Computer Fraud Cases

After a two-week trial before United States District Court Judge Edward Chen of the Northern District of California, David Nosal—the named defendant in the seminal Ninth Circuit case, United States v. Nosal—was convicted of three counts of violating the Computer Fraud and Abuse Act ("CFAA").1 Mr. Nosal's conviction demonstrates that, despite the Ninth Circuit's narrow interpretation of the "exceeds unauthorized access" element of the CFAA, the CFAA is still a useful tool to prevent trade secret misuse.

CFAA Allegations Against Nosal

Mr. Nosal's road to trial neatly illustrates the shifting scope of the CFAA. The CFAA imposes both criminal and civil liability on a person who "intentionally accesses a computer without authorization" or "exceeds authorized access" in using a computer, thereby obtaining "information" from a computer that is "used in or affecting interstate or foreign commerce."2The CFAA is often used in civil litigation as a tool in combination with state law trade secret claims to prevent the misuse of trade secrets and to obtain federal court jurisdiction over such a dispute.

In 2004, Mr. Nosal left the executive search firm Korn/Ferry International and was found to have persuaded current and former employees of the firm to download confidential information from the company's computers and transfer the information to Mr. Nosal to help him start a competing business. After an investigation of Mr. Nosal's conduct that stemmed from an email from Mr. Nosal intercepted by the FBI, he and some of the employees who assisted him in the transfer of information were indicted. The indictment against Mr. Nosal alleged two categories of CFAA violations. Counts 2 and 4-7 alleged that current employees of Korn/Ferry accessed the company's internal database and disclosed competitively sensitive information to Mr. Nosal (the "Insider Counts"). Counts 3 and 8-9 alleged that former employees of Korn/Ferry, including Becky Christian, used a current employee's password to access Korn/Ferry's "Searcher" database and provide Mr. Nosal with confidential source lists (the "Outsider Counts"). The government brought a total of eight criminal counts against Mr. Nosal under the CFAA, accusing him of "aiding and abetting the Korn/Ferry employees in 'exceed[ing] authorized access with intent to defraud.'"3

The Long Road to Trial

The case against Mr. Nosal was filed in the United States District Court for the Northern District of California in 2008. In 2009, in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the Ninth Circuit limited the scope of the CFAA and held that the term "exceeds authorized access" does not apply to an employee who is authorized to access a computer, but uses the computer in a manner contrary to his employer's interests.

After the Ninth Circuit's ruling in Brekka, Mr. Nosal moved to dismiss the CFAA violations. In 2010, the district court dismissed the Insider Counts, finding that, because current employees had accessed their employer's information "withauthorization," they did not "exceed authorized access."4 However, the district court declined to dismiss the Outsider Counts, recognizing that those counts "presented more complicated questions" because the indictment alleged that former employees, who no longer had access to the database, obtained access to the database and misused confidential information.5

The government appealed the dismissal of the Insider Counts. Initially, a three-judge panel on the Ninth Circuit reinstated those counts, but after the Ninth Circuit heard the decision en banc in 2012, the district court's dismissal of the five Insider Counts was affirmed. There, the Ninth Circuit held that the phrase "exceeds authorized access" in the CFAA is "limited to violations of restrictions on access to information, and not restrictions on its use."6 The court expressed concern about transforming the CFAA into an "expansive misappropriation statute," finding that the purpose of the statute was to "punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets." Id.

In United States v. Morris, a case prosecuted under a previous version of the CFAA that punished “intentionally accessing a Federal interest computer without authorization,” Morris spread a program known as a “worm” that affected computers across the country and caused damage. U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) (Internet worm violated CFAA). Morris argued that he had merely exceeded his authorized access and not accessed the computers without authorization. The court noted that Congress “did not mean to insulate from liability the person authorized to use computers at the State Department who causes damage to computers at the Defense Department.” Id at 511. Further, the court goes on to state that, “Congress did not intend an individual's authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses.” Id. As such, they found that Morris was acting without authorization.

U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (unauthorized browsing of computer files did not violate CFAA)

Defendant was convicted of wire fraud and computer fraud by the United States District Court for the District of Massachusetts, Nathaniel M. Gorton, J., and Robert B. Collings, United States Magistrate Judge. Defendant appealed. The Court of Appeals, Torruella, Chief Judge, held that: (1) interstate transmission element of wire fraud could be inferred from circumstantial evidence that defendant's searches of master taxpayer files caused information to be sent to his computer terminal in different state; (2) defendant's unauthorized browsing of confidential taxpayer information did not defraud Internal Revenue Service (IRS) of its property within

meaning of wire fraud statute; (3) defendant's unauthorized browsing of confidential taxpayer information did not deprive taxpayers of their intangible, nonproperty right to honest government services; and (4) defendant could not be convicted of computer fraud in connection with his browsing of confidential taxpayer files.

EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001)

Tour company sued competitor and individual executives of competitor, alleging that competitor's use of “scraper” software program to systematically glean company's prices from its website violated Computer Fraud and Abuse Act (CFAA), Copyright Act, and Racketeer Influenced and Corrupt Organizations Act (RICO). Company moved for preliminary injunction on CFAA claim. The United States District Court for the District of Massachusetts, Lasker, Senior District Judge, granted injunction, and competitor appealed. The Court of Appeals, Coffin, Senior Circuit Judge, held that: (1) use of “scraper” program “exceeded authorized access” within meaning of CFAA, assuming program's speed and efficiency depended on executive's breach of his confidentiality agreement with company, his former employer, and (2) company's payment of consultant fees to assess effect on its website was compensable “loss” under CFAA.

Pinnacle Ins. Solutions, LLC v. Kolbe, 2014 WL 1272212 (D. N.J. Mar. 27, 2014)

Company insider is accused of passing sensitive information to competitor, directing potential clients away from employer and impugning employer’s reputation. Insider resigns.

Former employer sued in state court on several state law claims and then subsequently sued in federal court for violating the Computer Fraud and Abuse Act along with additional state law and federal law claims.

Defendants moved for dismissal of the federal case requesting that the federal court abstain from considering the complaint under the Colorado River doctrine. After determining the cases were parallel proceedings, the court examined the Colorado River factors and determined that the state court could appropriately adjudicate all of the claims at issue while protecting the plaintiff’s interests and granted the motion to dismiss.

CEO Bernard Ebbers became very wealthy from the increasing price of his holdings in WorldCom

common stock.[5] However, in the year 2000 the telecommunications industry was in decline.

WorldCom’s aggressive growth strategy suffered a serious setback when, in July 2000, it was

forced by the U.S. Justice Department to abandon its proposed merger with Sprint. [5] By that

time, WorldCom’s stock price was decreasing and banks were placing increasing demands on

Ebbers to cover margin calls on his WorldCom stock that were used to finance his other

businesses (timber and yachting, among others).[5] In 2001, Ebbers persuaded WorldCom’s

board of directors to provide him corporate loans and guarantees in excess of $400 million to

cover his margin calls.[5] The board hoped that the loans would avert the need for Ebbers to sell

substantial amounts of his WorldCom stock, as his doing so would result in a further decrease of

the stock's price, however, this strategy failed. In April 2002, Ebbers resigned as CEO and was

replaced by John Sidgmore, former CEO of UUNET Technologies, Inc.

Beginning modestly during mid-1999 and continuing at an accelerated pace through May 2002,

the company—directed by Ebbers (as CEO), Scott Sullivan (CFO), David Myers (Controller) and

Buford "Buddy" Yates (Director of General Accounting)—used fraudulent accounting methods to

disguise its decreasing earnings to maintain the price of WorldCom’s stock.[5]

The fraud was accomplished primarily in two ways:

a. Booking "line costs" (interconnection expenses with other telecommunication companies)

as capital expenditures on the balance sheet instead of expenses. And;

b. Inflating revenues with bogus accounting entries from "corporate unallocated revenue

accounts".

In 2002, a small team of internal auditors at WorldCom worked together, often at night and

secretly, to investigate and reveal $3.8 billion worth of fraud. [6][7][8] Soon thereafter, the

company’s audit committee and board of directors were notified of the fraud and acted swiftly:

Sullivan was dismissed, Myers resigned, Arthur Andersen withdrew its audit opinion for 2001,

and the U.S. Securities and Exchange Commission (SEC) began an investigation into these

matters on June 26, 2002 (see accounting scandal). Sidgmore was instrumental in turning

around the ailing company and in revealing Ebbers' fraud to regulators. Sidgmore died suddenly

in December 2003 from acute pancreatitis.

By the end of 2003, it was estimated that the company's total assets had been inflated by about

$11 billion.[5] This made the WorldCom scandal the largest accounting fraud in American history

until the exposure of Bernard Madoff's $64 billion Ponzi scheme in 2008.

Peregrine’s caseIn 2004, a federal grand jury issued an indictment charging eight former executives of Peregrine Systems, Inc., one former outside auditor of Peregrine, and two outside business partners of Peregrine, with conspiracy to commit a multi-billion dollar securities fraud. The case resulted

from an investigation by the Federal Bureau of Investigation, and the Securities and Exchange Commission had pursued a parallel civil enforcement action.[10]

In 2003, the U.S. Securities and Exchange Commission charged Peregrine with "massive financial fraud" for the purposes of inflating the company's revenue and stock price.[11] Peregrine, without admitting or denying the allegations of the complaint, agreed to a partial settlement.[11]

Peregrine filed suit against its auditor Arthur Andersen in 2002 for $1 billion in damages, for allegedly allowing incorrect audits that overstated revenues by as much as $250 million to be filed for the 2000-2002 fiscal years.[12] In 2003, the former Peregrine CFO, Matthew Gless, pled guilty to fraud charges.[13][14] In 2008, the former Peregrine CEO, Stephen Gardner, was sentenced to eight years and one month in prison for his role in the fraud, which resulted in bankruptcy for the company.[15][16] Although former chairman of the board, John Moores, sold more than $800 million of shares during Peregrine's fraudulent period, the court of appeals determined that there was insufficient evidence that Moores knew about the fraud that led to the company’s bankruptcy