by ·1 Comment

A round-up of recent developments in CFAA litigation is in order.  In the last three months, a series of cases have provided answers to important questions about the requirements for bringing a CFAA claim under the Computer Fraud and Abuse Act (CFAA).  The recent cases address three general questions:

1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

2. What computers are subject to the protections of the CFAA?

3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?

What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?

The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.”  Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases.  The recent cases are no exception.  The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.

Downloading Information From a Publicly Accessible Website

Downloading information from a website that any member of the public could access via a hyperlink posted on another site does not constitute access “without authorization,” according to  CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012).  The case involved two competing business that offered online access to college catalogs.  One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegSource’s digital archive of the school’s course catalogs.  The link could be inserted into the school’s homepage.  If a person browsing on the school’s homepage clicked on the link, he or she would be sent to CollegeSource’s website without being told that they were leaving the school’s web domain.  Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.

The defendant (AcademyOne) maintained an online course description database.  To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet.  AcademyOne’s contractor obtained over 700 catalogs through CataLink.

The court was not persuaded by CollegeSource’s argument that AcademyOne accessed the CataLink service “without authorization” given that CataLink is available to anyone with an Internet connection.  The court also did not accept CollegeSource’s argument that AcademyOne exceeded its authorization to use CataLink because it violated the terms of use governing the CollegeSource website.  The terms of use were not binding on AcademyOne because the link to CataLink material appeared on the webpage of a school, and clicking on the link did not trigger a notice that the user was leaving the school website and being forwarded to the CataLink page.

Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information

Asking others to get you information that you’re not entitled to have will get you in trouble.  In Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company.  Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.

Hacking Into an Employees’ Email Account

This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA.  The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account.  The wrongfulness of the act was undisputed.  The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).

What constitutes a “protected computer”?

Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which has two definitions.  A “protected computer” could be a computer used exclusively by a financial institution or the U.S. government, or if not exclusively, then for a use affected by the conduct that violated the CFAA.  A “protected computer” could also be a computer “which is used in or affecting interstate or foreign commerce or communication ….”  18 U.S.C. § 1030.

In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce.  If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.

What “losses” count toward meeting the standing requirement?

A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA.  18 U.S.C. § 1030(g).  One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000.  § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.

The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.”  To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that has been misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in CFAA violation.  Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation.  So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued.  The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the victim’s confidential information that the hacker obtained and distributed.  The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.

In regards to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act.  Losses stemming from multiple CFAA violations could be added together to meet the threshold $5,000 amount.

by ·0 Comments

A civil CFAA claim for damages requires damage to computers, systems, or data Schatzki v. Weiser Capital Mgmt, LLC, 2012 WL 2568973 (S.D.N.Y. July 3, 2012)

As I said in a previous post, we are seeing more activity dealing with the Computer Fraud and Abuse Act (CFAA).  The CFAA is both a criminal and civil statute.  The CFAA imposes criminal penalties on someone who  “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer”  or “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.”  A civil claim is available if, in addition to establishing the elements of a criminal violation, the plaintiff can show “damage or loss” as a result of the violation.  The damage or loss must be at least $5,000.00.

Schatzki is the latest case to read the terms “damage” and “loss” narrowly.  The defendants in the case allegedly obtained information from plaintiff’s computer systems without authorization and trafficked in computer passwords.  This access enabled the defendants to obtain valuable private and confidential information about the plaintiff’s clients, the plaintiffs said.  As a result, the plaintiffs had to hire consultants and incur legal fees.

The court said that the plaintiffs did not show the required “damage” or “loss,” and here’s why.  The plaintiffs failed to allege that the defendants’ access to the computer system damaged the data accessed or the system itself, or that the costs to recover the system/data exceeded $5,000.  The court also would not allow the plaintiffs to base their CFAA claim on other kinds of damages like lost profits, invasion of privacy, trespass to personal property, or misappropriation of confidential data.

LegalTXT Lesson: Quantify your damages if you are bringing a civil claim under the CFAA.  Also, remember that the CFAA is more in the nature of an anti-hacking statute than an anti-misappropriation statute.  Attempts to seek damages under the CFAA on a theory that someone gained access to electronic information and used it for improper purposes might not go very far.

by ·0 Comments

Courts continue to read the CFAA narrowly to limit criminal liabilityWentworth-Douglass Hospital v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), and Dana Ltd. v. American Axle & Mfg Holdings, Inc., 2012 WL 2524008 (W.D. Mich. June 29, 2012)

Suppose a terminated employee logs in to her work account one last time (just to copy and delete her personal files, she promises), which the company allows her to do, but she ends up copying files containing the company’s trade secrets and taking them to her new job at a competing company. Employers dealing with this kind of scenario increasingly seem to be turning to the Computer Fraud and Abuse Act (CFAA) for relief (see the post on a recent case just last week).  Under the CFAA, “[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer” is exposed to both criminal penalties and civil liability.  18 U.S.C. § 1030(a)(2)(C).  Since the CFAA is a criminal statute, a growing number of courts have been reluctant to read the CFAA too broadly.  These courts limit the kind of conduct that would qualify as “access[ing] a computer without authorization” and “exceed[ing] authorized access.”  Case in point is the Ninth Circuit’s en banc decision in United States v. Nosal issued in April of this year.  And last week, two trial courts issued decisions continuing that trend.

In Dana Limited, employees of the plaintiff copied company files and took them with them to their new jobs with a competing company.  Wentworth-Douglass Hospital similarly involved a scenario where ex-employees of a hospital copied data from the hospital’s computers onto portable storage devices.  In both cases, the courts decided there was no criminal liability under the CFAA because there was no evidence that the former employers were unauthorized to access the computer systems in the way that they did.  How they used the information they obtained might have violated company policy, but the act of access itself was not unauthorized.

Wentworth-Douglass Hospital is noteworthy also because it involved an additional scenario that the court did find to be a violation of the CFAA — another ex-employee of the hospital used her wife’s password to access the hospital’s computers.  Although the hospital had issued him his own password, apparently his wife’s account provided access to certain data to which he was not given access.  The court granted judgment as a matter of law on the CFAA claim based on those facts.

Two technical comments in the decisions are worth noting.  The court in Dana Limited addressed the argument that the ex-employees accessed computer files in an unauthorized manner because they deleted files while logged on, which the company argued amounted to unauthorized “altering” of information.  (Note: the CFAA defines “exceeds authorized access” as using unauthorized access to a computer “to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”)  The court rejected the argument because there was no proof that the ex-employees deleted original files.  The company had backups of the deleted files and was able to function without difficulty despite the deletions.  Whether any “altering” occurred was speculative.

The second comment of interest concerns the employer’s argument inWentworth-Douglass Hospital that a company policy stating that employees “are to access only information necessary for completing job responsibilities and to ensure the integrity of the information in their work areas” limited access and use.  The court was unpersuaded by this argument, reasoning that an employer cannot convert a use policy into an access restriction simply by calling it one.  In the court’s view, an access restriction limits the degree of access an employee has to certain systems and data, while a use restriction limits the varying uses to which such systems and information, once access, can be put to legitimate use.  As an example, the court said that a policy prohibiting employees from accessing company data for the purpose of copying it to an external storage device is not an access restriction because its true purpose is to forbid employees from putting company information to personal use.  In other words, the policy does not bar the employee from accessing the information; it just says he cannot copy it on to a personal device, presumably for uses unrelated to his job.

LegalTXT Lesson: This recent line of cases provides two quick takeaways for employers.  First, be intentional in phrasing internal policies relating to use of company computers and other forms digital technology.  Know the difference between an access restriction and a use restriction and be sure the wording of the policy clearly spells out the type of restriction intended.   Second, a CFAA claim may not be the best avenue for getting relief.  Other claims could be more suitable, such as breach of an employment contract, violation of a trade secrets act (if your state adopts one), and unfair competition.

by ·0 Comments

CFAA prohibits accessing computer information that a person can physically obtain, but doesn’t have permission to do soWeingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012)

Under the Computer Fraud and Abuse Act (CFAA), a person commits a federal crime if he or she “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .”  18 U.S.C. § 1030.  In April, an en banc Ninth Circuit decision (colorfully penned by Chief Judge Kozinski) said the term “exceeds authorized access” excludes unauthorized use of computer information as opposed to unauthorized accessing of such information.  See United States v. Nosal, 676 F.3d 854 (9th Cir. 2012).  In other words, a person who uses his employer’s confidential computer information in an unauthorized manner (say he discloses it to his employer’s competitors) does not violate the CFAA if his physical access to the information was authorized.  As an anti-hacking statute, the CFAA was not intended to criminalize misuse of proprietary information.  Otherwise, millions of people could be subject to federal prosecution.  Many employment policies forbid employees from using work computers for nonbusiness purposes, but employers do not necessarily physically restrict their employees’ access to the Internet.  So, as Judge Kozinski pointed out, an employee subject to such a workplace policy could unwittingly violate the CFAA just by sending a personal email on a work computer, checking a personal Facebook account during work hours, or playing a game of sodoku online.

A recent trial-level decision considered a similar as the one in Nosal–an ex-employee misappropriates confidential computer files from his ex-employer after termination–but came out with a different result.   Weingand v. Harland Financial Solutions, Inc. focused on the concept of authorization.  In Weingand, a financial services company (Harland) requested the court’s permission to file a counterclaim for violations of the CFAA against a terminated employee (Weingand).  Based on Weingand’s representations that he wanted retrieve his “personal files,” Harland allowed him access to its computer system after the termination.  Weingand allegedly took that opportunity to copy over 2,700 business files belonging to Harland, its clients, and third-party software vendors.  Harland claimed that Weingand was not authorized to access those files.

Harland had physical access to the proprietary and confidential files.  Question is, did such physical access translate into “authorized access” under the CFAA?  The court said no.  Although Nosal rejected the argument that “exceeds authorized access” could refer to someone with unrestricted physical access to a computer who is limited as to how he could use that information, this case did not turn on the access/use distinction.  Harland did not authorize Weingand to access its confidential and proprietary business files even though he physically was able to copy the files.  In copying files that he had no permission to access, Weingand exceeded his authorized access to his former employer’s computer system.  The court analogized to the situation where an ex-employee uses his old credentials (which have technically have not changed) to login to his former employer’s computer system and steal sensitive work files.  Even before Nosal, the Ninth Circuit considered such conduct a violation of the CFAA.   This was no different because the accessing of the files, though physically possible, was not authorized.  The court allowed Harland to file its counterclaim.

LegalTXT Lesson:  Weingard gives some breathing room to employers who do not explicitly forbid former employees from accessing proprietary and confidential company information . . . but why chance it?  If a company gives a former employee access to the company’s computer system after termination, set up technical restrictions on access if possible, and monitor what gets copied.  It’s better to avoid being put in the position of having to debate whether an ex-employee’s misconduct consisted of misusing company information versus illegally obtaining the information.