Contractor Convicted for Misappropriating Employee Password

By Jeffrey Rhodes Aug 17, 2016

​Misappropriation of employee passwords can be a criminal offense.

A consultant violated the Computer Fraud and Abuse Act (CFAA) and Economic Espionage Act (EEA) when he instructed former employees to access a company computer using a current employee's user ID and password, the 9th U.S. Circuit Court of Appeals ruled.

Korn/Ferry International, a global executive search firm, employed David Nosal as a regional director until 2004, when Nosal was passed over for a promotion. Nosal sought to resign, but Korn/Ferry negotiated with him to stay on board as an independent contractor for a year. Korn/Ferry offered him substantial compensation in exchange for his continued consulting services and his signature of a blanket noncompetition agreement.

Despite these negotiations, Nosal secretly acted to start his own search firm with other Korn/Ferry employees, including Becky Christian, Mark Jacobson and Nosal's former executive assistant, Jacqueline Froehlich-L'Heureaux. On Dec. 8, 2004, Korn/Ferry revoked Nosal's access to its computers, although it permitted him to ask Korn/Ferry employees for research help on his remaining executive searches. 

To conduct executive searches, Korn/Ferry compiled a database called "Searcher," which contained a list of over 1 million executives and their work histories and contact information that Korn/Ferry had collected from public and private sources. Korn/Ferry maintained this database on its computer system, which was protected by a unique username and password issued to each employee at the start of employment. Korn/Ferry also required each employee to sign a confidentiality agreement that prohibited password-sharing. When Searcher generated a report for a user, it displayed a message that stated "This product is intended to be used by Korn/Ferry employees for work on Korn/Ferry business only."

Christian left Korn/Ferry in January 2005. Under instructions from Nosal, she set up a competing executive search firm called Christian & Associates. Nosal retained 80 percent of fees from that new venture. Jacobson resigned a few months later and joined Christian & Associates, but Froehlich-L'Heureaux remained employed at Korn/Ferry at Nosal's request. Korn/Ferry revoked the access of Christian and Jacobson to its computer system. Nosal assumed the name "David Nelson" in working with Christian & Associates to interview candidates for executive searches.

In April 2005, Nosal instructed Christian to obtain source lists from Korn/Ferry's Searcher database to expedite their work for a new client. Christian asked Froehlich-L'Heureaux for her username and password, and Christian used the credentials to log in to Korn/Ferry's computer system and run queries in Searcher. Christian sent the results of her searches to Nosal. Christian again logged in as Froehlich-L'Heureaux in July 2005 to generate a custom report and search for information on three individuals. Jacobson also logged in as Froehlich-L'Heureaux to download information on 2,400 executives. None of these searches related to any of the searches that Nosal was authorized to conduct for Korn/Ferry as an independent contractor. 

In March 2005, an unnamed source e-mailed Korn/Ferry and informed it that Nosal was running his own business in violation of his noncompetition agreement. Korn/Ferry launched an investigation and, in July 2005, contacted government authorities. The government first prosecuted Nosal under the CFAA and EEA, alleging that Nosal conspired with Christian and Froehlich-L'Heureaux to access Searcher using their own credentials in violation of company policy. The district court dismissed the indictment, and the 9th Circuit affirmed. 

The government filed a second indictment in February 2013 alleging that Nosal conspired with Christian and Jacobson to access Korn/Ferry's system using Froehlich-L'Heureaux's credentials. Nosal was convicted under the CFAA and EEA and sentenced to one year and one day in prison. He was also ordered to pay a $60,000 fine, a $600 special assessment and approximately $828,000 in restitution.

On appeal, the 9th Circuit found that, based on these facts, Nosal was properly convicted under the CFAA as an accomplice and for "unauthorized downloading, copying and duplicating of a trade secret" under the EEA. 

United States v. Nosal, 9th Cir., Nos. 14-10037, 14-10275 (July 5, 2016).

Professional Pointer: This ruling has potentially far-reaching implications due to the common practice of password-sharing at many workplaces. Employers should maintain confidentiality agreements and notify employees of their restricted access to company electronic systems and equipment to preserve the confidentiality of electronic data and to prevent unfair competition by former contractors and employees after their departure.

Jeffrey Rhodes is an attorney with Doumar Martin in Arlington, Va.


Job Finder

Find an HR Job Near You
Post a Job


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect