Last week a federal district court in California granted Cisco Systems, Inc. summary judgment on its Computer Fraud and Abuse Act (“CFAA”) claim against an ex-employee who “on multiple occasions and without authorization, . . . used a Cisco employee’s password to gain access to Cisco’s computer systems and download Cisco’s proprietary and copyrighted software.” Multiven, Inc. v. Cisco Systems, Inc., 2010 WL 2889262 *2 (July 20, 2010). This decision underscores the importance of instituting proper corporate computer policies as a predicate to using the CFAA as a tool to protect company data.
Peter Alfred-Adekeye (“Adekeye”), the ex-employee, had founded Multiven, Inc. after he left his employment at Cisco. Multiven “purports to provide service and maintenance support for router and networking systems, including those placed in the market by Cisco.” Id. at *1. The court held that Adekeye accessed Cisco’s computer system without authorization, a key element to finding that Adekeye had violated the CFAA, and that his ex-employment status provided an exception to the Ninth Circuit’s rule in LRVC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009), that an employee cannot access the company computer without authorization because an employee, as part of his responsibilities, is authorized to use the company computers.
The court quoted Brekka’s holding that “’a person uses a computer ‘without authorization’ … when the person has not received permission to use the computer for any purpose … or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.’” Id. at 3, Brekka, 581 F.3d at 1135. The court found that “there is no evidence that any privileges . . . [Adekeye] had as an employee to access secure areas of the Cisco website extended beyond his employment” and that Cisco had “presented unrebutted evidence that upon leaving Cisco’s employ, neither Adekeye nor Multiven had Cisco’s permission or authorization to access Cisco’s network.” Id. at 3.
The court rejected Adekeye’s defense that he was authorized to access Cisco’s computer network by a current Cisco employee who had supplied him with his login and password. The court held that the Cisco employee’s actions “did not constitute a valid authorization” because it was “undisputed that an employee’s giving his login and password to Adekeye was a violation of Cisco’s policies.” Id.
In light of this case the obvious question to be asked is does your company computer policy prohibit employees from providing their user names and passwords to others? In another case decided this month in Connecticut, Westbrook Technologies, Inc. v. Wesler, 2010 WL 2826280 *7 (D. Conn. July 15, 2010 the court, in applying Brekka, found that a current employee “had authority to grant . . . [an ex-employee] direct access to the [company] database.” This is clearly a situation every company should avoid and can avoid with proper computer policies.