United States v. Nosal, 2016 WL 3608752 (9th Cir. 2016)

In this criminal proceeding brought under the Computer Fraud and Abuse Act (“CFAA”), the United States government filed a criminal indictment against David Nosal (a former employee of Korn/Ferry International) as a result of his obtaining information from Korn/Ferry’s computer system for the purpose of defrauding Korn/Ferry and setting up a competing executive search firm. The government succeeded in proving under the CFAA that an employee accesses a protected computer without authorization when he or she does so without permission; Nosal also was successfully prosecuted for trade secret theft under the Economic Espionage Act (“EEA”). The district court sentenced Nosal to one year and one day in prison; three years of supervised release; a $60,000 fine and approximately $828,000 in restitution to Korn/Ferry.

The United States Court of Appeals for the Ninth Circuit affirmed the conviction, holding that “Nosal, a former employee whose computer access credentials were revoked by Korn/Ferry acted ‘without authorization’ in violation of the CFAA when he or his former employee co-conspirators used the login credentials of a current employee [Nosal’s former assistant] to gain access to computer data owned by the former employer and to circumvent the revocation of access.” The Court also affirmed Nosal’s conviction under the EEA as a result of his receiving from one of his accomplices a list of CFOs, which included candidates’ names, company positions and telephone numbers. The Court vacated the judgment in part and remanded the matter for reexamination by the district court of the amount of restitution awarded to Korn/Ferry. Cf. United States v. Christensen, 801 F.3d 970 (9th Cir. 2015) (jury instructions defining “computer fraud” and “unauthorized computer access” were erroneous in that they allowed the jury to convict under the CFAA for unauthorized use of information rather than only for unauthorized access).