David Nosal sentenced; case narrowed the definition of “exceeding authorized access” under CFAA (update1)
I’ve been following the David Nosal case on this blog since April 2011, when the Ninth Circuit held that an employee who violates his employer’s computer use policy is guilty of “exceeding authorized access” to the employer’s computer under the federal anti-hacking statute, CFAA. In June 2011, Nosal filed a petition for rehearing en banc (see Orin Kerr’s post), and the court heard oral argument in December 2011. In April 2012, they handed down their opinion, which narrowed the definition of “exceeding authorized access” and held that violating use restrictions did not constitute “exceeding authorized access” under the CFAA (see Orin Kerr’s post on the ruling).
In April 2013, Nosal was convicted:
Evidence at trial showed that Nosal, 55, of Danville, entered into an agreement with other Korn/Ferry employees in 2004 to take confidential and proprietary materials from Korn/Ferry’s computer system to be used in a new business that Nosal intended to establish with those individuals after he left Korn/Ferry’s employment in late 2004. The evidence showed that two of those employees downloaded large numbers of “source lists” (essentially, targeted lists of candidates developed by Korn/Ferry for the purpose of filling particular positions at particular client-companies) prior to their own departures from Korn/Ferry. Thereafter, those two employees used the Korn/Ferry log-in credentials of another conspirator who was still employed at Korn/Ferry to download additional source lists and other information from Korn/Ferry’s computer system in April and July 2005 for use in Nosal’s new business.
In August, his conviction was upheld on appeal.
Today, Nosal was sentenced to 12 months and one day in prison followed by three years’ supervised release to include community service (according to tweets by Hanni Fakhoury of EFF, who was present in court). I haven’t seen any media coverage of today’s development, but I imagine Orin Kerr will have something to say about it.
You can find some of the court filings in the case on EFF’s site.
Update 1: Media coverage by Julia Love of The Recorder has an interesting quote from Nosal after the verdict:
“We suspect the government has an ulterior motive to expand hacking laws with two or three cases around the country like this,” he said.
Indeed, the cybersecurity bill that Senator Leahy reintroduced this week would expand CFAA along the lines that President Obama had suggested in 2011 by making conspiracy to hack subject to the same criminal penalties as the underlying offense.