Last week, the Ninth Circuit Court of Appeals handed down an important decision for employers under the Computer Fraud and Abuse Act (CFAA) in U.S. v. Nosal. While Nosal was a criminal case initiated by the U.S. government against a former private-sector employee, the 2-1 decision may be applied in the civil context due to the CFAA’s joint civil-criminal application.
The case centered around the activities of Nosal and other former employees of Korn/Ferry International, a premier executive search firm. In its business, Korn/Ferry used a proprietary database called Searcher to compile its candidate sourcing lists – invaluable in the staffing industry. At the end of a person’s employment with Korn/Ferry, access to Searcher would be cut off.
The government alleged that former Korn/Ferry employees, Nosal and others, essentially “hacked” Korn/Ferry so he could view the Searcher data, which he then used to compete against Korn/Ferry.
But the hacking here was not the result of sophisticated computer code, phishing, or other means. Instead, it was the result of Nosal and others using the passwords of authorized users, who had allowed them to use these passwords to gain access to Searcher information after their employment ended.
This concept is often referred to as “password sharing” – basically, when a single user has access to online services, and then allows others to use the password without authorization.
The majority issued a heavy-handed rebuke of Nosal’s and his co-conspirators’ conduct, stating that the unauthorized use of company passwords by former employees is not an innocuous thing but, instead, a crime. However, the dissent implied that application of the majority’s decision is virtually unlimited, and would not just apply against former employees gaining unauthorized access to their employer’s data, but also against average American innocuously sharing passwords with their spouses.
Many commentators have interpreted this to mean the majority’s decision “criminalizes” sharing of Netflix and HBO Go passwords. True enough, though, Nosal was not trying to catch up on Game of Thrones. Instead, he was rather attempting to gain access to Korn/Ferry’s Searcher data without authorization – conduct which fits squarely within the CFAA’s prohibitions.
The CFAA as a Mechanism for Employer Lawsuits
The CFAA’s statutory, civil causes of action have long been used by employers against former employees who have retained access to confidential information, as well as former employees in competition in violation of covenants not to compete.
The CFAA allows for civil actions for compensatory damages when there has been access of a “protected computer” (a computer used in interstate commerce, or by a financial institution or the government), when that access was knowing or intentional, and without authorization, or exceeding authorization. With such a broad scope of unauthorized use, the CFAA is therefore often considered in cases against ex-employees.
However, selling these claims to judges and juries is not always easy for employers, in part because the CFAA was not developed in the employment law context. Instead, it was originally developed as a purely anti-hacking statute, put in place to deter hacking of government, banking, and military computers.
The Nosal decision bridges the gap between the CFAA’s hacking prevention foundations and employment law and, therefore, updates CFAA jurisprudence for employers. With respect to password sharing or unauthorized use of company information after employment, Nosal adds arrows to the employer’s quiver when litigating against ex-employees.
You may also think twice about letting your in-laws use your Netflix password, at least those within the Ninth Circuit’s reach.