You have access to a database of information that you have paid for, or even a database that belongs to your employer or a client you work for. The owners of the data supply you with a password to access the database. What happens if you give another person or company the password and they access the data, perhaps they even use the data to commit fraud for their own financial benefit?
What are the possible legal ramifications of such a scenario?
This past May a federal jury in Palm Beach County, Florida ruled on such a case involving contractors, paid subscribers and passwords.
The plaintiff, eVestment Alliance, LLC, a company that provides a variety of cloud-based solutions and data to the investment community, filed a lawsuit against a contractor it had hired, Compass iTech LLC. As part of its contract, the contractor was given upload-only login credentials to perform tasks on the extensive database.
The suit claimed the defendant used a password it obtained from a “paid subscriber” to their services, and even hired a third party to download the data, which was then used to market and sell its own services. According to the lawsuit, this went on from 2011 through 2014.
When eVestment discovered what was going on, they immediately terminated the contractor’s login credentials. Oddly enough, Compass, the contractor brought a lawsuit against eVestment before the Federal District Court for the Southern District of Florida for tortious interference and defamation. The suit alleged that eVestment defamed them via derogatory correspondence with their clients.
Federal Computer Fraud and Abuse Act.
It was at this point that eVestment took their own legal action and filed a counterclaim alleging misappropriation of trade secrets, breach of contract and violation of the Federal Computer Fraud and Abuse Act (CFAA).
During the first stage of the lawsuit, a District Court Judge entered a summary judgement in favor of eVestment. The court ruled the actions they took against Compass were lawful and the defamation claim was unfounded.
Then in May of 2017 a jury heard the counterclaim filed by eVestment. Their deliberations found that Compass acted willfully and maliciously and with an intent to defraud, awarding eVestment $3.7 million, which included $2.5 million in compensatory damages and $1.2 million in punitive damages.
The paid subscriber from whom the password was obtained was not included in either of the lawsuits.
A 2016 ruling from the Ninth Circuit U.S. Court of Appeals (USA v. Nosal II) caused much controversy and confusion when it comes to sharing of passwords.
The case centered on David Nosal, who worked as a headhunter for executive search firm Korn-Ferry. After leaving Korn-Ferry and starting his own company, he accessed his former employer’s database using the password of a former co-worker who was still employed by Korn-Ferry. The Ninth Circuit upheld lower court rulings that Mr. Nosal was in violation of the CFAA.
Critics of the ruling, including the dissenting judge in the case, say the ruling makes it easier for employers to prosecute both current and former employees for unauthorized use of passwords, but warn that it now makes consumer password sharing a criminal offense under the Federal Computer Fraud and Abuse Act. Numerous articles in the media appeared after the ruling asking, “is sharing your Netflix password now a federal crime?” Calls for congress to amend the CFAA also grew louder, saying the current legislation, which was enacted in 1986, is too ambiguous in the age of the internet.