Contact Us Today! (877) 276-5084

Attorney Steve® Blog

Legal liability of sharing account passwords (CFAA and DMCA)

Posted by Steve Vondran | Nov 01, 2017 | 0 Comments

Illegal Account Access – [Sharing unauthorized passwords can lead to legal liability to a company and its officers and directors] – DMCA illegal access and Computer Fraud and Abuse Act discussed.

Dmca illegal password access lawyer 1024x617

Introduction

When you produce web based software that offers users access to your product, data or information, there is nothing more frustrating than former employees of a licensed organization accessing your product/service with improper credentials, and sharing passwords that are not properly paid for.  This raises legal issues under both state law, and federal law such as the DMCA “anti-circumvention” and the computer fraud and abuse act (“CFAA”) the CFAA has criminal components and violators can wind up in jail if the prosecution decides to purse the case.

Federal case law

Here is some federal case law that applies to the above two causes of action.  Again, these are only two of the potential causes of action (DMCA and CFAA).

“Fraudulent activity in relation to Computers” – Plaintiff's § 1030(a)(2)(C) Claim. Section 18 U.S.C. 1030  (a)  Whoever… (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act ( B)  information from any department or agency of the United States; or (C)  information from any protected computer; The elements of a civil claim for violation of § 1030(a)(2)(C) requires Plaintiff to plead that Defendants did the following: (1) intentionally  accessed a  computer, (2) without authorization or exceeding authorized  access, and that they (3) thereby obtained information (4) from any protected  computer, and that (5) there was a loss to one or more persons during any one-year period aggregating at least $5,000 in value. Where you have a slew of improper accesses to an online website, you may easily be able to reach the $5,000 in value requirement.

Under the CFAA, an intentional access occurs when someone logs into a “protected computer” to view information,United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010), or to send and receive email, see America Online, Inc. v. Nat'l Health Care Disc., Inc., 121 F. Supp.2d 1255, 1273 (N.D. Iowa 2000).

The Ninth Circuit Does Not Require The “Circumvention of Technological Barriers.” This is discussed in one case: “The crux of one of Defendants' main argument is that because Defendants did not circumvent a technical barrier, they could not have acted without authority or in excess of their authority, pointing specifically to  United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). (Mot. 3:3-11.) This position is inconsistent with the courts in the Ninth Circuit, which do not require the circumvention of technical barriers for a violation of the CFAA. In fact, in  U.S. v. Nosal, 930 F. Supp.2d 1051 (N.D. Cal. 2013) the Northern District addressed this issue: “Nowhere does the court's opinion in  Nosal hold that the government is additionally required to allege that a defendant circumvented technological  access barriers in bringing charges under § 1030(a)(4).”  Id. at 1060.  See also Weingand v. Harland Fin. Solutions, Inc. (N.D. Cal. June 19, 2012);  Craigslist Inc. v. 3Taps Inc., 942 F.Supp.2d 962 (N.D. Cal. Aug. 16, 2013). More recently, in  NetApp, Inc. v. Nimble Storage, Inc., 2014 U.S. Dist. (N.D. Cal. May 12, 2014), the court rejected the technical  access barrier argument: “furthermore, subsequent cases interpreting  Brekka and  Nosal indicate that a non-technological barrier can revoke authorization.” In reaching this decision, the  NetApp Court examined numerous cases that the defendant argued supported his position but upon more careful analysis, the court found that they did not.   See NOVELPOSTER, a California general partnership, Plaintiff, v. JAVITCH CANFIELD GROUP, a California business entity form unknown, Mark Javitch an individual, Daniel Canfield, an individual, Defendants. And Related Counterclaim and Third-Party Action.: The Ninth Circuit set forth the standard for  access “ without authorization” in  LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009) where it concluded “that ‘without authorization' in the CFAA refers only to  access without any permissions at all: ‘we hold that a person uses a  computer “without authorization” under §§ 1030(a)(2) and (4) when the person has not received permission to use the  computer  for any purpose (such as when a hacker  accesses someone's  computer without any permission),  or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.' ” See NetApp, Inc., 2014 U.S. Dist. So this is one claim that needs to be closely looked at by your technology lawyer.  In some cases, the company that has been victimized may want to file a criminal complaint.

DMCA illegal access by sharing account passwords

Where there is illegal online account access (sharing passwords), another cause of action may arise – violation of the Digital Millennium Copyright Act (“DMCA”).

Under the  DMCA, “ circumvention” has an expansive meaning, including to “avoid,” “bypass” or “otherwise impair[]” a technological protection measure.  See 17 U.S.C. §§ 1201(a)(3)(A), 1201(b)(2)(A). The term has been broadly construed, and Microsoft believes that Datel will not be able to seriously dispute the  circumvention element.  See, e.g.,  Actuate Corp. v. Int'l Bus. Machs. Corp., (N.D. Cal. Apr. 5, 2010) (even “unauthorized use of a password may constitute circumvention under the DMCA”).   See also DATEL HOLDINGS LTD. v. MICROSOFT CORPORATION ( Northern District California).

Remedies for DMCA violations

The remedies for a violation of the DMCA can include either seeking lost profits or statutory damages (similar to the copyright statute).  According to the Code:

(2) Actual damages.— The court shall award to the complaining party the actual damages suffered by the party as a result of the violation, and any profits of the violator that are attributable to the violation and are not taken into account in computing the actual damages, if the complaining party elects such damages at any time before final judgment is entered. (3)  Statutory damages.— (A)  At any time before final judgment is entered, a complaining party may elect to recover an award of statutory damages for each violation of section 1201 in the sum of not less than $200 or more than $2,500 per act of circumvention, device, product, component, offer, or performance of service, as the court considers just. ( B)  At any time before final judgment is entered, a complaining party may elect to recover an award of statutory damages for each violation of section 1202 in the sum of not less than $2,500 or more than $25,000.

Contact a DMCA & Computer Technology Law Firm

We can help you protect your intellectual property and seek recovery due to illegal activity such as hacking, stealing trade secrets, or illegal account access (for ex. sharing passwords).  We have one of the best License Recovery Services in the United States and we have a tremendous amount of experience in Federal Court.  Click here to see our Avvo client reviews

About the Author

Steve Vondran

Welcome to the SHORT BIO page for Attorney Steve®  (Yes, I was able to get a trademark for Attorney Steve®) Click here to go to a more COMPLETE BIO. AZ Bar Lic. #025911 CA. Bar Lic. #232337 Introduction I have done a lot of things in my 15 years of law practice and in my life in general.  ...

Comments

There are no comments for this post. Be the first and Add your Comment below.

Leave a Comment

Contact us for an initial consultation!

For more information, or to discuss your case or our experience and qualifications please contact us at (877) 276-5084. Please note that our firm does not represent you unless and until a written retainer agreement is signed, and any applicable legal fees are paid. All initial conversations are general in nature. Free consultations are limited to time and availability of counsel and will depend on the type of case you are calling about (no free consultations for other lawyers). All users and potential clients are bound by our Terms of Use Policies. We look forward to working with you!

Menu