The U.S. Court of Appeals for the Ninth Circuit has ruled that a former employee whose computer access credentials had been revoked acted “without authorization,” in violation of the Computer Fraud and Abuse Act (CFAA), when he and other former employees used the login credentials of a current employee to gain access to data on the employer’s computers.
David Nosal and two other former employees at executive search firm Korn/Ferry International used a password shared by Nosal’s former executive assistant, Jacqueline Froehlich-L’Heureaux, to download confidential data. Nosal did not himself access or download any information from the Korn/Ferry database, but was held liable for the conduct of his colleagues, who acted on his behalf and at his request.
Nosal had set up his own competing firm and hired two other Korn/Ferry employees. Before leaving their employment at Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new business. Although the former employees were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies, the U.S. Court of Appeals for the Ninth Circuit said in its opinion.
The former employees tried to cover their tracks by using the login credentials of Froehlich-L’Heureaux, Nosal’s former assistant, who gave her username and password to Nosal’s colleagues to use. Per the court:
“Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access,” according to the opinion, which said that the access falls squarely within the CFAA’s prohibition on access “without authorization.” Password sharing was prohibited by a confidentiality agreement that Korn/Ferry required each new employee to sign, the court said.
The dissenting judge on the three-judge panel wrote that this case is about password sharing, and that “the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
What does this mean for end users? It looks like it means that in order for a company to get the protection of the CFAA, there must be a “no-sharing passwords” policy in effect, and employees, old and new, will need to acknowledge this in writing. This would put the “authorization” test in place and allow the CFAA to apply. Employees who break the password sharing rule could then be subject to the penalties of the CFAA. It also means: don’t share your password! The full legalese can be found here.