Friday, May 24, 2013

Password Sharing and the Computer Fraud and Abuse Act, Revisited

I was reading Eric Ostroff's fine post discussing customer lists as trade secrets, in the context of a recent case involving Farmers Insurance Exchange and several of its former agents, Farmers Ins. Exch. v. Steele Ins. Agency, 2013 U.S. Dist. LEXIS 70098 (E.D. Cal. May 16, 2013).

The trade secret at issue in that case involved an electronic compilation of data about insurance customers. Farmers maintains that compilation for its captive agents through something called an "Agency Dashboard." In the captive insurance setting, the insurer normally owns proprietary rights to its customer information. This is in stark contrast to the independent agency system, where the agents themselves retain rights to such data.

Eric does a nice job summarizing the steps Farmers takes to protect its customer data, including the requirement that agents log in with passwords each time they gain access to the database. They must, as Eric points out, acknowledge Farmers' proprietary rights upon entry to Farmers' dashboard system.

Full disclosure, now.

I litigated several matters against Farmers Insurance over the years. And I am well-familiar with the way in which Farmers pursues trade secrets cases against ex-agents, and all too familiar with the Agency Dashboard, what it looks like, and how it works.

So I won't summarize what Eric wrote, but instead I want to highlight a fact that came up in the case and try to apply a claim Farmers hasn't (yet?) pursued.

Yes, I am talking about our old pal, the Computer Fraud and Abuse Act.

At least two of the defendants in the Farmers case used passwords that did not belong to them to access Agency Dashboard.

One of the defendants was an office employee (seemingly a customer service agent) who used another Farmers agent's password to download reports out of Agency Dashboard. That agent, apparently not complicit, had severe health problems.

Another defendant was the son of a Farmers agent (again, it didn't appear the agent was complicit) and used his father's Farmers password to log in to Agency Dashboard. Though not crystal clear from the record, the defendant then presumably used proprietary data from the dashboard to switch customers away from Farmers. Neither of those defendants had password credentials of his or her own.

This case comes at an interesting time. John Marsh, Russell Beck, and I just recorded another episode of the Fairly Competing podcast (which will be available Tuesday morning), and we discussed the latest chapter in United States v. Nosal. The factual matrix in that case (also from California) involved something very similar to what I've just described: gaining access to a protected computer system through password sharing. (For my prior post discussing Nosal in the District Court, click here.)

That is: X uses Y's password to log in to a protected database, when X can't otherwise gain access through credentials assigned to him.

As the Nosal jury found, this conduct violated the CFAA because the individual is gaining access to a protected computer without authorization. A password is the quintessential access barrier, familiar to everyone.

The Farmers case was teed up for a preliminary injunction around the time the Nosal verdict came down, and there isn't much precedent available for extending the CFAA to the password-sharing paradigm. In fact, given the Ninth Circuit's rather narrow interpretation of the CFAA, it's to be expected that attorneys would pull back on civil claims under this statute.

But it appears that the agents who accessed Agency Dashboard without proper password credentials may have violated the CFAA, at least under the statutory interpretation applied by the District Court in Nosal. The case under the CFAA may be stronger than that against Nosal, because there's no indication Nosal himself accessed the database with someone else's password. He was just directing traffic.

I still have not reconciled, personally, whether the CFAA should be extended to this fact pattern, though I think it probably should. I have great reservations about the CFAA for many reasons. And given the Ninth Circuit's narrow construction of the CFAA, it is possible we'll get further guidance on whether password sharing implicates a statutory violation when Nosal II is decided.
