eDiscovery Daily Blog

Accessing Your Former Company’s Data with a Shared Password Could Make You a Hacker: Cybersecurity Trends

Can you spot what’s different about today’s post?  See below…  :o)

According to the Ninth U.S. Circuit Court of Appeals, if you leave your company and then use a former co-worker’s credentials to access your former company’s computer systems, you could be a hacker.

As reported in The Wall Street Journal Law Blog (Appeals Court: Using Shared Password to Steal Company Secrets is Hacking, written by Jacob Gershman), the appellate court affirmed the computer-hacking conviction of David Nosal, a former executive at a recruiting firm, who was accused of using a shared password to steal headhunting leads from the company’s internal network after he left his job to launch a rival business. The court ruled that he violated the Computer Fraud and Abuse Act (CFAA).

Reuters reported that Nosal and two friends, who had also left Korn/Ferry, used an employee’s password in 2005 to access the recruiting firm’s computers and obtain information to help start a new firm.

In a 2-1 decision written by Judge M. Margaret McKeown, the majority held that Mr. Nosal acted “without authorization” in violation of the CFAA when he used login credentials shared by his assistant to gain access to the company’s network after his own credentials had been revoked.  The dissenting judge, Judge Stephen Reinhardt, expressed his concerns over the ruling, stating:

“People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals…”

However, Judge McKeown, in her opinion, indicated that the circumstances at issue couldn’t be applied to innocuous scenarios, like “asking a spouse to log in to an email account to print a boarding pass.”  Judge McKeown also noted that, without enforcement, “an employee could willy nilly give out passwords to anyone outside the company – former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.”

The appellate court did rule that the more than $800,000 in restitution (about $600,000 of that in attorney’s fees) that Nosal was ordered to pay his old employer was unreasonable and asked a lower court to recalculate it.

So, what do you think?  Have you ever used a shared password to access a system to which you previously had credentials?  Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

What’s different about this post?  It doesn’t have the word “eDiscovery” in the title… :o)

New Time!  Just a reminder that I will be moderating a panel at The Masters Conference New York City 2016 IoT, Cybersecurity and Social Media Conference this coming Monday, July 11 as part of a full day of educational sessions covering a wide range of topics.  CloudNine will be sponsoring that session, titled Faster, Cheaper, Better: How Automation is Revolutionizing eDiscovery at 8:30am, not 4:15pm.  The early bird catches the knowledge.  :o)

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.