Using Password to Access Former Employer's Information Violates the Computer Fraud and Abuse Act: Ninth Circuit | Practical Law

by Practical Law Labor & Employment
Law stated as of 15 Dec 2016 | USA (National/Federal)
In United States v. Nosal, the US Court of Appeals for the Ninth Circuit held that a former employee violated the Computer Fraud and Abuse Act (CFAA) when he directed the use of a current employee's password to access his former employer's computer system.
On July 5, 2016, in United States v. Nosal, the US Court of Appeals for the Ninth Circuit held in a 2-1 decision that a former employee acted "without authorization" under the Computer Fraud and Abuse Act (CFAA) when he directed others to use a current employee's password to access his former employer's computer system to aid his new company. In a matter of first impression for the Ninth Circuit, the court held that the term "without authorization":
  • Has a plain, ordinary meaning.
  • Is not a technical term.
  • Simply means to access a protected computer without permission.
( (9th Cir. July 5, 2016).)

Background

David Nosal, a former employee of Korn/Ferry, an executive search firm, convinced some of his former colleagues still working for Korn/Ferry to use their login credentials to download client information from a confidential database on the company's computers and transfer it to Nosal to help him set up a competing business. After the US government indicted Nosal for violating the CFAA, the Ninth Circuit, in an en banc decision:
  • Held that:
    • employees who are authorized to access their workplace computers but who use them in violation of corporate policy do not "exceed[] authorized access" under the CFAA and therefore cannot be prosecuted under the statute; and
    • the clause "exceeds authorized access" in the CFAA does not extend to violations of a company's or website's computer-use restrictions.
  • Affirmed the dismissal of five CFAA counts.
The government filed a second indictment with additional CFAA counts based on multiple occasions when other former employees, encouraged by Nosal, accessed Korn/Ferry's computer system using a current employee's login credentials. The district court denied Nosal's motion to dismiss the remaining CFAA counts and a jury ultimately convicted Nosal on all CFAA counts.
In addition, the jury convicted Nosal of two counts of trade secret theft under the Economic Espionage Act (EEA) for engaging in "unauthorized downloading, copying and duplicating of trade secrets."
Nosal appealed to the Ninth Circuit on the remaining CFAA counts, specifically on whether his conduct involving the former employees accessing Korn/Ferry's system with a current employee's login and password information violated the "access a protected computer without authorization" clause of the CFAA.

Outcome

The Ninth Circuit held that the CFAA's "without authorization" clause:
  • Applies when a former employee whose computer access credentials have been revoked accesses the former employer's computer using other employees' log-in and password information.
  • Has a plain, ordinary, unambiguous, and non-technical meaning.
  • Means accessing a protected computer without the owner's permission.
The Ninth Circuit upheld Nosal's CFAA conviction, as well as his conviction of trade secret theft under the EEA.
The Ninth Circuit noted that:
  • The CFAA imposes criminal penalties on anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value" (18 U.S.C. § 1030(a)(4)).
  • The CFAA does not define the term "authorization."
  • It previously reviewed the CFAA's "without authorization" clause in LVRC Holdings LLC v. Brekka and looked to the ordinary, plain meaning of the term, holding that an employee "uses a computer 'without authorization' . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway" (581 F.3d 1127, 1135 (9th Cir. 2009)).
  • In Nosal I:
    • the Ninth Circuit distinguished the "without authorization" clause as applying to "outside hackers who have no authorized access to the computer at all" and the "exceeds authorized access" clause as applying to inside hackers who have authorized access to a computer but who then access unauthorized information from that computer (676 F.3d at 858);
    • the issue of authorization was not in doubt because the employees who accessed the Korn/Ferry computers had Korn/Ferry's authorization to access the system and the issue was whether they exceeded it; and
    • the court did not address whether Nosal's access to Korn/Ferry computers after both he and his co-conspirators had terminated their employment and Korn/Ferry revoked their permission to access the computers was "without authorization."
  • Here, unlike in Nosal I, Nosal was charged with unauthorized access (gaining access to the computer after being prohibited from doing so) so the "without authorization" clause was applicable.
The dissenting judge noted that the majority's decision is effectively prohibiting the widespread practice of password-sharing and will turn those who engage in that common practice into violators of the CFAA.

Practical Implications

The Ninth Circuit's decision in Nosal II addresses the "without authorization" clause of CFAA Section 1030 and holds, as other circuit courts of appeals have held, that it means simply to access a protected computer without permission. The decision contrasts with the Ninth Circuit's narrow reading of the "exceeds authorized access" clause in Nosal I and could serve as a basis for dissuading former employees who no longer have permission to access their former employers' computers from trying to gain access, as well as dissuading current employees from sharing their log-in credentials with former employees.
UPDATE: On December 8, 2016, the Ninth Circuit amended its July 5, 2016 decision in Nosal II, by:
  • Denying Nosal's petition for a rehearing en banc.
  • Revising its opinion to clarify that under CFAA Section 1030(a)(4):
    • a defendant's unauthorized access is required to be "knowingly and with intent to defraud"; and
    • a violation of a "use restriction," such as a website's terms of use, is insufficient by itself to form the basis for CFAA liability.
This clarification prevents innocent conduct, such as family password sharing, from being swept into the CFAA's reach and constituting a violation.