A civil CFAA claim for damages requires damage to computers, systems, or data

Schatzki v. Weiser Capital Mgmt, LLC, 2012 WL 2568973 (S.D.N.Y. July 3, 2012)

As I said in a previous post, we are seeing more activity dealing with the Computer Fraud and Abuse Act (CFAA).  The CFAA is both a criminal and civil statute.  The CFAA imposes criminal penalties on someone who  “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer”  or “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.”  A civil claim is available if, in addition to establishing the elements of a criminal violation, the plaintiff can show “damage or loss” as a result of the violation.  The damage or loss must be at least $5,000.00.

Schatzki is the latest case to read the terms “damage” and “loss” narrowly.  The defendants in the case allegedly obtained information from plaintiff’s computer systems without authorization and trafficked in computer passwords.  This access enabled the defendants to obtain valuable private and confidential information about the plaintiff’s clients, the plaintiffs said.  As a result, the plaintiffs had to hire consultants and incur legal fees.

The court said that the plaintiffs did not show the required “damage” or “loss,” and here’s why.  The plaintiffs failed to allege that the defendants’ access to the computer system damaged the data accessed or the system itself, or that the costs to recover the system/data exceeded $5,000.  The court also would not allow the plaintiffs to base their CFAA claim on other kinds of damages like lost profits, invasion of privacy, trespass to personal property, or misappropriation of confidential data.

LegalTXT Lesson: Quantify your damages if you are bringing a civil claim under the CFAA.  Also, remember that the CFAA is more in the nature of an anti-hacking statute than an anti-misappropriation statute.  Attempts to seek damages under the CFAA on a theory that someone gained access to electronic information and used it for improper purposes might not go very far.

Courts continue to read the CFAA narrowly to limit criminal liability

Wentworth-Douglass Hospital v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), and Dana Ltd. v. American Axle & Mfg Holdings, Inc., 2012 WL 2524008 (W.D. Mich. June 29, 2012)

Suppose a terminated employee logs in to her work account one last time (just to copy and delete her personal files, she promises), which the company allows her to do, but she ends up copying files containing the company’s trade secrets and taking them to her new job at a competing company. Employers dealing with this kind of scenario increasingly seem to be turning to the Computer Fraud and Abuse Act (CFAA) for relief (see the post on a recent case just last week).  Under the CFAA, “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is exposed to both criminal penalties and civil liability.  18 U.S.C. § 1030(a)(2)(C).  Since the CFAA is a criminal statute, a growing number of courts have been reluctant to read the CFAA too broadly.  These courts limit the kind of conduct that would qualify as “access[ing] a computer without authorization” and “exceed[ing] authorized access.”  Case in point is the Ninth Circuit’s en banc decision in United States v. Nosal issued in April of this year.  And last week, two trial courts issued decisions continuing that trend.

In Dana Limited, employees of the plaintiff copied company files and took them with them to their new jobs with a competing company.  Wentworth-Douglass Hospital similarly involved a scenario where ex-employees of a hospital copied data from the hospital’s computers onto portable storage devices.  In both cases, the courts decided there was no criminal liability under the CFAA because there was no evidence that the former employees were unauthorized to access the computer systems in the way that they did.  How they used the information they obtained might have violated company policy, but the act of access itself was not unauthorized.

Wentworth-Douglass Hospital is noteworthy also because it involved an additional scenario that the court did find to be a violation of the CFAA: another ex-employee of the hospital used his wife’s password to access the hospital’s computers.  Although the hospital had issued him his own password, apparently his wife’s account provided access to certain data to which he was not given access.  The court granted judgment as a matter of law on the CFAA claim based on those facts.

Two technical comments in the decisions are worth noting.  The court in Dana Limited addressed the argument that the ex-employees accessed computer files in an unauthorized manner because they deleted files while logged on, which the company argued amounted to unauthorized “altering” of information.  (Note: the CFAA defines “exceeds authorized access” as using unauthorized access to a computer “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”)  The court rejected the argument because there was no proof that the ex-employees deleted original files.  The company had backups of the deleted files and was able to function without difficulty despite the deletions.  Whether any “altering” occurred was speculative.

The second comment of interest concerns the employer’s argument in Wentworth-Douglass Hospital that a company policy stating that employees “are to access only information necessary for completing job responsibilities and to ensure the integrity of the information in their work areas” limited access and use.  The court was unpersuaded by this argument, reasoning that an employer cannot convert a use policy into an access restriction simply by calling it one.  In the court’s view, an access restriction limits the degree of access an employee has to certain systems and data, while a use restriction limits the varying uses to which such systems and information, once accessed, can legitimately be put.  As an example, the court said that a policy prohibiting employees from accessing company data for the purpose of copying it to an external storage device is not an access restriction because its true purpose is to forbid employees from putting company information to personal use.  In other words, the policy does not bar the employee from accessing the information; it just says he cannot copy it onto a personal device, presumably for uses unrelated to his job.

LegalTXT Lesson: This recent line of cases provides two quick takeaways for employers.  First, be intentional in phrasing internal policies relating to use of company computers and other forms of digital technology.  Know the difference between an access restriction and a use restriction and be sure the wording of the policy clearly spells out the type of restriction intended.  Second, a CFAA claim may not be the best avenue for getting relief.  Other claims could be more suitable, such as breach of an employment contract, violation of a trade secrets act (if your state adopts one), and unfair competition.

CFAA prohibits accessing computer information that a person can physically obtain, but doesn’t have permission to do so

Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012)

Under the Computer Fraud and Abuse Act (CFAA), a person commits a federal crime if he or she “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .”  18 U.S.C. § 1030.  In April, an en banc Ninth Circuit decision (colorfully penned by Chief Judge Kozinski) said the term “exceeds authorized access” excludes unauthorized use of computer information as opposed to unauthorized accessing of such information.  See United States v. Nosal, 676 F.3d 854 (9th Cir. 2012).  In other words, a person who uses his employer’s confidential computer information in an unauthorized manner (say he discloses it to his employer’s competitors) does not violate the CFAA if his physical access to the information was authorized.  As an anti-hacking statute, the CFAA was not intended to criminalize misuse of proprietary information.  Otherwise, millions of people could be subject to federal prosecution.  Many employment policies forbid employees from using work computers for nonbusiness purposes, but employers do not necessarily physically restrict their employees’ access to the Internet.  So, as Judge Kozinski pointed out, an employee subject to such a workplace policy could unwittingly violate the CFAA just by sending a personal email on a work computer, checking a personal Facebook account during work hours, or playing a game of sudoku online.

A recent trial-level decision considered a scenario similar to the one in Nosal–an ex-employee misappropriates confidential computer files from his ex-employer after termination–but came out with a different result.  Weingand v. Harland Financial Solutions, Inc. focused on the concept of authorization.  In Weingand, a financial services company (Harland) requested the court’s permission to file a counterclaim for violations of the CFAA against a terminated employee (Weingand).  Based on Weingand’s representations that he wanted to retrieve his “personal files,” Harland allowed him access to its computer system after the termination.  Weingand allegedly took that opportunity to copy over 2,700 business files belonging to Harland, its clients, and third-party software vendors.  Harland claimed that Weingand was not authorized to access those files.

Weingand had physical access to the proprietary and confidential files.  Question is, did such physical access translate into “authorized access” under the CFAA?  The court said no.  Although Nosal rejected the argument that “exceeds authorized access” could refer to someone with unrestricted physical access to a computer who is limited as to how he could use that information, this case did not turn on the access/use distinction.  Harland did not authorize Weingand to access its confidential and proprietary business files even though he physically was able to copy the files.  In copying files that he had no permission to access, Weingand exceeded his authorized access to his former employer’s computer system.  The court analogized to the situation where an ex-employee uses his old credentials (which technically have not changed) to log in to his former employer’s computer system and steal sensitive work files.  Even before Nosal, the Ninth Circuit considered such conduct a violation of the CFAA.  This was no different because the accessing of the files, though physically possible, was not authorized.  The court allowed Harland to file its counterclaim.

LegalTXT Lesson:  Weingand gives some breathing room to employers who do not explicitly forbid former employees from accessing proprietary and confidential company information . . . but why chance it?  If a company gives a former employee access to the company’s computer system after termination, set up technical restrictions on access if possible, and monitor what gets copied.  It’s better to avoid being put in the position of having to debate whether an ex-employee’s misconduct consisted of misusing company information versus illegally obtaining the information.

Can employers ask job applicants for their Facebook password in a job interview?  Employers and recruiters argue they should be allowed to vet potential employees, and let’s face it–an applicant’s social media profile is likely to be much more revealing than a 30-minute interview.  But what about the privacy rights of applicants?  Some commentators have compared password demands to requests to read a job applicant’s private mail.

Although no law directly prohibits employers from demanding access to the social media accounts of prospective employees, the practice is fraught with legal risks.  Facebook has issued a statement frowning upon password demands and warned that it will “take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges.”  Federal and State legislators are also considering making the practice illegal.  Sen. Robert Blumenthal (D-Conn.) has told Politico he is drafting a bill that will be ready “in the very near future.”  Password demands could also run afoul of federal law.  The New York Times reports that Sen. Blumenthal and Sen. Charles Schumer (D-NY) have asked the Justice Department and Equal Employment Opportunity Commission to investigate whether the practice violates the Stored Communications Act and Computer Fraud and Abuse Act.

The bottom line?  If you’re an employer and you demand to look at the social media accounts of your potential employees, you do so at your peril.