
Legal liability of sharing account passwords (CFAA and DMCA)

Nov 1st, 2017 | Category: Copyright Litigation, Uncategorized

Illegal Account Access – [Sharing unauthorized passwords can lead to legal liability to a company and its officers and directors] – DMCA illegal access and Computer Fraud and Abuse Act discussed.


Introduction

When you produce web-based software that offers users access to your product, data or information, there is nothing more frustrating than former employees of a licensed organization accessing your product/service with improper credentials, and sharing passwords that are not properly paid for. This raises legal issues under both state law and federal law, such as the DMCA “anti-circumvention” provisions and the Computer Fraud and Abuse Act (“CFAA”). The CFAA has criminal components, and violators can wind up in jail if the prosecution decides to pursue the case.

Federal case law

Here is some federal case law that applies to the above two causes of action.  Again, these are only two of the potential causes of action (DMCA and CFAA).

“Fraudulent activity in relation to Computers” – Plaintiff’s § 1030(a)(2)(C) Claim.
Section 18 U.S.C. 1030 
(a) Whoever…
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act
(B)  information from any department or agency of the United States; or
(C)  information from any protected computer;

The elements of a civil claim for violation of § 1030(a)(2)(C) require Plaintiff to plead that Defendants did the following:
(1) intentionally accessed a computer,
(2) without authorization or exceeding authorized access, and that they
(3) thereby obtained information
(4) from any protected computer,
and that
(5) there was a loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Where you have a slew of improper accesses to an online website, you may easily be able to reach the $5,000 in value requirement.

Under the CFAA, an intentional access occurs when someone logs into a “protected computer” to view information, United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010), or to send and receive email, see America Online, Inc. v. Nat’l Health Care Disc., Inc., 121 F. Supp.2d 1255, 1273 (N.D. Iowa 2000).

The Ninth Circuit Does Not Require The “Circumvention of Technological Barriers.”
This is discussed in one case:
“The crux of one of Defendants’ main argument is that because Defendants did not circumvent a technical barrier, they could not have acted without authority or in excess of their authority, pointing specifically to United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). (Mot. 3:3-11.) This position is inconsistent with the courts in the Ninth Circuit, which do not require the circumvention of technical barriers for a violation of the CFAA. In fact, in U.S. v. Nosal, 930 F. Supp.2d 1051 (N.D. Cal. 2013) the Northern District addressed this issue:
“Nowhere does the court’s opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4).” Id. at 1060. See also Weingand v. Harland Fin. Solutions, Inc. (N.D. Cal. June 19, 2012); Craigslist Inc. v. 3Taps Inc., 942 F.Supp.2d 962 (N.D. Cal. Aug. 16, 2013).
More recently, in NetApp, Inc. v. Nimble Storage, Inc., 2014 U.S. Dist. (N.D. Cal. May 12, 2014), the court rejected the technical access barrier argument:
“furthermore, subsequent cases interpreting Brekka and Nosal indicate that a non-technological barrier can revoke authorization.” In reaching this decision, the NetApp Court examined numerous cases that the defendant argued supported his position but upon more careful analysis, the court found that they did not.  See NOVELPOSTER, a California general partnership, Plaintiff, v. JAVITCH CANFIELD GROUP, a California business entity form unknown, Mark Javitch an individual, Daniel Canfield, an individual, Defendants. And Related Counterclaim and Third-Party Action.:
The Ninth Circuit set forth the standard for access “without authorization” in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009) where it concluded “that ‘without authorization’ in the CFAA refers only to access without any permissions at all: ‘we hold that a person uses a computer “without authorization” under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.’ ” See NetApp, Inc., 2014 U.S. Dist.
So this is one claim that needs to be closely looked at by your technology lawyer.  In some cases, the company that has been victimized may want to file a criminal complaint.

DMCA illegal access by sharing account passwords

Where there is illegal online account access (sharing passwords), another cause of action may arise – violation of the Digital Millennium Copyright Act (“DMCA”).

Under the DMCA, “circumvention” has an expansive meaning, including to “avoid,” “bypass” or “otherwise impair[]” a technological protection measure. See 17 U.S.C. §§ 1201(a)(3)(A), 1201(b)(2)(A). The term has been broadly construed, and Microsoft believes that Datel will not be able to seriously dispute the circumvention element. See, e.g., Actuate Corp. v. Int’l Bus. Machs. Corp., (N.D. Cal. Apr. 5, 2010) (even “unauthorized use of a password may constitute circumvention under the DMCA”).   See also DATEL HOLDINGS LTD. v. MICROSOFT CORPORATION (Northern District California).

Remedies for DMCA violations

The remedies for a violation of the DMCA can include either seeking lost profits or statutory damages (similar to the copyright statute).  According to the Code:


(2) Actual damages.—
The court shall award to the complaining party the actual damages suffered by the party as a result of the violation, and any profits of the violator that are attributable to the violation and are not taken into account in computing the actual damages, if the complaining party elects such damages at any time before final judgment is entered.

(3)  Statutory damages.—
(A)  At any time before final judgment is entered, a complaining party may elect to recover an award of statutory damages for each violation of section 1201 in the sum of not less than $200 or more than $2,500 per act of circumvention, device, product, component, offer, or performance of service, as the court considers just.
(B)  At any time before final judgment is entered, a complaining party may elect to recover an award of statutory damages for each violation of section 1202 in the sum of not less than $2,500 or more than $25,000.

Contact a DMCA & Computer Technology Law Firm

We can help you protect your intellectual property and seek recovery due to illegal activity such as hacking, stealing trade secrets, or illegal account access (for ex. sharing passwords).  We have one of the best License Recovery Services in the United States and we have a tremendous amount of experience in Federal Court.  Click here to see our Avvo client reviews.
We are a business and civil litigation firm with a focus on copyright infringement cases involving illegal movie downloads (torrent cases such as London Has Fallen, ME2 Productions and Malibu Media defense), software audits (ex. Microsoft audits, SPLA, Autodesk audit notification letter, Siemens PLM defense, SIIA, Adobe and Business Software Alliance defense) and other software vendors threatening piracy and infringement. We also handle cases involving internet law, anti-SLAPP, media law, right of publicity, trademarks & domain name infringement, and we have a niche practice area handling California BRE licensing disputes, accusations, subpoena response, statement of issues and investigations. We have offices in San Francisco, Beverly Hills, Newport Beach, San Diego & Phoenix, Arizona and accept federal copyright and trademark cases nationwide. All content on our website is general legal information only and not a substitute for legal advice, and should not be relied upon. Decisions to hire counsel should not be based on advertising alone. Blogs, videos and podcasts are authored by Steve Vondran, Esq. unless otherwise noted. We can be reached at (877) 276-5084.
