July 7 — A start-up company's owner violated the Computer Fraud and Abuse Act by using a past colleague's password to access his former employer's computers, the U.S. Court of Appeals for the Ninth Circuit held July 5 (United States v. Nosal, 2016 BL 214844, 9th Cir., No. 14-10275, 7/5/16).
Defining the terms in the CFAA—which, at times, requires courts to rely on the ordinary meaning of the language—has caused headaches for judges who must square the act's language and intent with modern technology and nuanced fact patterns.
The CFAA was developed initially as an anti-hacking statute, but increasingly is seen as a tool for responding to in-house fraud and data theft.
The Ninth Circuit upheld the conviction of recruiter David Nosal and the lower court's interpretation of the CFAA's “without authorization” prohibition, which addresses fraud committed via unauthorized access to a computer.
The court, in an opinion by Judge M. Margaret McKeown, said it had addressed the same issue in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (9 DDEE 306, 10/1/09), in which it held that a person uses a computer “without authorization” when an employer has rescinded an employee's credentials and the employee uses the computer at issue anyway.
This analysis is consistent with sister circuits, including the Second and Fourth (15 DDEE 521, 12/10/15) (12 DDEE 307, 8/2/12), the court said.
David Nosal's access to executive search firm Korn/Ferry International's computers was revoked in December 2004, after he resigned as regional director but was still acting as a contractor to finish some work. Eventually he fully left Korn/Ferry to work on his own search firm along with other Korn/Ferry employees.
Korn/Ferry has a “Searcher” database of information regarding executives, which the start-up wished to access. Searcher was hosted on Korn/Ferry's internal computer network and was deemed confidential and for Korn/Ferry business use only. Password sharing for the database was prohibited by a confidentiality agreement.
Nosal and his colleagues borrowed access credentials from current Korn/Ferry employee F.H. so as to obtain some source lists from Searcher.
Korn/Ferry contacted the government in July 2005 about Nosal accessing the information and his violations of his non-compete. Nosal was eventually convicted of violations of the CFAA.
The Ninth Circuit said the CFAA doesn't define “without authorization.” The court cited Brekka, in which it turned to the ordinary meaning of the term “authorization.”
“In determining whether an employee has authorization, we stated that, consistent with ‘the plain language of the statute … ‘authorization’ [to use an employer's computer] depends on actions taken by the employer,’” the court said.
If evidence had shown that Brekka accessed his former employer's web accounts after he left the company, the court said there would be “no dispute” that he had accessed a protected computer “without authorization.”
“Brekka is squarely on point on that issue: Nosal and his co-conspirators acted ‘without authorization’ when they continued to access Searcher by other means after Korn/Ferry rescinded permission to access its computer system,” the court said.
Judge Stephen Reinhardt dissented, saying the case was about password sharing.
“In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals,” Reinhardt said.
The majority lost sight of the statute's anti-hacking purpose and of the fact that consensual password sharing doesn't qualify as the type of “hacking” the CFAA covers, he said.
According to the dissent, the best reading of “without authorization” applies to a person who accesses an account without the permission of either the system owner or a legitimate account holder.
But the majority disagreed. The dissent “mistakenly” focused on F.H.'s authority, the majority said, adding that F.H. had “no mantle or authority to give permission to former employees whose access had been categorically revoked by the company.”
“[I]n collapsing the distinction between FH's authorization and that of [the former employees'], the dissent would render meaningless the concept of authorization,” the majority said.
Chief Judge Sidney R. Thomas joined the opinion.
Riordan and Horgan represented Nosal.
The U.S. Department of Justice represented the government.
To contact the reporter on this story: Tera Brostoff in Washington at firstname.lastname@example.org.
Full text at http://src.bna.com/gx7.
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.