He won his case before the U.S. Court of Appeals for the Ninth Circuit and made new law in the process.
But David Nosal’s legal odyssey, which started in 2005, isn’t done yet.
This coming week, the former executive of Korn/Ferry International will stand trial on charges he broke into the recruiting firm’s computerized database and stole information to use in a rival executive search business.
The case, which yielded a key decision narrowing the 1984 Computer Fraud and Abuse Act, gets under way before U.S. District Judge Edward Chen in San Francisco amid new controversy over the law, which critics call vague and outdated.
Civil liberties advocates complain the statute’s language and harsh penalties can be applied to pranksters or pests as readily as to serious criminal hackers and international cyberterrorists. To many, the suicide of computer programmer and Internet activist Aaron Swartz earlier this year while facing prosecution under the statute illustrates the potential for abuse.
If some groups want a narrow reading of the computer crime law, civil practitioners who specialize in employment and trade secret matters are watching Nosal’s case with a very different view, noting the Ninth Circuit decision in U.S. v. Nosal, 676 F.3d 854, has already restricted how companies here can go after rogue employees.
Ruling en banc last year, the Ninth Circuit dealt a major blow to the government’s prosecution, tossing out five charges and adopting one of the nation’s most restrictive interpretations of criminal liability under the statute.
Reflecting that the law was intended to combat computer hacking offenses, the court held that individuals cannot be criminally prosecuted for merely running afoul of their employer’s computer use policies or violating a website’s terms of service. Earlier this year, Chen upheld three remaining computer fraud counts against Nosal which relied on different facts.
Now a jury will consider what’s left of the government’s case and decide whether Nosal directed a criminal conspiracy to hack into Korn/Ferry’s computer system as prosecutors allege or fell victim to a corporation eager to squash an upstart competitor.
The defense team of Dennis Riordan of Riordan & Horgan and S.F. solos Steven Gruel and Martha Boersch hopes to convince jurors that the case is an overblown business dispute, not a federal crime. This is a rare trial for Riordan, an appellate specialist. He did not return a phone call and email seeking comment. Boersch, a former federal prosecutor in the Northern District, declined to comment on the case.
Nosal faces three computer hacking charges, one conspiracy count and two charges for theft of trade secrets.
Jury selection starts Monday and the legal lineup not only showcases notable criminal lawyers but also brings together two adversaries from the perjury trial of Barry Bonds — Riordan, who was part of the team that defended the former Giants slugger, and Assistant U.S. Attorney Matthew Parrella, chief of the region’s Computer Hacking and Intellectual Property, or CHIP, unit. Parrella is joined by Assistant U.S. Attorney Kyle Waldinger and DOJ appellate specialist Jennifer Ellickson, who argued the case before the Ninth Circuit.
The government’s witness list includes Nosal’s former girlfriend, Becky Christian, who took a plea deal. The defense indicated last week it may call as witnesses Korn/Ferry’s outside counsel at O’Melveny & Myers, including partner Sharon Bunzel, a former federal prosecutor in the Northern District. O’Melveny assisted in the internal investigation that led to criminal charges in the case.
The last-minute inclusion of Bunzel and other O’Melveny lawyers on Nosal’s witness list caused a scrap last week as it would mean that Korn/Ferry’s lawyers could be barred from court proceedings. "Nosal’s gambit lacks any legitimate justification and would deprive Korn/Ferry of substantial rights," wrote O’Melveny New York partner Mark Robertson.
CFAA on trial
There have not been many criminal trials under the Computer Fraud and Abuse Act, known as CFAA, which provides penalties for an individual who "accesses a protected computer without authorization, or exceeds authorized access" as part of a fraudulent scheme.
In one high-profile case, prosecutors used the statute to go after Missouri mother Lori Drew, who created a false MySpace account and used it to taunt a teenage girl. When the girl, Megan Meier, committed suicide, prosecutors in the Central District of California charged Drew under a theory that her violation of the MySpace user agreement constituted unauthorized access to a computer.
A jury, which acquitted on several charges, found Drew guilty of a misdemeanor, though the trial judge dismissed that conviction.
In a more recent case, prosecutors in the Eastern District of California indicted Matthew Keys, a 26-year-old digital journalist, on charges that allege he gave hackers his credentials to access the computer system of The Los Angeles Times.
A different provision of the statute is central to the prosecution of several individuals accused in the 2010 cyberattack on PayPal Inc. as retaliation for the company’s actions against WikiLeaks founder Julian Assange. That case is pending before U.S. District Judge D. Lowell Jensen in San Jose.
Split on the statute
Public opinion is not unified on how to handle such cases and neither are the courts, said Jennifer Granick of the Stanford Center for Internet and Society. Federal appeals courts have adopted conflicting interpretations of what constitutes unauthorized access to a computer and members of Congress are currently debating two proposals to amend the CFAA — one known as "Aaron’s Law," after Swartz, would narrow its application, while the other would expand it and increase maximum penalties for many violations to 20 years or more, she said.
"Because the language is vague and the way we’ve used computers has changed so much, there has been a great amount of litigation and dispute about what unauthorized access means," Granick said. "Some litigants have pushed the idea your access is unauthorized if you’re violating an employment contract, or violating terms of a service agreement, or acting in a manner that is disloyal."
That view, rejected by the Ninth Circuit in Nosal, has been embraced by some appeals courts, including the Fifth and Eleventh circuits, Granick noted. "The political debate then is do we want heavy criminal and civil sanctions for violations of terms of service that people don’t even read."
Debate over the statute has drawn interest from criminal defense lawyers and civil practitioners alike, since the law also provides civil remedies and can be a tool for companies in disputes with departing employees.
Employment lawyers at Wilson Sonsini Goodrich & Rosati issued a client alert last month explaining the latest ruling in Nosal’s case and how it relates to employees who are accused of accessing a company’s computer system for illicit purposes.
Even within the firm, opinions differ. Fred Alvarez, head of the firm’s employment law group, said the Ninth Circuit has taken away an avenue for employers to address unauthorized access to their computer systems. Companies can still go after rogue employees for stealing trade secrets, though that generally requires an extra level of proof, he said.
Wilson partner Charles "Tait" Graves, who focuses on IP litigation and counseling, sees it differently. He said the Ninth Circuit "achieved the right result." The innovation-based economy in Silicon Valley demands that employees are free to leave established companies and start new businesses without reprisal.
"There are two big problems with the statute," Graves said. "It’s not very clearly worded and some courts around the country have allowed it to be twisted."
Paul Hastings partner Bradford Newman, who chairs the firm’s Silicon Valley employment law practice, said the circuit split the case created is confusing to employers and limits their ability to stop data theft.
"It’s absolutely absurd that you can be an employee sitting in one circuit and be liable for misusing your computer access and be sitting here in the Ninth Circuit and do the same thing and not be liable under the same statute," Newman said.
Competition or criminal?
Since Nosal’s indictment in 2008, 16 district and appellate judges have weighed in on the computer hacking charges.
Nosal worked for Korn/Ferry from 1996 to 2004 and ascended to head the firm’s CEO practice based in Silicon Valley. He previously led Korn/Ferry’s West Coast board practice and was managing director for the central and northwest regions.
In 2004 Nosal was passed over for promotion, according to prosecutors, and decided to leave Korn/Ferry and start his own business. In late 2004 Nosal agreed to work as an independent contractor for Korn/Ferry for one year at a salary of $25,000 per month, and pledged in a formal separation agreement not to engage in a competing business.
But Nosal didn’t keep his side of the bargain, according to prosecutors. Starting in early 2005 Nosal persuaded colleagues to use their credentials to run searches on Korn/Ferry’s proprietary database for his private clients.
When word of those activities reached the company’s general counsel, Peter Dunn, the firm launched an investigation that resulted in civil litigation and a referral to the FBI. Nosal now runs Nosal Partners, an executive search business he founded in 2005.
In 2010 then-U.S. District Judge Marilyn Hall Patel dismissed five computer hacking counts against Nosal in a decision appealed by the government. A three-judge panel of the Ninth Circuit reinstated the charges in April 2011, only to be reversed one year later in a 9-2 en banc decision authored by Chief Judge Alex Kozinski.
The court held that so long as the employee accessing Korn/Ferry’s database was authorized to do so, there was no crime under the CFAA, regardless of how information was ultimately used.
"Because Nosal’s accomplices had permission to access the company database and obtain the information contained within, the government’s charges fail to meet the element of ‘without authorization, or exceeds authorized access,’" Kozinski wrote.
Following Nosal’s Ninth Circuit victory, the defense pushed for dismissal of three remaining CFAA counts but was unsuccessful.
On March 12 U.S. District Judge Chen, who inherited the case from Patel, upheld the charges, which allege non-Korn/Ferry employees logged into the firm’s "Searcher" database using a borrowed password or had an employee log in for them. That might not be a sophisticated form of hacking, but it still qualifies as a crime under the Ninth Circuit interpretation of the statute, Chen wrote.
"If the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA would be rendered toothless," Chen stated. "Surely Congress could not have intended such a result."
At a final pretrial hearing, Riordan previewed the argument he’ll make to jurors, insisting Korn/Ferry gave Nosal authorization to use its database as part of his consulting contract. Moreover, Riordan maintains the noncompete agreement Nosal entered with Korn/Ferry was legally invalid.
After the years of appellate wrangling, it will soon be up to a jury to decide Nosal’s guilt or innocence.
As for the fate of the CFAA, Orin Kerr, a professor at George Washington University who is an expert on the law, said the issue is likely to land at the U.S. Supreme Court. "The justices are going to have to answer this," Kerr said.
Vanessa Blum writes for The Recorder, a Daily Report affiliate.