On March 12, 2013, the U.S. District Court for the Northern District of California issued a ruling clarifying the reach of the federal Computer Fraud and Abuse Act (CFAA) when employees access computer systems. The decision in United States v. Nosal is the second important ruling in this litigation, following a major Ninth Circuit decision interpreting the CFAA in 2012.1
The most recent Nosal decision provides further guidance regarding the definition of "access" as used in the CFAA and the statute's applicability to "hacking" in a context where a departing employee is accused of accessing an employer's computer system for unauthorized purposes.
At issue in the decision were two specific means of computer system access. The first involved the use of a current company employee's password by a former employee to access and copy the company's trade secrets. The second involved a current company employee using her password to access the company's trade secrets, and then allowing Nosal's associate to view the computer terminal and download information from a company database.
The court rejected Nosal's contention that the CFAA is limited in this context to "hacking crimes" where the defendant "circumvented technological barriers to access a computer." The district court found that the government is not required to allege that a defendant circumvented technological access barriers in order to bring a charge under the CFAA. The court also ruled that even if the Ninth Circuit did create a "circumvention" requirement as Nosal argued, the use of another's password to avoid the technological barrier of password protection would satisfy the requirement.
The court also found that "access" under the CFAA "encompasses not only the moment of entry, but also the ongoing use of a computer system." Having one person enter valid credentials to log into a computer system and then turn over control of the computer terminal to another person, who runs unauthorized searches and downloads information, falls within "access" as used in the CFAA. The crime, as defined in the CFAA, is the accessing of a protected computer, not the mere entering or logging into a protected computer. As a result, the court effectively closed a loophole as to what activities can constitute "access" under the CFAA.
Wilson Sonsini Goodrich & Rosati is following developments around the country with respect to the Computer Fraud and Abuse Act, and the firm is available to assist companies, employees, newly formed businesses, and investors with every aspect of trade secret litigation and counseling. For more information, please contact Fred Alvarez, Rico Rosales, Marina Tsatalis, Laura Merritt, Charles Tait Graves, or another member of the firm's employment and trade secrets litigation practice.