by ·0 Comments

Courts continue to read the CFAA narrowly to limit criminal liabilityWentworth-Douglass Hospital v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), and Dana Ltd. v. American Axle & Mfg Holdings, Inc., 2012 WL 2524008 (W.D. Mich. June 29, 2012)

Suppose a terminated employee logs in to her work account one last time (just to copy and delete her personal files, she promises), which the company allows her to do, but she ends up copying files containing the company’s trade secrets and taking them to her new job at a competing company. Employers dealing with this kind of scenario increasingly seem to be turning to the Computer Fraud and Abuse Act (CFAA) for relief (see the post on a recent case just last week).  Under the CFAA, “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is exposed to both criminal penalties and civil liability.  18 U.S.C. § 1030(a)(2)(C).  Since the CFAA is a criminal statute, a growing number of courts have been reluctant to read the CFAA too broadly.  These courts limit the kind of conduct that would qualify as “access[ing] a computer without authorization” and “exceed[ing] authorized access.”  Case in point is the Ninth Circuit’s en banc decision in United States v. Nosal issued in April of this year.  And last week, two trial courts issued decisions continuing that trend.

In Dana Limited, employees of the plaintiff copied company files and took them with them to their new jobs with a competing company.  Wentworth-Douglass Hospital similarly involved a scenario where ex-employees of a hospital copied data from the hospital’s computers onto portable storage devices.  In both cases, the courts decided there was no criminal liability under the CFAA because there was no evidence that the former employers were unauthorized to access the computer systems in the way that they did.  How they used the information they obtained might have violated company policy, but the act of access itself was not unauthorized.

Wentworth-Douglass Hospital is noteworthy also because it involved an additional scenario that the court did find to be a violation of the CFAA — another ex-employee of the hospital used her wife’s password to access the hospital’s computers.  Although the hospital had issued him his own password, apparently his wife’s account provided access to certain data to which he was not given access.  The court granted judgment as a matter of law on the CFAA claim based on those facts.

Two technical comments in the decisions are worth noting.  The court in Dana Limited addressed the argument that the ex-employees accessed computer files in an unauthorized manner because they deleted files while logged on, which the company argued amounted to unauthorized “altering” of information.  (Note: the CFAA defines “exceeds authorized access” as using unauthorized access to a computer “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”)  The court rejected the argument because there was no proof that the ex-employees deleted original files.  The company had backups of the deleted files and was able to function without difficulty despite the deletions.  Whether any “altering” occurred was speculative.

The second comment of interest concerns the employer’s argument inWentworth-Douglass Hospital that a company policy stating that employees “are to access only information necessary for completing job responsibilities and to ensure the integrity of the information in their work areas” limited access and use.  The court was unpersuaded by this argument, reasoning that an employer cannot convert a use policy into an access restriction simply by calling it one.  In the court’s view, an access restriction limits the degree of access an employee has to certain systems and data, while a use restriction limits the varying uses to which such systems and information, once access, can be put to legitimate use.  As an example, the court said that a policy prohibiting employees from accessing company data for the purpose of copying it to an external storage device is not an access restriction because its true purpose is to forbid employees from putting company information to personal use.  In other words, the policy does not bar the employee from accessing the information; it just says he cannot copy it on to a personal device, presumably for uses unrelated to his job.

LegalTXT Lesson: This recent line of cases provides two quick takeaways for employers.  First, be intentional in phrasing internal policies relating to use of company computers and other forms digital technology.  Know the difference between an access restriction and a use restriction and be sure the wording of the policy clearly spells out the type of restriction intended.   Second, a CFAA claim may not be the best avenue for getting relief.  Other claims could be more suitable, such as breach of an employment contract, violation of a trade secrets act (if your state adopts one), and unfair competition.

by ·0 Comments

Judge allows disability civil rights claim against Netflix to proceedNational Association of the Deaf v. Netflix, Inc., 2012 WL 2343666 (D. Mass. June 19, 2012)

Whoa, talk about floodgates.  If this case gets upheld on appeal, it might let loose a new wave of American With Disabilities Act (ADA) litigation.  Two groups advocating for the rights of the deaf and hearing impaired sued Netflix under the ADA for failing to provide equal access to its video streaming web site.  Now, live video streaming is critical to Netflix’s business model, so the ruling is certainly a blow to Netflix.  But the ruling has far greater implications.  The basic question is whether websites are “public accommodations” to which the anti-discrimination provisions of the ADA.  The federal district court of Massachusetts said yes.

The ruling was handed down in the context of Netflix’s motion for judgment on the pleadings, which is an attempt to end the case at an early stage.  Netflix argued that websites are not in the list of public accommodations in the ADA statute.  The court rejected the argument, noting that while web-based services are not specifically listed in the statute as public accommodations, Congress intended the ADA to adapt to changes in technology.  Moreover, the streaming video website fell into one or more of the listed ADA categories of public accommodations, including a “place of exhibition or entertainment” and a “rental establishment.”  But the streaming service is different from a bricks-and-mortar establishment, Netflix argued, because the videos are accessed in private residences, not in public spaces.  No matter, said the court.  The ADA covers the services “of” a public accommodation, not services “at” or “in” one.  Many businesses provide services to a customer’s home (plumbers, pizza delivery services, and moving companies are the ones listed in the court opinion) and they are not necessarily exempt from the ADA.

Netflix made two additional arguments relating to captioning.  First, Netflix argued that the plaintiffs failed to allege that Netflix controls the captioning of streaming video content.  According to Netflix, owners of video programming (not distributors like Netflix) hold the exclusive copyrights necessary to caption content.  Without the copyrights, Netflix cannot caption content without the permission of the copyright owners.  The court rejected this argument because Netflix alleged that it is working to provide captioning for the content on its streaming service.  This suggests that Netflix has some degree of control over the captioning of its video streams.

Netflix’s second captioning argument was that interpreting the ADA to cover the captioning of video programming would create an irreconcilable conflict with the Twenty-First Century Communications and Video Accessibility Act of 2010 (CVAA), which regulates the closed captioning of online video content.  This argument did not persuade the court either, as it found that the CVAA did not conflict with ADA even if the latter imposes broader duties on Netflix than the CVAA; it was possible to comply with both laws.

LegalTXT Lesson: Netflix likely will appeal to the First Circuit, and with good reason.  Small business owners are familiar with the rash of lawsuits spawned by the ADA.  If it stands, this ruling exposes a whole new class of businesses to ADA claims.  Many web-based services could be potential targets of ADA lawsuits.  For instance, could a restaurant that allows customers to make reservations online be sued under the ADA if it doesn’t close-caption its website?  Would a hotel booking website violate the ADA by failing to provide a voice activation feature on its site?  It all remains to be seen.  Stay tuned.

by ·0 Comments

ICANN not a “domain name authority” under ACPA; no in rem jurisdiction in district where ICANN is basedVizer v. Vizernews.com, 2012 WL 2367130 (D.D.C. June 22, 2012)

First off, my apologies for writing two consecutive posts with headlines that play off the word “can’t.”  Now on to more serious matters…

This case scuttles one way of getting a quick default judgment against a cybersquatter who is nowhere to be found.  The plaintiff (Vizer) wanted to bring a cybersquatting suit against the registrant of a domain name that contained his last name and was linked to a website dedicated to providing news about him (Vizernews.com).  Vizer couldn’t identify the registrant of the domain name; the domain was registered anonymously and the registrant used a privacy service to hide its contact information.  Vizer therefore brought an in rem action under the Anti-Cybersquatting Consumer Protection Act (ACPA).  Vizer is correct that the ACPA allows a trademark owner to file an in rem civil action against a domain name in the judicial district in which the “domain name registrar, domain name registry, or other domain name authority is located.”  The issue is, did Vizer file in the correct judicial district?

Vizer filed the in rem action in Washington, D.C. on the theory that the Internet Corporation for Assigned Names and Numbers (ICANN) maintains an office there.  The court dismissed the case because ICANN didn’t fit into any category of entities who can be sued in rem under the ACPA.  ICANN is not the domain name registrar (in this case, Melbourne IT, LTD d/b/a Internet Names Worldwide) nor the registry (in this case, VeriSign, Inc.).  Vizer argued that ICANN is a “domain name authority,” but the court rejected that suggestion.  According to the court, the term “domain name authority” refers to an entity that has some authority over the domain name, i.e., it plays a role in registering or assigning domain names.  ICANN doesn’t do either of those things.  Although ICANN coordinates the global domain name system, it doesn’t actually assign specific domain names or maintain a registry of such names.  The court also found persuasive legislative history of the ACPA stating that the in rem provision was not meant to cover ICANN.

LegalTXT Lesson: It looks like Vizer’s attorneys did their homework before going the in rem route.  I’m not sure what they could’ve done differently, except one wonders why they didn’t file in where the registrar (VeriSign) is located.  Verisign is based in Reston, Virginia, just a short distance far from D.C.