This week, the Ninth Circuit clarified the scope of the Computer Fraud and Abuse Act (CFAA) in upholding the defendant’s criminal conviction in United States v. David Nosal.
The CFAA was enacted in 1984 to target “hackers who accessed computers to steal information or to disrupt or destroy computer functionality….” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 1984) (citing H.R. Rep. No. 98-894, at 8-9 (1984), 1984 U.S.C.C.A.N. 3689, 3694). It criminalizes, among other things, “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access, and by means of such conduct further[ing] the intended fraud and obtain[ing] anything of value[.]” 18 U.S.C. § 1030(a)(4). The CFAA broadly defines a “protected computer” as a computer “which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication in the United States.” 18 U.S.C. § 1030(e)(2)(B). The CFAA also establishes a right of action for private parties who were injured by violations of its provisions. 18 U.S.C. § 1030(g).
David Nosal (Nosal) was a regional director at Korn/Ferry International (Korn/Ferry), a global executive search firm. In 2004, despite signing a non-competition agreement and becoming an independent contractor with Korn/Ferry, Nosal prepared to launch his own executive search firm with three of his former colleagues who were still employed at Korn/Ferry. After he became a contractor, Korn/Ferry revoked Nosal’s access to its computer system, although it continued to permit Nosal to ask Korn/Ferry employees to conduct searches on his behalf on Searcher, Korn/Ferry’s internal, confidential and proprietary database of information on over a million executives, to complete the work he was doing for Korn/Ferry. Any Korn/Ferry employee with login credentials could access Searcher. However, Korn/Ferry possessed a policy that stated that Searcher was only to be used for Korn/Ferry business.
When he launched his competing search firm, Nosal convinced his three former Korn/Ferry colleagues to download source lists and other information from Searcher for him, in violation of Korn/Ferry’s computer use policy. After two of Nosal’s colleagues left Korn/Ferry and had their access to Searcher revoked, they borrowed the login credentials of the third colleague, who remained at Korn/Ferry at Nosal’s request, so that they could download confidential information from Searcher to expedite their work at the new search firm. None of the searches conducted by Nosal’s three colleagues related to any of Nosal’s work for Korn/Ferry.
The government obtained a twenty count federal Indictment against Nosal, charging him with eight counts of violating the CFAA, and other criminal offenses. Five of the eight CFAA counts were based on allegations that Nosal’s colleagues had downloaded confidential information while still being employed at Korn/Ferry in violation of its computer use policy. None of the CFAA counts was based on allegations that Nosal had directly accessed Searcher. Instead, they was all based on accomplice liability.
Nosal successfully moved to dismiss the five CFAA counts, relying on Brekka. In Brekka, the Ninth Circuit held that an employee of a company who had emailed confidential company documents from his work computer to himself and his wife did not violate the CFAA because the employee had authorization to use the company’s computers and access the confidential documents by virtue of his employment. See Brekka, 581 F.3d at 1127.
The Ninth Circuit affirmed the dismissal in United States v. Nosal (Nosal I), 676 F.3d 854 (2012) (en banc), interpreting the term, “exceeding authorized access,” in the CFAA to require “the unauthorized procurement or alteration of information, not its misuse or misappropriation.” Nosal I, at 863 (citations omitted). In doing so, the Ninth Circuit expressly rejected the position that “every violation of a private computer use policy” could constitute a violation of the CFAA because such policies are often “lengthy, opaque, subject to change and seldom read,” and that the CFAA should not transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.” Id. at 859, 860.
The government filed a Second Superseding Indictment, charging Nosal with three counts of violating the CFAA, and other criminal offenses. The remaining CFAA counts were based on the three occasions when Nosal’s two colleagues borrowed the login credentials of their third colleague to log into Searcher for their new search firm. A jury convicted Nosal of all counts in the Second Superseding Indictment.
On July 5, 2016, the Ninth Circuit affirmed Nosal’s CFAA convictions, holding that the post-employment accessing of Searcher by Nosal’s colleagues was “without authorization,” under the CFAA. The Court found that Nosal I did not address “whether Nosal’s access to Korn/Ferry computers after both Nosal and his co-conspirators had terminated their employment and Korn/Ferry revoked their permission to access the computers was ‘without authorization.’” United States v. Nosal (Nosal II), Nos. 14-10037, 10275, at 17 (9th Cir. July 5, 2016) (emphasis added). But, the Court found Brekka “squarely on point.” See id. at 16, 17 (finding that Brekka holds that “a person uses a computer ‘without authorization’ under §§ 1030(a)(3) and (4)... when the employer has rescinded permission to access the computer and the defendant uses the computer anyway”) (citation omitted). Relying on Brekka and decisions from the Second, Fourth, and Sixth Circuits, the Ninth Circuit held that accessing a protected computer “without authorization,” is an “unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” Id., at 4, 17-18, 20-23. The Court went on to conclude that, once permission to access a protected computer had been revoked, continued access by a former employee was plainly “without authorization,” in violation of the CFAA. Id. at 25. The Ninth Circuit distinguished Nosal I as being based on the “unauthorized use of information,” rather than “unauthorized access – getting into the computer after categorically being barred from entry.” Id. at 17.
The impact of Nosal II is twofold. On the one hand, Nosal II solidifies the protections under the CFAA for confidential and proprietary data stored on company computers against former employees and/or contractors who seek to circumvent the revocation of their access and current employees and/or contractors who seek to exceed the limits of their authorized access. The Ninth Circuit found that only those accesses that were outside the scope of Nosal’s independent contractor agreement were actionable. See Nosal II, Nos. 14-10037, 10275, at 19, fn. 8. Therefore, companies should clearly define the boundaries of authorized computer access for each of their employees. For example, when companies have specific, proprietary data to which they wish to limit access to specific employees or group of employees — also known as role-based restrictions — they should identify those categories of data or databases and then unambiguously communicate which employees, or group of employees, are permitted to access that data. Companies should also affirmatively and unequivocally revoke access to their computer systems in certain situations, such as when an employee is terminated or suspected of working for a competitor. Such a revocation policy should be communicated to all employees.
On the other hand, Nosal II creates risk of potential liability under the CFAA for those companies who use the login credentials of consenting account holders to access third party computers for legitimate business purposes, such as benchmarking. Nosal II gives third parties who have policies against the sharing of login credentials a stronger argument that access using shared credentials is unauthorized, despite the fact that the account holders consented to the use of their credentials and the accessing of their accounts.