Court upholds conviction of ex-employee for conspiring to access company data through “shared” password

Analysis

Is password sharing a crime? It can be under the right circumstances, according to last week’s decision in United States v. Nosal. In Nosal, the U.S. Court of Appeals for the Ninth Circuit upheld the conviction of a former employee who conspired to use the login credentials of a current employee to access his former employer’s confidential database. Focusing on the Computer Fraud and Abuse Act’s prohibition on accessing a computer or network “without authorization,” the court held that “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”

Background

This case has a long history. David Nosal left his job with Korn/Ferry International, an executive recruiting and placement agency, in 2004 but continued working for several months with Korn/Ferry as a contractor. During his time as a contractor, he was subject to a one-year non-compete agreement, and at some point Korn/Ferry revoked his access to the company’s confidential database and network.

While he worked for Korn/Ferry as a contractor, Mr. Nosal was secretly launching a competing business, and he recruited two of his former colleagues – still employed with Korn/Ferry – to join his new company. Before leaving their employment with Korn/Ferry, the two colleagues downloaded confidential information from the company’s network and gave it to Mr. Nosal for use at the competing company. Because they were employed with Korn/Ferry, they were authorized to access the company network. However, they violated the company’s confidentiality and computer use policies by sharing the information with Mr. Nosal and using it in competition with Korn/Ferry.

The colleagues eventually resigned, but Mr. Nosal’s executive assistant – who was also part of the scheme – remained at Korn/Ferry at his request. She gave her password to the colleagues, which violated company policy, and on three occasions after resigning they accessed the network to download more Korn/Ferry material.

Mr. Nosal was criminally charged with violating the Computer Fraud and Abuse Act and other laws. In 2012, the Ninth Circuit affirmed dismissal of charges brought under the CFAA that he aided and abetted the two colleagues who misappropriated information while they were still employed by Korn/Ferry. The Court held that there was no violation of the CFAA because the employees legitimately had access to the system at the time. In that decision, the Ninth Circuit said that there was no CFAA violation unless the system was accessed by someone without authorization to do so, or by someone who was acting in excess of his authority. Although the colleagues may have been guilty of misappropriation of Korn/Ferry’s confidential and proprietary information, they were not guilty of unauthorized access to Korn/Ferry’s network while they were still employed and still had authorization. Therefore, Mr. Nosal could not be guilty of “aiding and abetting” them.

After the case was remanded, Mr. Nosal was convicted of conspiracy to violate the CFAA (as well as trade secret theft under the federal Economic Espionage Act) based on the three occasions when his two colleagues – by then former employees of Korn/Ferry – gained access to the system using the assistant’s password. The prosecution successfully argued that the CFAA applied because neither Mr. Nosal nor the colleagues were authorized to access Korn/Ferry’s confidential network or database by any means. Mr. Nosal appealed again, this time claiming that the colleagues were “authorized” to use the Korn/Ferry system because the assistant had voluntarily shared her password with them. A panel of the Ninth Circuit affirmed the conviction, 2-1.

Holding

Under the CFAA, it is a crime when a person “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” Noting that the CFAA does not define “without authorization,” the court relied on its opinion in LVRC Holdings LLC v. Brekka, in which it held (consistent with other federal courts of appeals) that a person uses a computer “without authorization” when that person accesses a company’s network even though the access has been revoked.

Put more simply, a person who accesses the company’s system “without permission” is acting “without authorization” within the meaning of the CFAA.

The majority here determined that, as the owner of the proprietary data, the company had the right to revoke access to it. Because Korn/Ferry had revoked the access of Mr. Nosal and his colleagues, they were not “authorized,” even though the assistant had allowed them to use her password.

The dissenter, Judge Stephen Reinhardt, argued that the CFAA’s “without authorization” restriction should not apply because Mr. Nosal’s former assistant had shared her password voluntarily. Judge Reinhardt expressed concern that, under the majority holding, the CFAA would make password-sharers federal criminals for engaging “in this ubiquitous, useful, and generally harmless conduct.” (Since the decision was issued, there has been speculation in the media that sharing, for example, a Netflix password with a family member might be a federal crime.) However, the majority said that the case was not about innocent password-sharing between family and friends, but about an employer’s authority to revoke access to its confidential network and information.

Employer Takeaways

The CFAA, coupled with the Economic Espionage Act, the newly enacted Defend Trade Secrets Act, and state trade secrets statutes, provides formidable weapons for employers who are the victims of data breaches and misuse of confidential and proprietary information. Employers should require employees to sign strong confidentiality agreements when they are hired, and should periodically review and update the agreements to ensure that they comply with current law. From a data protection standpoint, here are some additional suggestions:

• Require unique user names and passwords for each authorized user of a network, and implement controls on users’ access to the network (including the ability to immediately revoke access).

• Make sure your policies address both network access restrictions (who can access the network) and data use restrictions (the data that they are allowed to access).

• Include a conspicuous warning, both in the policy and on screen when users access the network (in the login field or through a pop-up), that access is intended for authorized users and authorized use only.

• Don’t rely on “common sense.” Explicitly prohibit employee password sharing. In the Korn/Ferry case, such a rule did not prevent the misappropriation because the assistant was a co-conspirator, but it did help prosecutors prove that Mr. Nosal and his colleagues were not “authorized” to access the system by way of the assistant’s password.

If you have questions about protecting your system from theft or sabotage by former or current employees, please contact any member of our Data Privacy or e-Law practice groups. If you would like to discuss protection of your trade secrets and confidential and proprietary information, please contact a member of our Unfair Competition and Trade Secrets Practice Group.
