Written by Michael S. Dorsi
San Francisco-based NovelPoster, having settled its Computer Fraud and Abuse Act (“CFAA”) claim against Javitch Canfield Group, filed a brief as amicus curiae in the Ninth Circuit Court of Appeals case of United States v. Nosal (9th Cir. Case Nos. 14-10037 and 14-10275).
While the NovelPoster and Nosal cases originated differently — NovelPoster was a civil action and Nosal is a criminal prosecution — both cases touched on an important question: is a person liable under the Computer Fraud and Abuse Act for acting without authorization — a term that applies equally in civil lawsuits and criminal prosecutions — if the actions in question did not involve circumventing a technical or code-based access barrier.
The Nosal case is a criminal prosecution that commenced with an indictment in 2008. Nosal left his employer, the executive search firm Korn/Ferry, and founded a competing business. According to the indictment, his co-conspirators took Korn/Ferry information for the benefit of his competing business. The CFAA charges against Nosal fell roughly within two categories: (1) Nosal was liable for the acts of his co-conspirators who remained at Korn/Ferry and downloaded information from Korn/Ferry’s computers and gave the information to Nosal, and (2) Nosal was liable for acts of two of his co-conspirators, who after leaving Korn/Ferry (and losing their access credentials) used the username and password of a third co-conspirator to gain access to Korn/Ferry’s computer system.
In Nosal’s first appeal, the Ninth Circuit struck the first category of allegations, explaining that the CFAA restricts access to computers, not the use of data once accessed. United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc) . The case then returned to the United States District Court for the Northern District of California, where a jury found Nosal guilty on the remaining CFAA charges, along with other crimes. Nosal appealed, alleging that the use of a co-conspirator’s password is not a crime under the CFAA, in part because it is not hacking.
After Nosal’s jury trial but before any briefing in his appeal, NovelPoster brought its civil case, NovelPoster v. Javitch Canfield Group, et al. NovelPoster’s complaint alleged that defendants had used the administrator credentials, originally shared as part of a business deal, to change the passwords to NovelPoster’s online accounts, including payment accounts (PayPal and Stripe), social media (Facebook, Twitter), and the two owners’ email accounts. Changing the passwords, according to NovelPoster’s pleadings, locked the owners of the business out of their own accounts because Defendants would not share the new passwords with the owners. Two of the defendants sought to have the computer fraud counts dismissed on the basis that because they already had administrator access to the NovelPoster accounts, they did not circumvent a technological access barrier. The court — in the same district but in front of a different judge than the Nosal case — rejected the defendants’ argument, concluding that the CFAA does not require circumvention of a technological or code-based barrier. NovelPoster v. Javitch Canfield Group, et al., Case No. 3:13-cv-05186-WHO (Aug. 4, 2014).
While NovelPoster settled its case in February 2015, NovelPoster decided to file a brief in the Nosal appeal, informing the Ninth Circuit Court of Appeals the importance of the CFAA to protect the victims of computer fraud and abuse, regardless of whether the perpetrator circumvents a technological access barrier. NovelPoster’s brief draws on its own experience, as well as other cases that show the harm from insider hacking by employees and other persons with the ability to access computer systems.
 The Electronic Frontier Foundation, amicus curiae in support of Defendant-Appellant David Nosal, maintains a website [https://www.eff.org/cases/u-s-v-nosal] with all of the briefs in this case.