On July 5, 2016, a divided Ninth Circuit panel held that Nosal acted “without authorization” in violation of the CFAA when he or his former coworker co-conspirators used the login credentials of a current employee (Nosal’s former assistant) to circumvent Korn/Ferry’s revocation of authorization in order to gain access to Korn/Ferry’s internal database of information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995. The panel found that the information qualified as a trade secret and rejected Nosal’s challenges to the sufficiency of the evidence and jury instructions. However, the court vacated as excessive the district court’s award of $827,983 in restitution to Korn/Ferry for investigation costs and attorney fees.
In a dissenting opinion, Judge Reinhardt argued that voluntary sharing of a password in violation of an employer or website’s policies is not the kind of criminal computer “hacking” covered by the CFAA.
The amended opinion explained that the imposition of a mens rea element for Section 1030(a)(4) liability—requiring that a defendant’s access be “knowingly and with intent to defraud”—targeted knowing and specific conduct. The circumstance presented by this case, in which former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer, bore “little resemblance to asking a spouse to log in to an email account to print a boarding pass,” as suggested by Nosal, the appeals court said. The facts of this case simply did not invoke “the parade of hypotheticals generated by Nosal and amici.”
In view of the amended opinion, Chief Judge Thomas and Judge McKeown voted to deny the petition for rehearing en banc, while Judge Reinhardt voted to grant the petition. No judge of the full court requested a vote on whether to rehear the matter en banc.