California federal court finds no CFAA violation for disseminating software updates obtained from subscription to software support service, and requires fraud-based CFAA claims to be pled with particularity – Oracle America, Inc. v. Service Key, LLC, 2012 WL 6019580 (N.D. Cal. Dec. 3, 2012).
DLT was a member of the Oracle Partner Network (OPN), a program for third party companies interested in reselling Oracle hardware and software. To facilitate their role as resellers, OPN members receive log-in credentials to access Oracle’s support websites. Oracle alleged that DLT fraudulently used its access to obtain Oracle’s proprietary software patches and updates, which DLT then provided to its own customers. Oracle further alleged that DLT gave its access credentials to Oracle’s websites to “unwitting third parties” (apparently including the Navy and FDA) who were unaware that DLT lacked authorization to do so. Oracle sued DLT under numerous theories, including violations of the CFAA.
Certain CFAA claims alleged that DLT “exceed[ed] authorized access” in obtaining information from Oracle’s support systems. The court agreed with DLT that dismissal of such claims was required under United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc). In Nosal, an en banc panel of the Ninth Circuit ruled that misuse or misappropriation of information to which one has authorized access does not violate CFAA provisions based on access to a computer “without authorization or exceeding authorized access.” Oracle’s complaint alleged that DLT used its access credentials for an unauthorized purpose (although Oracle apparently tried to distinguish Nosal by re-characterizing the complaint in subsequent briefing as alleging that DLT accessed Oracle’s websites without authorization). That’s precisely the kind of conduct that Nosal said was not actionable under the CFAA, the court ruled. However, DLT could still be liable under the CFAA for trafficking passwords to Oracle’s support sites because such a claim is not based upon unauthorized access to a protected computer.
Oracle also ran into trouble with the requirement in Rule 9(b) of the Federal Rules of Civil Procedure that claims alleging fraud or mistake be pled with particularity. One of Oracle’s CFAA claims alleged that DLT “knowingly and with intent to defraud . . . exceed[ed] authorized access, and by means of such conduct further[ed] the intended fraud . . . .” 18 U.S.C. § 1030(a)(4). The court concluded that the claim was “grounded” or “sounded” in fraud and thus subject to Rule 9(b). Oracle did not adequately detail its fraud to meet the Rule 9(b) pleading requirement.
The one bright spot for Oracle in the decision was the court’s rebuff of DLT’s argument that Oracle did not properly allege damages. Oracle alleged that it incurred costs as a result of investigating and conducting a damage assessment in response to DLT’s actions, and the court found that enough to satisfy the damage requirement. The court also rejected a similar argument that Oracle did not sustain damages in excess of $5,000. That argument referred to the fraud-based CFAA violation, an element of which is that the fraud resulted in the defendant obtaining “anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]” 18 U.S.C. § 1030(a)(4) (emphasis added). The $5,000 threshold is not meant to be a measure of damages, the court held. Rather, the threshold refers to the value of the computer use relevant in determining whether a CFAA violation exists. In any event, the court said, Oracle did allege that DLT obtained something of value, i.e., its software.
LegalTXTS Lesson: If you’re in the Ninth Circuit, recovery under the CFAA for illicit use or dissemination of proprietary computer information is a challenge. Liability for hacking into a computer system is well-established, see Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), and so is liability for giving away passwords to protected sites, as the Oracle decision teaches. Asking permission to access your work computer “one last time” to delete personal files before switching jobs and then downloading a bunch of proprietary data also will get you in trouble (see Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012), and my post on it here).
When it comes to misuse or misappropriation of information that was obtained with authorized access, however, Nosal makes it pretty clear that’s not a violation of the CFAA. The Oracle decision follows that rule. Other circuits, like the Third Circuit, go the opposite direction—hence decisions like Synthes, Inc. v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), which held that it is a violation of the CFAA to induce employees of a competing company who have authorized access to the company’s computer system to download proprietary information and give it to you (see my post on it here).
DMCA safe harbor provision applies to copyright infringement claims brought under state common law — UMG Recordings, Inc. v. Escape Media Group, Inc., 2012 WL 2847859 (N.Y. Sup. Ct. July 10, 2012)
A New York court ruled that the “safe harbor” provisions of the Digital Millennium Copyright Act (DMCA) apply to copyright infringement claims brought under state copyright law. UMG Recordings (UMG), a division of Universal Music Group, sued the owners of the online music service Grooveshark for violation of copyrights in sound recordings created before February 15, 1972. Why that specific date? We’ll find out shortly. According to UMG, Grooveshark allows its users to upload digital copies of songs through its website. Grooveshark then copies the songs to its servers, from which users of the website can retrieve and access the songs by running a search by song title or artist.
Grooveshark argued that it qualified for the “safe harbor” provision of the DMCA that protects a service provider from copyright infringement claims based on its storage of the offending materials at the direction of a user. UMG countered that the safe harbor applies only to copyrights created under and protected by the U.S. Copyright Act. The claims at issue, however, were based on New York State common law, not the federal Copyright Act. And while the Copyright Act preempts state law in certain instances, common law copyrights created before February 15, 1972 are not federally preempted until 2067.
The court doesn’t buy UMG’s argument. The court found no indication in the text of the DMCA that Congress intended to limit the applicability of the safe harbors to just recordings made after February 15, 1972. The terms “copyright owner” and “infringing” in the DMCA safe harbor provisions were no less applicable to common law copyright than to statutory copyright. Therefore, the court refused to dismiss the safe harbor defense.
Photographer barred from claiming statutory damages and attorneys’ fees for copyright infringement of unregistered photographs – Davis v. Tampa Bay Arena, Ltd., 2012 WL 2116136 (M.D. Fla. June 11, 2012)
This case is a good illustration of a basic concept in copyright litigation. If you want to preserve the right to seek statutory damages and attorneys’ fees in case someone infringes on copyrights you own, make sure you register the copyright with the U.S. Copyright Office.
The plaintiff (“Davis”) photographed events at the Tampa Bay Times Forum under contract with the owner of the Forum (the “Forum”). The contract allowed the Forum to use Davis’ photos for limited purposes, but apparently, publishing the photos on its Facebook page was not one of them. Davis maintained ownership and copyright of all the photos he took at the Forum’s events. Davis sued the Forum for copyright infringement for posting 255 of his photos on the Forum’s Facebook page, where other users could download the photos free of charge and without restriction.
In the face of a motion to dismiss filed by the Forum, the court let most of the claims in Davis’ complaint proceed because factual allegations in a complaint are assumed to be true at that early stage of the case. However, Davis admitted that he had a registration certificate for only 40 of the 255 photographs. The court therefore dismissed Davis’ infringement claims for statutory damages and attorneys’ fees based on the 215 photographs for which Davis did not allege he had a registration certificate.
LegalTXTS Lesson: The takeaway from Davis is pretty straightforward. A copyright registration with the U.S. Copyright Office is required to recover statutory damages and attorneys’ fees for copyright infringement. Without being able to recover statutory damages, the copyright holder has to prove actual damage or profit from the alleged infringement, which could be a difficult exercise. The prospect of shifting attorneys’ fees to the loser in a copyright infringement case also gives the copyright holder added leverage. Consult an attorney to make sure you satisfy all the requirements for bringing a copyright infringement action.