David Nosal, an ex-employee of Korn Ferry International (“KFI”), convinced some of his former colleagues to download source lists from KFI using their log-in credentials and the log-in credentials of another employee. In 2008, Mr. Nosal was charged with violating the Computer Fraud and Abuse Act (“CFAA”) and the Economic Espionage Act (“EEA”). The government argued for an interpretation of the CFAA that would make a violation of a private computer use policy a federal crime. Using the Ninth Circuit decision in LVRC Holdings LLC v. Brekka as precedent, the U.S. District Court for the Northern District of California disagreed with the government’s interpretation of the CFAA and dismissed five of the eight charges for failure to state an offense. On appeal, an en banc panel of the U.S. Court of Appeals for the Ninth Circuit affirmed the District Court’s decision and found that the CFAA prohibits unauthorized access of computer information, not the misuse or misappropriation of that information. See United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). The five dismissed charges were based on allegations that two individuals downloaded KFI information using their log-in credentials while they were employees.
After the en banc decision, the remaining three CFAA charges were based on allegations that two former KFI employees used a log-in credential of a current KFI employee to run certain searches of the KFI database. It was undisputed that these former employees had the current employee’s permission to use her log-in credentials, but they did not have permission from KFI. In 2013, a jury convicted Mr. Nosal of three CFAA charges, two EEA charges, and one count of conspiracy to violate the CFAA and the EEA.
Mr. Nosal timely filed an appeal, and the Ninth Circuit heard arguments last Tuesday, October 20th. The CFAA appeal issue is whether obtaining information by using the current employee’s log-in credentials without the company’s permission constitutes a crime under the CFAA. When deciding this issue, the Ninth Circuit must address whether the same meaning of “without authorization” should be applied to the misdemeanor provisions of the CFAA as it is applied to the felony provisions.
Last Tuesday, Mr. Nosal’s lawyer argued that the meaning of “without authorization” must be read consistently throughout the CFAA, and sharing a password should not constitute a criminal act. The government stated that it is not asking the court to adopt a bright line rule that sharing or using someone else’s password without authorization is a criminal act under the CFAA. Rather, the government is urging the court to enforce its holding in the Brekka decision, in which the Ninth Circuit held that a person uses a computer “without authorization” under Section 1030(a)(2) and (4) of the CFAA when the employer rescinds permission to access the computer and the defendant uses the computer anyway. It is worthing noting that during the government’s argument last Tuesday, Judge Reinhardt was quick to note that Brekka “doesn’t say that if you don’t use your authorization but somebody else gives you her authorization, you can’t use that.”
According to the government, enforcing the Brekka rule in Nosal will not have ramifications outside of the employment context. The court disagreed, stating that the limiting principle cannot be employment because the statute is not limited to the employment context. The court seemed concerned about the broader issue raised in the defendant’s briefs and amicus briefs that affirming the District Court’s convictions and judgment would, in effect, criminalize password sharing. Overall, the majority of the court’s questions to the government were fact-specific, possibly indicating that its holding will be narrow.