prcode 34931845011 MA sequence
I was reading Eric Ostroff's fine post discussing customer lists as trade secrets, in the context of a
recent case involving Farmers Insurance Exchange and several of its former agents, Farmers Ins. Exch.
v. Steele Ins. Agency, 2013 U.S. Dist. LEXIS 70098 (E.D. Cal. May 16, 2013).
The trade secret at issue in that case involved an electronic compilation of data about insurance
customers. Farmers maintains that compilation for its captive agents through something called an
"Agency Dashboard." In the captive insurance setting, the insurer normally owns proprietary rights to
its customer information. This is in stark contrast to the independent agency system, where the agents
themselves retain rights to such data.
Eric does a nice job summarizing the steps Farmers takes to protect its customer data, including the
requirement that agents log in with passwords each time they gain access to the database. They must,
as Eric points out, acknowledge Farmers' proprietary rights upon entry to Farmers' dashboard system.
Full disclosure, now.
I litigated several matters against Farmers Insurance over the years. And I am well-familiar with the
way in which Farmers pursues trade secrets cases against ex-agents, and all too familiar with the
Agency Dashboard, what it looks like, and how it works.
So I won't summarize what Eric wrote, but instead I want to highlight a fact that came up in the case
and try to apply a claim Farmers hasn't (yet?) pursued.
Yes, I am talking about our old pal, the Computer Fraud and Abuse Act.
At least two of the defendants in the Farmers' case used passwords that did not belong to them to
access Agency Dashboard.
One of the defendants was an office employee (seemingly a customer service agent) who used another
Farmers agent's password to download reports out of Agency Dashboard. That agent, apparently not
complicit, had severe health problems.
Another defendant was the son of a Farmers agent (again, it didn't appear the agent was complicit)
and used his father's Farmers password to log in to Agency Dashboard. Though not crystal clear from
the record, the defendant then presumably used proprietary data from the dashboard to switch
customers away from Farmers. Neither of those defendants had password credentials of his or her
This case comes at an interesting time. John Marsh, Russell Beck, and I just recorded another episode
of the Fairly Competing podcast (which will be available Tuesday morning), and we discussed the latest
chapter in United States v. Nosal. The factual matrix in that case (also from California) involved something very similar to what I've just described: gaining access to a protected computer system
through password sharing. (For my prior post discussing Nosal in the District Court, click here.)
That is: X uses Y's password to log in to a protected database, when X can't otherwise gain access
through credentials assigned to him.
As the Nosal jury found, this conduct violated the CFAA because the individual is gaining access to a
protected computer without authorization. A password is the quintessential access barrier, familiar to
The Farmers case was teed up for a preliminary injunction around the time the Nosal verdict came
down, and there isn't much precedent available for extending the CFAA to the password-sharing
paradigm. In fact, given the Ninth Circuit's rather narrow interpretation of the CFAA, it's to be expected
that attorneys would pull back on civil claims under this statute.
But it appears that the agents who accessed Agency Dashboard without proper password credentials
may have violated the CFAA, at least under the statutory interpretation applied by the District Court in
Nosal. The case under the CFAA may be stronger than that against Nosal, because there's no indication
Nosal himself accessed the database with someone else's password. He was just directing traffic.
I still have not reconciled, personally, whether the CFAA should be extended to this fact pattern, though
I think it probably should. I have great reservations about the CFAA for many reasons. And given the
Ninth Circuit's narrow construction of the CFAA, it is possible we'll get further guidance on whether
password sharing implicates a statutory violation when Nosal II is decided.
READ MORE ARTICLES: