The Ninth Circuit Court of Appeals has upheld the conviction of a former employee who used a friend's password to access confidential information.
David Nosal used to work for Korn/Ferry, an executive search firm. After leaving his position, Mr. Nosal set up a competing business. He wanted access to Korn/Ferry's database. He tried to gain that access in two ways. First, he tried his own user name and password to download the information before he left. Second, after Mr. Nosal left his job, his former assistant willingly used her own user name and password to download information from the database.
Mr. Nosal was convicted for violating the federal Computer Fraud and Abuse Act ("CFAA"), which prohibits "access[ing] a protected computer without authorization." His use of the system prior to his leaving the company did not "exceed authorized access" as permitted and was thus lawful. The fact that company's computer policy was violated by his act did not make the conduct illegal. However, Mr. Nosal's access of the database through other employees, after his own use had been revoked, was "without authorization" and a violation of the act. The big question left: Is the sharing of passwords criminal conduct under the CFAA? The Ninth Circuit's decision left unclear the line between criminal hacking and the innocent sharing of passwords.