On July 5, 2016, the Ninth Circuit Court of Appeals issued its highly anticipated decision in the most recent chapter of United States v. Nosal, holding that an individual acts “without authorization” as used in the Computer Fraud and Abuse Act (“CFAA”) when, after his/her own access has been revoked, the individual utilizes legitimate log‑in information of another to access company databases. This decision has important consequences for organizations as they consider how to implement policy and technical controls on user access to ensure they are protected against unauthorized access under the CFAA.
Marc represents clients in federal and state court at the trial and appellate levels with a particular focus on class actions, multi-district litigation, and mass joinders. Among Marc’s current engagements, he represents the Regents of the University of California and Santa Clara University in multiple pandemic-related class actions seeking refunds of tuition and fees; Deloitte & Touche in a pay and promotion gender discrimination class action; NCAA in concussion and injury-related cases throughout the country; Marathon Oil Corporation in nationwide climate change litigation; and multiple foreign defendants in a class action in an MDL arising out of allegedly defective drywall. Recently, Marc played a lead role in securing denial of class certification and affirmance by the Ninth Circuit Court of Appeals in an employment discrimination suit against Microsoft. He also successfully secured dismissal on immunity grounds of the Regents of the University of California in a class action before the Northern District of California. In addition, in response to the Covid-19 pandemic, Marc is actively assisting clients in strategizing around litigation arising out of the health crisis.
Marc served as a law clerk to Judge Betty B. Fletcher of the U.S. Court of Appeals for the Ninth Circuit. Prior to joining Orrick, Marc worked as an appellate and post-conviction attorney for the Equal Justice Initiative. In that capacity, he engaged in trial level and appellate representation of clients in both state and federal court, including two cases that were briefed and argued before the United States Supreme Court.
Posts by: Marc Shapiro
On December 3, the Second Circuit Court of Appeals became the most recent entrant into the circuit conflict on the question of when and under what circumstances an employee’s use of a computer to gain access to unauthorized information constitutes a violation of the Computer Fraud and Abuse Act. Over a dissent, the Court held that an employee cannot be convicted of violating the CFAA when he uses a database, to which he has been granted access, in a manner that is prohibited by company policy. With the Second Circuit joining the Fourth and Ninth Circuits in the minority on the issue, the answer continues to turn on the jurisdiction in which the suit was brought. Employers should take note because the decision reinforces the need to consider carefully whether and how to limit employee access to sensitive company information within its network—e.g., by use of written policy or technical access restrictions—and how those protections will play out in court if an employee takes company information for use in future employment.
Yesterday, the United States Supreme Court granted certiorari in Spokeo, Inc. v. Robins, to consider a question critical to the viability of data breach class actions: standing. Since the Court’s most recent standing decision in Clapper v. Amnesty Int’l USA, a majority of lower courts have dismissed data breach claims for failing to satisfy Article III’s injury-in-fact requirement; however, a growing chorus of lower courts have sanctioned such actions. As the Supreme Court prepares to wrestle with that split of authority during oral argument this fall, it will be tasked with deciding whether a plaintiff’s allegations concerning violations of statutory rights under the Federal Credit Reporting Act (“FCRA”) are sufficient to establish standing irrespective of any tangible injury. The ramifications of that determination are deeply significant, as the decision may either open or close the floodgates to data breach litigation throughout the country.