John C. Fox and Candee ChambersThe OFCCP Week in Review (WIR) is a simple, fast and direct summary of relevant happenings in the OFCCP regulatory environment, authored by experts John C. Fox and Candee Chambers. Alexa Morgan, a founder and Partner of Fox, Wang & Morgan P.C., joins today’s edition and shares insight into the case now known as Nosal II. In today’s WIR, we cover:

  • Recruiters Sharing a Password Was a Crime
  • OFCCP’s Budget is Going Down Again
  • 10 More States Sue Obama Over Transgender Protections

Tuesday, July 5, 2016: Ninth Circuit Rules that a Recruiter’s Use of a Voluntarily Shared Computer Password is a Federal Crime

A divided 3-Judge panel of the U.S. Court of Appeals for the Ninth Circuit (San Francisco) held that a former manager and recruiter for Korn/Ferry (David Nosal) violated the Computer Fraud and Abuse Act (CFAA) when he accessed Korn/Ferry’s electronic recruiting database after he had terminated from Korn/Ferry. To accomplish the fraud, recruiter Nosal used his Korn/Ferry assistant’s login and password, with her permission while she remained at Korn/Ferry (sleeper cell). Korn/Ferry’s database is considered to be one of the most comprehensive executive candidate databases in the world. United States v. Nosal (Nosal II), 9th Cir., No. 14-10275, 7/5/16.

However, the Korn/Ferry refugees used the Korn/Ferry assistant’s password with her permission…which is the fact which makes this case both interesting and important.

Recruiter Nosal worked as an executive for Korn/Ferry International, an executive search firm. Upon terminating from Korn/Ferry, Nosal launched a plan to start a competing recruiting firm with three current Korn/Ferry employees. Although, Korn/Ferry revoked Nosal’s access to its computers when he left the firm, Nosal’s colleagues (who were still working at the firm) continued to access and download confidential information on the database on Nosal’s behalf. After two of Nosal’s colleagues left to join him, they continued to access the Korn/Ferry database by using the login and password of the third colleague (Nosal’s former assistant, who remained an employee of Korn/Ferry at Nosal’s request). However, the Korn/Ferry refugees used the assistant’s password with her permission….which is the fact which makes this case both interesting and important. Nosal and his three colleagues were later indicted for violations of the CFAA, which subjects to criminal punishment anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access (emphases added), and by means of such conduct furthers the intended fraud and obtains anything of value.” 18 U.S.C. § 1030(a)(4). The indictment alleged that Nosal’s co-conspirators exceeded their authorized access to their employer’s computer system in violation of § 1030(a)(4) by obtaining information from the computer system for the purpose of defrauding their employer and helping Nosal set up a competing business.

In 2012, all 29 active Judges of the Ninth Circuit dismissed five of the eight CFAA counts against Nosal (in a case now called Nosal I). A year later, a jury convicted Nosal of the remaining CFAA counts, as well as two counts of violating the Economic Espionage Act (EEA) for theft of trade secrets. While Nosal I addressed the meaning of the “exceeds authorized access” prohibition under the CFAA, Nosal II addressed the “without authorization” prohibition, emphasized above. The majority last week upheld the jury’s conviction of Nosal, finding that Nosal had knowingly and intentionally accessed a Korn/Ferry computer “without authorization” by downloading information with a current employee’s password. The court relied on its 2009 LVRC Holdings LLC v. Brekka decision, which held that “[A] person uses a computer ‘without authorization’ under [the CFFA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” The court stated that “access without authorization” is a simple concept:

“[Access] “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.”

Although the sole dissenting Judge in last week’s 9th Circuit’s decision thought Nosal did not violate the CFFA because he and his colleagues accessed the database using a current employee’s password with her permission, the majority was not persuaded by this argument. The two Judges in the majority last week noted that Nosal’s former assistant did not have the authority to provide her password to former employee’s whose computer access had been revoked. Although the ultimate outcome of the case seems appropriate in light of the facts of the case, the majority’s decision has the potential to criminalize even innocent password sharing. As the dissenting Judge pointed out:

“It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told customers that no one but the customer may access the customer’s account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates. It is not “advisory” to ask why the majority’s opinion does not criminalize this under § 1030(a)(2)(C); yet, the majority suggests no answer to why it does not.”

“…the majority’s decision has the potential to criminalize even innocent password sharing…”

Until the courts provide further clarification as to the limitations, if any, of the Nosal II holding (which may come soon as a result of another pending Ninth Circuit password sharing case, Facebook v. Power Ventures), even seemingly innocuous password sharing, particularly in the recruitment arena, could constitute a criminal offense.

Practice Tip 1: Employees:  If you are going to share a corporate computer password, get written permission from an appropriate superior. Why written permission?  Would you rather be sure…or in jail?

Practice Tip 2: Employees: Read your corporate handbook and follow its password and information sharing rules.

Practice Tip 3: Company Managers: If you do not have a corporate handbook password and information sharing policy…get one. Draw your lines clearly, so employees know what’s right and what’s wrongful conduct and are not left unsure or left to guess whether they are committing a criminal offense.

Wednesday, July 6, 2016:  OFCCP Budget For Next Fiscal Year Appears to be Going Down, Again

The United States House of Representatives Appropriations Committee announced its FY2017 Budget Proposal for OFCCP on this date and proposed to reduce it almost $5 million dollars from last years enacted budget of $105,476,000 (a little over $105 million) to a proposed $100,500,000 (a little over $100 million)….a difference of $4,976,000 (almost $5 million) from the prior FY. The House Appropriations’ Committee’s proposal as to OFCCP came as part of the much larger budget proposal the Committee released in a Bill to fund next year (FY2017) the Departments of Labor, Health and Human Services and Education and related agencies. (Click on the link for the Budget Proposal for OFCCP (above) and then scroll down to the bottom of the Committee’s explanation of its budget Bill, and then click on the link to the Bill itself, and then scroll down to the last two sentences of page 17 to find the Committee’s budget two-line recommendation for OFCCP).

To derive the size of the proposed reduction to OFCCP’s FY2016 budget, you have to first review the OFCCP budget for this year = FY2016. To find that, access OFCCP’s Budget Justification for FY2017 at page 2 which reports OFCCP’s FY2016 budget, AS ENACTED) = $105,476,000.

To put the House Appropriations Committee’s almost $5M proposed budget reduction in context and translate it to an understanding of what it might mean operationally next year to OFCCP, you must also know that OFCCP’s operating expenses increase about $2 million each year. At page 3 of OFCCP’s FY2017 Budget Justification (see above link), OFCCP reported to the Congress, for example, that it expected $1,931,000 (almost $2 million) in increased costs this coming Fiscal Year 2017 above and beyond its FY2016 budget (see far right-hand column of pages 3 and 4: “Changes from prior year’s budget”) and then total $931,000 + $401,000 + $205,000 + $389,000 = $1,931,000).

Next, please remember that earlier this month, The United States Senate Appropriations Committee passed a bi-partisan bill (which was a first in the Obama Administration for that Committee as to these agency budgets) by a vote of 29-1 proposing exactly a $1M reduction to OFCCP’s FY2017 budget. See DirectEmployers’ Week-In-Review article for Monday June 13, 2016. So, the two Appropriations Committees now need to meet in “Conference” and resolve the almost $4M differences in their proposals before sending a  consolidated and agreed budget Bill to The President for signature (or veto).

Committees now need to meet in “Conference” and resolve the almost $4M differences in their proposals before sending a  consolidated and agreed budget Bill to The President for signature (or veto).

Senate OFCCP Budget Proposal $104,476,000
House OFCCP Budget Proposal $100,500,000
Total Difference $3,976,000


If the House and Senate Conference Committee meets in the middle to reconcile their competing views of the budget – their usual convention (except for the big important agencies: DoD/GSA/NASA/Homeland Security), you would expect OFCCP to lose about $2M in budget ($3,976,000 cut in two=$1,988,000) for coming FY2017, and thus OFCCP would have a budget (absent veto) of about $102,488,000 ($104,476,000 – $1,988,000); However, if that almost $2M budget reduction were to in fact occur, that would also mean that OFCCP has to also pay for its $2M of increased costs from that reduced budget…so $2M + $2M = about a $4M budget hole to cover.

CONTEXT: Compliance Officers cost about 10 per $1Million of budget. So, if OFCCP is forced to accept the $4M budget hole, OFCCP would have to thin its ranks by about another 40 Compliance Officers from its existing 615 employee staffing authorization (unless OFCCP were to cut travel to almost nothing, however, OFCCP has already cut its travel budget in past years to the bone to try to save staffing headcount). NOTE: OFCCP always tries to absorb budget reductions through travel cuts and then staff attrition and to force involuntary terminations only if staffing exceeds available budget. A forced RIF may be in the offing for OFCCP for the first time in years depending on what the final budget number is and how many COs decide to transfer out of OFCCP in the 3 or 4 months after the final budget is set.

IMPLICATIONS: Worsening OFCCP morale. More transfers out of OFCCP. Fewer audits. Longer running time on audits in progress. Smaller back pay collections. Fewer on-site audits. Less training of OFCCP personnel. Audit staffing disruptions due to transfers and lack of authority to replace terminating COs. How many fewer audits in FY2017? Probably about 200 fewer, if the above budget numbers come to pass, or maybe about 1800 or 1900 total audit closures at the current pace of OFCCP audit closures. And, even fewer audits will close if a small RIF does ensue and OFCCP managers are diverted to RIF planning, outplacement, work reassignment and morale control duties.

Friday July 8, 2016: Ten More States Challenge The Obama Administration’s Transgender Policies

On Friday, 10 states led by Nebraska filed suit  in Nebraska Federal District Court to block the Obama Administration’s policies under Title VII, Title IX, and pursuant to federal OSHA’s power to regulate bathrooms to insure safety and health. These ten states did NOT join in with the 11 states and two school districts already suing the Obama Administration in Texas, although the new Nebraska lawsuit mimics that of “the Texas 11.” See our prior Week-In-Review from May 25, 2016.

The ten new states now filing their own lawsuit are (in alphabetical order): Arkansas, Kansas, Michigan, Montana, Nebraska, North Dakota, Ohio, South Carolina, South Dakota and Wyoming. The addition of Ohio and Michigan, the 7th and 10th, respectively, most populous states in the country representing almost 7% of the US population, is significant. The Nebraska lawsuit is different from the Texas lawsuit in that the “bathroom access issue” and the threatened cut-off of federal Title IX funds are clearly the primary drivers behind the lawsuit. While those two drivers are also present in the Texas litigation, “the Texas Eleven” also sound a broader attack on the protection of Transgenders generally under federal law, and not just as to the bathroom access issue. (It is possible to support Transgenders while differing as to the proper accommodation of Transgender access to group single-sex (i.e. all-female or all-male) bathrooms as the North Carolina lawsuit (a third lawsuit) in federal court in Raleigh signals). The North Carolina lawsuit does not challenge the federal government’s authority to protect Transgenders across-the-board (The Governor of North Carolina issued an Executive Order protecting Transgenders in state service under state law even while he enforces bathroom use based on biological sex), but rather challenges only the Obama Administration’s decision to require the states to permit Transgender access to bathrooms of their identity, even though different than their biological sex (as stated on one’s birth certificate). See our prior Week-In-Review story from May 16, 2016. Nonetheless, all three suits challenge President Obama’s legal authority under Title VII, Title IX and OSHA to protect Transgenders without a statutory delegation of authority from the Congress to the President authorizing him to do so.

So, the three lawsuits raise identical legal issues although North Carolina’s lawsuit is the narrowest in purpose (bathroom access issue only), now expanded by Nebraska (bathroom access and federal funding) and then expanded further by Texas (bathroom access, federal funding, and protection of Transgenders generally under federal law).

It does not seem likely at this junction that any of the three suits (North Carolina, Texas or Nebraska) will be consolidated under federal multi-district complex litigation rules. Accordingly, it appears that all three lawsuits are headed to litigation and then appeals which would emanate from three different federal circuit courts of appeal (North Carolina = 4th Circuit; Texas = 5th Circuit; and Nebraska = 8th Circuit…which sits in Lincoln, Nebraska and is perhaps the most conservative federal Circuit in the country). This is the kind of profile which often leads to The Supreme Court hearing a case raising issues from multiple circuits, especially if there is a “split (of results) in the Circuits” thus begging for resolution by the United States Supreme Court.


Reminder: If you have specific OFCCP compliance questions and/or concerns or wish to offer suggestions about future topics for the OFCCP Week In Review, please contact your membership representative at 866-268-6206 (for DirectEmployers Association Members), or email Candee at with your ideas.

Receive OFCCP compliance alerts and updates right on your phone! Text the word compliance from your mobile phone to 55678 (all applicable charges and fees set by your cell phone carrier will apply).







John C. Fox
Share This