An employee, after leaving a company, is no longer authorized to continue accessing its data–regardless of what steps the company took. This is, and always has been, a no-no. But, not everyone seems to realize it.
The United States Court of Appeals for the Fourth Circuit recently affirmed a Computer Fraud and Abuse Act conviction for a man who used a backdoor into his former employer’s computer system to continue accessing data after he went to a competitor. The fact that his former employer had not changed his password did not dissuade the court.
The district court proceeding
The United States Court of Appeals for the Fourth Circuit, on Christmas Eve 2014, handed down the unpublished opinion United States v. Steele, 2014 WL 7331679 (4th Cir. Dec. 24, 2014). In Steele, the Court upheld the jury conviction for two misdemeanor and twelve felony counts for violating the unauthorized access prong of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(2)(C).
Steele, while not establishing new law, does illustrates an important distinction in employee computer and data misuse cases: misuse by current employees versus former employees. The notorious Circuit Split involves misuse by current employees but, when it comes to former employees, the law is clear. When the employment relationship terminates, so too does the now-former employee’s authorization to access the computer system and data.
Robert Steele worked as vice president of business development and also the backup systems administrator for Platinum Solutions, Inc. His role as a systems administrator gave him access to the company’s server, which allowed him to monitor email accounts and employee passwords. Platinum was eventually sold and became SRA and Steele resigned to go work for a competitor who also provided contract IT services to government defense agencies.
For nine months after his resignation from SRA, Steele continued to log in to the company’s computer server using a “backdoor” account he had used during his employment. Using this, he accessed the server almost 80,000 times during which he proceeded to access and download documents and emails related to the company’s contract bids–bids that were competitive to his new employer and, therefore, confidential trade secrets.
A jury convicted Steele for fourteen violations of the CFAA; he received a 48 month prison sentence and was ordered to pay $50,000 in fines, $1,200 in fees, and $335,977.68 in restitution. Steele appealed.
The court of appeals opinion
Of his grounds for appeal, the most relevant is Steele’s argument that his post-termination accesses of the servers were not “without authorization.” Steele argued that because the company did not change the password to this “backdoor” account following his resignation, he continued to have authorization to use the account to access the servers. He based this argument on the Fourth Circuit’s opinion in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012).
In WEC Carolina, the Court dealt with the Circuit Split issue of a current employee using his employer’s computer system to obtain information that he then used for improper purposes and whether such use is in “excess of authorization” under § 1030(a)(2). The WEC Carolina Court adopted the narrow view which holds that § 1030(a)(2) prohibits a current employee from unlawfully accessing a protected computer but not from misusing information that he obtained while lawfully accessing the computer.
The Steele Court explained how this distinction applies to this case:
Importantly, this split focuses on employees who are authorized to access their employer’s computers but use the information they retrieve for an improper purpose. Steele’s case is distinguishable for one obvious reason: he was not an employee of SRA at the time the indictment alleges he improperly accessed the company’s server. In WEC Carolina, authorization did not hinge on employment status because that issue was not in dispute. Here, by contrast, the fact that Steele no longer worked for SRA when he accessed its server logically suggests that the authorization he enjoyed during his employment no longer existed.
* * *
Common sense aside, the evidence provides ample support for the jury’s verdict. SRA took steps to revoke Steele’s access to company information, including collecting Steele’s company-issued laptop, denying him physical access to the company’s offices, and generally terminating his main system access. And Steele himself recognized that his resignation effectively terminated any authority he had to access SRA’s server, promising in his resignation letter that he would not attempt to access the system thereafter. Just because SRA neglected to change a password on Steele’s backdoor account does not mean SRA intended for Steele to have continued access to its information.
As the Steele Court hinted, common sense or basic ethics, however one looks at it, should have been enough to tell Steele that after leaving SRA, he was no longer authorized to continue accessing its data. It wasn’t enough. Now he has 48 months to think about where he went wrong as well as how he is going to come up with nearly $400,000.
Shawn Tuma is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving computer fraud, cybersecurity, privacy and intellectual property law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes across the United States.