About Us  |  About Cheetah®  |  Contact Us

9th Circuit’s Nosal opinion amended to clarify intent is required for CFAA violation

By Cheryl Beise, J.D.

The Ninth Circuit has amended its July 2016 opinion affirming former Korn/Ferry director David Nosal’s criminal convictions for trade secret theft under the Economic Espionage Act (EEA) and unauthorized computer access under the Computer Fraud and Abuse Act (CFAA). The appeals court revised its opinion to clarify that Section 1030(a)(4) of the CFAA requires that a defendant’s unauthorized access be “knowingly and with intent to defraud” and that “violating use restrictions, like a website’s terms of use, is insufficient without more to form the basis for liability under the CFAA.” In view of this clarification, the panel denied Nosal’s petition for a rehearing en banc (U.S. v. Nosal, December 8, 2016, McKeown, M.).

On July 5, 2016, a divided Ninth Circuit panel held that Nosal acted “without authorization” in violation of the CFAA when he or his former coworker co-conspirators used the login credentials of a current employee (Nosal’s former assistant) to circumvent Korn/Ferry’s revocation of authorization in order to gain access to Korn/Ferry’s internal database of information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995. The panel found that the information qualified as a trade secret and rejected Nosal’s challenges to the sufficiency of the evidence and jury instructions. However, the court vacated as excessive the district court’s award of $827,983 in restitution to Korn/Ferry for investigation costs and attorney fees.

In a dissenting opinion, Judge Reinhardt argued that voluntary sharing of a password in violation of an employer or website’s policies is not the kind of criminal computer “hacking” covered by the CFAA.

The amended opinion explained that the imposition of a mens rea element for Section 1030(a)(4) liability—requiring that a defendant’s access be “knowingly and with intent to defraud”—targeted knowing and specific conduct. The circumstance presented by this case, in which former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer, bore “little resemblance to asking a spouse to log in to an email account to print a boarding pass,” as suggested by Nosal, the appeals court said. The facts of this case simply did not invoke “the parade of hypotheticals generated by Nosal and amici.”

In view of the amended opinion, Chief Judge Thomas and Judge McKeown voted to deny the petition for rehearing en banc, while Judge Reinhardt voted to grant the petition. No judge of the full court requested a vote on whether to rehear the matter en banc.