The U.S. Court of Appeals for the Ninth Circuit recently held that using a co-worker’s password to access an employer’s computer databases can be considered a criminal action. The case, United States v. Nosal, has been winding through the court systems for almost a decade, and provides insight into what types of employee actions violate the Computer Fraud and Abuse Act (CFAA).
The case involves David Nosal, a former employee of Korn/Ferry, one of the world’s largest executive search and recruiting firms. In 2004, Nosal resigned from his full-time position with Korn/Ferry and agreed to work as an independent contractor. Before leaving the business, Nosal conspired with three other employees to start a competing executive search firm business by stealing client lists and other proprietary data from the company.
To accomplish this, Nosal and his co-conspirators accessed their former employer’s computer databases by logging in with a current employee’s credentials. Nosal’s own login credentials had been revoked after he resigned, but his former assistant still worked for the company. With her password, Nosal and his co-conspirators were able to gain unauthorized access.
Nosal and his co-conspirators were each charged with 20 counts of violating the CFAA. The law, which was created in 1986, allows for criminal charges if a person intends to defraud someone else by knowingly accessing a computer without authorization or in excess of the person’s authorized access. The district court in the case found Nosal guilty of the charges and sentenced him to one year and one day in prison, three years of supervised release, a $60,000 fine, and over $800,000 in restitution to pay to Korn/Ferry.
Nosal appealed these decisions multiple times. In the Ninth Circuit’s most recent decision about the case, the court interpreted the part of the CFAA which states that the employee must have accessed the employer’s computer “without authorization.” Since Nosal had used his former assistant’s authorized login to access the system, he argued that he could not be convicted under the CFAA. The Ninth Circuit disagreed, and held that the phrase meant that the person must have received permission from the computer system’s owner to access it. Since Nosal’s credentials were revoked, he no longer had permission to access the computer system.
The Nosal case has expanded the use of criminal charges against employees who access their employers’ computer systems without authorization. The CFAA is broad and could technically apply to any employee who uses any employer device for something other than work. For instance, accessing Facebook on a work computer may be outside that employee’s “authorized access.” However, most courts have held that the unauthorized access needs to be with the intent to defraud the employer. Simply killing time online would probably not be a basis for filing criminal charges, though it could be a basis for termination.
Employees who quit, are fired, or resign must remember that they cannot continue accessing the computer systems of their old employer, even with a current employee’s login credentials. If you are caught downloading emails, files, and other documents, you may not only face a lawsuit but could be the subject of criminal charges as well.
Sacramento, CA 95821