Is password sharing a crime? It can be under the right circumstances, according to last week’s decision in United States v. Nosal. In Nosal, the U.S. Court of Appeals for the Ninth Circuit upheld the conviction of a former employee who conspired to use the login credentials of a current employee to access his former employer’s confidential database. Focusing on the Computer Fraud and Abuse Act’s prohibition on accessing a computer or network “without authorization,” the court held that “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”
This case has a long history. David Nosal left his job with Korn/Ferry International, an executive recruiting and placement agency, in 2004 but continued working for several months with Korn/Ferry as a contractor. During his time as a contractor, he was subject to a one-year non-compete agreement, and at some point Korn/Ferry revoked his access to the company’s confidential database and network.
While he worked for Korn/Ferry as a contractor, Mr. Nosal was secretly launching a competing business, and he recruited two of his former colleagues – still employed with Korn/Ferry – to join his new company. Before leaving their employment with Korn/Ferry, the two colleagues downloaded confidential information from the company’s network and gave it to Mr. Nosal for use at the competing company. Because they were employed with Korn/Ferry, they were authorized to access the company network. However, they violated the company’s confidentiality and computer use policies by sharing the information with Mr. Nosal and using it in competition with Korn/Ferry.
The colleagues eventually resigned, but Mr. Nosal’s executive assistant – who was also part of the scheme – remained at Korn/Ferry at his request. She gave her password to the colleagues, which violated company policy, and on three occasions after resigning they accessed the network to download more Korn/Ferry material.
Mr. Nosal was criminally charged with violating the Computer Fraud and Abuse Act and other laws. In 2012, the Ninth Circuit affirmed dismissal of charges brought under the CFAA that he aided and abetted the two colleagues who misappropriated information while they were still employed by Korn/Ferry. The Court held that there was no violation of the CFAA because the employees legitimately had access to the system at the time. In that decision, the Ninth Circuit said that there was no CFAA violation unless the system was accessed by someone without authorization to do so, or by someone who was acting in excess of his authority. Although the colleagues may have been guilty of misappropriation of Korn/Ferry’s confidential and proprietary information, they were not guilty of unauthorized access to Korn/Ferry’s network while they were still employed and still had authorization. Therefore, Mr. Nosal could not be guilty of “aiding and abetting” them.
After the case was remanded, Mr. Nosal was convicted of conspiracy to violate the CFAA (as well as trade secret theft under the federal Economic Espionage Act) based on the three occasions when his two colleagues – by then former employees of Korn/Ferry – gained access to the system using the assistant’s password. The prosecution successfully argued that the CFAA applied because neither Mr. Nosal nor the colleagues were authorized to access Korn/Ferry’s confidential network or database by any means. Mr. Nosal appealed again, this time claiming that the colleagues were “authorized” to use the Korn/Ferry system because the assistant had voluntarily shared her password with them. A panel of the Ninth Circuit affirmed the conviction, 2-1.
Under the CFAA, it is a crime when a person “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” Noting that the CFAA does not define “without authorization,” the court relied on its opinion in LVRC Holdings LLC v. Brekka, in which it held (consistent with other federal courts of appeals) that an individual accesses a computer “without authorization” when he or she accesses a company’s network after that access has been revoked.
Put more simply, a person who accesses the company’s system “without permission” is acting “without authorization” within the meaning of the CFAA.
The majority here determined that, as the owner of the proprietary data, the company had the right to revoke access to it. Because Korn/Ferry had revoked the access of Mr. Nosal and his colleagues, they were not “authorized,” even though the assistant had allowed them to use her password.
The dissenter, Judge Stephen Reinhardt, argued that the CFAA’s “without authorization” restriction should not apply because Mr. Nosal’s former assistant had shared her password voluntarily. Judge Reinhardt expressed concern that, under the majority holding, the CFAA would make password-sharers federal criminals for engaging “in this ubiquitous, useful, and generally harmless conduct.” (Since the decision was issued, there has been speculation in the media that sharing, for example, a Netflix password with a family member might be a federal crime.) However, the majority said that the case was not about innocent password-sharing between family and friends, but about an employer’s authority to revoke access to its confidential network and information.
The CFAA, coupled with the Economic Espionage Act, the newly enacted Defend Trade Secrets Act, and state trade secrets statutes, provides formidable weapons for employers who are the victims of data breaches and misuse of confidential and proprietary information. Employers should require employees to sign strong confidentiality agreements when they are hired, and should periodically review and update the agreements to ensure that they comply with current law. From a data protection standpoint, here are some additional suggestions:
• Require unique user names and passwords for each authorized user of a network, and implement controls on users’ access to the network (including the ability to immediately revoke access).
• Make sure your policies address both network access restrictions (who can access the network) and data use restrictions (the data that they are allowed to access).
• Include a conspicuous warning in the policy and when accessing the network (in the login field or through a pop-up) that access is intended for authorized users and authorized use only.
• Don’t rely on “common sense.” Explicitly prohibit employee password sharing. In the Korn/Ferry case, such a rule did not prevent the misappropriation because the assistant was a co-conspirator, but it did help prosecutors prove that Mr. Nosal and his colleagues were not “authorized” to access the system by way of the assistant’s password.
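The first and last suggestions (unique credentials with immediate revocation, and an explicit ban on password sharing) are only enforceable if someone is looking for violations. As an added illustration, not part of the original post or any Korn/Ferry system, the following script runs two checks over a constructed authentication log: one account used from several devices within a short window (a sign the password has been shared), and any successful login by an account whose owner’s separation date has passed. Log format, host names and the roster are all made up.

```python
"""Two detections for the access-control suggestions above:
shared-credential use and logins after access should have been revoked.
Log format, account names and roster are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the "assistant" account appears on three hosts in minutes.
SAMPLE_LOG = """\
2016-07-01T09:02:11 user=assistant host=WS-014 result=OK
2016-07-01T09:05:40 user=assistant host=LAPTOP-77 result=OK
2016-07-01T09:06:02 user=assistant host=HOME-PC result=OK
2016-07-01T09:10:00 user=analyst host=WS-020 result=OK
2016-07-02T11:00:00 user=recruiter1 host=WS-003 result=OK
"""

# Constructed HR roster: accounts whose owner left, with the separation date.
SEPARATED = {"recruiter1": datetime(2016, 6, 30)}

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"time": datetime.fromisoformat(ts), **kv})
    return events

def shared_credential_alerts(events, window=timedelta(minutes=10), max_hosts=1):
    """Return {user: hosts} for accounts seen on more than max_hosts distinct
    hosts inside any sliding window; one person rarely logs in from three PCs."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) > max_hosts:
                alerts[user] = hosts
                break
    return alerts

def revoked_access_alerts(events, separated=SEPARATED):
    """Return (user, time) for successful logins after the owner's separation date,
    i.e. accounts that should have been disabled but still work."""
    return [(e["user"], e["time"]) for e in events
            if e["result"] == "OK" and e["user"] in separated
            and e["time"] > separated[e["user"]]]
```

The second check is the one that catches the pattern in this case: a departed employee’s own account should fail, so the interesting finding is that it succeeds, which means revocation never happened.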