Author: Anthony Kaylin, SBAM Approved Partner ASE
It was a simple enough requirement. When leaving the employer, the employee must leave the laptop along with the security password. In the case of Christopher Correa, a St. Louis Cardinals baseball team executive, he was given Jeff Luhnow’s laptop and password when Luhnow left for the General Manager job at the Houston Astros. Using variations of Luhnow’s password, Correa eventually was able to access the Houston Astros’ online statistics database. He retrieved information about scouting reports, trade negotiations and player analytics that impact a team’s performance on many levels. Last month, he was sentenced under a plea deal to 46 months in prison. Lesson learned: change the password before giving a computer to another employee.
This situation is pretty cut and dried. It was obviously hacking. But what if the person was not hacking a computer and instead had access to passwords and permission to use them?
In the case of David Nosal, his situation was an obvious case of criminal activity. Nosal, an executive recruiter based in San Francisco, was convicted of violating the Computer Fraud and Abuse Act (CFAA) and of trade secret theft in violation of the Economic Espionage Act (EEA) in 2013. Nosal was working for Korn/Ferry when they passed him over for a promotion. In 2004 he and two other Korn/Ferry employees accessed proprietary materials from Korn/Ferry’s computer system. He would then use that information for a new business venture that competed directly with Korn/Ferry.
When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained on for a time as a contractor. The company took the same precaution upon the departure of his two accomplices. However, prior to the two accomplices leaving Korn/Ferry, they downloaded a large amount of candidate “source lists.” After leaving Korn/Ferry they asked Nosal’s former assistant (still at the firm at Nosal’s request) for her password so they could continue to access the database. She gave it to them.
Korn/Ferry learned of Nosal’s activities through an anonymous email, and soon after the US Attorney General became involved. Eventually Nosal was caught and convicted. He was sentenced to one year and one day in prison, three years of supervised release, a $60,000 fine, a $600 special assessment and approximately $828,000 in restitution to Korn/Ferry. On appeal the court upheld the conviction and sentence, but the restitution was reduced.
But the court’s ruling appears to be broader than the court would have thought. As the dissenting judge points out:
It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told customers that no one but the customer may access the customer’s account, yet a husband shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates. It is not “advisory” to ask why the majority’s opinion does not criminalize this under § 1030(a)(2)(C); yet, the majority suggests no answer to why it does not.
Therefore, the wife could be convicted for unauthorized use of her husband’s password for paying bills. To reinforce the absurdity of this situation, family members could be prosecuted for sharing Netflix passwords to watch films. Maybe it is prohibited under the terms of agreement; yet, it is rarely if ever enforced.
And even if this situation were limited to employment-only situations, the dissenting judge asks the court how this situation would be handled:
Very often password sharing between a current and past employee serves the interest of the employer, even if the current employee is technically forbidden by a corporate policy from sharing his password. For example, if a current Korn/Ferry employee were looking for a source list for a pitch meeting which his former colleague had created before retirement, he might contact him to ask where the file had been saved. The former employee might say “it’s too complicated to explain where it is; send me your password and I’ll find it for you.”
In other words, would the retired executive be convicted of a crime simply for helping the company in a sales pitch?
The takeaway is that employers need to work with legal counsel to identify scenarios when passwords can and cannot be shared. Once identified, employers should draft a password sharing policy and train employees and managers. Otherwise, a well-intentioned employee could lose everything simply because she tried to help the employer, yet to do so, had to share her password.