Monday, March 18, 2013

U.S. v. Nosal: Back In the District Court, the Defendant Isn't as Fortunate

One of 2012's most important competition law cases involved the Ninth Circuit's decision in United States v. Nosal, which narrowly construed the Computer Fraud and Abuse Act. Nosal determined that an employee did not violate the CFAA when he accessed a protected computer with permission but with the intent to use the information gained from that access in violation of a use agreement (in that case, an employer policy).

Nosal generated considerable discussion and handwringing among commentators, with the only universal point of agreement seeming to be the disappointment that Nosal did not spur a Supreme Court case that would lead to some uniformity over the CFAA's application. On Episodes 1 and 2 of the Fairly Competing podcast, John Marsh, Russell Beck, and I discuss Nosal at length.

Nosal is back in the district court now, where the defendant tried to get additional counts of the indictment dismissed following the Ninth Circuit's ruling (the Ninth Circuit did not address each count of the indictment - only a few). This time, he met with decidedly less success.

The district court refused to toss three CFAA counts against Nosal based on Section 1030(a)(4) of the CFAA, which generally makes it a crime or a civil offense to access a protected computer without authorization, or in a manner that exceeds authorized access, with the intent to defraud. In one of those counts, the court closed a potentially gaping loophole on the meaning of the term "access."

Here's the scenario: Employee A has a valid, existsing password to a protected database. Employee A then logs in with that password to allow Ex-Employee B to obtain information out of the secure database. Employee B has no authorization on her own to use the database. Is Employee B's use of the database following the proper login "access" within the meaning of the CFAA?

The answer's yes. And the rationale isn't all that difficult to understand. As the court logically reasoned, this fact pattern is no different than if A gave B the password to log in on her own. That clearly would be unauthorized access to a system. In the court's own words, "access encompasses not only the moment of entry, but also the ongoing use of a computer system."

It's relatively safe to say CFAA cases will continue to generate controversy, discussion, and calls for legislative action.

No comments:

Post a Comment