The Netflix Password Case You’ve Heard About Is Really An Employment Law Case
In recent days, media outlets have enjoyed website hits spreading like wildfire on social media from a case out of the Ninth Circuit that purportedly makes it a federal crime to share your Netflix password (for example, here, here, and here). For anyone concerned, you may take comfort where the majority opinion outright states, “This appeal is not about password sharing.” The headlines rise from the dissenting opinion that does not control. However, any company with critical information stored on electronic devices should pay attention to the U.S. v. Nosal (“Nosal II”) opinion because it does present relevant lessons for the employment.
Nosal II concerns the Computer Fraud and Abuse Act (“CFAA”). This not-so-well-known law prohibits conduct that can be critical in today’s workplace. The CFAA makes it a crime for anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” When might this come up in an employment context? Just about any time an employee takes critical information from an employer’s computer systems to compete with his or her former employer.
Nosal II decision involves employees of an executive search firm who launched a competing business. After announcing his resignation from Korn/Ferry International, Nosal negotiated an agreement with the company to stay on for a year. Nosal used that year to prepare to compete with Korn/Ferry International. At first, Nosal used his own password credentials to access the company’s systems and take proprietary information. However, once he was cut off by his employer, he relied on the credentials of a former assistant to continue to access the employer’s computer systems, and specifically their database of candidates and potential candidates. However, when each employee began at Korn/Ferry International, that individual signed a confidentiality agreement that prohibited password sharing. Additionally, a search report of the candidate database always included a message that the information was intended for use by employees for work on the company’s business only.
The recent Nosal II opinion actually follows a decision from the same parties a few years ago in Nosal I, where the Ninth Circuit addressed different language in the CFAA: Nosal I concerned the latter restrictive language quoted above: when does an individual “exceed[] authorized access.” The Ninth Circuit addressed the issue of whether an employee who violates an employer’s policies prohibiting the use of work computers for nonbusiness purposes exceeded authorized access for purposes of the CFAA. The Ninth Circuit’s answer in that decision was that the employee does not violate the CFAA under such circumstances.
Nosal II, however, deals with the earlier CFAA language: when does an individual access a protected computer “without authorization.” The court followed an earlier decision and took a plain meaning approach to define “authorization” as “permission or power granted by authority,” which can be granted or revoked. Here, the Ninth Circuit determined that after Korn/Ferry International revoked Nosal’s permission to the system, he no longer had authorization to access the company database in any form. The court also concluded that the assistant did not have authority to provide her password to Nosal or his cohorts and they knew she could not give out her password. Thus, although Nosal was successful in Nosal I, the Ninth Circuit found he violated the law in Nosal II.
What does this mean for employers? If you have electronic information that is critical to the company’s business success, this is another less that you need to treat it that way today so that you can protect it through the courts tomorrow. First and foremost, make sure that vital information is secured and protected. But this also means identifying to employees that once the employment relationship ends, individuals no longer have authority to access what they previously were allowed to access. Further, employees should be informed in writing that they may not share their access with others. When the employment relationship ends, remind them of these terms.
Wisconsin note: The Seventh Circuit took a different, broader approach to CFAA protections than the Ninth Circuit in Nasal I and conduct that “exceeds authorization.” In International Airport Centers, LLC v. Citrin, (7th Cir. 2006), the court found that an employee who breached his duty of loyalty by taking steps to compete with the employer terminated his authority to access the company’s laptop. This sort of passive revocation of authority was identified by the Ninth Circuit as what it wanted to avoid under the CFAA.