Last August, we reported on a Ninth Circuit case in which a former employee was convicted of a crime under the Computer Fraud and Abuse Act (“CFAA”) for accessing and downloading information from his former company’s database “without authorization.” The former employee has now asked that the U.S. Supreme review the Ninth Circuit’s decision.
The question presented to the high Court is, “Whether a person who obtains an account holder’s permission to access a computer nevertheless ‘accesses a computer without authorization’ in violation of the CFAA when he acts without permission from the computer’s owner.”
According to the petition, the Ninth Circuit decision is at odds with other circuit court opinions that look to the computer owner’s “intentions, expectations, and contractual or agency relationships to determine whether access to a computer is authorized.”
The petition argues that the appellate court’s ruling “exposes a broad range of innocuous, day-to-day activity to criminal prosecution” such as an assistant who logs into an executive’s email account or a spouse who logs on to her husband’s email account. However, as the Ninth Circuit majority stated, “[t]his case is not about password sharing” and noted that the case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.” The key issue according to the appellate court is whether the access is without authorization. It would seem that an argument comparing a secretary’s access to access by a former employee is hardly compelling. Still, as noted in our earlier post, companies should at a minimum include in their policies and agreements prohibitions on current employees providing their passwords to former employees or even unauthorized current employees.
A full copy of the former employee’s petition can be found here.
We will continue to monitor this case as it develops.