By Jeffrey M. Schlossberg, Esq. of Jackson Lewis P.C.
Many companies have experienced the departure of an employee and the elimination of that former employees access to the companyaEUR(TM)s computers and networks. In the recent case of USA v. Nosal, D.C. No. 3:08-cr-00237-EMC-1 (July 5, 2016)
, the Ninth Circuit Court of Appeals was presented with the following facts: Nosal, a former employee of Korn/Ferry departed and launched a competitive entity. When Nosal left the company, the company revoked his computer access credentials. After his departure, Nosal was nevertheless able to continue accessing the companyaEUR(TM)s confidential and proprietary information when his former secretary provided Nosal with her database access credentials. In Nosal
, the question for the court was whether the jury properly convicted David Nosal of the crime of conspiracy under the Computer Fraud and Abuse Act (aEURoeCFAAaEUR?)
for accessing and downloading information from the companyaEUR(TM)s database aEURoewithout authorization.aEUR? The Court in a 2-1 decision held that indeed Nosal violated the criminal provisions of CFAA even though he did not himself access and download the information.
The CFAA prohibits access to a computer or computer system by ones who are either exceeding authorized use or are not authorized users. 18 U.S.C. ? 1030. The applicable section of the CFAA addressed in the Nosal
case provides that:
Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct further the intended fraud and obtains anything of value. . .shall be punished. . . . .
The prosecution successfully argued that after Nosal left the company, he lacked any rights to use the companyaEUR(TM)s network. Because he lacked rights to access the network, the use of the secretaryaEUR(TM)s login credentials violated the CFAAaEUR(TM)s ban on access aEURoewithout authorization.aEUR? The court found that Nosal violated the CFAA because he aEURoeknowingly and with intent to defraud blatantly circumvented the affirmative revocation of his computer access. This access falls squarely within the CFAAaEUR(TM)s prohibition on access aEUR~without authorizationaEUR(TM) and thus we affirm NosalaEUR(TM)s conviction for violations of . . . the CFAA.aEUR?
But, what about the fact that a person who did have authorization aEUR" NosalaEUR(TM)s secretary aEUR" granted Nosal permission to access the database? On this point, the court stated that access:
aEUR~without authorizationaEUR(TM) is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.
The court further stated that an aEURoeemployee could willy nilly give out passwords to anyone outside the company aEUR" former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.aEUR?
As a result of this decision, some privacy groups have expressed concern that the courtaEUR(TM)s ruling could make it easier to prosecute people for ordinary password sharing, such as when a husband logs into his wifeaEUR(TM)s Facebook account with her credentials and permission, or to print a boarding pass.
However, the majority addressed this concern square on stating that aEURoehypotheticals about the dire consequences of criminalizing password sharing. . . miss the mark in this case. This case is not about password sharingaEUR? and noted that the case aEURoebears little resemblance to asking a spouse to log in to an email account to print a boarding pass.aEUR?
While this decision involved a criminal prosecution, with which most companies would not be involved, it is still worthy of consideration for employers. Many employers have some form of agreement in place that would make accessing the companyaEUR(TM)s database after termination a violation. In light of Nosal
it would be prudent for a company to also include in its policies and agreements what is seemingly obvious aEUR" prohibit current employees from providing their passwords to former employees. At least with this statement in writing, the company will have (1) a basis upon which to take appropriate disciplinary action aEUR" including termination aEUR" against the current employee who provided their password to a former employee, and (2) the ability to commence a civil legal action against the former employee under the CFAA.
For additional information, please contact Jeffrey