Legal Report November 2016
U.S. JUDICIAL DECISIONS
Warrants. The Stored Communications Act (SCA), which allows data held in the United States to be handed over to the U.S. government, does not apply outside of the United States, a federal appeals court ruled.
The ruling means Microsoft does not have to comply with a warrant for customers’ emails if the data is not stored within the United States. The decision stems from a case brought by Microsoft against the U.S. federal government to prevent it from accessing customer data stored in an Irish data center.
In December 2013, a district court judge issued a search and seizure warrant that was served to Microsoft. The warrant was addressed to “[any] authorized law enforcement officer” and commanded the individual to search the “premises known and described as the email account [redacted]@MSN.com,” which is controlled by Microsoft.
The warrant applied to information associated with the specified email account at “premises owned, maintained, controlled, and operated by Microsoft,” and directed the company to disclose to the government contents of all emails stored in the account, all records and information about the identification of the account, and all records pertaining to communication between the account and any other individual about the account, such as contact with support services.
After being served with the warrant, however, Microsoft determined that the email account’s contents were located in its Dublin, Ireland, datacenter. It disclosed all information about the account that it kept in the United States, and moved to have the warrant quashed.
But the judge did not grant Microsoft’s request. Instead, the judge concluded that the SCA authorized the court to issue a warrant for “information that is stored on servers abroad,” according to court documents. The judge said that Microsoft must produce the email account content, wherever it might be stored.
Microsoft appealed the judge’s order to a district court, which upheld the judge’s decision. It then appealed to the U.S. Court of Appeals for the Second Circuit to quash the warrant.
In the appeal, the government argued that nothing in the SCA’s text, structure, purpose, and legislative history indicates that “compelled production of records is limited to those stored domestically.”
The court did not find this argument compelling, however, and ruled that Congress did not intend for the SCA’s warrant provisions to apply outside the United States. This is because the focus of the SCA’s warrant provisions is on protecting users’ privacy interests in stored communications.
“Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the warrant would constitute an unlawful extraterritorial application of the Act,” wrote Judge Susan Carney for the court.
She further explained that “the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States–based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States. The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of the customer’s email account stored exclusively in Ireland.” (Microsoft v. U.S., U.S. Court of Appeals for the Second Circuit, No. 14-2985, 2016)
Passwords. A former employee violated the Computer Fraud and Abuse Act (CFAA) when he knowingly—and with intent to defraud—accessed a protected work computer without authorization, a federal appeals court ruled.
David Nosal worked at executive search firm Korn Ferry International as a high-level regional director. A core asset of Korn Ferry is its Searcher database, which contains information on more than 1 million executives. It is hosted on Korn Ferry’s internal computer network and is considered confidential and for use only in firm business. Employees must log in to Searcher to access it using their unique usernames and passwords, which are issued by Korn Ferry.
In 2004, Nosal was passed over for a promotion and announced that he was planning to leave Korn Ferry. He negotiated with the firm, and decided to stay on for an additional year as a contractor to finish several open executive searches.
Nosal also signed a noncompete agreement with the firm. And, as an added precaution, Korn Ferry revoked Nosal’s access to its computers but allowed him to ask employees for research help on his remaining open assignments.
While working as a contractor, however, Nosal was also secretly working to launch his own search firm with a group of his Korn Ferry coworkers, including Becky Christian and Mark Jacobsen.
Despite his revoked access, Nosal and his accomplices continued to access Searcher using Nosal’s former executive assistant’s credentials; she had stayed on at Korn Ferry at Nosal’s request. They used this access to download information and source lists from Searcher to start their competitor firm.
In March 2005, after Nosal, Christian, and Jacobsen had left the firm, someone emailed Korn Ferry, alerting it that Nosal was conducting his own business in violation of his noncompete agreement. The firm launched an investigation and, later that year, alerted the authorities.
Nosal was later charged with and convicted by a jury of conspiracy to violate the “without authorization” provision of the CFAA for unauthorized access to, and downloads from, Korn Ferry’s database.
Nosal appealed the conviction, which reached the U.S. Court of Appeals for the Ninth Circuit. The court upheld Nosal’s conviction, explaining that the case was not about password sharing or about violating a company’s internal computer-use policies. Instead, it was about Nosal and his coconspirators’ conduct.
“We therefore hold that Nosal, a former employee whose computer access credentials were revoked by Korn Ferry acted ‘without authorization’ in violation of the CFAA when he or his former employee co-conspirators used the login credentials of a current employee to gain access to computer data owned by the former employer and to circumvent the revocation of access,” the court explained. (U.S. v. Nosal, U.S. Court of Appeals for the Ninth Circuit, Nos. 14-10037, 14-10275, 2016)
Access. The U.S. Department of Justice submitted a legislative proposal that would make it easier for foreign governments to acquire electronic data stored by U.S. companies.
The proposal would amend current communications law to make it legal for a U.S. electronic communication service provider to intercept or disclose the contents of a wire or electronic communication in response to an order from a foreign government that is certified by the U.S. attorney general.
The amendment is necessary to implement a potential agreement that would allow the United Kingdom to request that U.S. companies provide electronic data directly to it—instead of making a request through the U.S. government.
The proposal, titled Legislation to Permit the Secure and Privacy-Protective Exchange of Electronic Data for the Purposes of Combating Serious Crime Including Terrorism, was received in the Senate.
Cybersecurity. President Barack Obama approved a presidential policy directive (PPD) on U.S. cyber incident coordination that codifies the policy governing the federal government’s response to significant cyber incidents.
The PPD defines a significant cyber incident as “one that either singularly or as part of a group of related incidents is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”
The PPD establishes clear principles about how the federal government will respond to a cyber incident, differentiates between significant cyber incidents, and categorizes the government’s activities into specific lines of effort, creating a lead agency for each in the event of a significant cyber incident.
Additionally, the PPD creates mechanisms to coordinate the government’s response to significant cyber incidents, such as creating a Cyber Unified Coordination Group like those used for incidents with physical effects.
It also is designed to ensure that U.S. cyber response activities are consistent and integrated with national preparedness and incident response policies “so that our response to a cyber incident can seamlessly integrate with actions taken to address physical consequences caused by malicious cyber activity.”
Preemployment screening. New Orleans Mayor Mitch Landrieu approved legislation that makes it illegal—with few exceptions—for city contractors to use consumer credit history for hiring decisions.
The Equal Access to Employment Act prohibits city contractors from seeking or using consumer credit history of current or prospective employees for any decision on hiring, compensation, or the terms, conditions, or privileges of the individual’s employment.
The act applies to all city contractors, is effective upon the execution of a city contract, and covers all employees who work at least 40 hours in a calendar year in New Orleans on a city contract, with some exceptions.
For instance, the act does not apply to employees with responsibility for assets worth $10,000 or more nor employees who are required to have security clearances or who have access to trade secrets or information from criminal investigations.
The act goes into effect on December 23, 2016.