Last week, the DOJ got dinged on both coasts in criminal appeals. Although neither case involved the FCPA, the reasoning of the courts touch upon issues relevant to the recent “foreign official” challenges. For more on those challenges, the DOJ and defense positions, and the trial court rulings, see here, here, here and here (as well as the embedded links in those posts).
In addition to discussing the two cases with similarities to “foreign official” challenges, this post also discusses a decision from the U.S. District Court in the Middle District of Tennessee that is believed to be the first decision concerning the intersection of D0dd-Frank’s whistleblower provisions and the FCPA.
In U.S. v. David Nosal, the Ninth Circuit, sitting en banc, affirmed a lower court dismissal of criminal charges under the Computer Fraud and Abuse Act (“CFAA”) filed against David Nosal who used to work for Korn/Ferry, an executive search firm. (See here for the decision). The issue before the court was how broadly to read the CFAA, particularly its provisions which defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Without getting into the specific facts of the case here, the court stated that “the government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute” and that “if Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions … we would expect it to use language better suited to that purpose.” In a footnote, the court noted that Congress did just that in other federal statutes where the key terms were broader.
Thereafter, the court stated as follows. “The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.”
The DOJ urged the court to consider the CFAA’s legislative history and pointed to an earlier version of the statute that was more favorable to its position. However, the court stated that “that language was removed and replaced by the current phrase and definition” (emphasis in original).
The court then stated as follows. “The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. […] And it’s not clear we can trust the government when a tempting target comes along.” (citations omitted, emphasis in original).
In conclusion, the court stated as follows. “We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires penal laws to construed strictly. When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” (citations omitted, emphasis in original).
In U.S. v. Sergey Aleynikov, the Second Circuit reversed the criminal conviction of Sergey Aleynikov, a former computer programmer employed by Goldman Sach who was found guilty by a jury of violating the National Stolen Property Act (“NSPA”) and the Economic Espionage Act of 1996 (“EEA”). As noted in the opinion (here), Aleynikov argued on appeal that his conduct did not constitute an offense under either statute – namely that the source code at issue was not a “stolen good” within the meaning of the NSPA and that the source code was not “related to or included in a product that is produced for or placed in interstate or foreign commerce” within the meaning of the EEA.
Without getting in to the specific facts of the case here, the Second Circuit began its discussion by noting that “Aleynikov’s challenge requires us to determine the scope of the two federal statutes” and that “federal crimes are solely creatures of statute.” The court stated that “due respect for the prerogatives of Congress in defining federal crimes prompts restraint in this area, where we typically find a narrow interpretation appropriate” and held that Aleynikov’s conduct did not constitute an offense under either the NSPA or the EEA.
As to the EEA, and of note, the Court looked to the statute’s legislative history and found that a key provision did not appear in various draft of the bill and that therefore the words of the final bill that was enacted into law “were deliberately chosen.” As to the DOJ’s argument that the EEA had a broad sweep, the Court stated that one would expect to see such wording in the statute. Citing a prior Supreme Court decision, the Court stated as follows. “And ‘when choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.”
Recently, Judge Aleta Trauger (M.D. Tenn.) issued a decision (here) in Nollner v. Southern Baptist Convention Inc. that is believed to be the first judicial decision concerning the intersection of D0dd-Frank’s whistleblower provisions and the FCPA.
The basic facts are as follows. Ron and Beverly Nollner responded to a job post by The International Mission Board of the Southern Baptist Convention Inc. (“IMB”) (a wholly-owned subsidiary of Southern Baptist Convention Inc.) to perform missionary related work on the church’s behalf in New Delhi, India – specifically to manage construction of a new office building. After accepting the positions and arriving in New Delhi, the Nollners allege that the “situation was not what had been promised.” Among other things, the Nollners allege that they “became aware of a host of troubling information” including that “the contractor and architect were paying bribes to local Indian officials with money furnished by the defendants for that purpose.” The Nollners alleged that “Mr. Nolnner reported his grave concerns about potential bribery to the defendants’ employees, [but] that they seemed unbothered, if not complicit.” Thereafter, two of Mr. Nollner’s superiors allegedly asked him to resign and when he refused he was terminated.
Among other things, the Nollners brought a retaliatory discharge claim under Dodd-Frank claiming that they were terminated for, among other things, reporting and/or refusing to participate in bribes and other illegal payments. As to the Dodd-Frank claim, the Nollners allege that its whistleblower anti-retaliation provisions protected them against retaliation for reporting the defendants’ violations of the FCPA.
The court began by noting that Dodd-Frank “only protects [an] employee against retaliation if the federal violation falls within the SEC’s jurisdiction.” The court then stated that “the jurisdiction of the SEC with respect to FCPA violations is limited only to civil actions to enforce violations by issuers, but does not encompass FCPA violations by domestic concerns, which are subject to exclusive DOJ enforcement.” (emphasis in original). The court then stated as follows. “Here, because the defendants are not issuers, only the DOJ – not the SEC – has jurisdiction over them with respect to FCPA violations.” Accordingly, the court held, even assuming the allegations to be true, that the “Nollners may not maintain [Dodd-Frank] retaliation claims premised on their reporting of potential FCPA violations by the defendants.”
In addition, the court stated that the “FCPA does not itself protect whistleblowers; it contains no anti-retaliation provisions and affords no private cause of action” (relying on Lamb v. Philip Morris, Inc. 915 F.2d 1024 (6th Circ. 1990)). The court stated that “it falls on Congress to protect individual FCPA whistleblowers who are not otherwise protected from retaliation under state or federal law for disclosing FCPA violations.”
In regards to the reference in Nollner that the jurisdiction of the SEC with respect to FCPA violations is limited only to civil actions to enforce violations by issuers, this is generally true, although in recent years the SEC has brought FCPA enforcement actions against non-issuers (see here for the Panalpina enforcement action and here for the Snamprogetti enforcement action).