Have you ever logged into your parents’ Netflix account? Let your brother use your login while he was visiting? Then you may have committed a federal crime.
In July 2016, the U.S. Court of Appeals ruled that it was illegal to use another person’s password to access a service without the approval of the company that delivers the service. A three-judge panel upheld the 2013 federal conviction of the defendant, David Nosal, for six counts of violating the Computer Fraud and Abuse Act of 1986 (CFAA).

In 2004 Nosal resigned from his employer, a Los Angeles-based recruiting company. Soon afterward, he persuaded three former coworkers to join him in a new, competing search and recruiting business. Before resigning from the employer, they downloaded proprietary and confidential information from the company’s computers for their own use.

Four years later, Nosal and the three employees were indicted for 20 violations of the Computer Fraud and Abuse Act of 1986. A criminal and civil law simultaneously, the CFAA allows plaintiffs to sue for any damages caused by violations.

Federal prosecutors charged that the four defendants downloaded their former employer’s data with intent to defraud, but the defense argued that the CFAA was intended to stop hackers and did not apply to employees who violate confidentiality agreements or misappropriate information. Nosal’s co-defendants were also still employed at the time of the incident, so the defense countered the charge that they had acted “without authorization.”

The U.S. District Court for the Northern District of California agreed and dropped the CFAA-related charges from the indictment. When the prosecution appealed, the Ninth Circuit Court ruled that an employee “exceeds authorized access” under the CFAA when they access data in violation of an employer’s access policies. The five counts based on the CFAA were promptly reinstated.

Nosal’s attorneys argued that such a ruling turned millions of people into criminals because practically everyone uses their work computer to check personal email, shop online, or view the weather–all harmless acts that technically violate most company policies. The court responded that such acts lack any intent to defraud and do not obtain “something of value” as required for a CFAA prosecution.

When Nosal was retried in 2013, he was convicted on six charges by the U.S. District Court for the Northern District of California. He appealed the conviction, but in July 2016 the Ninth Circuit Court affirmed it.

So what does all of this have to do with the legality of sharing your Netflix password? Although no court has ruled on this particular question yet, any “Terms of Service” violations such as password sharing could be perceived as violations of the Computer Fraud and Abuse Act of 1986. Even someone who uses their company computer to check their email may arguably be seen as “defrauding” their employer. If that’s the case, then there are millions of prospective “defendants” out there.Chances are slim that you will ever be prosecuted for logging into your friend’s Netflix account or sending a Tweet on company time, but if you are charged with any kind of computer crime, contact a New York criminal defense attorney right away. Experienced legal counsel is your best way of avoiding a severe outcome that your actions do not warrant. Julie Rendelman has experience both as a prosecutor and a criminal defense attorney. If you are seeking legal advice whether you have already been charged with a federal or state crime or you are concerned that you may be, then call Ms. Rendelman’s office at 212-951-1232 or visit www.RendelmanLaw.com.