Stroock & Stroock's Joel Cohen
David Nosal and his accomplices did something wrong. No question. But was it -- should it be viewed as -- criminal? The Ninth Circuit, en banc, dramatically split on that question in interpreting one particular criminal statute designed to deal with the ever-emerging technology of the computer (U. S. v. Nosal). How did the opining judges come to disagree?
The facts are uncomplicated. Nosal was a former employee of executive search firm Korn/Ferry ("KF"). After his departure, he asked his still-employed former colleagues to help him start a competing search firm. Using their log-in credentials to download source lists and contact information from the confidential KF database, they then transferred that valuable information to Nosal. Nosal's accomplices were, without question, authorized to access the database but also specifically forbidden by company policy from disclosing that information ("This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only" [emphasis added]). Were their actions criminal?
Clearly, the information obtained was proprietary and its unauthorized transmission outside the company exposed each actor not only to termination of employment but also civil liability. Indeed, these individuals mined deep into the very bedrock of KF's business and gave away its valuable minerals. Nosal wasn't simply asking the current employees to lend him a textbook in KF's library or to use KF computers to type up a business proposal for Nosal's new business. Accordingly, in response, KF didn't merely pursue a civil lawsuit, but actually persuaded the U. S. Attorney in San Francisco to prosecute Nosal for a series of felonies -- most pertinent among them, violation of the Computer Fraud and Abuse Act, 18 U.S. Code Section 1030(a)(4), for aiding and abetting the KF employees in "exceed[ing their]" authorized access with intent to defraud.
However, the language of the CFAA isn't pristinely clear. It defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."
The ambiguity in this definition leads to two possible interpretations. Under the first, it could refer to someone who is authorized to access only certain data or files, but looks at those to which he is unauthorized -- a "hacker." Under the second, it could refer to someone with unrestricted access to the computer, but who is limited in the use to which he can put the information -- meaning that Nosal's "insider" confederates might clearly, and properly, have sought access to the customer lists in order to do their job, but couldn't properly send them to a then-outsider like Nosal.
After an intervening decision, San Francisco U.S. District Judge Marilyn Hall Patel ultimately decided that the statute did not cover the alleged CFAA offense committed by Nosal and his accomplices. The government appealed her dismissal, leading to the Ninth Circuit's en banc split of opinion -- Chief Judge Alex Kozinski writing for the majority, and Judge Barry G. Silverman for the dissenters.
Both sides ably, but differently, dealt with interpreting the technical nuances of the statute against the backdrop of the problem Congress was seeking to address. We don't address that here -- rather, we look at the fundamental disagreement over how Judge Kozinski used the potential reach of the statute if, as Kozinski argued, the government's interpretation were accepted by the court. He said that if it were accepted, 1) minors could be prosecuted for violating Google's proscription against their use of its services; 2) Facebook owners would be prosecutable for allowing others to log onto their accounts; and 3) users of dating websites could be subject to prosecution for providing false information such as "tall, dark and handsome." While the government assured the court that it wouldn't prosecute minor offenses such as these, the response by Judge Kozinski was, "[b]ut we shouldn't have to live at the mercy of our local prosecutor. ... And it's not clear we can trust the government when a tempting target comes along." A pretty good argument, don't you think?
But then comes along Judge Silverman, with an equally mighty pen, writing: "This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values." It's about "stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts. ... In ridiculing scenarios not remotely presented in this case, the majority does a good job of knocking down straw men -- far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy." Most importantly, Silverman wrote, "even if an imaginative judge [Kozinski] can conjure up far-fetched hypotheticals producing federal prison terms for accessing word puzzles, jokes, and sports scores while at work, well, ... this is what an as-applied challenge is for." Meaning: "As applied" to the Nosal facts, the statute should be upheld for his conduct. Another good argument!
Here's the real issue. When Congress writes a statute, even throwing in the trash bin the statute's legislative intent, it typically won't write statutes limited to a particular wrong, such as the kind of wrong that Nosal and his confederates allegedly committed. Statutes are typically broad, but sometimes overreaching.
What if Congress were to write a statute more tailored to the specific wrong in Nosal, e.g, "It is illegal to knowingly access company-created information from its computer system and give or transmit it to a third party, without the specific approval of the company's chief executive officer"? I suppose that Judge Silverman would easily dismiss a challenge to such a statute by Nosal copycats charged with violating that statute.
What about Judge Kozinski? In deciding Nosal, he said: "We need not decide today whether Congress could base criminal liability on violations of a company or website's computer use restrictions." One imagines that's precisely what a judge should properly say: basically, "We decide only what is before us." Maybe he would uphold the hypothetical statute, maybe he wouldn't. He found that all he needed to do was apply the rule of lenity -- meaning, if two interpretations of a statute are possible, a court is obliged to apply the more lenient one which, in Nosal, for Judge Kozinski, excluded criminality.
When new statutes are enacted to address new evils, courts are understandably reluctant to interpret the statute too broadly. Kozinski was, indeed, imaginative in hypothesizing the potential reach of the statute if a prosecutor woke up on the wrong side of the bed wanting to indict offending individuals across the board for clearly innocuous offenses.
Still, that the able Judges Kozinski and Silverman can apply the law so differently on such clear-cut facts suggests that the problem doesn't necessarily lie with interpretation of statutes. It might suggest that the Congress isn't always careful enough when it drafts a criminal statute. That's precisely the reason for so many problems over the years with broad-brush statutes such as RICO, money laundering and the U.S. Patriot Act. While we don't want statutes that address societal ills to be drawn too narrowly, we also don't want to accord prosecutors too much discretion, as Judge Kozinski saw as being the potential vice under CFAA. It's worth noting that the disagreement between noted libertarian Kozinski, on the one hand, and Silverman, on the other, may not really be about how they interpret the statute, but more about their idiosyncratic views about the proper role of government in "criminalizing" new-fangled wrongdoing in an ever-changing society.
Either way, Congress needs to use considerable caution in drafting criminal statutes, lest it give the public insufficient guidance on their intended reach and scope. Especially when brand-new mala prohibita are created by Congress, they require pristine clarity -- a status that forefends against able judges so articulately disagreeing over how to apply the law to agreed-upon facts. The most effective stop sign for the would-be traffic violator is one that allows him to see the sign clearly way before he gets to the crossing. And, indeed, a stop sign that everyone knows is a stop sign!
Joel Cohen is a partner in the New York office of Stroock & Stroock & Lavan, where he practices white-collar criminal defense law. He also teaches Professional Responsibility at Fordham Law School. The author is a regular columnist for Law.com. The views expressed are his personal opinions.
