The Ninth Circuit Addresses the Scope of the Computer Fraud and Abuse Act

by Fenwick & West LLP

This week, the Ninth Circuit clarified the scope of the Computer Fraud and Abuse Act (CFAA) in upholding the defendant’s criminal conviction in United States v. David Nosal.

Computer Fraud And Abuse Act

The CFAA was enacted in 1984 to target “hackers who accessed computers to steal information or to disrupt or destroy computer functionality….” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 1984) (citing H.R. Rep. No. 98-894, at 8-9 (1984), 1984 U.S.C.C.A.N. 3689, 3694). It criminalizes, among other things, “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value[.]” 18 U.S.C. § 1030(a)(4). The CFAA broadly defines a “protected computer” as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication in the United States.” 18 U.S.C. § 1030(e)(2)(B). The CFAA also establishes a right of action for private parties who were injured by violations of its provisions. 18 U.S.C. § 1030(g).

Background

David Nosal (Nosal) was a regional director at Korn/Ferry International (Korn/Ferry), a global executive search firm. In 2004, despite signing a non-competition agreement and becoming an independent contractor with Korn/Ferry, Nosal prepared to launch his own executive search firm with three of his former colleagues who were still employed at Korn/Ferry. After he became a contractor, Korn/Ferry revoked Nosal’s access to its computer system, although it continued to permit Nosal to ask Korn/Ferry employees to conduct searches on his behalf on Searcher, Korn/Ferry’s internal, confidential and proprietary database of information on over a million executives, to complete the work he was doing for Korn/Ferry. Any Korn/Ferry employee with login credentials could access Searcher. However, Korn/Ferry had a policy stating that Searcher was to be used only for Korn/Ferry business.

When he launched his competing search firm, Nosal convinced his three former Korn/Ferry colleagues to download source lists and other information from Searcher for him, in violation of Korn/Ferry’s computer use policy. After two of Nosal’s colleagues left Korn/Ferry and had their access to Searcher revoked, they borrowed the login credentials of the third colleague, who remained at Korn/Ferry at Nosal’s request, so that they could download confidential information from Searcher to expedite their work at the new search firm. None of the searches conducted by Nosal’s three colleagues related to any of Nosal’s work for Korn/Ferry.

The government obtained a twenty-count federal indictment against Nosal, charging him with eight counts of violating the CFAA, and other criminal offenses. Five of the eight CFAA counts were based on allegations that Nosal’s colleagues had downloaded confidential information while still employed at Korn/Ferry, in violation of its computer use policy. None of the CFAA counts was based on allegations that Nosal had directly accessed Searcher. Instead, they were all based on accomplice liability.

Nosal I

Nosal successfully moved to dismiss the five CFAA counts, relying on Brekka. In Brekka, the Ninth Circuit held that an employee of a company who had emailed confidential company documents from his work computer to himself and his wife did not violate the CFAA because the employee had authorization to use the company’s computers and access the confidential documents by virtue of his employment. See Brekka, 581 F.3d at 1127.

The Ninth Circuit affirmed the dismissal in United States v. Nosal (Nosal I), 676 F.3d 854 (2012) (en banc), interpreting the term “exceeding authorized access” in the CFAA to require “the unauthorized procurement or alteration of information, not its misuse or misappropriation.” Nosal I, at 863 (citations omitted). In doing so, the Ninth Circuit expressly rejected the position that “every violation of a private computer use policy” could constitute a violation of the CFAA, because such policies are often “lengthy, opaque, subject to change and seldom read,” and because the CFAA should not “transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.” Id. at 859, 860.

The government filed a Second Superseding Indictment, charging Nosal with three counts of violating the CFAA, and other criminal offenses. The remaining CFAA counts were based on the three occasions when Nosal’s two colleagues borrowed the login credentials of their third colleague to log into Searcher for their new search firm. A jury convicted Nosal of all counts in the Second Superseding Indictment.

Nosal II

On July 5, 2016, the Ninth Circuit affirmed Nosal’s CFAA convictions, holding that the post-employment accessing of Searcher by Nosal’s colleagues was “without authorization,” under the CFAA. The Court found that Nosal I did not address “whether Nosal’s access to Korn/Ferry computers after both Nosal and his co-conspirators had terminated their employment and Korn/Ferry revoked their permission to access the computers was ‘without authorization.’” United States v. Nosal (Nosal II), Nos. 14-10037, 10275, at 17 (9th Cir. July 5, 2016) (emphasis added). But, the Court found Brekka “squarely on point.” See id. at 16, 17 (finding that Brekka holds that “a person uses a computer ‘without authorization’ under §§ 1030(a)(3) and (4) . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway”) (citation omitted). Relying on Brekka and decisions from the Second, Fourth, and Sixth Circuits, the Ninth Circuit held that accessing a protected computer “without authorization,” is an “unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” Id., at 4, 17-18, 20-23. The Court went on to conclude that, once permission to access a protected computer had been revoked, continued access by a former employee was plainly “without authorization,” in violation of the CFAA. Id. at 25. The Ninth Circuit distinguished Nosal I as being based on the “unauthorized use of information,” rather than “unauthorized access – getting into the computer after categorically being barred from entry.” Id. at 17.

Takeaways

The impact of Nosal II is twofold. On the one hand, Nosal II solidifies the protections under the CFAA for confidential and proprietary data stored on company computers against former employees and/or contractors who seek to circumvent the revocation of their access and current employees and/or contractors who seek to exceed the limits of their authorized access. The Ninth Circuit found that only those accesses that were outside the scope of Nosal’s independent contractor agreement were actionable. See Nosal II, Nos. 14-10037, 10275, at 19, fn. 8. Therefore, companies should clearly define the boundaries of authorized computer access for each of their employees. For example, when companies have specific, proprietary data to which they wish to limit access to specific employees or groups of employees — also known as role-based restrictions — they should identify those categories of data or databases and then unambiguously communicate which employees, or groups of employees, are permitted to access that data. Companies should also affirmatively and unequivocally revoke access to their computer systems in certain situations, such as when an employee is terminated or suspected of working for a competitor. Such a revocation policy should be communicated to all employees.

On the other hand, Nosal II creates risk of potential liability under the CFAA for those companies who use the login credentials of consenting account holders to access third party computers for legitimate business purposes, such as benchmarking. Nosal II gives third parties who have policies against the sharing of login credentials a stronger argument that access using shared credentials is unauthorized, despite the fact that the account holders consented to the use of their credentials and the accessing of their accounts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fenwick & West LLP | Attorney Advertising
