Posted by Alexandra Entrup.
In December 2016, the United States v. Nosal (Nosal II) case was heavily questioned. David Nosal worked at KFI, Korn/Ferry International, however, in 2004, he made the decision to leave the company. Despite leaving the company, he resumed working as a contractor under an agreement that forbade competition with KFI. Regardless of the agreement, Nosal among additional employees were in the process of establishing a competing business. The company utilized the database, Searcher, to hold “information about over a million executive search candidates” (Harv. L. Rev.). Though Nosal and his colleagues took information from the database for their own use using their own login information, their credentials were rescinded after their decision to leave the company. Upon noticing that their login information no longer worked, they approached Jacqueline Froehlich-L’Heureaux, Nosal’s assistant during his time at KFI. Froehlich-L’Heureaux remained an employee despite Nosal’s absence so they decided to ask her for her own credentials. She gave them her username and password and Nosal and his partners utilized this information on multiple occasions. The article suggests that they accessed the database using her credentials “on at least three discrete occasions” (Harv. L. Rev.). An anonymous tip was sent to Korn/Ferry International and an investigation ensued.
The defendant was convicted and Nosal was accused of “nineteen criminal counts, five of which alleged CFAA violations under the ‘exceeds authorized access’ clause of §1030(a)(4) while Nosal was a KFI employee” (Harv. L. Rev.). CFAA, the Computer Fraud and Abuse Act, discusses computer use, specifically hacking. The act states that the invasion of a computer system is considered a crime. The article further discusses the CFAA and its application to the case stating, “the CFAA imposes criminal penalties on whoever ‘accesses a protected computer without authorization, or exceeds authorized access’ to perpetrate a fraud” (Harv. L. Rev.). This statement is especially important to the case because it dismisses Froehlich-L’Heureaux’s decision to give Nosal and his partners her credentials. Instead, it blames Nosal for using this information in a deceptive manner, perpetrating a fraud. Throughout the case the term “without authorization” was referred to as “an unambiguous term with a plain meaning”, implying that there aren’t any alternate interpretations.
In the Nosal I case, the CFAA nineteen criminal counts previously mentioned were dismissed. However, following the dismissal of these counts, further counts were filed. “In 2013, the government filed a superseding indictment with three CFAA counts resting on accomplice liability for the three times Nosal’s partners, without authorization, accessed Searcher with FH’s credentials after they had left the firm. The government also indicted Nosal on two trade secret misappropriation counts under the Economic Espionage Act and one count of conspiracy. A jury found him guilty on all counts” (Harv. L. Rev.). All arguments that Nosal proposed were rejected by the court. Looking at previous cases, it was certain that authorization much be approved by the computer owner. Nosal was obviously not given authorization, evident through the revocation of access to the system. The importance of authorization is common knowledge which is evident in the article’s statement, “the majority’s view that only the owner of the system has authority to grant access undermines the authorization upon which many forms of commonplace computer access depend.” The article further explains this belief with a comparison to social media, “it could be a crime for an individual to log in to someone else’s Facebook account with that person’s permission, simply because the system owner prohibits it” (Harv. L. Rev.).
Alexandra is a finance and information technology management major at the Stillman School of Business, Seton Hall University, Class of 2019.
Source:
http://harvardlawreview.org/2017/02/united-states-v-nosal-nosal-ii/