CFAA Double Feature: Ninth Circuit Issues Two Important Decisions on the Scope of Liability Related to Data Scraping and Unauthorized Access to Employer Databases
Unauthorized Access: A former employee, whose access has been revoked, and who uses a current employee’s login credentials to gain network access to his former company’s network, violates the CFAA. [U.S. v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016)]
This past week, the Ninth Circuit released two important decisions that clarify the scope of liability under the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The Act was originally designed to target hackers, but has lately been brought to bear in many contexts involving wrongful access of company networks by current and former employees and in cases involving the unauthorized scraping of data from publicly available websites.
Both cases, issued by the influential Ninth Circuit, may have important implications for the availability of a federal cause of action for data theft cases and also cases of unauthorized website access by commercial entities. A lesson from both cases: while a carefully drafted computer use policy or website terms of service is essential to the protection of corporate networks and digital assets, it is but one element of a strategy that should also include technological barriers (when necessary) and other actions that give former employees and unwanted entities notice that corporate network access or permission to access a website or service has been revoked.
United States v. Nosal
In U.S. v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016) (“Nosal II”), the defendant Nosal was charged under the criminal provisions of the CFAA with intent to defraud his former employer and aid his competing venture by obtaining access to his former employer’s network via a current employee’s login credentials. The issue before the court was whether the “without authorization” prohibition of the CFAA extends to a former employee whose computer access credentials were rescinded but who, disregarding the revocation, accesses the computer by using a current employee’s own credentials.
In a 2-1 decision, the panel affirmed the defendant’s CFAA convictions for accessing a protected computer “without authorization” (and also for trade secret theft in violation of the Economic Espionage Act). The court found that “password sharing,” whereby an ex-employee with revoked privileges asks a current employee for login information to gain entry, fell within the CFAA’s prohibition on access “without authorization” under 18 U.S.C. § 1030(a)(4). Put simply: “[O]nce authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”
The Nosal case has wended its way through the courts for years, and we previously wrote about the 2012 Ninth Circuit ruling in the case (“Nosal I”), where the Ninth Circuit ruled that information Nosal downloaded while still an employee with login privileges, but done in violation of the company’s computer use policies, did not “exceed authorized access” under the CFAA. Distinguishing between access restrictions and use restrictions, the court in Nosal I concluded that the “exceeds authorized access” prong of the CFAA does not extend to violations of a company’s use restrictions.
“[T]he circumstance here—former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer—bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.”
Second Show: Facebook v. Power Ventures
In the late show of this Ninth Circuit CFAA double feature, the appeals court issued an opinion in another long-running litigation, Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th Cir. July 12, 2016). We last wrote about the dispute in 2009. The panel affirmed in part and vacated in part the district court’s grant of summary judgment in favor of Facebook on its claims against Power Ventures, Inc. (“Power”), the operator of power.com, the now-defunct social networking aggregation service that allowed users to access all of their social network accounts through one interface. In a marketing campaign to attract new users, Power accessed Facebook users’ data with their permission and initiated form e-mails and other electronic messages promoting its website. While the court reversed the lower court’s ruling on the CAN-SPAM claims, it affirmed the grant of summary judgment on the CFAA claim, and held that Power violated the CFAA for accessing Facebook’s service after it received a cease and desist letter from Facebook and nonetheless continued to access Facebook’s computers without permission. The court remanded the case to the district court to reconsider appropriate remedies under the CFAA and California state law equivalent, including any injunctive relief.
Without making any ruling regarding the open nature of publicly available websites, the court stated that Power initially had “at least arguable permission to access Facebook’s computers” because it was reasonable to believe that consent from Facebook users to share the promotion was permission enough for Power.” Yet, at a certain point, the court found that Facebook made it known through a cease and desist letter and IP blocks that Power’s authorization to access its site was revoked. The court held that any subsequent access to Facebook’s computers was thus “without authorization” within the meaning of the CFAA, making Power liable under the statute.
The Ninth Circuit reasoned that the consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission.
“[F]or Power to continue its campaign using Facebook’s computers, it needed authorization both from individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.”