By Doug Chartier
LAW WEEK COLORADO
Once the mainstream media got a hold of the controversy surrounding United States v. Nosal, everyone from Netflix users to coworkers in various industries were made to wonder if their password sharing, even when benign, could be illegal.
Last month, the U.S. Court of Appeals for the 9th Circuit weighed in on two password-sharing-related cases dealing with the Computer Fraud and Abuse Act. The opinions in United States v. Nosal and Facebook, Inc. v. Power Ventures, Inc. underscored the murky issue regarding the anti-hacking act and under what circumstances its criminal penalties could be extended to more common civil situations. Companies looking for more clarity on what “authorization” means under the CFAA, and just how far the statute’s reach might be over login credentials, might have to wait longer in spite of the recent appellate decisions.
Congress enacted the CFAA of 1986 to combat cyber espionage, as it makes subject to criminal penalties anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”
But the CFAA’s broad language has allowed its application in contexts outside of espionage. Prior to the enactment of the Defend Trade Secrets Act in May, plaintiffs used the CFAA to pursue trade secret misappropriation cases in federal court — perhaps its most common alternative use. The CFAA creates a private right of action in addition to being a criminal law, and companies have brought suit against individuals whom they claimed accessed their company computers or networks without authorization in order to steal trade secrets or give them to a competitor.