CFAA prohibits accessing computer information that a person can physically obtain but does not have permission to access - Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012)

Under the Computer Fraud and Abuse Act (CFAA), a person commits a federal crime if he or she “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .”  18 U.S.C. § 1030.  In April, an en banc Ninth Circuit decision (colorfully penned by Chief Judge Kozinski) said the term “exceeds authorized access” excludes unauthorized use of computer information as opposed to unauthorized accessing of such information.  See United States v. Nosal, 676 F.3d 854 (9th Cir. 2012).  In other words, a person who uses his employer’s confidential computer information in an unauthorized manner (say he discloses it to his employer’s competitors) does not violate the CFAA if his physical access to the information was authorized.  As an anti-hacking statute, the CFAA was not intended to criminalize misuse of proprietary information.  Otherwise, millions of people could be subject to federal prosecution.  Many employment policies forbid employees from using work computers for nonbusiness purposes, but employers do not necessarily physically restrict their employees’ access to the Internet.  So, as Judge Kozinski pointed out, an employee subject to such a workplace policy could unwittingly violate the CFAA just by sending a personal email on a work computer, checking a personal Facebook account during work hours, or playing a game of sudoku online.

A recent trial-level decision considered a situation similar to the one in Nosal (an ex-employee misappropriates confidential computer files from his ex-employer after termination) but came out with a different result.  Weingand v. Harland Financial Solutions, Inc. focused on the concept of authorization.  In Weingand, a financial services company (Harland) requested the court’s permission to file a counterclaim for violations of the CFAA against a terminated employee (Weingand).  Based on Weingand’s representations that he wanted to retrieve his “personal files,” Harland allowed him access to its computer system after the termination.  Weingand allegedly took that opportunity to copy over 2,700 business files belonging to Harland, its clients, and third-party software vendors.  Harland claimed that Weingand was not authorized to access those files.

Weingand had physical access to the proprietary and confidential files.  The question is, did such physical access translate into “authorized access” under the CFAA?  The court said no.  Although Nosal rejected the argument that “exceeds authorized access” could refer to someone with unrestricted physical access to a computer who is limited as to how he could use that information, this case did not turn on the access/use distinction.  Harland did not authorize Weingand to access its confidential and proprietary business files even though he physically was able to copy the files.  In copying files that he had no permission to access, Weingand exceeded his authorized access to his former employer’s computer system.  The court analogized to the situation where an ex-employee uses his old credentials (which technically have not changed) to log in to his former employer’s computer system and steal sensitive work files.  Even before Nosal, the Ninth Circuit considered such conduct a violation of the CFAA.  This was no different because the accessing of the files, though physically possible, was not authorized.  The court allowed Harland to file its counterclaim.

LegalTXT Lesson:  Weingand gives some breathing room to employers who do not explicitly forbid former employees from accessing proprietary and confidential company information . . . but why chance it?  If a company gives a former employee access to the company’s computer system after termination, it should set up technical restrictions on access if possible, and monitor what gets copied.  It’s better to avoid being put in the position of having to debate whether an ex-employee’s misconduct consisted of misusing company information versus illegally obtaining the information.

A university may discipline a student for social media posts that violate academic rules based on the ethical code of the profession the student is studying to become part of — Tatro v. University of Minnesota, 2012 WL 2328002 (Minn. June 20, 2012)

When a student sues under the First Amendment for being disciplined by the school for his or her expression, a court will likely apply the line of cases stemming from Tinker v. Des Moines Independent Community School District, 393 U.S. 503 (1969), or Hazelwood School District v. Kuhlmeier, 484 U.S. 260 (1988).  Tinker ruled that a school district may limit or discipline student expression if school officials reasonably conclude that the expression will “materially and substantially disrupt the work and discipline of the school.”  Hazelwood said that a school may exercise editorial control over the style and content of student speech in school-sponsored activities if their actions are “reasonably related to legitimate pedagogical concerns.”  But what if the student expression isn’t disruptive per se, and isn’t sponsored by the school, but is contrary to the professional code of ethics the students are being trained to follow?  It isn’t unconstitutional for the school to discipline the student for such expression, the Supreme Court of Minnesota recently said.

Amanda Tatro worked on human cadavers as part of the anatomy lab work for the University of Minnesota’s mortuary science program in which she was enrolled.  Tatro agreed to abide by various rules as a condition of being granted access to the cadavers, including the code of professional conduct governing mortuary science students and anatomy lab rules.  The lab rules prohibited “blogging” about the anatomy lab or cadaver dissection.  The lab students were told during orientation that blogging included Facebook and Twitter.

Tatro posted a series of comments on her Facebook page about the human cadaver she was assigned to.  As a result of the comments, the university imposed sanctions against Tatro, including a failing grade in the lab course and placement on probation for the remainder of her undergraduate career.  Tatro sued the school for violations of her constitutional right to free speech.

The court first considered the Tinker and Hazelwood lines of cases, but concluded that neither applied.  The university disciplined Tatro not because her Facebook posts created a substantial disruption on campus or within the mortuary science program, but because the posts violated established rules that require respect, discretion, and confidentiality in connection with work on human cadavers.  The Tinker analysis was therefore inapplicable.  Hazelwood did not apply either because no one would reasonably consider the Facebook posts as speech that the university sponsored or promoted.

The discipline was constitutional for a different reason, the court said.  Dignity and respect for the human cadaver is an established part of the professional conduct standards for the mortuary science profession.  The academic rules that Tatro violated were narrowly tailored to the objective of promoting such professional standards.  The rules permitted “respectful and discreet” discussion of cadaver dissection outside the lab in a private setting, but prohibited blogging about cadaver dissection or the anatomy lab, which could reach a wide audience.  Tatro’s Facebook posts, for example, could be seen by the hundreds of people who were “friends” with Tatro on Facebook, as well as “friends of friends.”

LegalTXT Lesson:  Academic programs that prepare students to work in a particular profession may be able to limit off-campus student expression that violates the ethical standards of that profession.  The limits must still be “narrowly tailored” to the interest in training students to uphold professional standards, however, which means blanket bans on student expression often will not pass muster.

LinkedIn announced on June 6 that it experienced a data breach compromising the passwords of some of its members.   Ten days later, LinkedIn got hit with a class action lawsuit.  The lawsuit was filed in a California federal district court.  You can read the complaint here.

A few key points about the lawsuit:

  • The plaintiffs consist of two classes — (1) anyone in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) anyone in class #1 who paid for a premium account.
  • The lawsuit alleges that LinkedIn did not comply with industry standard encryption protocols, contrary to its Privacy Policy.  Specifically, the plaintiffs contend that LinkedIn stored member passwords in “unsalted SHA1 hashed format.”
    • In simple terms, adding “salt” to a password means assigning random values to a password to make it more difficult to decipher.  For example, if the password were “JohnDoe,” you could salt it by adding the characters “5a6b7c,” giving you “JohnDoe5a6b7c.”
    • Hashing refers to the process of running a password through a one-way cryptographic function to convert it into an unreadable format.  The plaintiffs say that LinkedIn used an outdated hashing function that was first published by the NSA in 1995.
    • The plaintiffs say that LinkedIn should have at least salted the passwords before running them through the hash function.  Better yet, LinkedIn should have salted the passwords, input them into the hash function, salted the resulting hash value, and then run that salted value through a hash function.  Then, LinkedIn should have stored the fully encrypted password on a separate and secure server apart from all other user information.
  • The lawsuit brings claims based on California’s unfair competition law, California’s Consumers Legal Remedies Act, breach of contract, breach of implied covenant of good faith and fair dealing, breach of implied contract, and negligence.
  • The plaintiffs in the first class (all LinkedIn users) say they were injured in the form of loss of value in their personal information.  (Whether the court will accept that damage theory is questionable.)  Those in the second class (premium members who paid fees) say they were injured in the form of the fees they paid to LinkedIn for premium membership.
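
To make the salting point concrete, here is an added example (not taken from the complaint or from LinkedIn's code) that stores the same constructed passwords two ways: as bare SHA-1, the format the plaintiffs allege, and with a per-user random salt fed to a deliberately slow function.  PBKDF2-HMAC-SHA256, the iteration count, and the user names are assumptions of this example; the complaint names none of them, and the salt is passed as a separate input rather than appended to the password as in the “JohnDoe5a6b7c” illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts; two users share a password on purpose.
USERS = {"alice": "JohnDoe", "bob": "JohnDoe", "carol": "S3parate!"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def unsalted_sha1(password: str) -> str:
    """Storage format alleged in the complaint: bare SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow key-derivation function (PBKDF2)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digest_groups(table: dict[str, str]) -> list[list[str]]:
    """Users whose stored values are identical, i.e. whose passwords match."""
    groups: dict[str, list[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def demo() -> dict:
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    strong_hex = {u: digest.hex() for u, (_, digest) in strong.items()}
    return {
        "weak_groups": shared_digest_groups(weak),          # alice and bob collide
        "strong_groups": shared_digest_groups(strong_hex),  # salts break the tie
        "login_ok": verify_password("JohnDoe", *strong["alice"]),
        "login_bad": verify_password("johndoe", *strong["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With unsalted hashes, anyone holding the stolen table can see which accounts share a password and can test one guess against every account at once; with per-user salts, each record has to be attacked separately.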

Photographer barred from claiming statutory damages and attorneys’ fees for copyright infringement of unregistered photographs - Davis v. Tampa Bay Arena, Ltd., 2012 WL 2116136 (M.D. Fla. June 11, 2012)

This case is a good illustration of a basic concept in copyright litigation.  If you want to preserve the right to seek statutory damages and attorneys’ fees in case someone infringes on copyrights you own, make sure you register the copyright with the U.S. Copyright Office.

The plaintiff (“Davis”) photographed events at the Tampa Bay Times Forum under contract with the owner of the Forum (the “Forum”). The contract allowed the Forum to use Davis’ photos for limited purposes, but apparently, publishing the photos on its Facebook page was not one of them.  Davis maintained ownership and copyright of all the photos he took at the Forum’s events.  Davis sued the Forum for copyright infringement for posting 255 of his photos on the Forum’s Facebook page, where other users could download the photos free of charge and without restriction.

In the face of a motion to dismiss filed by the Forum, the court let most of the claims in Davis’ complaint proceed because factual allegations in a complaint are assumed to be true at that early stage of the case.  However, Davis admitted that he had a registration certificate for only 40 of the 255 photographs.  The court therefore dismissed Davis’ infringement claims for statutory damages and attorneys’ fees based on the 215 photographs for which Davis did not allege he had a registration certificate.

LegalTXT Lesson:  The takeaway from Davis is pretty straightforward.  A copyright registration with the U.S. Copyright Office is required to recover statutory damages and attorneys’ fees for copyright infringement.  Without being able to recover statutory damages, the copyright holder has to prove actual damage or profit from the alleged infringement, which could be a difficult exercise.  The prospect of shifting attorneys’ fees to the loser in a copyright infringement case also gives the copyright holder added leverage.  Consult an attorney to make sure you satisfy all the requirements for bringing a copyright infringement action.

School district not liable under Title IX for harassing Facebook comments posted by students off-campus — Doe v. Round Valley Unified School District, 2012 WL 2064382 (D. Ariz. June 7, 2012)

Is a school liable under Title IX for student-on-student sexual harassment in the form of Facebook posts?  Apparently not, if the posting occurred outside of the “context” of the school.

To bring a Title IX claim against a school for student-on-student sex harassment, one element the student-victim must prove is that the school exercised substantial control over both the harasser and the context in which the known harassment occurred.  In Doe v. Round Valley Unified School District, a female student (Jane Doe) alleged that a male classmate (Rance Allen) sexually assaulted her on three occasions and was abusive toward her in other ways, such as by making disparaging comments about her on Facebook.  After Doe and her parents reported Rance to the police, which led to his arrest and indictment for sexual misconduct, students at the school allegedly criticized Doe on Facebook, making Doe fearful of attending school.  For example, some female students said they wanted to “kick [Doe’s] ass” because they thought Rance’s arrest was unfair.

Doe brought a Title IX claim against the school district.  The Arizona federal district court found the claim faulty on several grounds, including that harassing Facebook postings did not necessarily occur in a “context” in which the school district had substantial control over the harasser.  In a footnote, the court noted that Facebook comments may not be within the school district’s control if the students posted them off-campus or on their personal computers or phones.

LegalTXT Lesson:  A school district can only do so much to limit student activity off-campus, but it can, and should, take steps to deter abusive social media use occurring on campus, such as by setting rules on when students may use school equipment to access their social media accounts.