Academic journal article Harvard Law Review

Criminal Law - Computer Fraud and Abuse Act - Ninth Circuit Affirms Conviction of a Former Employee Who Used Another Employee's Password

Academic journal article Harvard Law Review

Criminal Law - Computer Fraud and Abuse Act - Ninth Circuit Affirms Conviction of a Former Employee Who Used Another Employee's Password

Article excerpt

CRIMINAL LAW--COMPUTER FRAUD AND ABUSE ACT--NINTH CIRCUIT AFFIRMS CONVICTION OF A FORMER EMPLOYEE WHO USED ANOTHER EMPLOYEE'S PASSWORD.--United States v. Nosal (Nosal II), 828 F.3d 865 (9th Cir. 2016), reh'g denied and amended by 2016 WL 7190670 (9th Cir. Dec. 8, 2016).

The Computer Fraud and Abuse Act (1) (CFAA), which addresses computer hacking, broadly criminalizes intrusion into computer systems, including all computers "used in or affecting interstate or foreign commerce or communication." (2) Among other provisions, the CFAA imposes criminal penalties on whoever "accesses a protected computer without authorization, or exceeds authorized access" to perpetrate a fraud. (3) Recently, in United States v. Nosal (Nosal II), (4) the Ninth Circuit affirmed the conviction of a defendant whose co-conspirators used someone else's login credentials to access the computers of the defendant's former employer. (5) In doing so, the court held that "without authorization" is an unambiguous term with a plain meaning; the court's interpretation meant that in this case only the system owner--and not a legitimate user of the system--could grant authorization. (6) The court could have minimized the CFAA's risk of overcriminalization by articulating a distinction between individuals who are explicitly denied or revoked access, and those who lack authorization from the system owner but may claim authorization from a legitimate user.

David Nosal was an employee of Korn/Ferry International (KFI), an executive search firm. (7) After he announced in 2004 that he intended to leave the company, he continued to work as a contractor under a noncompetition agreement. (8) Meanwhile, Nosal and other KFI employees were secretly launching a competing business. (9) KFI's "core asset" was a proprietary database called Searcher, hosted on KFI's internal network, which held information about over a million executive search candidates. (10) Nosal and his partners had downloaded data from Searcher while they were employees at KFI, using their own credentials, for use in their competing business. (11) Because KFI revoked their logins when they ceased to work for the firm, they then asked Nosal's former assistant, Jacqueline Froehlich-L'Heureaux (FH), who remained employed at KFI, for her username and password. (12) She gave her credentials to Nosal's partners, who used those credentials to continue accessing Searcher on at least three discrete occasions. (13) After an anonymous tip, KFI launched an investigation and referred the matter to authorities. (14) The government indicted Nosal on nineteen criminal counts, five of which alleged CFAA violations under the "exceeds authorized access" clause of [section] 1030(a)(4) while Nosal was a KFI employee; (15) those CFAA counts were dismissed in Nosal I. (16) In 2013, the government filed a superseding indictment with three CFAA counts resting on accomplice liability for the three times Nosal's partners, without authorization, accessed Searcher with FH's credentials after they had left the firm. (17) The government also indicted Nosal on two trade secret misappropriation counts under the Economic Espionage Act (18) and one count of conspiracy. (19) A jury found him guilty on all counts. (20) Nosal moved for acquittal and for a new trial. (21)

The United States District Court for the Northern District of California denied the motions. (22) The court rejected Nosal's argument that a CFAA violation requires "circumvention of technological barriers," such as evading a firewall by pretending to connect from somewhere else, because neither the statute nor Nosal I requires such circumvention. (23) The court also rejected Nosal's argument that FH's permission to use her credentials to access Searcher was sufficient authorization, (24) explaining that the employer determines authorization, not a password holder defying the employer. (25) Nosal timely appealed. (26)

A divided panel of the Ninth Circuit affirmed Nosal's conviction on all counts. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.