
When Taking Proprietary Information Is Not a Crime

By Wendy H. Schwartz and Jennifer L. Achilles
May 27, 2012

In two decisions issued back-to-back on April 10 and 11, the U.S. Courts of Appeals for the Ninth and Second circuits interpreted three different federal statutes, namely the Computer Fraud and Abuse Act (CFAA), the National Stolen Property Act (NSPA), and the Economic Espionage Act (EEA), in ways that narrowed federal prosecutors' ability to charge former employees for stealing proprietary information from their companies.

According to the Ninth Circuit's decision in United States v. Nosal, --- F.3d ---, 2012 WL 1176119 (9th Cir. April 10, 2012), an employee does not always violate the CFAA by intentionally infringing his company's computer use policy. If an employee was authorized to access the information, and did not gain access through internal hacking, there is no criminal violation of the CFAA regardless of whether the employee misappropriated the information for his own use. Nosal creates a circuit split between the Ninth Circuit on one hand and the Eleventh, Fifth, Seventh and First circuits on the other.

One day after Nosal, the Second Circuit further narrowed the government's ability to prosecute trade secret theft. In United States v. Aleynikov, --- F.3d ---, 2012 WL 1193611 (2d Cir. April 11, 2012), the Second Circuit held that Sergey Aleynikov's conduct was beyond the scope of the NSPA when he misappropriated Goldman Sachs' proprietary source code for high-frequency trading because the source code consisted of “purely intangible property,” and not “goods, wares, merchandise, securities or money.” The court readily acknowledged that its decision might be different if Aleynikov had copied the code on an inexpensive flash drive or CD when he left Goldman. The court also held that Aleynikov's theft was not an offense under the EEA because the computer source code “was not designed to enter or pass in commerce, or to make something that does.” Accordingly, Aleynikov's conviction and eight-year prison sentence were overturned.

Ninth Circuit Interpretation

In Nosal, the government charged David Nosal with violations of the CFAA and other federal statutes after he recruited some of his former colleagues at Korn/Ferry, an executive search firm, to access the company's proprietary information and transfer it to Nosal to help him start a competing business. Nosal was charged with violating the provision of the CFAA that states, “Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ... shall be punished.” 18 U.S.C. § 1030(a)(4). The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not employees who access a computer with authorization and then misuse the information they obtain. The government, on the other hand, argued that the statute reaches beyond hackers to an employee who has unrestricted physical access to information on a computer, but uses it in a way that is prohibited by company policy.

The Ninth Circuit rejected the government's interpretation, finding that it would “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” Accordingly, because Nosal's accomplices had permission to access the company's source lists, names, and contact information, they did not “exceed authorized access” and the CFAA dismissal was affirmed.

Circuit Split

The Ninth Circuit's decision in Nosal creates a circuit split in authority, with the Eleventh, Fifth, Seventh, and First circuits interpreting the CFAA in accordance with the more expansive view advocated by the government. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int'l Airport Ctrs. v. Citrin, 440 F.3d 418 (7th Cir. 2006); EF Cultural Travel v. Explorica, 274 F.3d 577 (1st Cir. 2001).

Cognizant of its departure from its sister circuits, the Ninth Circuit spent the bulk of Nosal explaining how the broad construction of the CFAA would make “criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” For example, employees who intentionally violate their employers' computer use policies by sending personal e-mails and visiting ESPN.com would be potential criminals for “exceeding authorized access” of their employers' computers. This portion of the court's opinion reads like a road map to a potential constitutional challenge to the CFAA for overbreadth and vagueness should its decision be reversed.

The majority in Nosal also pointed out that the government was not without criminal recourse against Nosal because it also charged him with misappropriation of trade secrets under the EEA. If Nosal's case were pending in the Second Circuit, however, Aleynikov would counsel dismissal of that count as well because the source lists, names, and contact information from Korn/Ferry's confidential database were not “produced for” or “placed in” interstate commerce.

The Dissent

In Nosal's written dissent, Judge Barry Silverman criticized the majority for introducing “scenarios not remotely presented by this case,” and “presenting far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct, but innocuous violations of office policy.”

Getting back to the facts of the case, the dissent noted that the indictment alleged that Nosal and his co-conspirators knew they were violating company policy because they signed agreements restricting their use and disclosure of information except for legitimate Korn/Ferry business. The indictment also alleged that, before logging in to the Korn/Ferry computer system, the employees were notified that the information stored on the computers was Korn/Ferry property and that accessing it without relevant authority could lead to disciplinary action and criminal prosecution.

Therefore, according to the Nosal dissent, the employees' theft of their employer's proprietary source lists, names, and contact information with the intent to defraud the employer by setting up a competing business should “adequately state a crime under a commonsense reading of [the CFAA].” Furthermore, the dissent took the majority to task for conjuring up federal prison terms for employees who access sports scores while at work, noting: “that is what an as-applied challenge is for.”

Second Circuit Interpretation

One day after the Ninth Circuit's decision in Nosal, the Second Circuit issued its written opinion in Aleynikov. The Second Circuit overturned Aleynikov's conviction for violating the National Stolen Property Act and the Economic Espionage Act for misappropriating Goldman Sachs' proprietary computer source code. The Second Circuit held that Aleynikov's conduct did not come within the statutory definitions of either federal criminal statute, allowing him to walk free after having been previously convicted by a jury and sentenced to 97 months in prison.

The facts leading to Aleynikov's conviction were widely publicized, and sound vaguely like the first 10 minutes of a James Bond movie. In 2009, Aleynikov was earning $400,000 a year as a computer programmer for Goldman Sachs; his work focused on developing code for Goldman's high-frequency trading system. Goldman closely guarded the secrecy of each of the code's components. Among other things, the company's confidentiality policies prohibited its employees from disclosing its proprietary information, and from taking it with them when their employment ended.

In April 2009, Aleynikov was recruited to become an executive vice president at a Chicago-based startup company that was looking to develop its own proprietary source code for high-frequency trading. The new company expected its source code quickly, and was prepared to pay Aleynikov $1 million a year to develop it. On Aleynikov's last day at Goldman, just prior to his going-away party, he encrypted more than 500,000 lines of Goldman's source code and uploaded it to a server in Germany. When he arrived home that night, he downloaded the source code to his home computer. Aleynikov then flew to Chicago for meetings with his new company, bringing with him portions of the source code; when he returned home, he was arrested by the FBI at the airport.

The government charged him with violating the NSPA, the EEA, and the CFAA. The district court granted Aleynikov's motion to dismiss count three of the indictment, which charged him with violating the CFAA. Just as the Ninth Circuit held in Nosal, the district court in Aleynikov held that Aleynikov had not “exceeded authorized access” under the CFAA because he was authorized to access the source code on the day he misappropriated it to use at his new job. Aleynikov, 737 F.Supp.2d 173, 194 (S.D.N.Y. 2010). The NSPA and EEA claims proceeded to trial, where the jury convicted Aleynikov, and he was sentenced to 97 months in prison. He appealed his conviction under the NSPA and EEA, arguing that his conduct did not fall within the prohibitions set forth in either federal statute. The Second Circuit agreed.

The NSPA makes it a crime to “transport, transmit, or transfer in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted, or taken by fraud.” 18 U.S.C. § 2314. Relying on the Supreme Court's decision in Dowling v. United States, 473 U.S. 207 (1985), the Second Circuit held that Aleynikov's conduct was beyond the scope of the NSPA because his theft and subsequent interstate and foreign transmission were of “purely intangible property,” not “goods, wares, merchandise, securities or money.”

The court readily acknowledged that its decision might be different if Aleynikov had copied the code on an inexpensive flash drive or CD when he left Goldman. In such a case, Aleynikov would have assumed physical control over something when he took the source code, thereby depriving Goldman of its use.

The court next turned to the EEA, a federal statute enacted in 1996 making it a federal crime to misappropriate a trade secret “that is related to or included in a product that is produced for or placed in interstate or foreign commerce.” 18 U.S.C. § 1832. The district court had broadly interpreted the phrase “produced for ... interstate or foreign commerce”; it held that Goldman's source code fell within the language of the statute because the sole purpose for which Goldman developed the code was to execute high volumes of trades in interstate and foreign commerce. Aleynikov, 737 F.Supp.2d at 179.

The Second Circuit disagreed, reasoning that the source code was neither “produced for” nor “placed in” interstate or foreign commerce because Goldman had no intention of selling the code or licensing it to anyone. Because the code stolen by Aleynikov “was not designed to enter or pass in commerce, or to make something that does,” Aleynikov's theft was not an offense under the EEA.

In a written opinion concurring with the majority in Aleynikov, Judge Guido Calabresi expressed his frustration with the EEA's ambiguous language, inviting Congress to “return to the issue and state, in appropriate language, what I believe they meant to make criminal in the EEA.”

Conclusion

It is widely anticipated that the Supreme Court will soon weigh in on the contours of these criminal statutes, or that Congress will take action to clarify their scope. Until then, the Department of Justice (DOJ), at least in the Ninth and Second circuits, will be unable to use the CFAA, the NSPA, and the EEA to prosecute theft of trade secrets unless the information: 1) was obtained by hacking; 2) consisted of more than intangible property; and 3) was designed to enter or pass in commerce.


Wendy H. Schwartz is a partner and Jennifer L. Achilles is a senior associate at Reed Smith in New York. This article also appeared in the New York Law Journal, an ALM sister publication of this newsletter.
