A federal appeals court on July 5, 2016, affirmed the conviction of a former executive, David Nosal in a Computer Fraud and Abuse Act (CFAA) case that we’ve extensively covered.
In sum, Mr. Nosal was charged in 2012 and amended charges were filed in 2013 for violating the CFAA by using a shared password to steal headhunting leads from the company’s internal network after he left his job to launch a rival business. He was also charged with violating trade secret laws and one conspiracy count.
A jury convicted him on all counts in 2013. Nosal was sentenced to one year and one day in prison, three years of supervised release, fines, and $828,000 in restitution to his former employer.
In a 2-1 decision issued on 7/6/16, the panel held that Nosal, as a former employee whose computer access credentials were revoked, he acted “without authorization” when he or his former employees used the login credentials of a current employee to gain access to computer data owned by the previous employer. Such actions circumvented the revocation of the employer’s access to the computer data. But the panel remanded back to the district court to reconsider the reasonableness of the restitution award to the former employer’s attorneys’ fees.
Sharing Passwords Makes for Felony Computer Hacker?
Have you used a co-worker’s computer password to log into your employer’s network or website? Did you consider that such sharing could land you in prison? In essence – although greatly simplified – this is exactly what happened to Mr. Nosal. Or at least according to the dissenting judge who offered this stinging critique of the decision:
People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals … [The majority] loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.
We will continue to monitor this decision as yet further appeals may be on the horizon.
What the CFAA Means for Employers and Employees
Both employers and employees need to be mindful of using and misusing company information of the Computer Fraud and Abuse Act. It is a federal anti-hacking criminal statute that has increasingly been applied to the employer/employee relationship.
From a business perspective, it is critical to have in place procedures and policies that clearly identify what employees have authority to access digital business information and when they have authority to do so. This is because – as was the case in Nosal – such policies determine if and when a CFAA violation occurs:
Whether a person is authorized to access the computers in this case depends on the actions taken by [the Employer] to grant or deny permission to that person to use the computer. A person uses a computer “without authorization” when the person has not received permission from [the Employer] to use the computer for any purpose (such as when a hacker accesses the computer without any permission), or when [the Employer] has rescinded permission to use the computer and the person uses the computer anyway.
For individuals, CFAA violations most often occur when an employee leaves to join a competitor. Innocently or otherwise, it is not uncommon for an employee to copy digital information that may seem harmless, e.g., Outlook contacts, email communications, or work product created by the employee. But such actions are the sort that often give rise to CFAA or related trade secret misappropriation claims. For this reason, carefully planning your exit if you are starting a new business or joining a competitor should be a top priority.
For more information about this article, as well as investigating or responding to trade secret misappropriation, Computer Fraud and Abuse Act, and related claims, contact attorney Jason Shinn. Mr. Shinn routinely investigates and litigates these legal issues in federal and Michigan Courts on behalf of businesses and individuals.