Author: David Nied
The Ninth Circuit has handed down two significant decisions under the Computer Fraud and Abuse Act in the past week. In the first decision, United States v. Nosal, the court affirmed the CFAA conviction of David Nosal, a former Korn/Ferry employee who left to start his own competing business with several co-workers. After Nosal and his co-workers left, Korn/Ferry revoked their computer access credentials. Nevertheless, the departed employees used the computer access credentials of Mr. Nosal’s executive assistant—who remained at Korn/Ferry—to obtain access to the company’s proprietary database. The court held that “without authorization” under the CFAA was unambiguous and means “accessing a protected computer without permission.” Nosal argued that since his former executive assistant was authorized to access the company’s computers, he had not violated the statute. Not so, said the court: “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.” Ad Astra’s David Nied and Michael Dorsi, and former associate, Keenan Ng, submitted an amicus brief on behalf of a former client and in support of the United States in which they discussed the importance of the remedies under the CFAA to small, entrepreneurial businesses in the Bay Area. You can read The Recorder’s summary of the decision here. The Recorder quoted Mr. Nied’s observation that the decision “confirms that [small businesses] have a tool available to them under the CFAA to protect their business, their intellectual property, and their trade secrets from former employees.”
In the second decision, Facebook v. Vachani, the court concluded that a social-media aggregator, Power.com, and its principal, Steven Vachani, had violated the CFAA by continuing to use Facebook users’ accounts to send spam email and messages to other Facebook users to promote Power.com after Facebook had sent them a cease and desist notice. Like Mr. Nosal, the defendants argued that they had not violated the CFAA because they had the consent of the Facebook users to send out the emails and messages. The Ninth Circuit, however, concluded that the cease and desist notice revoked any permission the defendants had to use Facebook’s computers and that the defendants used Facebook’s computers “without authorization” after that point in time. The court returned the case to the trial court to re-calculate Facebook’s damages from the date of the cease and desist notice. The takeaway for small business owners is to send out a cease and desist notice the moment you become aware that a third party may be accessing your computers or cloud-based accounts without permission. You can read more about the decision in The Recorder.