Privacy Law

Using worker's password to access info at former workplace is illegal hacking, 9th Circuit says


A federal appeals court has ruled that using a former assistant’s password to access information from a previous employer is hacking that is banned by the Computer Fraud and Abuse Act.

The San Francisco-based 9th U.S. Circuit Court of Appeals ruled 2-1 Tuesday that former Korn/Ferry employee David Nosal violated the law when he used the password to collect information for his new, competing company, the Wall Street Journal Law Blog, Reuters, the Hill and Courthouse News Service report. How Appealing linked to the coverage and the opinion (PDF).

Dissenting Judge Stephen Reinhardt argued that the majority decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”

“People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it,” Reinhardt wrote. “In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”

The court was interpreting a section of the Computer Fraud and Abuse Act that imposes criminal penalties on anyone who, with an intent to defraud, “accesses a protected computer without authorization.”

Judge M. Margaret McKeown wrote the majority decision upholding Nosal’s 366-day sentence for violating the law. Once permission to access a computer is affirmatively revoked, she said, a computer user “cannot sidestep the statute by going through the back door and accessing a computer through a third party.”

The 9th Circuit had previously ruled that the law did not apply to Nosal’s colleagues, who had used their own passwords to download confidential information from Korn/Ferry before they left the company. That 2012 opinion tossed criminal counts against Nosal that claimed he aided and abetted the co-worker’s violation of corporate computer policies. The court was interpreting a different prong of the CFAA that criminalized access to computers by those whose use “exceeds authorized access.”

The new decision applies to Nosal’s access to the Korn/Ferry computers using his former executive assistant’s password after his own credentials were revoked. “Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the revocation of his computer system access,” the majority opinion said. “This access falls squarely within the CFAA’s prohibition on access ‘without authorization.’ ”

McKeown said the dissent “would have us ignore common sense and turn the statute inside out. … Under this approach, ignoring reality and practice, an employee could willy nilly give out passwords to anyone outside the company,” including to “bank robbers who find it less risky and more convenient to access accounts via the internet rather than through armed robbery.”

See also:

ABA Journal: “Hacker’s Hell: Many want to narrow the Computer Fraud and Abuse Act”
