Authorization Isn’t Forever


A defendant in a federal lawsuit in the Northern District of California learned recently that authorized access, like so many things in life, is fleeting. And once it’s gone, there’s no getting it back.

A company called NetApp sued a competitor called Nimble for Nimble’s unauthorized use of NetApp’s proprietary information. One claim in the suit, in fact the only federal law claim, was that Michael Reynolds, a consultant formerly retained by NetApp had taken a job at Nimble and brought the information with him, thereby violating the federal Computer Fraud and Abuse Act.

The CFAA prohibits the “unauthorized” acquisition of computer data. It’s not only a crime, but it gives rise to a civil cause of action if the act satisfies certain prerequisites. While Congress originally adopted the law to guard against traditional “hacking” it has been used increasingly in employment related cases like this one. And in these type of cases, the question becomes what does “authorized” mean exactly? Typically, the case goes like this: employee is employed at ABC Company and while employed there, he is permitted to access computer data. Employee decides to join a competitor, and on his way out the ABC door, he takes some of that data with him.

In the lawsuit that inevitably ensues, ABC includes a CFAA claim, alleging that the employee’s access to the data was unauthorized. The employee, however, argues that whatever he did later on with the data, his access was authorized, since he was a credentialed employee when he logged on. Most, but not all courts have sided with the employee. The courts siding with the employer however, have concluded that access is more than having permission to log on. Even if the employee is technically permitted to use the system, the access isn’t authorized if the employee’s motive isn’t pure. But that position presents something of a metaphysical quandary that not all courts are willing to embrace.

But the NetApp situation is a little different, and probably an easier one to decide.  Reynolds accessed the information he took to Nimble after engagement with NetApp had ended and after his authorization to access the NetApp computer had expired. Reynolds argued that the login protocol had not changed at the time he logged in, and this circumstance constituted “authorization.” The court was unimpressed with Nimble’s argument. It analogized the situation to a situation where a houseguest receives a key, is then told he is no longer welcome but keeps the key, and the homeowner neglects to change the lock. According to the court, “Reynolds’s arguments suggest that if the former houseguest continues to re-enter the house, the houseguest would not be acting ‘without authorization’ or ’exceed[ing] authorized access,’ even though he knows he may not return.” In short, NetApp was not required to immediately reconfigure it’s computer system to revoke Reynolds’ authorization.

Two takeaways here. First, be careful about hiring a former employee or consultant from a competitor. As tempting as it may be to get your hands on competitive information, it may not be worth the hassle. And second, don’t invite Mark Reynolds to stay at your house. Odds are, he’ll overstay his welcome.