Use of Employee's Password By Ex-Employee Not OK

The eDiscovery Resource Center™ is Bloomberg BNA’s comprehensive research solution for litigators and in-house counsel who require authoritative guidance on the handling,...

By Tera Brostoff

July 7 — A start-up company's owner violated the Computer Fraud and Abuse Act by using a past colleague's password to access his former employer's computers, the U.S. Court of Appeals for the Ninth Circuit held July 5 ( United States v. Nosal, 2016 BL 214844, 9th Cir., No. 14-10275, 7/5/16 ).

Defining the terms in the CFAA—which, at times, requires courts to rely on the ordinary meaning of the language—has caused headaches for judges who must square the act's language and intent with modern technology and nuanced fact patterns.

The CFAA was developed initially as an anti-hacking statute, but increasingly is seen as a tool for responding to in-house fraud and data theft.

The Ninth Circuit upheld the conviction of recruiter David Nosal and the lower court's interpretation of the CFAA's “without authorization” prohibition, which addresses fraud committed via unauthorized access to a computer.

Court Joins Other Circuits

The court, in an opinion by Judge M. Margaret McKeown, said it had addressed the same issue in LVRC Holdings LLC v. Brekka, 581 F. 3d 1127 (9th Cir. 2009) (9 DDEE 306, 10/1/09), in which it held that a person uses a computer “without authorization” when an employer has rescinded an employee's credentials and the employee uses the computer at issue anyway.

This analysis is consistent with sister circuits, including the Second and Fourth (15 DDEE 521, 12/10/15) (12 DDEE 307, 8/2/12), the court said.

Former Employer Accesses Computer

David Nosal's access to executive search firm Korn/Ferry International's computers was revoked in December 2004, after he resigned as regional director but was still acting as a contractor to finish some work. Eventually he fully left Korn/Ferry to work on his own search firm along with other Korn/Ferry employees.

Korn/Ferry has a “Searcher” database of information regarding executives, which the start-up wished to access. Searcher was hosted on Korn/Ferry's internal computer network and was deemed confidential and for Korn/Ferry business use only. Password sharing for the database was prohibited by a confidentiality agreement.

Nosal and his colleagues borrowed access credentials from current Korn/Ferry employee F.H. so as to obtain some source lists from Searcher.

Korn/Ferry contacted the government in July 2005 about Nosal accessing the information and his violations of his non-compete. Nosal was eventually convicted of violations of the CFAA.

Ordinary Meaning

The Ninth Circuit said the CFAA doesn't define “without authorization.” The court cited Brekka, in which it turned to the ordinary meaning of the term “authorization.”

“In determining whether an employee has authorization, we stated that, consistent with ‘the plain language of the statute … ‘authorization' [to use an employer's computer] depends on actions taken by the employer,' ” the court said.

If evidence had shown that Brekka accessed his former employer's web accounts after he left the company, the court said there would be “no dispute” that he had accessed a protected computer “without authorization.”

Brekka is squarely on point on that issue: Nosal and his co-conspirators acted ‘without authorization' when they continued to access Searcher by other means after Korn/Ferry rescinded permission to access its computer system,” the court said.

Dissent Rejects Definition

Judge Stephen Reinhardt dissented, saying the case was about password sharing.

“In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals,” Reinhardt said.

The majority lost sight of the anti-hacking purpose of the statute, and that consensual password sharing doesn't qualify as the type of “hacking” the CFAA covers, he said.

According to the dissent, the best reading of “without authorization” applies to a person who accesses an account without the permission of either the system owner or a legitimate account holder.

But the majority disagreed. The dissent “mistakenly” focused on F.H.'s authority, saying FH had “no mantle or authority to give permission to former employees whose access had been categorically revoked by the company,” it said.

“[I]n collapsing the distinction between FH's authorization and that of [the former employees'], the dissent would render meaningless the concept of authorization,” the majority said.

Chief Judge Sidney R. Thomas joined the opinion.

Riordan and Horgan represented Nosal.

The U.S. Department of Justice represented the government.

To contact the reporter on this story: Tera Brostoff in Washington at tbrostoff@bna.com.

To contact the editors responsible for this story: Jessie Kokrda Kamens at jkamens@bna.com, Carol Eoannou at ceoannou@bna.com.

For More Information

Full text at http://src.bna.com/gx7.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.