Accessing Database Violates Computer Fraud and Abuse Act and Economic Espionage Act – Ninth Circuit Affirms Criminal Conviction of Former Employee

The Ninth Circuit recently filed its latest installment in the saga involving David Nosal and his former employer, Korn/Ferry International, an executive search firm. Korn/Ferry maintains a proprietary database of executive candidates for its paying customers.  Nosal, a former Korn/Ferry executive, set up a competing business.  Allegedly desiring the information in Korn/Ferry’s database for his competing business, Korn/Ferry alleged that Nosal tried two methods to access it: (1) using his own user name and password to download information before his departure; and (2) after his departure, using the user name and password of a willing accomplice who was still employed by Korn/Ferry.

Nosal was charged with violating a criminal provision of the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), which states, “[w]hoever…knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value…shall be punished.” This provision also provides for civil liability.  In a prior decision, United States v. Nosal (“Nosal I”), 676 F.3d 854 (9th Cir. 2012) (en banc), the appellate court held the CFAA does not prohibit Nosal’s first act—using his user name and password to obtain Korn/Ferry’s information during his employment—because using information in an unauthorized way is not “exceed[ing] authorized access.”

In United States v. Nosal, No. 14-10037 (9th Cir. July 5, 2016) (“Nosal II”), the court held Nosal’s second act—obtaining Korn/Ferry’s information by logging in to the database with the user name and password of a willing currently-employed accomplice—does violate the CFAA.  The panel, by a vote of 2-1, held such activity violated the unambiguous meaning of the phrase “access a protected computer without authorization.”  The court noted its holding is in accord with all other circuits to have addressed this issue: the Second, Fourth and Sixth Circuits.  Accordingly, the court affirmed Nosal’s conviction.

The dissent, which the majority largely ignored, would have held that because Nosal had the “authorization” of the willing accomplice, he did not violate the CFAA. The dissent was concerned that the majority’s broader reading of “authorization” may criminalize innocent acts—including what the dissent termed “password sharing,” such as a former employee who accesses his former employer’s database using a current employee’s credentials to assist his former colleague for a legitimate reason.

In a portion of the opinion that may be overlooked given the long-running drama over whether the CFAA should be interpreted broadly or narrowly, the Ninth Circuit also affirmed Nosal’s conviction for trade secret theft under the Economic Espionage Act, 18 U.S.C. § 1832 (“EEA”). Nosal appealed his conviction in part on the ground the information contained in the Korn/Ferry database was not a trade secret because it contained publicly-available information and was akin to a customer list.  The appellate court rejected Nosal’s contentions, and held – significantly – that a list of customers may qualify for trade secret protection.  Moreover, the court noted the database was more than a mere list of executive candidates.  The database contained information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995.  When launching a new search to fill an open executive position, Korn/Ferry could compile a “source list” of potential candidates, which was the result of a query run through a proprietary algorithm that generated a custom subset of possible candidates.  The court held the jury was permitted to find the database contained Korn/Ferry’s trade secrets.

Nosal II has two implications for the civil remedies available to employers to protect their trade secrets and other property. First, because the CFAA provides for civil causes of action, the decision affirms an employer’s right to sue a former employee who accesses its data by using someone else’s credentials.  Second, in light of the Defend Trade Secrets Act—which provides a civil claim for trade secret misappropriation under the EEA and relies on the same definitions supporting the EEA—Nosal II affirms that customer lists and related information deserve legal protection.

Jackson Lewis attorneys are available to answer questions regarding this case and other workplace developments.

Colorado Broadens Whistleblower Protection for State Employees Who Disclose Confidential Information

Tim Kratz and Kristen Baylis in our Denver office have reported on an important new law in Colorado, extending whistleblower protection to state employees who disclose confidential information in the context of reporting waste, mismanagement of public funds, abuses of authority or illegal and unethical practices to a designated “whistleblower review agency.”  To review the article, click here

This type of protection is in line with the whistleblower immunity provided by the new federal Defend Trade Secrets Act (to review our recent article regarding the new federal Defendant Trade Secrets Act, click here) and indicative of a trend placing limits not only on non-competition agreements, but also on the extent to which trade secrets can be protected.

 

 

California Federal Court Grants TRO Under New Federal Trade Secrets Law

In the first decision under the federal Defend Trade Secrets Act of 2016 (DTSA), which was signed into law on May 11, 2016, a California federal court has granted a temporary restraining order (TRO) against a sales consultant who changed employers and allegedly stole confidential data in violation of federal and state trade secret laws and employment agreements. In Henry Schein, Inc. v. Cook, No. 16-cv-03166-JST, 2016 U.S. Dist. LEXIS 76038 (N.D. Cal. June 10, 2016), the district court entered a TRO enjoining the defendant from using or disclosing the plaintiff’s confidential information and trade secrets and from soliciting customers that were assigned to her during her employment.

Background

The defendant Jennifer Cook was employed by the plaintiff Henry Schein, Inc. (“HSI”), a distributor of medical, dental and veterinary supplies and equipment, from April 2005 to May 13, 2016 when she resigned and began working for one of HSI’s competitors, Patterson Dental. Cook was a Field Sales Consultant for HSI who entered into confidentiality and non-solicitation agreements in 2005 and 2011 that prohibited her from copying or taking any of HSI’s confidential information.  HSI alleged that Cook: (1) forwarded from her work email account, to her personal email account, HSI customer practice reports and additional customer-related reports, including an equipment inventory report, price quotations for prospective customers, and equipment proposals; (2) logged into HSI’s system and effectively updated onto her laptop HSI customer related sales and ordering data and then failed to return her laptop for two weeks; (3) accessed HSI’s computer system on the day she resigned, enabling her to obtain on her iPad, large amounts of ordering and purchase data for each of the HSI customers that had been assigned to her; (4) attempted to erase the e-mails she sent from her HSI computer; and (5) attempted to divert HSI customers to Patterson Dental, including by visiting the offices of certain HSI customers and deleting the HSI product ordering icon from their computer systems and destroying HSI catalogues and business cards.

On June 9, 2016, HSI sued Cook in federal district court and asserted a federal claim for misappropriation of trade secrets under the DTSA as well as seven other state law claims, including, among others, claims under the California Uniform Trade Secrets Act and California Unfair Competition Law and for breach of contract. HSI filed an application for a TRO on the same day that it filed its lawsuit.

One day later, on June 10, 2016, the federal district court found that HSI was likely to succeed on the merits of its claims because it demonstrated that Cook e-mailed and downloaded, to her personal devices, confidential information from HSI before leaving her employment to work at a competitor and Cook had signed agreements containing confidentiality and non-solicitation provisions. The court also found that Cook would suffer no undue hardship from the entry of a TRO because HSI only requested that Cook be enjoined from soliciting HSI customers to which she was assigned – conduct that was already prohibited under her confidentiality and non-solicitation agreement.  Finally, the court found that the public interest is served when a defendant is asked to do no more than abide by trade laws and the obligations of contractual agreements signed with her employer.  Accordingly, the court granted a TRO prohibiting Defendant from accessing or using HSI information and from contacting or soliciting HSI customers.  Notably, the court did not require a bond because the TRO would not cause any damage to Cook’s legitimate business and in her contracts with HSI she agreed that HSI could seek injunctive relief without a bond.

Lessons Learned

The swift grant of a TRO by the federal district court demonstrates the utility of the new federal trade secrets law in protecting trade secrets and holding employees accountable for violating contractual and common law obligations to employers who provide them with access to confidential information and trade secrets to further business interests.

To review our prior posts regarding the Defend Trade Secrets Act of 2016, please click here and here.

Jackson Lewis attorneys are available to answer questions regarding this case and assist employers with trade secrets protection under the Defend Trade Secrets Act of 2016.

 

New Connecticut Statute Restricting Physician Non-Compete Agreements

Edward M. Richters has written on the Jackson Lewis website about a new Connecticut law, Senate Bill 351 (as amended), which establishes significant new restrictions on physician non-compete agreements in Connecticut.  http://www.jacksonlewis.com/publication/new-connecticut-statute-restricts-physician-non-compete-agreements

 

 

Defend Trade Secrets Act Set to Become Law

For the first time, there will be a federal private right of action for misappropriation of trade secrets. The Defend Trade Secrets Act (“DTSA”), passed by both houses of Congress, is headed to President Barack Obama for his signature and his office has stated it “strongly supports” the legislation. The DTSA will become effective upon the President’s signature and will apply to any misappropriation of trade secrets that occurs on or after the date it is signed by the President.

On April 4, the U.S. Senate passed the DTSA by a vote of 87-0. In a procedural maneuver, the Senate bill was presented to the House for a vote on April 27, and it passed by a vote of 410-2. For additional information, see our articles, Defend Trade Secrets Act Advances: Getting Closer to Law? and Defend Trade Secrets Act — Congress Tries Again.

Companies that are victims of trade-secret theft will have an alternative to state law (and thus, to the state courts in which cases often are brought) to bring a civil action to enjoin violations of trade-secret theft and to seek a remedy for violations that already have occurred.

State Law

Although there are similarities between the DTSA and state trade secrets acts, the uncertainty of protection for trade secrets from one state to another, as well as the chilly reception in some state courts to out-of-state plaintiff companies, created bi-partisan support for the DTSA. With its federal forum and federal remedy, the DTSA, over time, will create a nationwide body of law and provide a degree of predictability to company litigants.

The DTSA does not preempt state trade secrets laws, and state law and state courts will remain an option for victims of trade secret theft. Companies still will need to consider whether the state law and court is preferable to the DTSA and federal court. However, the DTSA will help protect trade secrets across multiple jurisdictions. Even companies with operations in only one state can benefit significantly from access to federal courts and federal judges under the DTSA, particularly if the relevant state courts have been slow to respond, or even hostile, to trade-secrets litigation. Moreover, the DTSA does not prevent companies from having their cases heard in federal court alongside parallel, “pendent” claims under any state trade secret act — in effect, favorable state trade secret law may accompany federal DTSA claims in the same case.

Inevitable Disclosure

One important distinction between the DTSA and some state trade secret laws may be the potential availability of the “inevitable disclosure” doctrine under state law in some circumstances. The DTSA expressly rejects the “inevitable disclosure” doctrine and precludes a court from enjoining a person from entering into an employment relationship. The Act further requires evidence of threatened misappropriation rather than merely information that the person knows.

Seizure Orders

The DTSA’s most significant substantive addition to trade secret protection, and certainly its most controversial, is its authorization of ex parte seizure orders — a provision that, since the first iteration of the DTSA in 2012, had derailed passage of the legislation. The DTSA strictly limits the ability of a court to issue a seizure order. Such an order must be the “narrowest” necessary to achieve the purpose of the order, according to the Senate bill.

Further, the circumstances under which such an order can be issued also are limited. Filing a complaint does not mean a seizure order will be automatically, even likely, issued; fairly substantial proof will be required to obtain this extraordinary interim remedy. In addition, a court can impose significant sanctions on a plaintiff who wrongfully obtains an order to seize another’s property.

Notice

The DTSA imposes conditions on a successful plaintiff’s recovery of attorneys’ fees and exemplary damages. Attorneys’ fees and exemplary damages are not recoverable unless the employer has provided the defendant employee, consultant, or contractor with notice of certain immunity from criminal and civil prosecution granted by the DTSA to persons who disclose trade secrets by the means provided by the DTSA (principally, to government agencies and under seal in court proceedings).

The notice must be in any contract or agreement that governs the use of trade secrets or confidential information. It applies to contracts and agreements that are entered into, or updated, after enactment of the DTSA. Therefore, all new non-disclosure agreements, confidentiality agreements, employment agreements, consulting agreements, and independent (or other) contractor agreements containing non-disclosure provisions must include the required notice. Failure to include the notice may preclude availability of a significant financial recovery.

***

Significant, too, is what DTSA does not change, in particular, the need to adhere to best practices in protecting trade secrets. The DTSA does not eliminate the need for companies to identify their trade secrets, protect them against inappropriate use or disclosure, and establish the steps taken to maintain their secrecy. For example, documents containing trade secrets should be labeled as confidential, their distribution should be limited, they should be maintained in secure areas (e.g., locked cabinets), and individuals who are privy to such secrets should be trained on the nature of that information and how to safeguard it. Similarly, access to computer files containing such information should be restricted, and those with access should be trained on the files’ confidentiality. Following such steps not only can limit the risk of inappropriate use or disclosure, but also may prove invaluable when seeking a court’s protection for the trade secrets involved. All this will remain true under the DTSA.

For companies with multi-state operations, and even for companies with single-state operations but whose trade secrets are portable across state lines (by hard copy documents or electronically), the DTSA affords a new weapon to protect trade secrets nationwide. In addition, because trade secrets litigation often involves violations of non-competition or non-solicitation agreements, such claims also may be brought in federal court in tandem with the alleged DTSA violation. Thus, the DTSA may provide a new, meaningful alternative to state court litigation when seeking to protect trade secrets and related unfair competition. Finally, all agreements with non-disclosure provisions should include the notice provision required by the DTSA.

Jackson Lewis attorneys are available to answer inquiries regarding this and other workplace developments and assist with trade secrets protection.

9th Circuit: Claims proceed in California despite French forum selection clause

A federal appeals court has held a forum selection clause in a non-disclosure agreement does not cover trade secret misappropriation and related claims that are not based on the agreement. In re Orange, S.A. v. United States District Court, 2016 U.S. Ap. LEXIS 648 (9th Cir. 2016).  Telesocial is a San Francisco start-up, formed in 2008, to solve a unique telecommunications problem: how to enable telephone calls between users of social media without the need for telephone numbers.  To remedy the problem, Telesocial created a custom software application (app) named “Call Friends,” which allows users of social networks (such as Facebook) to place carrier-based phone calls directly to other users.  Orange, a French telecommunications provider, approached Telesocial about a possible agreement to acquire the app.  Orange and Telesocial executed a non-disclosure agreement (“NDA”) to facilitate the discussions, during which Telesocial allowed Orange personnel to download and use the demonstration app.  The NDA included a forum selection clause, which stated, “[a]ny and all dispute, controversy, claim or question arising out of or relating to the Agreement including the validity, binding effect, interpretation, performance or non performance thereof shall first be submitted to the respective authorized management of the Parties for discussion in good faith and amicable resolution.  In the event the Parties cannot resolve such dispute on an amicable basis within (30) thirty days after the beginning of such discussion and after making their best efforts to do so, then the Parties hereto irrevocably consent that the matter shall be submitted to the Court of Paris (France).”

Orange abruptly terminated negotiations, electing instead to create the technology itself. Telesocial subsequently filed an action in the Northern District of California, alleging violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, California state law claims for breach of contract for violating Telesocial’s “Terms of Use” regarding the demonstration app, breach of the covenant of good faith and fair dealing, theft of trade secrets, and unfair competition.  The district court denied Orange’s motion to dismiss under the terms of the forum selection clause, holding the claims were outside the clause’s scope.  Orange petitioned the Ninth Circuit for a writ of mandamus.  The Ninth Circuit denied the petition, agreeing that the claims were outside the clause’s scope.

The Ninth Circuit reasoned that Telesocial’s CFAA, theft of trade secrets, and unfair competition claims were predicated on Orange’s using fictitious names to use Telesocial’s app and hacking into Telesocial’s servers after Orange ceased the discussions at the center of the NDA. Telesocial’s contract claims, moreover, stemmed from a breach of Telesocial’s “Terms of Use” agreement.  Nothing in the claims required the district court to interpret, let alone reference, the NDA to issue a ruling on Telesocial’s claims.  The Ninth Circuit distinguished precedent affording a broader interpretation to combination arbitration/forum selection clause, in part on ground that arbitration agreements, unlike forum selection clauses, are to be given broad interpretations where possible.

The takeaway: although forum selection clauses are often an important tool in structuring business relationships to minimize disruptive litigation, they have limits which parties need to consider.

Utah Enacts New Laws Addressing Post-Employment Restrictions and Unauthorized Computer Use

Utah

Conrad S. Kee from our Salt Lake City office and Cliff Atlas, co-chair of the firm’s non-compete practice group have written on the firm’s website about two new important laws in Utah, the Post-Employment Restrictions Act and the Computer Abuse and Data Recovery Act.

LexBlog