When Password Sharing Becomes a Federal Crime

It has been noted many times that employees are often the weak link when it comes to protecting the proprietary information of their employer. This includes the sharing of passwords, which can cause harm to a company and can become grounds for federal prosecution of violators under the Computer Fraud and Abuse Act (CFAA).

The U.S. Ninth Circuit Court of Appeals recently issued an opinion that upheld a lower court decision in the case of David Nosal, who was convicted of conspiracy, theft of trade secrets, and computer fraud. He was sentenced to prison time, probation, and nearly $900,000 in restitution and fines.

Nosal had been an employee at the executive search firm Korn/Ferry International. He left the firm after being denied a promotion, but remained for a time as a contractor while simultaneously preparing to launch a competing search firm with others who were still at Korn/Ferry. Although his computer access credentials were revoked, Nosal continued to access the firm’s proprietary database, using the login credentials of his former assistant, who was still with the firm.

The Appeals Court reaffirmed the lower court decision that found Nosal had knowingly, and with the intent to defraud, “accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed.” The Court also said Nosal blatantly circumvented the affirmative revocation of his computer system access, and that this falls squarely within the CFAA’s prohibition on access “without authorization.”

Although controversial, this case should serve as a reminder for employers to clarify their computer access policies, beef up non-disclosure agreements, and put into place password revocation procedures for when employees, including executives and IT personnel, leave the company.

DataLink can help you avoid this and other problems with an annual Security Risk Assessment, which includes a thorough review of the effectiveness of organizational policies and operational procedures. Contact us today: 410.729.0440 or sales@DataLinkTech.com