Employee Password Sharing Can Be Criminal Activity, 9th Circuit Finds

Author: David B. Weisenfeld, XpertHR Legal Editor

July 22, 2016

A divided 9th Circuit Court of Appeals has upheld the criminal conviction of a man who accessed his former employer's database to gain proprietary information by using a former co-worker's username and password. The case of US v. Nosal involved a former high-level executive at Korn/Ferry International, an executive search firm.

The executive sought information in Korn/Ferry's database to help set up his own competing business. At first, he used his own user name and password to download the information. After the company revoked his access, the executive used his former assistant's user name and password with her permission.

The federal appellate court ruled that the executive blatantly circumvented Korn/Ferry's computer use policy and its decision to revoke his computer system access. The court explained that a confidentiality agreement Korn/Ferry required each new employee to sign clearly prohibited password sharing.

Writing for the 9th Circuit panel, Circuit Judge M. Margaret McKeown explained that one of the goals of the Computer Fraud and Abuse Act (CFAA) was to "deter and punish certain high-tech crimes, and to penalize thefts of property via computer that occur as part of a scheme to defraud." Judge McKeown found it significant that Korn/Ferry had categorically barred the executive from accessing its system.

The fact that a current employee had lawful access to the database did not permit that employee to share her password with the former executive. Therefore, the former employee's access was unauthorized and in violation of the CFAA.

In dissent, Circuit Judge Stephen Reinhardt noted that employees often share passwords for all sorts of reasons. He said, "The CFAA does not make the millions of people who engage in the generally harmless conduct of password sharing into unwitting federal criminals."

While the executive may have acted improperly in his attempt to compete with his former employer, Judge Reinhardt asserted - unsuccessfully - that this conduct did not violate the CFAA. And, he warned, the majority's decision threatens to criminalize all sorts of innocuous conduct, explaining that the CFAA aimed to criminalize "hacking," but did not address consensual password sharing.