be protected as trade secrets. This characterization attempts to sidestep the unique nature of the source lists, which are the customized product of a massive database, not a list of well-known customers. Regardless, courts have deemed customer lists protectable trade secrets. See, e.g., Hollingsworth Solderless Terminal Co. v. Turley,
Our approach is not novel. This case is remarkably similar to Conseco Finance Servicing Corp. v. North American Mortgage Co.,
Nosal also takes aim at the secrecy of the three source lists in question,- an argument that is intertwined with his public domain/compilation claim. The jury heard more than enough evidence to support its verdict. Christian acknowledged that the only place she could obtain the source lists she needed was on Korn/Ferry’s computer system. Notably, some of the downloaded information came from a source list for an engagement that was opened only twelve days prior to the April 12 downloads underlying the trade secret counts.
Although Nosal claims that Korn/Fer-ry’s sharing of lists with clients and others undermined this claim of secrecy, witnesses who worked at Korn/Ferry did not budge in terms of procedures undertaken to -keep the data secret, both in terms of technology protections built into the computer system and the limitations on distribution of the search results. For example, the Vice-President of Information Services testified that, to her knowledge, the source lists had never been released by Korn/Fer-ry to any third parties. As a matter of practice, Korn/Ferry did not show source lists to clients. In ,the occasional instance when a client was given a source, list or shown one at a pitch, it was provided on an understanding of confidentiality, and disclosing the lists was contrary to company policy. It is also well established that “confidential disclosures to employees, li-
In light of the above, it would be naive to conclude that Nosal was unaware that the information pirated by Christian included trade secrets or that the piracy would harm Korn/Ferry. As a former senior executive at Korn/Ferry, Nosal was deeply familiar with the competitive advantage Searcher provided, and was cognizant of the measures the company took to protect the source lists generated. He signed a confidentiality agreement stating that “information databases and company records are extremely valuable assets of [Korn/Ferry’s] business and are accorded the legal protection applicable to a company’s trade secrets.” The source lists were also marked “Korn/Ferry Proprietary & Confidential.” While a label or proprietary marking alone does not confer trade secret status, the notice and protective measures taken by Korn/Ferry significantly undermine Nosal’s claim he was unaware the source lists were trade secret information.
Nosal’s argument that he and his colleagues were unaware their actions would harm Korn/Ferry also holds no water. They launched a direct competitor to Korn/Ferry and went to great lengths to access the source lists, fully aware of the competitive advantage Searcher gave Korn/Ferry as they attempted to populate their own database. Christian underscored the value of the lists through her testimony that she and Nosal used the source lists to complete searches faster and gain credibility with clients. They recognized that the required substantial investment of time, money and elbow grease to even try to replicate the source lists would have destroyed their prime value—immediacy.
At trial, Nosal’s counsel endeavored to attack the secrecy, knowledge and other elements of the trade secret counts. The jury heard extensive testimony and argument. Construing the evidence in the light most favorable to the government, a rational juror could have concluded that the evidence supported convictions under §§ 1832(a)(2), (3) and (4) of the EEA. As the Supreme Court explained just this year, our “limited review does not intrude on the jury’s role ‘to resolve conflicts in the testimony, to weigh the evidence, and to draw reasonable inferences from basic facts to ultimate facts.’ ” Musacchio,
B. Conspiracy Jury Instruction
With respect to trade secrets, the conspiracy jury instruction stated that “the government need not prove the existence of actual trade secrets and that Defendant knew that the information in question was a trade secret. However, the government must prove that Defendant firmly believed that certain information constituted trade secrets.” Nosal argues that the court constructively amended the indictment because the indictment alleges theft of actual trade secrets while the jury instruction did not require proof of actual trade secrets. Constructive amendment occurs where “the crime charged is substantially changed at trial, so that it is impossible to know whether the grand jury would have indicted for the crime actually proved.” United States v. Howick,
In a related vein, Nosal claims that the instruction unfairly removes the requirement to prove an actual trade secret. The instruction reflects our circuit’s precedent on conspiracy charges—a conviction may be upheld even where the object of the crime was not a legal possibility. See United States v. Rodriguez,
C. Evidentiary Challenges
Nosal disputes evidentiary rulings made regarding his non-competition agreement. Although Nosal was permitted to testify that he believed the agreement was illegal, the court struck certain testimony by government witnesses about the agreement and also precluded evidence about the enforceability of the agreement under California law. The jury was instructed that whether “Mr. Nosal breached or did not breach this covenant is not relevant to the question of whether he is guilty of the crimes charged in this case.” The district court did not abuse its discretion.
In closing rebuttal, the government argued that Nosal’s use of the name “David Nelson” showed his intent to conspire to steal information from Korn/Ferry. Importantly, the government did not link Nosal’s charade to the legality of the non-competition agreement. This passing reference, which was not objected to at trial, was harmless and certainly does not rise to the level of plain error.
III. Restitution Order
The district court awarded Korn/Ferry $827,983.25 in restitution. We review de novo the legality of the restitution order and review for clear error the factual findings that support the order. United States v. Luis,
The restitution order identified three categories of recoverable losses: 1) Korn/Ferry’s internal investigation costs incurred in attempting to ascertain the nature and scope of Nosal’s breach, in the amount of $27,400; 2) the value of Korn/Ferry’s employee time spent participating in and assisting the government’s investigation and prosecution, in the amount of $247,695; and 3) the attorneys’ fees incurred by Korn/Ferry in aid of the investigation or prosecution of the offense, in the amount of $595,758.25. While the government asked for a higher amount,
The district court relied on the Mandatory Victim Restitution Act (MVRA), which “makes restitution mandatory for particular crimes, including those offenses which involve fraud or deceit.” United States v. Gordon,
We must initially decide whether, as Nosal urges, the restitution award is invalid because it exceeds the actual loss that the district court determined for the purposes of the Sentencing Guidelines, U.S.S.G. § 2B1.1(b)—calculated at $46,907.88. The answer to that question is found in our observation that “calculating loss under the guidelines is not necessarily identical to loss calculation for purposes of restitution.” United States v. Hunter,
In contrast with the MVRA, which includes expenses related to investigation and prosecution, such costs are categorically excluded under the Sentencing Guidelines applicable here. The guidelines provision for actual loss for crimes of fraud explicitly excludes “costs incurred by victims primarily to aid the government in[ ] the prosecution and criminal investigation of an offense.” U.S.S.G. § 2B1.1 cmt. 3(D)(ii). From that, Nosal appears to assume, without any support, that “actual loss” is a term-of-art, such that in this category of offenses a restitution order could never include investigation costs or attorneys’ fees in aid of the government. That assumption is not warranted under the plain language of the MVRA, which notably never uses the terminology of actual loss.
In an effort to overcome the differences between the MVRA and the guidelines, Nosal points to our decision in United States v. Stoddard,
Nosal is also mistaken that this reading of the statute creates a circuit split with the Seventh Circuit. See United States v. Dokich,
Having determined that the restitution award was “within the bounds of the statutory framework,” we turn to whether the district court nevertheless abused its discretion in awarding nearly $1 million in restitution. See Waknine,
We applaud the district court’s thorough review of the voluminous time and fee records submitted by the government and Korn/Ferry. We agree with the award for internal investigation costs to uncover the extent of the breach and for the value of employee time spent participating in the government’s investigation and prosecution. See, e.g., United States v. De La Fuente,
While the district court’s reduction of the fee award was a step in the right direction, our review of the record convinces us that the court should have gone further. Several principles guide this conclusion. To begin, the fees must be the direct and foreseeable result of the defendant’s conduct. Gordon,
Even after reduction, the total amount of fees awarded is striking, particularly given that the trial ultimately involved only three discrete incidents of criminal behavior. Although resulting in multiple counts, at bottom the events were temporally circumscribed and limited in scope. We note that a highly disproportionate percentage of the fees arose from responding to requests and inquiries related to sentencing, damages, and restitution. The reasonableness of the fees needs to be reexamined to consider (i) whether the sizeable fee related to restitution matters was reasonable; (ii) whether there was unnecessary duplication of tasks between Korn/Ferry staff and its attorneys since the court awarded a substantial sum for the time of Korn/Ferry employees; and (iii) whether the outside attorneys were substituting for or duplicating the work of the prosecutors, rather than serving in a participatory capacity.
We vacate the restitution award with respect to the attorneys’ fees and remand for reconsideration in light of the principles and observations set out above.
AFFIRMED, EXCEPT VACATED IN PART AND REMANDED WITH RESPECT TO THE RESTITUTION AWARD.
Notes
. As in Nosal I, Nosal did not himself access and download information from Korn/Ferry’s database. Nosal was convicted of three substantive CFAA counts on either an aiding and abetting or conspiracy theory. Under either, Nosal is liable for the conduct of Christian and Jacobson. See Pinkerton v. United States,
. A computer is defined broadly as "an electronic ... data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” 18 U.S.C. § 1030(e)(1). The CFAA’s restrictions have been applied to computer networks, databases and cell phones. See, e.g., United States v. Valle,
. The act was later expanded to protect any computer "used in interstate or foreign commerce or communication.” Economic Espionage Act of 1996, Pub. L. 104-294, § 201(4)(B), 110 Stat. 3488, 3493 (codified as amended at 18 U.S.C. § 1030(e)(2)(B)).
. Brekka's authorization terminated when his employment terminated, not because his password expired. Expired passwords do not necessarily mean that authorization terminates: authorized account-holders often let their passwords lapse before updating the password or contacting the company’s technical support team for help, but expiration of a password doesn’t necessarily mean that account authorization has terminated.
. For example, Title 18 covers a number of offenses that stem from conduct "without authorization.” See, e.g., 18 U.S.C. § 1388(a)(2)(B) (holding liable any person who "willfully and without proper authorization imped[es]” access to a funeral of a member of the Armed Forces); 18 U.S.C. § 1831(a) (holding liable for economic espionage “[w]hoever, intending or knowing that the offense will benefit any foreign government ... knowingly ... without authorization appropriates, takes, carries away, or conceals" trade secrets); 18 U.S.C. § 2701 (holding liable any person who “intentionally accesses without authorization a facility through which an electronic communication service is provided ... and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage”).
. We do not invoke the rule of lenity because "the touchstone of the rule of lenity is statutory ambiguity,” Bifulco v. United States,
. The dissent rests its argument on the fact that Brekka had “no possible source of authorization.” The same is true here—Nosal had "no possible source of authorization” since the company revoked his authorization and, while FH might have been wrangled into giving out her password, she and the others knew that she had no authority to control system access.
. Nosal argues that he cannot be held liable because, as a contractor, he was entitled to access information from Korn/Ferry’s database. Nosal misconstrues his authorization following his departure from Korn/Ferry: he was entitled only to information related to his open searches, and being entitled to receive information does not equate to permission to access the database. Further, Nosal’s liability as a co-conspirator turns on whether Christian and Jacobson acted "without authorization.”
. We note that the terms “insider” and "outsider” in these circumstances are simply descriptive proxies for the status of the parties here and in Brekka. There obviously could be an "insider" in a company, such as a cleaning or maintenance person, who is not authorized to access any computer or company information but who, nonetheless, accesses the company computer "without authorization.”
. Although the Supreme Court recently affirmed a conviction under the CFAA with facts similar to those here, it did not address interpretation of “without authorization.” See Musacchio v. United States, — U.S. —,
. See discussion in Nosal I,
. This section of the CFAA criminalizes intentional "transmission of a program, information, code, or command” to a protected computer "without authorization” causing damage. 18 U.S.C. § 1030(a)(5)(A).
. Nosal did not object to this instruction at the jury instruction conference. He did, however, raise the issue and offer a circumvention instruction earlier in the proceedings and objected to an earlier version of this instruction. Whether we review the instruction de novo or for plain error, the result is the same because the instruction was correct.
. The district court accommodated Nosal's many objections to this instruction. In particular, at his request, the instruction included the names of the co-conspirators. When the court asked if this included "the three people," Nosal’s counsel said, “Right.” The instruction thus incorporated, with no further objection or comment, FH’s name. Nosal thus waived any challenge to inclusion of her name, which was not plain error in any event.
. This was the text of § 1839 at the time the offenses were committed. Congress recently amended § 1839, replacing “the public” with "another person who can obtain economic value from the disclosure or use of the information.” Defend Trade Secrets Act of 2016, Pub. L. No. 114-153, § 2(b)(1)(A), 130 Stat. 376, 380.
. See also Rivendell Forest Prods., Ltd. v. Ga.-Pac. Corp.,
. We agree with the district court’s decision to accept the hourly rate of Korn/Ferry’s attorneys. Recognizing the importance and impact of the breach, Korn/Ferry cannot be faulted for selecting an “excellent,” or “premium,” law firm.
Dissenting Opinion
dissenting:
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.
The first time this case came before us we examined whether Nosal’s former colleagues acted “without authorization, or exceed[ed] authorized access” when they downloaded information from Searcher while still employed at Korn/Ferry and shared it with Nosal in violation of the firm’s policies. United States v. Nosal (Nosal I),
Today, addressing only slightly different conduct, the majority repudiates important parts of Nosal I, jeopardizing most password sharing. It loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.
At issue are three incidents of password sharing. On these occasions while FH was still employed at Korn/Ferry, she gave her password to Jacobson or Christian, who had left the company. Her former colleagues then used her password to download information from Searcher. FH was authorized to access Searcher, but she did not download the information herself because it was easier to let Jacobson or Christian do it than to have them explain to her how to find it. It would not have been a violation of the CFAA if they had simply given FH step-by-step directions, which she then followed. Thus the question is whether because Jacobson and Christian instead used FH’s password with her permission, they are criminally liable for access “without authorization” under the Act.
The majority finds the answer is “yes,” but in doing so commits the same error as the circuits whose views we rejected in Nosal I. My colleagues claim that they do not have to address the effect of their decision on the wider population because Nosal’s infelicitous conduct “bears little resemblance” to everyday password sharing. Notably this is the exact argument the dissent made in Nosal I: “This case has nothing to do with playing sudoku, checking email, [or] fibbing on dating sites.... The role of the courts is neither to issue advisory opinions nor to declare rights in hypothetical cases.”
We, of course, rejected the dissent’s argument in Nosal I. We did so because we recognized that the government’s theory made all violations of use restrictions criminal under the CFAA, whether the violation was innocuous, like checking your personal email at work, or more objectionable like that at issue here. Because the statute was susceptible to a narrower interpretation, we rejected the government’s broader reading under which “millions of unsuspecting individuals would find that they are engaging in criminal conduct.” Id. at 859. The same is true here. The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.
Therefore, despite the majority’s attempt to construe Nosal I as only applicable to “exceeds authorized access,” the case’s central lesson that the CFAA should not be interpreted to criminalize the ordinary conduct of millions of citizens applies equally strongly here. Accordingly, I would hold that consensual password sharing is not the kind of “hacking” covered by the CFAA. That is the case whether or not the voluntary password sharing is with a former employee and whether or not the former employee’s own password had expired or been terminated.
“Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking,” Nosal I,
“Without authorization” is used in a number of places throughout the CFAA, but is not defined in the Act. The phrase appears in two subsections relevant to this case: § 1030(a)(2)(C) and (a)(4). Subsection (a)(2)(C) criminalizes “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] ... information from any protected computer.” This is the “broadest provision” of the CFAA. Nosal I.
Our definition of “without authorization” in this case will apply not only to (a)(4), but also to (a)(2)(C) and the rest of the Act. In Nosal I, the government contended that “exceeds authorization” could be interpreted more narrowly in (a)(2)(C) than in (a)(4), but we concluded: “This is just not so: Once we define the phrase for the purpose of subsection 1030(a)(4), that definition must apply equally to the rest of the statute pursuant to the ‘standard principle of statutory construction ... that identical words and phrases within the same statute should normally be given the same meaning.’ ”
It is thus necessary to consider the potential breadth of subsection (a)(2)(C) if we construe “without authorization” with less than the utmost care. Subsection (a)(2)(C) criminalizes nearly all intentional access of a “protected computer” without authorization.
II.
The majority is wrong to conclude that a person necessarily accesses a computer account “without authorization” if he does so without the permission of the system owner.
Was access in these examples authorized? Most people would say “yes.” Although the system owners’ policies prohibit password sharing, a legitimate account holder “authorized” the access. Thus, the best reading of “without authorization” in the CFAA is a narrow one: a person accesses an account “without authorization” if he does so without having the permission of either the system owner or a legitimate account holder.
This narrower reading is more consistent with the purpose of the CFAA. The CFAA is essentially an anti-hacking statute, and Congress intended it as such. Nosal I,
Nosal’s conduct was, of course, unscrupulous. Nevertheless, as the Second Circuit found in interpreting the CFAA, “whatever the apparent merits of imposing criminal liability may seem to be in this case, we must construe the statute knowing that our interpretation of [authorization] will govern many other situations.” Valle,
III.
The majority insists that the text of the statute requires its broad construction, but that is simply not so. Citing our decision in Brekka, the majority defines “authorization” as “permission or power granted by an authority.” After appealing to “ordinary meaning,” “common sense meaning,” and multiple dictionaries to corroborate this definition, the majority asserts that the term is “not ambiguous.”
The majority is wrong. The majority’s (somewhat circular) dictionary definition of “authorization”—“permission conferred by an authority”—hardly clarifies the meaning of the text. While the majority reads the statute to criminalize access by those without “permission conferred by” the system owner, it is also proper (and in fact preferable) to read the text to criminalize access only by those without “permission conferred by” either a legitimate account holder or the system owner. The question that matters is not what authorization is but who is entitled to give it. As one scholar noted, “there are two parties that have plausible claims to [give] authorization: the owner/operator of the computer, and the legitimate computer account holder.” Orin S. Kerr, Computer Crime Law 48 (3d ed. 2013). Under a proper construction of the statute, either one can give authorization.
The cases the majority cites to support its contention that the statute’s text requires a broad construction merely repeat dictionary definitions of “without authorization.” Those cases do nothing to support the majority’s position that authorization can be given only by the system owner. The Fourth Circuit, quoting the Oxford English Dictionary, found that “based on the ordinary, contemporary, common meaning of ‘authorization,’ ” an employee “accesses a computer ‘without authorization’ when he gains admission to a computer without approval.” WEC Carolina Energy Solutions LLC v. Miller,
As the Supreme Court has repeatedly held, “where there is ambiguity in a criminal statute, doubts are resolved in favor of the defendant.” United States v. Bass,
The “venerable” rule of lenity ensures that individuals are on notice when they act. Santos,
Worse, however, the majority’s construction would base criminal liability on system owners’ access policies. That is exactly what we rejected in Nosal I. See
If this were a civil statute, it might be possible to agree with the majority, but it is not. The plain fact is that the Act unquestionably supports a narrower interpretation than the majority would afford it. Moreover, the CFAA is not the only criminal law that governs computer crime. All fifty states have enacted laws prohibiting computer trespassing. A conclusion that Nosal’s actions do not run afoul of the CFAA need not mean that Nosal is free from criminal liability, and adopting the proper construction of the statute need not thwart society’s ability to deter computer crime and punish computer criminals—even the “industrious hackers” and “bank robbers” that so alarm the majority.
IV.
In construing any statute, we must be wary of the risks of “selective or arbitrary enforcement.” United States v. Kozminski,
Simply put, the majority opinion contains no limiting principle.
It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told customers that no one but the customer may access the customer’s account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.
Even if the majority opinion could be limited solely to employment, the consequences would be equally untoward. Very often password sharing between a current and past employee serves the interest of the employer, even if the current employee is technically forbidden by a corporate policy from sharing his password. For example, if a current Korn/Ferry employee were looking for a source list for a pitch meeting which his former colleague had created before retirement, he might contact him to ask where the file had been saved. The former employee might say “it’s too complicated to explain where it is; send me your password and I’ll find it for you.” When the current employee complied and the former employee located the file, both would become federal criminals under the majority’s opinion. I am confident that such innocuous password sharing among current and former employees is more frequent than the improper password sharing
Brekka, cited repeatedly in the majority opinion, did not threaten to criminalize the everyday conduct of millions of citizens. Nor does that case foreclose the preferable construction of the statute. Brekka primarily addressed the question of whether an employee’s violation of the duty of loyalty could itself render his access unauthorized.
In sum, § 1030(a)(2)(C) covers so large a swath of our daily lives that the majority’s construction will “criminalize a broad range of day-to-day activity.” Kozminski,
V.
Nosal’s case illustrates some of the special dangers inherent in criminal laws which are frequently violated in the commercial world, yet seldom enforced. To quote a recent comment by a justice of the Supreme Court with regard to a statute that similarly could be used to punish indiscriminately: “It puts at risk behavior that is common. That is a recipe for giving the Justice Department and prosecutors enormous power over [individuals].” Transcript of Oral Argument at 38, McDonnell v. United States,
Nosal was a senior member of Korn/Ferry and intended to start a competing business. He was also due a million dollars from Korn/Ferry if he abided by his departure agreement. When Korn/Ferry began its investigation of Nosal’s possible malfeasance, it brought on ex-FBI agents to search through Christian’s garbage and follow Jacobson around. It also
To be clear, I am not implying that there is any misconduct on the part of the prosecution in this case. Nevertheless, private assistance of such magnitude blurs the line between criminal and civil law. Courts have long held that “a private citizen lacks a judicially cognizable interest in the prosecution or nonprosecution of another.” Linda R.S. v. Richard D.,
Prosecutors cannot help but be influenced by knowing that they can count on an interested private party to perform and finance much of the work required to convict a business rival. As the Supreme Court found recently: “Prosecutorial discretion involves carefully weighing the benefits of a prosecution against the evidence needed to convict, [and] the resources of the public fisc.” Bond v. United States, — U.S. —,
VI.
“There is no doubt that this case is distasteful; it may be far worse than that.” McDonnell v. United States, 579 U.S. —,
. Nosal was charged as criminally culpable for Jacobson’s and Christian’s alleged violations under a theory of either aiding and abetting or conspiracy.
. The penalty for violating § 1030(a)(2)(C) may also be increased if the government proves an additional element under (c)(2)(B).
. Computer is defined under the Act as "an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” 18 U.S.C. § 1030(e)(1). See also United States v. Mitra, 405 F.3d 492 (7th Cir. 2005) (finding a radio system is a computer); United States v. Kramer,
To violate § 1030(a)(2)(C) a person must also "obtain information,” but it is nearly impossible to access a computer without also obtaining information. As we noted in Nosal I, obtaining information includes looking up a weather report, reading the sports section online, etc. See also Sen. Rep. No. 104-357, at 7 (1996) (“ ‘[O]btaining information’ includes merely reading it.”).
. The term "system owner” refers to the central authority governing user accounts, whether the owner of a single computer with one or several user accounts, a workplace network with dozens, or a social networking site, bank website, or the like, with millions of user accounts.
. For example, a recent survey showed that 46% of parents have the password to their children’s social networking site, despite the fact that the largest site, Facebook, forbids password sharing. See USC Annenberg School Center for the Digital Future, 2013 Digital Future Report 135 (2013), http://www.digitalcenter.org/wp-content/uploads/2013/06/2013-Report.pdf.
. The Tenth Circuit case the majority cites, United States v. Willis,
. Moskal v. United States,
. It is evident that Nosal is not such a person. This case, however, differs from Bush v. Gore,
. In fact, the ubiquity of state regulation targeting computer trespassing counsels in favor of the narrower interpretation of the federal statute. "Congress has traditionally been reluctant to define as a federal crime conduct readily denounced as criminal by the States.” Bond v. United States, — U.S. —,
. The government has not offered a workable standard for distinguishing Nosal's case from innocuous password sharing either in the context of employment or outside of it. With respect to things like Facebook password sharing, for example, the government gamely states that in other “categories of computer users,” aside from employees, defendants might be able to claim password sharing gave them authorization even if it was against the policy of the website, but does not offer any line of its own or even a hint as to what in the statute permits such a distinction.
. The majority tries to dismiss Nosal I as irrelevant because in the end it only interprets “exceeds authorized access.” This is wrong for two reasons. First, while Nosal I's holding applies directly only to “exceeds authorized access,” its discussion of password sharing affects the meaning of “without authorization” as well. This is because the “close friends [or] relatives” have no right to access Facebook’s or the email provider’s servers, unless the account holder’s password sharing confers such authorization. Although in Nosal I we rejected the Seventh Circuit’s holding in Int’l Airport Centers, L.L.C. v. Citrin, that court correctly observed that the distinction between “exceeds authorized access” and “without authorization” is often “paper thin.”
. To make the analogy exact, assume the wife had recently closed her account with the bank or withdrawn as a member of a joint-account with her husband and thus had her credentials rescinded.
. This example also demonstrates the problem with the majority's reliance on the fact that—like all former Korn/Ferry employees— Christian and Jacobson's credentials had expired. The expiration of someone’s credentials is not a reliable indicator of criminal culpability in a password sharing case.
. It was recently reported that more than a few corporate firms, including O’Melveny's rival Gibson, Dunn and Crutcher, charge as much as $2,000 per hour for some partners’ time. Natalie Rodriguez, Meet the $2,000 An Hour Attorney, Law 360, June 11, 2016, http://www.law360.com/articles/804421/meet-the-2-000-an-hour-attorney.
. Indeed, the Court has recognized that limited government funds sometimes play an important part in restraining potential executive overreach. See Illinois v. Lidster,
. The fact that the interested party may be able to recover its attorneys' fees if the prosecution is successful does not affect this analysis.
. Nosal argues that because the jury was instructed under Pinkerton, if the conspiracy count and substantive CFAA counts are vacated or reversed, so too must both the trade secrets counts. The government does not contest this assertion in its answering brief. I would therefore vacate the trade secrets counts. See United States v. Gamboa-Cardenas,
