Ex-Employee Access to Password Protected Computer Violates CFAA

In a second round with the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, Defendant David Nosal’s conviction was affirmed by the Ninth Circuit Court of Appeals because he obtained access credentials (passwords) for his former employer, Korn/Ferry’s, database from his former executive assistant, Jacqueline Froehlich-L’Heureaux (“FH”) who remained at Korn/Ferry at Nosal’s request. “[A] person uses a computer ‘without authorization’ under [the CFAA and violates the CFAA] … when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”  U.S. v. Nosal, Case No. 14-10037 (9th Cir. July 5, 2016) (Available Here). Earlier, the Ninth Circuit had reversed Nosal’s conviction under the CFAA when he was charged with stealing data while employed by Korn/Ferry.  United States v. Nosal (Nosal I), 676 F.3d 854 (9th Cir. 2012) (en banc).  

The Court considered the scope of CFAA criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”  Id. § 1030(a)(4).  In summary, the appeals panel affirmed the convictions for knowingly and with intent to defraud accessing a protected computer ”without authorization,” in violation of the Computer Fraud and Abuse Act (CFAA), and for trade secret theft, in violation of the Economic Espionage Act (EEA).  Nosal’ s convictions under the EEA for downloading, receiving and possessing trade secrets in the form of source lists from Korn/Ferry’s database, Searcher, was affirmed.

The Court stated that “Embracing our earlier precedent and joining our sister circuits, we conclude that ‘’without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”

The Court discussed Nosal I as follows.  “Before leaving Korn/Ferry, Nosal’s colleagues began downloading confidential information from a Korn/Ferry database to use at their new enterprise. Although they were authorized to access the database as current Korn/Ferry employees, their downloads on behalf of Nosal violated Korn/Ferry’s confidentiality and computer use policies. In 2012, we addressed whether those employees ‘exceed[ ed] authorized access’ with intent to defraud under the CF AA. United States v. Nosal (Nosal I), 676 F.3d 854 (9th Cir. 2012) (en bane).  The CFAA ‘does not extend to violations of [a company’s] use restrictions.’ Id. at 863.”

The facts were different in the current conviction under review.  Nosal and his co-conspirators, after he left Korn/Ferry continued to access the database using the credentials of Nosal’s former executive assistant FH who remained at Korn/Ferry at Nosal’s request. The question considered was whether the jury properly convicted Nosal of conspiracy to violate the ”without authorization” provision of the CF AA for unauthorized access to, and downloads from, his former employer’s database called Searcher.

The Court stated “We directly answered this question in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), and reiterate our holding here: ‘[A] person uses a computer ‘without authorization’ under [the CFAA] … when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.’ Id. at 1135.”

Password sharing was not the issue in Nosal II.  FH had no authority from Korn/Ferry to provide her password to Nosal and other former employees.  Nosal accessed the Korn/Ferry database, Searcher, which included data from a number of public and quasi-public sources like Linkedln, corporate filings and Internet searches, and also included internal, non-public sources, such as personal connections, unsolicited resumes sent to Korn/Ferry and data inputted directly by candidates via Korn/Ferry’s website. After Nosal left Korn/Ferry, Nosal, and co-defendants Christian and Jacobson borrowed access credentials from FH, who stayed on at Korn/Ferry at Nosal’s request.

The key section of the CFAA at issue is 18 U.S.C. § 1030(a)(4), which provides in relevant part: “Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished.”  The CFAA defines “exceeds authorized access” as “access [to] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). The statute does not, however, define “without authorization.”

The Nosal II Court cited cases form other Circuits that have construed “without authorization” as it relates to permitted/not-permitted access while employed. United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (“Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.”), and United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that an employee who violates employer use restrictions “exceeds authorized access”), and Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006) (holding that while the “difference between access ‘without authorization’ and ‘exceeding authorized access’ is paper thin,” an employee who breached a duty of loyalty terminated the agency relationship and exceeded authorized access in using company laptop), and EF Cultural Travel BVv. Explorica, Inc., 274 F.3d 577, 581-84 (1st Cir. 2001) (holding that former employees who violated confidentiality agreements exceeded authorized access).

With respect to the meaning of ”without authorization,” the district court instructed the jury as follows: “Whether a person is authorized to access the computers in this case depends on the actions taken by Korn/Ferry to grant or deny permission to that person to use the computer. A person uses a computer “without authorization” when the person has not received permission from Korn/Ferry to use the computer for any purpose (such as when a hacker accesses the computer without any permission), or when Korn/Ferry has rescinded permission to use the computer and the person uses the computer anyway.”

The password system adopted by Korn/Ferry is unquestionably a technological barrier designed to keep out those ”without authorization.” Had a thief stolen an employee’s password and then used it to rifle through Searcher, without doubt, access would have been without authorization.  The same principle holds true here. A password requirement is designed to be a technological access barrier.

Related Posts