|A divided 9th Circuit Court of Appeals has upheld the criminal conviction of a man who accessed his former employer’s database to gain proprietary information by using a former co-worker’s username and password. The case of US v. Nosal involved a former high-level executive at Korn/Ferry International, an executive search firm.
The executive sought information in Korn/Ferry’s database to help set up his own competing business. At first, he used his own user name and password to download the information. After the company revoked his access, the executive used his former assistant’s user name and password with her permission.
The federal appellate court ruled that the executive blatantly circumvented Korn/Ferry’s computer use policy and its decision to revoke his computer system access. The court explained that a confidentiality agreement Korn/Ferry required each new employee to sign clearly prohibited password sharing.
Writing for the 9th Circuit panel, Circuit Judge M. Margaret McKeown explained that one of the goals of the Computer Fraud and Abuse Act (CFAA) was to “deter and punish certain high-tech crimes, and to penalize thefts of property via computer that occur as part of a scheme to defraud.” Judge McKeown found it significant that Korn/Ferry had categorically barred the executive from accessing its system.
The fact that a current employee had lawful access to the database did not permit that employee to share her password with the former executive. Therefore, the former employee’s access was unauthorized and in violation of the CFAA.