EDWARD M. CHEN, District Judge.
Pending before the Court is Defendant's motion to dismiss three counts of violating the Computer Fraud and Abuse Act ("CFAA"). Docket No. 274, 276.
The original indictment in this case was filed on April 10, 2008. Docket No. 1. The first superseding indictment was filed on June 28, 2008. Docket No. 42. The superseding indictment brings various charges against Defendant, including eight charges of violating the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030(a), for aiding and abetting his co-conspirators in securing unauthorized access to a protected computer with intent to defraud and obtain something of value. Id. ¶ 21 (counts 2-9). The following facts are taken from the first superseding indictment.
Defendant is a former employee of Korn/Ferry, an executive search firm headquartered in Los Angeles with offices in San Francisco and Redwood City, California. Superseding Indictment ("SI") ¶¶ 1-2. The company is a leading provider of executive recruitment services, assisting companies to fill executive and other high level positions. SI ¶ 1. Defendant worked for Korn/Ferry from approximately April 1996 until October 2004. SI ¶ 2. When he ceased his employment with the firm, he entered into Separation and General Release Agreement, and an Independent Contractor Agreement with Korn/Ferry. SI ¶ 2. In these agreements, he agreed to serve as an independent contractor to Korn/Ferry from November 1, 2004 through October 15, 2005. SI ¶ 2. He also agreed not to perform executive search or related services for any other entity during the term of his contract. SI ¶ 2. In return, he received compensation in the amount of $25,000 per month. SI ¶ 2. Despite these agreements, Defendant began to set up his own rival executive search firm with the assistance of three other current or former Korn/Ferry employees, Becky Christian, J.F., and M.J. SI ¶¶ 3-5. J.F. was Defendant's assistant while he was a Korn/Ferry employee, and continued to be employed by Korn/Ferry after Defendant's departure. SI ¶ 4. M.J. was a Korn/Ferry employee until approximately March of 2005. SI ¶ 5.
Christian, who is also named as a defendant in the superseding indictment, was employed by Korn/Ferry from approximately September 1999 to approximately January 2005. SI ¶ 3. After leaving Korn/Ferry, she set up an executive search firm known as Christian & Associates, though she was in fact working with Defendant to set up his executive search firm. SI ¶ 3. Christian generally retained 20% of the revenues from the searches the two conducted, while Defendant retained 80%. SI ¶ 3.
Korn/Ferry maintained the "Searcher" database, a proprietary database of executives and companies. SI ¶ 6. Using the "Custom Report" feature of the database, Korn/Ferry employees were able to created targeted reports on executives, companies, and prior search engagements Korn/Ferry had conducted for clients. SI ¶ 6. The database was also capable of producing "source lists," or candidate lists, which were provided to client companies with regards to a particular position they were trying to fill. SI ¶ 8. Korn/Ferry had built up the information contained in the Searcher database over many years, and considered it to be one of the most comprehensive databases of its kind in the world. SI ¶ 7.
Korn/Ferry took a number of steps to preserve the confidential nature of the Searcher database, including controlling electronic access to the database, and controlling physical access to the servers on which it was stored. SI ¶ 9. Korn/Ferry employees received unique user names and passwords that allowed them to access the company's computer systems, including the Searcher Database. SI ¶ 9. These passwords were intended for use by
Korn/Ferry also explicitly noted the confidential and proprietary nature of the information from the Searcher database on reports and in the computer logon process. SI ¶ 11. All custom reports generated from the database had the phrase "Korn/Ferry Proprietary and Confidential" written across the top. SI ¶ 11. When an individual logged on to the Korn/Ferry computer system, the following notification was displayed
SI ¶ 11.
The superseding indictment alleges that Defendant, along with co-conspirator Christian and others, "did steal, and without authorization knowingly take by fraud, artifice, and deception, trade secrets from Korn/Ferry's computer system, including source lists." SI ¶ 15. The indictment alleges that individual co-conspirators and others obtained these source lists and other trade secrets by using their own Korn/Ferry usernames and passwords prior to and upon termination, and that they did so without authorization and in excess of authorization. SI ¶ 16. Defendant and co-conspirators also obtained trade secrets from Korn/Ferry's computer system by using, either directly or through J.F., J.F.'s Korn/Ferry username and password, and that this was done without authorization and in excess of authorization. SE ¶ 17. The specific factual allegations related to the various CFAA counts in the first superseding indictment are as follows:
During the fourth quarter of 2004, just prior to the end of her employment with Korn/Ferry, Christian downloaded custom reports from the Searcher database containing over 3000 records. SI ¶ 19j. She took copies of these reports with her when she left the firm. SI ¶ 19j.
On or about April 11, 2005, Christian sent an email to J.F. that stated in part, "It is to [sic] difficult to explain the searcher run I would need to log in as you." SI ¶ 19a. The next day, Christian emailed Defendant three Korn/Ferry source lists of Chief Financial Officers ("CFOs") that had been downloaded from the Searcher database earlier that day using J.F.'s username and password. SI ¶ 19b. These source lists were marked as proprietary and confidential. SI ¶ 19b. Defendant and Christian later used individuals on this source list in performing a Chief Financial Officer ("CFO") search for Company B. SI ¶ 19e.
The second superseding indictment specifies that it was Christian who downloaded the source lists after J.F. provided Christian with her password. Second Superseding Indictment ("SSI") ¶ 19a. Christian did not have authorization from Korn/Ferry to access its computer system at that time. Id.
Also in April 2005, Company C retained Defendant to conduct a search for a senior vice president of human resources. SI ¶ 19h. The CEO of Company C emailed Defendant on April 25, 2005, asking Defendant
On or about May 26, 2005, M.J. contacted J.F., requesting that J.F. obtain information from the Searcher database on 17 individuals, and on a specific prior Korn/Ferry search engagement. SI ¶ 19l. M.J. had obtained the names of at least some of the individuals from Defendant. SI ¶ 19l. J.F. obtained the requested information from the Searcher database, and copied the files containing the information onto a C.D., which J.F. then provided to M.J. SI ¶ 19l. Defendant later used at least some of this information in a meeting with a prospective client. SI ¶ 19l.
On or about June 3, 2005, J.F. performed a query within the Searcher database for human resources managers at M.J.'s request. SI ¶ 19m. This query yielded a list of approximately 366 executives, which J.F. then exported to a spreadsheet titled "Choc Chip Cookie Recipes," and burned to a C.D. titled "Choc Chip Cookies." SI ¶ 19m. J.F. later provided this C.D. to M.J. for use in the search for Company C. SI ¶ 19m.
On or about June 23, 2005, J.F. used the Searcher database to create a custom report for senior vice president supply chain managers working at various companies. SI ¶ 19n. This report listed approximately 1,205 executives. SI ¶ 19n. J.F. later provided the custom report to Christian, who used it in an executive search. SI ¶ 19n.
On or about July 12, 2005, an individual used a computer at Defendant's San Francisco offices to remotely log into Korn/Ferry's computer network using J.F.'s username and password. SI ¶ 19f. A co-conspirator then ran queries for information on two of the individuals who were being considered for Company B's CFO position. SI ¶ 19f. The following month, Company B announced that it had hired one of these two individuals. SI ¶ 19f.
The second superseding indictment does not identify who logged onto the computer, but does specify that Christian was the one who ran the queries, and that she additionally downloaded two source lists from the Korn/Ferry system. SSI ¶ 19f.
On or about July 29, 2005, J.F. used M.J.'s computer in Defendant's offices to remotely log into the Korn/Ferry computer network with her username and password. SI ¶ 19o. She then turned the computer over to M.J., who used the Searcher database to download information from the database to the computer, including 25 source lists. SI ¶ 19o.
On January 12, 2009, Defendant filed a motion to dismiss various counts in the superseding indictment, including the CFAA counts. Docket No. 84. Defendant argued that the CFAA does not cover misuse or misappropriation of information obtained by employees with authorization to access the information, and that the counts should thus be dismissed because the indictment alleges nothing more. Id.
In September 2009, the Ninth Circuit decided LVRC Holdings LLC v. Brekka, which interpreted the CFAA's prohibition on accessing computers "without authorization" or "exceeding authorized access." 581 F.3d 1127, 1133-35 (9th Cir.2009). In light of Brekka, Defendant filed a renewed motion to dismiss on October 5, 2009. Docket No. 122. Judge Patel granted Defendant's motion as to counts two, and four through seven, those counts which were predicated on allegations that Christian, J.F., or M.J. accessed Korn/Ferry's computers while they were still employed by Korn/Ferry, and thus still permitted to access the Searcher database. Docket No. 135 at 9.
The government appealed these dismissals to the Ninth Circuit. A three judge panel of the Ninth Circuit reversed, but Defendant successfully sought en banc review, and the en banc panel of the Ninth Circuit upheld the dismissals. United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). Though counts three, eight, and nine were not considered on appeal, Defendant now argues that the Ninth Circuit's decision in Nosal requires that those claims be dismissed as well.
Under Rule 12 of the Federal Rules of Criminal Procedure, a Defendant may make a motion to dismiss before trial raising "any defense, objection, or request that the court can determine without a trial of the general issue." Fed.R.Crim.P. 12(b)(2). In analyzing a motion to dismiss an indictment, the court must accept the truth of the facts alleged in the indictment. United States v. Boren, 278 F.3d 911, 914 (9th Cir.2002). "An indictment will withstand a motion to dismiss `if it contains the elements of the charged offense in sufficient detail (1) to enable the defendant to prepare his defense; (2) to ensure him that he is being prosecuted on the basis of the facts presented to the grand jury; (3) to enable him to plead double jeopardy; and (4) to inform the court of the alleged facts so that it can determine the sufficiency of the charge.'" United States v. Rosi, 27 F.3d 409, 414 (9th Cir.1994) (quoting United States v. Bernhardt, 840 F.2d 1441, 1445 (9th Cir.1988)).
An indictment will be found defective and dismissed if it fails to recite an essential element of the charged offence. United States v. Godinez-Rabadan, 289 F.3d 630, 632 (9th Cir.2002). The Supreme Court has held that "[i]t is generally sufficient that an indictment set forth the offense in the words of the statute itself, as long as those words of themselves fully, directly, and expressly, without any uncertainty or ambiguity, set forth all the elements necessary to constitute the offence intended to be punished." Hamling v. United States, 418 U.S. 87, 117, 94, 94 S.Ct. 2887, 41 L.Ed.2d 590 (1974) (internal citations and quotation marks omitted). The Ninth Circuit has noted, however, that "implied, necessary elements, not present in the statutory language, must be included in an indictment." United States v. Jackson, 72 F.3d 1370, 1380 (9th Cir.1995). On the other hand, indictments are not required to incorporate judicial decisions that have interpreted the statutory language. United States v. Renteria, 557 F.3d 1003, 1006-07 (9th Cir.2009).
The CFAA provides criminal penalties for an individual who:
18 U.S.C. § 1030(a)(4). In order to establish a violation of this provision, the government must show that Defendant "(1) accessed a `protected computer,' (2) without authorization or exceeding such authorization that was granted, (3) `knowingly' and with `intent to defraud,' and thereby (4) `further[ed] the intended fraud and obtain[ed] anything of value." Brekka, 581 F.3d at 1132. The statute does not define the term "authorization," but does define the phrase "exceeds authorized access" as meaning "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." Id. § 1030(e)(6).
Judge Patel initially denied Defendant's motion to dismiss the CFAA counts under this provision. Docket No. 105. Judge Patel recognized that the Ninth Circuit had not yet addressed whether the CFAA applied to a user who was otherwise authorized to access a computer but who did so with the intent to misuse or misappropriate information. Id. at 6. Surveying cases from other circuits, however, she concluded that "A CFAA violation under section 1030(a)(4) occurs when a person accesses a protected computer knowingly and with the intent to defraud — which renders the access unauthorized or in excess of authorization — and then, by means of such conduct, the person furthers the intended fraud." Id. at 8. As Defendant and his co-conspirators had accessed the Searcher database with the intent to make unauthorized use of the information therein, Judge Patel found that they were thus acting without authorization or in excess of authorized access. Id. at 9-10.
Shortly thereafter, the Ninth Circuit considered the interpretation of the term "without authorization" under the CFAA in Brekka. 581 F.3d at 1133-35. In that case, which arose under the provision of the CFAA that allows a private right of action for anyone who suffers damage from violations of one of the criminal provisions of that Act, an employer sued a former employee who had allegedly acted without authorization in emailing certain work files to his personal computer. Id. at 1129-30. At the time the defendant emailed himself the files, he was an employee with authorization to access the files in question in the course of performing his duties. Id. The employer argued, however, that he had violated the CFAA because he accessed and transmitted the files not for the purposes of executing his duties, but to further his own personal interests. Id. at 1132.
The court rejected this argument, and held that whether an employee using an employer's computer is acting with authorization depends not on the user's intent, but on the employer's actions to grant or deny permission to use the computer or relevant content. Id. at 1135. The court held that the prohibition on accessing a computer "without authorization" referred to one who "accesses a computer without any permission at all, while a person who `exceeds authorized access,' has permission to access the computer, but accesses information on the computer that the person is not entitled to access." Id. at 1133. Based on this interpretation of the statute, the court concluded that the defendant had not acted either without authorization or in excess of his authorization because he had possessed authorization to access the relevant files at the time that he emailed them, and his motivation for doing so did not render his access "without authorization." Id. at 1135.
Considering the remaining counts under the CFAA, Judge Patel noted that on its face, the indictment did not explicitly specify who accessed the Searcher database in the incidents that are the basis for counts three and eight. Id. at *12; see SI ¶¶ 19b, 19f, 21. At the December 16, 2009 hearing on the motion to reconsider, the government indicated that at trial it intends to introduce evidence that it was Christian who accessed the database on those occasions. Docket No. 135 at 12; Def.'s Opp. at 3. In light of this disclosure, Judge Patel declined to dismiss those counts. Docket No. 135. at 12. As noted above, the second superseding indictment amends these counts to include allegations that Christian accessed the database on those occasions. SSI ¶ 19. As to count nine, Judge Patel noted that the indictment specifically alleged that J.F. had logged onto the database and then turned over access to M.J., who was then no longer a Korn/Ferry employee. Id. at 12-13; SI ¶¶ 19o, 21. As this count specifically alleged database access by an individual without authorization, Judge Patel denied the motion to dismiss this count. Docket No. 135 at 13.
The government appealed the dismissal of counts two and four through seven. On appeal, the Ninth Circuit sitting en banc rejected the government's argument that this case is distinguishable from Brekka because Korn/Ferry had an explicit policy forbidding use of the contents of the Searcher database for purposes other than performing one's duties as a Korn/Ferry employee. 676 F.3d at 857-58. The court held "that `exceeds authorized access' in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use." Id. at 863-64. In so holding, the court expressed concern that interpreting the CFAA to create criminal penalties for violations of use agreements "would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute." Id. at 857. The court thus rejected the argument that an individual could be liable for accessing a computer in excess of authorization when they had permission to access the information on a computer, but did so for a purpose not condoned by the relevant use agreement. Id.
The court noted that a related provision of the CFAA provided criminal penalties for exceeding authorized access of a computer even without any culpable intent. Id. at 859. Allowing a definition of "exceeds authorized access" that includes actions that violate use agreements (as opposed to access restrictions) would create sweeping criminal liability for users of the numerous websites and computer systems that have lengthy use agreements that often go unread by users. Id. at 860-62. Since the court found that the plain language of the CFAA did not clearly create liability for violations of use agreements, the rule of lenity precluded interpreting
Defendant now argues that the Ninth Circuit's opinion in Nosal limits the applicability of the CFAA to not just unauthorized access but to hacking crimes where the defendant circumvented technological barriers to access a computer. Thus, Defendant argues, the remaining CFAA claims must be dismissed because they do not include allegations that Defendant or his co-conspirators circumvented any technological access barriers.
The Ninth Circuit acknowledged that the CFAA was passed "primarily to address the growing problem of computer hacking." Id. at 858. The court further rejected the government's argument that accessing a computer "without authorization" was intended to refer to hackers, while accessing a computer in a way that "exceeds authorized access" necessarily refers to authorized users who access a computer for an unauthorized purpose.
Id. at 858 (emphasis in original). The court noted that the Defendant's "narrower interpretation [of the CFAA] is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking — the circumvention of technological access barriers — not misappropriation of trade secrets — a subject Congress has dealt with elsewhere." Id. at 863.
The court did not, however, explicitly hold that the CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute. For example, the court did not revisit the elements of crimes under § 1030(a)(4) as articulated in Brekka, where it held the elements of a violation of that provision were: (1) accessing a protected computer; (2) without authorization or exceeding such authorization that was granted; (3) knowingly and with intent to defraud; and thereby (4) furthering the intended fraud and obtaining anything of value. Brekka, 581 F.3d at 1132. Nowhere does the court's opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4). Instead, Nosal holds only that it is not a violation of the CFAA to access a computer with permission, but with the intent to use the information gained thereby in violation of a use agreement. 676 F.3d at 863-64. The court did not address limits on liability under the CFAA based on the manner in which access is limited, whether by technological barrier or otherwise. Id. Thus, Defendant's interpretation is not a fair reading of Nosal on this front is simply incorrect. Hacking was only a shorthand term used as common parlance by the court to describe the general purpose of the CFAA, and its use of the phase
Even if Nosal added a "circumventing technological access barriers" element to crimes under § 1030(a)(4), the indictment sufficiently alleges such circumvention. As the government points out "password protection is one of the most obvious technological access barriers that a business could adopt." Gov.'s Opp. at 1. Faced with this reality, Defendant acknowledges that the Ninth Circuit did not offer a definition of hacking, and urges this Court to look to the definition in the Digital Millenium Copyright Act, which provides that to "`circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A). However, there is no legal basis to incorporate into the CFAA the Digital Millenium Copyright Act which was passed 14 years after the CFAA and which concerned matters separate and distinct from the CFAA.
Defendant argues that the remaining CFAA claims fail because they do not allege "J.F.'s password was obtained illegally or without her consent." Def.'s Mot. at 5. Defendant's argument is premised in part on the notion that because J.F. allowed Defendant's co-conspirators to use her credentials to access the Korn/Ferry system, the co-conspirators cannot be said to be acting "without authorization" in accessing the Searcher database. In Brekka, however, the Ninth Circuit made clear that it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization. Brekka, 581 F.3d at 1135 ("The plain language of the statute therefore indicates that `authorization' depends on actions taken by the employer."). Further, the CFAA appears to contemplate that one using the password of another may be accessing a computer without authorization, as it elsewhere provides penalties for anyone who "knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization." 18 U.S.C. § 1030(a)(6).
Additionally, Defendant argues that the CFAA does not cover situations where an employee voluntarily provides her password to another by analogizing to the law
The factual scenario presented in count nine, does, however, raises the question of how to interpret the term "access" in the CFAA. Defendant argues that J.F. was the individual "accessing" the Korn/Ferry system when she logged in using her password, and that M.J.'s use of the system after the login does not constitute unauthorized "access" within the meaning of the statute. The government, on the other hand, argues that "access" encompasses ongoing use, including M.J.'s unauthorized use of the system after J.F. logged in.
In support of its argument, the government cites to two Senate Reports from the CFAA's legislative history. The first, from the 1996 amendments to the CFAA, notes that "the term `obtaining information' includes merely reading it." Sen. Rep. No. 104-357, at 7 (1996). The government argues that just as "obtaining information" may include merely reading, so too may access be as simple as reading the materials in question.
The Court need not opine on whether § 1030(a)(4) should be read so broadly as to encompass the situation where an unauthorized person looks over the shoulder of the authorized user to view password protected information or files. The allegation in Count Nine is that J.F. logged on to the computer using her credentials, then handed over the computer terminal to M.J., who ran his own searches through the Korn/Ferry database and then downloaded files therefrom.
Functionally and logically, this is no different than if J.F. gave M.J. the password, and M.J. typed in the password himself. The only distinction differentiating the two scenarios is one based on a constrained and hypertechnical definition of "access" in which access focuses solely on the moment of entry and nothing else. Not only would such a definition produce a non-sensical result; it is not supported by the language of the statute. The crime under § 1030(a)(4) is "accessing" a protected computer, or not "entering" or "logging on to" a protected computer. 18 U.S.C. § 1030(a)(4). Nothing in the CFAA suggests anything other than a common definition of the term "access," applies. The Oxford English Dictionary defines "access" as, inter alia, "[t]he opportunity, means, or permission to gain entrance to or use a system, network, file, etc." See Oxford English Dictionary, www.oed.com (emphasis added); see also Black's Law Dictionary (defining access as, inter alia, "[a]n opportunity or ability to enter, approach, pass to and from, or communicate with"). The common definition of the word "access" encompasses not only the moment of entry, but also the ongoing use of a computer system. Under the facts alleged in the indictment, M.J. "proceeded to query Korn/Ferry's Searcher database and download information, after obtaining initial access." SI ¶ 19o. That J.F. entered the password for him rather than having M.J. type it himself does not alter the fact that in common parlance and in the words of the CFAA, M.J. accessed the protected computer system, and he did not have authorization to do so.
For the foregoing reasons, Defendant's motion to dismiss the third, eighth, and ninth counts of the first superseding indictment is
This order disposes of Docket Nos. 274 and 276.
IT IS SO ORDERED.
Sen. Rep. No. 104-357, at 7 (1996) (quoting Sen. Report No. 99-432, at 6-7 (1986), 1986 U.S.C.C.A.N. 2479, 2483-2484).
