BreachExchange mailing list archives

David Nosal, Employee Data Theft, and Why Employment Lawyers Should Understand Their Clients' IT Infrastructure


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 31 Jan 2014 13:16:21 -0700

http://www.jdsupra.com/legalnews/david-nosal-employee-data-theft-and-wh-63924/

Earlier this month, a federal judge in San Francisco sentenced David Nosal
to a year in prison, three years' supervised release, 400 hours of
community service, and $60,000 in fines. His crime? Nosal violated the
Computer Fraud and Abuse Act ("CFAA"), among other federal statutes, when
he departed from his former employer with a stash of its most sensitive
business data.

Employment law doesn't normally develop in criminal courtrooms, but Nosal's
case is an important exception. The outcome of his pending appeal to the
9th Circuit will almost certainly offer important guidance for employers on
how best to prevent and, where necessary, remedy employee data theft. It'll
likely reinforce a familiar lesson: employers should craft their employee
technology policies with an eye toward the law of data security. A
well-developed IT infrastructure can give an employer substantial legal
advantages and lead to better outcomes when employee data theft occurs.

What Is The CFAA?

To understand the practical importance of Nosal's case, employers should
first understand how the CFAA can apply to departing employees who steal
company data. Congress passed the CFAA in 1986 - before the advent of most
modern information technology - to combat computer hacking. The CFAA makes
it a federal offense to obtain information or perpetrate a fraud either by
(a) accessing a computer "without authorization," or (b) by "exceed[ing]
authorized access" on any such computer. In addition to its criminal
penalties, the CFAA creates a parallel civil cause of action for hacking
victims.

For employers, a key benefit of the CFAA is that it may provide a ticket
into federal court in a data theft case. (It's one of only a few federal
statutes that does so.) The benefits of a federal forum can be significant
for an employer. Particularly in multi-state disputes, the federal system
allows for the streamlined discovery of electronically stored information
in ways that many states do not. Additionally, CFAA plaintiffs need not
prove that the stolen information rises to the level of a trade secret,
which is often a central dispute in other types of data theft cases.

When Is Employee Access To Sensitive Data "Unauthorized" Under The CFAA?

That makes the CFAA important for employers. But just how broadly does its
concept of "unauthorized access" sweep? At the time of its passage, the
CFAA seemed only to target "hacking" in the traditional sense of the word,
i.e., external bad actors who - often from remote locations - secretly
program their way into a company's computer system without ever setting
foot on company premises. (Consider, for example, the recent attack on
Target's computer system.)

Today, however, breaches due to external threats make up only a limited
portion of all yearly data theft in the U.S. In May 2013, the Commission on
the Theft of American Intellectual Property found that "[m]uch [data theft]
occurs the old-fashioned way." The culprit is often a disloyal employee who
had legitimate access to the stolen data through her employment: "Hard
drives are either duplicated on site or physically stolen by bribed
employees; employees are planted temporarily in companies or permanent
employees leave and illegally share proprietary information; . . . and
email accounts are compromised."

At first blush, theft by a disloyal employee would seem to fall outside the
scope of the CFAA. Employees are, after all, typically "authorized" to
access and use hard drives, email accounts, and the proprietary information
they contain in connection with their jobs. So, for employers, is the
CFAA off-limits?

Not quite. In the last decade or so, a handful of federal courts have
applied the CFAA to employee data theft using a duty-of-loyalty theory. The
best-known example is International Airport Centers, L.L.C. v. Citrin, 440
F.3d 418 (7th Cir. 2006), in which Judge Richard Posner reasoned that an
employee who misused a company laptop forfeited his authorization to use
the laptop when he engaged in misconduct. The court held that "Citrin's
breach of his duty of loyalty terminated his agency relationship . . . and
with it his authority to access the laptop, because the only basis of his
authority had been that relationship."

Nosal: Misuse Is Not Unauthorized Access

But then along came David Nosal. In October 2004, Nosal voluntarily
resigned from Korn/Ferry International, a major executive search firm
headquartered near San Francisco. He departed with confidential business
data from Korn/Ferry's internal database of executive candidates. When it
discovered Nosal's theft, the government indicted him for violating the
CFAA, the Economic Espionage Act, and other federal laws. The district
court eventually dismissed the CFAA counts against Nosal, and the
government appealed.

In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the 9th Circuit
affirmed the dismissal of the CFAA counts against Nosal. In a colorful
opinion by Judge Alex Kozinski, the court held that the CFAA does not cover
an employee who merely misuses an employer's information to which he
otherwise has legitimate access. Judge Kozinski viewed the government's
argument to the contrary as creating an essentially unlimited category
of criminal liability:

"Minds have wandered since the beginning of time and the computer gives
employees new ways to procrastinate, . . . . Such activities are routinely
prohibited by many computer-use policies, although employees are seldom
disciplined for occasional use of work computers for personal purposes.
Nevertheless, under the broad interpretation of the CFAA, such minor
dalliances would become federal crimes."

Instead, he wrote, "'exceeds authorized access' in the CFAA is limited to
violations of restrictions on access to information, and not restrictions on
its use." Because the government had not alleged that Korn/Ferry restricted
Nosal's access to the data at issue, it affirmed the dismissal.

Unfortunately, that rule wasn't good news for employers in the 9th Circuit,
who now face a significant obstacle when pursuing CFAA claims against
thieving employees. According to Nosal, they must allege and prove that the
offending employee had no authorization to access the stolen data for any
purpose.

Nosal's Case Goes On

But the case hasn't ended there. Nosal's indictment contained several other
CFAA counts that the 9th Circuit didn't consider on appeal. On remand,
those counts presented another intriguing question about the CFAA: can a
former employee violate the CFAA through an agent?

Consider, for example, a case in which employees Jack and Jill work for
Acme, Inc. Jack voluntarily resigns from Acme, thereby terminating his
authorization to use its computer systems. Jill, however, still works for
Acme and is authorized to access its computer network. Jack then asks Jill
to steal data from the Acme network on his behalf. By herself, Jill is
immune from CFAA liability under Nosal, because she is authorized to access
the network. But Jack has no such authorization. May the government
prosecute him under the CFAA for asking Jill to pass him data that she
herself may legitimately access?

In United States v. Nosal, 930 F. Supp. 2d 1051 (N.D. Cal. 2013), a federal
district judge overseeing Nosal's prosecution on the remaining counts said
yes. The government alleged that - in addition to the theft he personally
committed - Nosal and a co-conspirator had persuaded then-current
Korn/Ferry employees to steal valuable business data on Nosal's behalf. At
the time of the theft, those employees were authorized to access the
information, but Nosal and the co-conspirator were not. Nosal moved to
dismiss those counts, arguing that "[B]ecause [a then-current employee]
allowed Defendant's co-conspirators to use her credentials to access the
Korn/Ferry system, the co-conspirators cannot be said to be acting
'without authorization'. . . ."

The court disagreed and denied the motion to dismiss. "[T]he Ninth Circuit
made clear," it held, "that it is the actions of the employer who maintains
the computer system that determine whether or not a person is acting with
authorization," a rule established in LVRC Holdings LLC v. Brekka, 581 F.3d
1127 (9th Cir. 2009). Applying Brekka, the court found that "the CFAA
appears to contemplate that one using the password of another may be
accessing a computer without authorization." Nosal has indicated that he
will likely challenge that conclusion on appeal.

So What Does All This Mean For Employers?

On a practical level, what does this mean for employers? Nosal's second
appeal will likely reaffirm Brekka's principle that "it is the actions of
the employer who maintains the computer system that determine whether or
not a person is acting with authorization." In other words, the ways in
which an employer designs its information technology infrastructure can
have far-ranging legal consequences for its business. To anticipate those
consequences, employers should:

- Implement access controls with the law of data security in mind. The
manner in which an employer restricts access to its business data can make
or break a subsequent CFAA claim. For each category of business data,
employers should impose clear requirements dictating who may access it and
who may not. Of course, well-developed access controls have other benefits,
too. The Uniform Trade Secrets Act, for example, defines "trade secret" to
include only information that "is the subject of efforts that are
reasonable under the circumstances to maintain its secrecy." Trade secret
plaintiffs commonly meet that requirement by offering evidence of thorough
access controls.

Deciding to implement effective access controls in the abstract is easy.
Actually doing so isn't, for a number of reasons. For one thing, the
particular controls that an employer should adopt depend heavily on the
specifics of its broader IT infrastructure and business needs. Password
protection alone may in some cases be too lax, especially if the employer
has not developed a clear electronic technology policy for its employees.
On the other hand, overly-restrictive controls might inhibit communication
among employees, hampering productivity and innovation. To achieve the
right balance, employers need more than abstract legal knowledge; they (and
their counsel) should carefully analyze the particulars of their business
goals and IT infrastructure in light of the standards and ground rules set
by the applicable law of data security.

- Use IT to determine the full scope of data theft. Nosal's conviction also
usefully illustrates the value of a well-designed IT infrastructure in
uncovering evidence of theft, particularly when it comes to exiting
tech-savvy employees. Had the evidence shown that only Nosal himself
accessed Korn/Ferry's confidential database, the CFAA charges against him
would likely have failed. However, because the evidence revealed the
involvement of multiple other co-conspirators, the government successfully
showed that Nosal "accessed" its computer system through an agent, and at a
time when he had no right to do so for any purpose.

Careful analysis of a departing employee's company computer media can
easily yield such key evidence. That analysis is as much a lawyer's work as
it is an IT professional's. A normal computer's hard drive contains far too
much information for anybody to digest completely, which means that
computer forensic investigators often need guidance on where and what to
look for. Many investigators are familiar with the basic technical aspects
of data theft - rapid file access, indicia of USB and cloud storage
activity, etc. - but even the best investigators may miss key evidence.
Evidence of illegal solicitation or a fragment of a web-based personal
email to a co-conspirator may be lurking in a computer's slack and
unallocated space, but if an investigator focuses solely on an employee's
use of external storage devices, she may miss it. A lawyer's involvement in
the forensic investigation is often necessary to unearth such key facts.
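The two recommendations above, restricting access per data category and keeping records that later reveal the scope of a theft, are easier to see in code than in the abstract. The following Python sketch is an added example, not code from the article or from any of the parties it discusses; the account names, roles, data categories and timestamps are constructed for illustration. It encodes access rules as restrictions on who may read each category (the distinction the Nosal opinion turns on), revokes access on separation, and writes every decision to an audit log that a reviewer can summarize per account.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed policy: each data category lists the roles permitted to read it.
# The rule restricts ACCESS to a category, not how the data is later USED,
# which is the line the 9th Circuit drew in Nosal.
ACCESS_POLICY: Dict[str, Set[str]] = {
    "candidate_database": {"recruiter", "research_analyst"},
    "client_contracts": {"account_manager", "legal"},
    "payroll": {"hr"},
}


@dataclass
class Account:
    username: str
    roles: Set[str]
    active: bool = True  # set to False on separation; revokes all access


@dataclass
class AuditEvent:
    when: datetime
    username: str
    category: str
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    accounts: Dict[str, Account]
    policy: Dict[str, Set[str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def check(self, username: str, category: str, when: datetime) -> bool:
        """Decide one read request and record the decision and its reason."""
        acct = self.accounts.get(username)
        if acct is None:
            allowed, reason = False, "unknown account"
        elif not acct.active:
            allowed, reason = False, "account deactivated"
        elif category not in self.policy:
            allowed, reason = False, "unknown category"
        elif acct.roles & self.policy[category]:
            allowed, reason = True, "role permitted"
        else:
            allowed, reason = False, "role not permitted for category"
        self.audit_log.append(AuditEvent(when, username, category, allowed, reason))
        return allowed

    def offboard(self, username: str) -> None:
        """Separation: the account stays on file for the log, but access ends."""
        self.accounts[username].active = False

    def access_report(self, category: str, since: datetime) -> Dict[str, int]:
        """Permitted reads of one category per account since a given date."""
        counts: Dict[str, int] = {}
        for ev in self.audit_log:
            if ev.category == category and ev.allowed and ev.when >= since:
                counts[ev.username] = counts.get(ev.username, 0) + 1
        return counts


def demo() -> dict:
    """Constructed walkthrough: a departing recruiter and a current colleague."""
    ac = AccessControl(
        accounts={
            "jack": Account("jack", {"recruiter"}),
            "jill": Account("jill", {"recruiter"}),
            "pat": Account("pat", {"hr"}),
        },
        policy=ACCESS_POLICY,
    )
    t0 = datetime(2014, 1, 6, 9, 0)
    results = {}
    results["jack_before"] = ac.check("jack", "candidate_database", t0)
    ac.offboard("jack")  # Jack resigns; his own access now fails
    results["jack_after"] = ac.check("jack", "candidate_database", t0 + timedelta(days=1))
    results["pat_wrong_category"] = ac.check("pat", "candidate_database", t0)
    # Jill's role permits each read, so the policy allows all forty; the
    # per-account report is what makes the volume visible to a reviewer.
    for i in range(40):
        ac.check("jill", "candidate_database", t0 + timedelta(hours=i))
    results["report"] = ac.access_report("candidate_database", since=t0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The report deliberately counts by the credential that was used, not by who benefited from the read. A review that sees a current employee's account reading a category unusually often after a colleague's departure has a lead worth handing to counsel and the forensic team; the policy itself cannot tell a legitimate read from one performed on a former employee's behalf, which is exactly why the article pairs access controls with after-the-fact investigation.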

Nosal's case is an important reminder that employers should plan ahead when
it comes to data security. We will track his appeal as it progresses.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss