Can Insiders be Guilty of Computer Hacking? Ad Astra attorney Michael Dorsi is interviewed

Among the questions posed in the Ninth Circuit Court of Appeals case of United States v. Nosal is whether a person can be convicted under an “anti-hacking statute” if they do not circumvent a technical or code-based access barrier. Ross Todd from The Recorder[1] interviewed Ad Astra associate Michael Dorsi and quoted Mr. Dorsi on the difficulty of defining a technical access barrier. The underlying events in the Nosal case took place in 2004. As stated in The Recorder:

Dorsi said one need only look at how long Nosal’s case has been pending to see the problem with tying CFAA allegations to some sort of technology-based standard.

Said Dorsi, “If we do end up with a ‘technological access barrier’ standard we will constantly be catching up with the question of ‘What is a barrier?’

In addition to its work on NovelPoster, Ad Astra Law Group presently represents workers’ compensation law firm Reyes & Barsoum in ongoing CFAA litigation in Los Angeles County Superior Court against another law firm, Knox Ricksen.

[1] Ross Todd, Nosal Appeal Could Extend Limits on Computer Hacking Law, The Recorder, October 16, 2015, available at http://www.therecorder.com/id=1202740085781/Nosal-Appeal-Could-Extend-Limits-on-Computer-Hacking-Law

Not Exactly A Midsummer Night’s Dream for Some

Author: David Nied

The Ninth Circuit has handed down two significant decisions under the Computer Fraud and Abuse Act in the past week.   In the first decision, United States v. Nosal, the court affirmed the CFAA conviction of David Nosal, a former Korn/Ferry employee who left to start his own competing business with several co-workers.  After Nosal and his co-workers left, Korn/Ferry revoked their computer access credentials.  Nevertheless, the departed employees used the computer access credentials of Mr. Nosal’s executive assistant—who remained at Korn/Ferry—to obtain access to the company’s proprietary database.  The court held that “without authorization” under the CFAA was unambiguous and means “accessing a protected computer without permission.”  Nosal argued that since his former executive assistant was authorized to access the company’s computers, he had not violated the statute.  Not so, said the court:  “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.”  Ad Astra’s David Nied and Michael Dorsi, and former associate, Keenan Ng, submitted an amicus brief on behalf of a former client and in support of the United States in which they discussed the importance of the remedies under the CFAA to small, entrepreneurial businesses in the Bay Area.  You can read The Recorder’s summary of the decision here. The Recorder quoted Mr. Nied’s observation that the decision “confirms that [small businesses] have a tool available to them under the CFAA to protect their business, their intellectual property, and their trade secrets from former employees.”

In the second decision, Facebook v. Vachani, the court concluded that a social-media aggregator, Power.com, and its principal, Steven Vachani, had violated the CFAA by continuing to use Facebook users’ accounts to send spam email and messages to other Facebook users to promote Power.com after Facebook had sent them a cease and desist notice.  Like Mr. Nosal, the defendants argued that they had not violated the CFAA because they had the consent of the Facebook users to send out the emails and messages.  The Ninth Circuit, however, concluded that the cease and desist notice revoked any permission the defendants had to use Facebook’s computers and that the defendants used Facebook’s computers “without authorization” after that point in time.  The court returned the case to the trial court to re-calculate Facebook’s damages from the date of the cease and desist notice.  The takeaway for small business owners is to send out a cease and desist notice the moment you become aware that a third party may be accessing your computers or cloud-based accounts without permission.  You can read more about the decision in The Recorder.