
Trading Secrets

A Law Blog on Trade Secrets, Non-Competes, and Computer Fraud

Two New England States Pass Legislation Restricting Physician Non-Competes

Posted in Legislation, Non-Compete Enforceability

We’ve written a lot this summer about the Massachusetts legislature’s latest failed attempt at non-compete reform. Two other states in New England, however, are able to claim accomplishments in that regard. Specifically, Connecticut and Rhode Island each enacted statutes this summer imposing significant restrictions on the use of non-compete provisions in any agreement that establishes employment or any other form of professional relationship with physicians. While Connecticut’s law simply limits the duration and geographic scope of physician non-competes, Rhode Island completely banned such provisions in almost all agreements entered into with physicians.

Connecticut

Effective July 1, 2016, any covenants not-to-compete entered into, amended, or renewed in Connecticut can no longer restrict a physician’s competitive activities (i) for longer than one year and (ii) in a geographic region beyond 15 miles from the “primary site” where the physician practices. Primary site refers to “the office, facility or location where a majority of the revenue derived from such physician’s services is generated” or “any other office, facility or location where such physician practices and mutually agreed to by the parties and identified in the covenant not to compete.” The law also renders such provisions enforceable only if (i) the provision is made in anticipation of a partnership or ownership agreement or (ii) the employment or contractual relationship is terminated by the employer for cause.

Rhode Island

Effective July 12, 2016, it is now unlawful in Rhode Island to restrict in any way “the right to practice medicine in any geographic area for any period of time after the termination” of any partnership, employment, or professional relationship with a physician. The law also prohibits any restrictions on the right of physicians “to solicit or seek to establish a physician/patient relationship with any current patient of the employer.” It does not, however, apply in connection with the purchase and sale of a physician practice, provided the restrictive covenant is less than five years in duration.

Takeaway

Entities that employ physicians in Connecticut and Rhode Island should take note of these recent changes to the law and thoroughly review their existing physician non-compete and non-solicitation agreements. These agreements may need significant modifications to be in compliance with the new standards discussed above.

What To Do About Employee Thieves—Catch Them If You Can!

Posted in Trade Secrets

Cross Posted from California Peculiarities.

Seyfarth Synopsis: When employee theft occurs, employers must be cautious in investigating, avoiding self-help, and in deciding if and how to terminate the offending employee.

Companies work hard to hire trustworthy employees, but employee theft can occur in any business. Employee theft takes different shapes—you may discover an employee is stealing products, supplies, confidential information or money from the company; an employee may steal more surreptitiously by padding time on a time sheet; or an employee may intentionally fail to enter vacation time taken in order to get paid for that time when they quit. Whether subtle, or as brazen as a famous thief (see https://en.wikipedia.org/wiki/Catch_Me_If_You_Can), any form of employee theft hurts your business and can present you with a difficult management situation. That’s why we’re here to help with the following tips.

1. “An Honest Man Has Nothing to Fear”—Background Checks:

Inquiring into an applicant’s history can be a useful tool to identify people with a propensity toward dishonesty, but if you use background checks, make sure you follow the rules about collection and use of information.

a) California law prohibits use of consumer credit reports for employment purposes except when hiring for certain specified positions, such as managers, peace officers, positions that involve regular access to personal and banking information of individuals, access to $10,000 or more of cash, or access to confidential or proprietary information of the employer. (Labor Code § 1024.5.)

b) State and local agencies (as well as employers in San Francisco and Richmond) cannot use information about criminal history unless and until a decision about the candidate’s minimum qualifications has already occurred. (See, e.g., Labor Code 432.9 and San Francisco Fair Chance Ordinance.)

c) In addition, under federal law, criminal history may not present an automatic barrier to employment; there must be a relationship between the criminal activity and the important elements of the job, and employers should consider the number of convictions, their nature and seriousness, how recent they are, and evidence of rehabilitation.


D.C. Circuit Upholds NLRB Finding that Employment Agreement’s Confidentiality and Non-Disparagement Provisions Violated the NLRA

Posted in Restrictive Covenants

Cross Posted from Employer Labor Relations Blog.

Seyfarth Synopsis: The U.S. Court of Appeals for the D.C. Circuit recently denied Quicken Loans, Inc.’s petition for review of an NLRB decision finding that confidentiality and non-disparagement provisions in the company’s Mortgage Banker Employment Agreement unreasonably burdened employees’ rights under Section 7 of the NLRA.

Back in 2013, an NLRB administrative law judge found that certain confidentiality and non-disparagement provisions contained in Quicken’s Mortgage Banker Employment Agreement violated the NLRA (see our earlier blog post here). The Board agreed with the ALJ, and the Company petitioned the D.C. Circuit for review. Recently a three-judge panel of the D.C. Circuit denied the Company’s petition for review and granted the NLRB’s cross-application for enforcement, finding that there was nothing arbitrary or capricious about the Board’s decision and there was no abuse of discretion in the Board’s hearing process (Case No. 14-1231).

Facts

As a condition of employment, mortgage bankers were required to sign a Mortgage Banker Employment Agreement that included a confidentiality provision and a non-disparagement provision. The confidentiality provision prohibited employees from disclosing nonpublic information regarding the company’s personnel, including personnel lists, handbooks, personnel files, and personnel information of coworkers such as phone numbers, addresses, and email addresses. The non-disparagement provision prohibited employees from publicly criticizing, ridiculing, disparaging or defaming the company or its products, services, policies, directors, officers, shareholders or employees.

Court’s Reasoning

The D.C. Circuit noted that its review of the Board’s decision was limited, as Congress has entrusted the Board with implementing Sections 7 and 8(a)(1) of the Act and determining when an employer’s workplace rules run afoul of those provisions. The three-judge panel noted that the Board’s determinations are therefore entitled to considerable deference and will be sustained as long as the Board “faithfully applies” the legal standards and its textual analysis of a challenged rule is “reasonably defensible” and adequately explained.

In finding that the Board properly determined that the confidentiality provision violated employees’ Section 7 rights, the court noted that the very information the provision forbids employees from sharing (i.e., personnel lists and employee rosters) has long been recognized as information that employees must be permitted to gather and share among themselves and with union organizers. With respect to the non-disparagement provision, the court found that the Board “quite reasonably found that such a sweeping gag order would significantly impede mortgage bankers’ exercise of their Section 7 rights because it directly forbids them to express negative opinions about the company, its policies, and its leadership in almost any public forum.”

In reaching its conclusions, the appeals court noted that the validity of a workplace rule turns not on subjective employee understandings or actual enforcement patterns, but on an objective inquiry into how a reasonable employee would understand the rule’s disputed language. The court observed that this approach serves “an important prophylactic function: it allows the Board to block rules that might chill the exercise of employees’ rights by cowing the employees into inaction,” rather than forcing the Board to wait until that chill is manifest and then try to undertake the difficult task of dispelling it. The court also noted that the absence of enforcement “could just as readily show that employees had buckled under the Employment Agreement’s threat of enforcement.”

Employer Takeaway

In recent years, the Board has issued numerous decisions in which workplace rules were found to unlawfully restrict employees’ Section 7 rights, and the D.C. Circuit’s decision demonstrates that employer petitions for review of such decisions may not be successful. The decision also highlights the need to not just draft and review employee handbooks and policies for possible non-compliance with the NLRA, but employment agreements as well.

All or Nothing: Nevada Supreme Court Refuses to Adopt “Blue Pencil” Doctrine for Non-Compete Agreements

Posted in Non-Compete Enforceability

In a recent opinion, the Supreme Court of Nevada refused to adopt the “blue pencil” doctrine when it ruled that an unreasonable provision in a non-compete agreement rendered the entire agreement unenforceable. “Blue penciling” refers to a court’s willingness to strike unreasonable clauses from a non-compete agreement, leaving the rest of the agreement to be enforced; or to modify the agreement to reflect terms that are reasonable under the law. Many jurisdictions permit “blue penciling” while others have refused to adopt the doctrine.

Traditionally, Nevada courts have followed the latter approach by refraining from reforming or “blue penciling” parties’ private contracts, including non-compete agreements. The case of Golden Road Motor Inn, Inc. v. Islam, presented the Supreme Court of Nevada with an opportunity to join the number of jurisdictions that have embraced the doctrine. For various reasons, the Court refused to do so.

The Islam case involved a dispute between a casino worker and his former employer. The worker, who worked as a casino host for the former employer, entered into an agreement with the former employer to refrain from working for any other gaming establishment within 150 miles of the former employer for one (1) year following the end of his employment with the former employer. After resigning from his employment with the former employer, the worker began working as a casino host for a new employer within the prohibited 150-mile radius. The former employer sued the worker to prevent his employment with the new employer.

The Court found the non-compete agreement’s prohibition of all types of employment with a gaming establishment within 150 miles of the former employer was overbroad, as such a prohibition extended beyond what was necessary to protect the former employer’s interests. The Court also found such a prohibition severely restricted the worker’s ability to be gainfully employed. Finding this provision unreasonable, the Court declared the entire agreement unenforceable.

The former employer asked the Court to modify the overbroad provisions of the non-compete agreement to render the agreement enforceable. Rejecting the former employer’s argument, the Court stated that it was not its role to rewrite the parties’ contract and that courts are not empowered to make private agreements. The Court explained that its restraint from “the urge to pick up the pencil” to modify the non-compete agreement avoids trampling the parties’ contractual intent, preserves judicial resources, and holds the employer, as the drafter of the agreement, to a higher standard. The Court explained that under a “blue pencil doctrine,” the employer receives what amounts to a “free ride” on the unreasonable provision, perhaps knowing that the provision would never be enforced. Consequently, the Court stated, the practice of “blue-penciling” encourages employers with superior bargaining power to “insist upon unreasonable and excessive restrictions, secure in the knowledge that the promise will be upheld in part, if not in full.” This, the Court maintained, forces the employee to bear the burden as employers “carelessly, or intentionally overreach.”

In light of this opinion, employers conducting business in Nevada should ensure that non-compete agreements with their employees are reasonably necessary to protect the employers’ interests. This means that the scope of activities prohibited, the time limits, and geographic limitations contained in the non-compete agreements should all be reasonable. If an agreement contains even one overbroad or unreasonable provision, the employer risks having the entire agreement invalidated and being left without any recourse against an employee who violates the agreement. Employers should consult with an attorney if they have any concerns about the enforceability of their non-compete agreements with their employees.

We Traced The Trade Secret Leak … It’s Coming From Inside The Business

Posted in Trade Secrets

Cross Posted from California Peculiarities.

Seyfarth Synopsis: Protecting trade secrets from employee theft requires more than using an NDA when onboarding employees. If businesses want to protect confidential information, they need a cradle-to-grave approach, reiterating employee obligations regularly, including during exit interviews. (Yes, you need to do exit interviews!)

Headline stories in intellectual property theft tend to involve foreign hackers engaged in high-tech attacks to pilfer vast troves of data stored by big businesses or government entities, such as those involving Russian government hackers or the Chinese military. The losses are staggering. In 2009, McAfee estimated that cybercrime cost worldwide economies $1 trillion. That number was cited by (a then-youthful) President Obama in his first speech on cybersecurity. Since that time, attacks by professionals and nation states have remained at the forefront of both news reports and the public perception.

But despite the disproportionate attention given to high-value, high-tech attacks by outsiders, many U.S. businesses recognize that threats from the inside are just as costly, as revealed by a 2014 PricewaterhouseCoopers survey. Nevertheless, “only 49%” of organizations surveyed had “a plan for responding to insider threats.”

Trade secrets are particularly susceptible to theft because they, by definition, consist of secret information with economic value. Company insiders often find that information too tempting to leave behind when changing employers, or when seeking new employment. Therein lies the problem.

Trade secret theft by employees may not grab as many headlines as neo-Cold War espionage, but the data suggest that employees, not outsiders, pose the greatest threat of loss from trade secret theft. The good news is that a little proactivity by employers will go a long way toward keeping them out of the 49% who lack a plan to prevent leaks.

Of course, in California, obtaining protection is not all that simple. Non-compete agreements are, with very limited exceptions, a non-starter under Business and Professions Code § 16600, so you need special steps to keep your trade secret house in order. And because a California trade secret plaintiff (e.g., a former employer suing its former employee) likely must identify its trade secrets with reasonable particularity before commencing discovery, it pays to invest time on the front end to identify and inventory your trade secret information before litigation arises.

So, what can employers do?

Update Non-Disclosure Agreements to Comply With the DTSA, and See That Employees Know Why NDAs Are Important

Almost all employers (we hope) have confidential/non-disclosure and trade secret protection provisions in their employment agreements. But have these agreements been updated to comply with the recently enacted Defend Trade Secrets Act (“DTSA”) and its important employee/whistleblower notification provisions? And what are employers doing to help ensure compliance with their agreements? Rolling out new agreements is relatively easy. Making sure they are effective takes some doing.

Remember, your organization will not even have trade secrets to protect unless it has made “efforts reasonable under the circumstances” (under the California Uniform Trade Secrets Act) or has taken “reasonable measures” (under the DTSA) to maintain the secrecy of the information it claims to be a trade secret. Cal. Civ. Code § 3426.1(d); 18 U.S.C. § 1839(3)(A).

Implement Computer Use and Social Media Agreements and Policies

Most trade secret theft occurs via electronic device. Make sure your company has computer use and access policies and agreements that:

  • Set forth that company computers, network, related devices, and information stored therein belong to the company;
  • Indicate that access to company computers and networks is password-protected, with access authorized only for work-related purposes;
  • Make use of data storage/access hierarchies, with the most valuable information being accessible on only a need-to-know basis, with security access redundancies (housed in a highly secure database that requires unique user credentials distinct from the log-in credentials the employee uses to access a computer workstation);
  • Identify which devices are allowed in the workplace—BYOD practices have become popular, but also present challenges in regulating information flow and return. If employees use their own devices to perform work for the company, make clear that the company data on those devices belong to the company;
  • Notify employees that the company reserves the right to inspect devices used for work to ensure that no company data exist on the devices upon termination of employment;
  • Define whether cloud storage may be used by employees, under what terms, and what happens when employment ends;
  • Define whether external storage devices (e.g., thumb drives) are allowed and under what terms; and
  • Identify whether and how employees may use social media associated with their work—trade secrets must never be publicly disclosed, but beware of any overreach that would suppress employee communications protected by the National Labor Relations Act.

Build a Culture of Confidentiality—Make Sure Employees Know What The Company Regards as Confidential and Then Remind Them Routinely

Employees need to understand what information your company considers confidential. Educating employees on this subject should start at the beginning of employment, continue throughout employment, and recur at the end of employment. Tools that can help in this regard include:

  • Onboarding procedures to emphasize the importance of company confidential information;
  • Including in NDAs an express representation that the employee does not possess and will not use while in your employ confidential information belonging to any former employer or other third party;
  • Using yearly (or more frequent) brief interactive e-modules emphasizing the importance of maintaining the confidentiality of company information;
  • Requiring that the employee sit for an exit interview; and
  • Requiring that the employee certify in writing, during exit interviews, that they have returned all company information and property (the employee may provide property on the spot or make statements about what will be returned—you should inventory all such indicated property and information).

Properly Exiting Employees—Particularly for High Risk Employees—Matters!

Not all employees present the same risk of loss. Generally, the loftier an employee is in the corporate hierarchy the greater the threat that that employee will expose company confidential information. The following recommendations are for mid-to-high risk departing employees:

  • The person conducting the exit interview must be prepared—use a checklist;
  • “Preparedness” for higher-risk employees will include (1) identifying, before the exit interview, the trade secret and confidential information the employee routinely accessed and used during employment, (2) reviewing for unusual activity the departing employee’s computer and work activities (including card key facility access data, where available) in the days and weeks leading up to their exit, (3) using an exit certification as noted above, and (4) inquiring where the employee is going and what position the employee will hold;
  • Where initial investigation warrants, discreetly interview company-friendly co-workers of the departing employee to identify potentially suspicious conduct;
  • Immediately shut down the departing employee’s access to company computers, networks, and other data repositories (e.g., cloud or other off-site storage). Cutting off access to company computer and data may be warranted before exiting the employee, depending on the perceived risk of data theft;
  • Send a reminder-of-obligations letter to the now former employee, reciting ongoing obligations to the company and attaching, where useful, a copy of the NDA the employee has signed;
  • Consider notifying the new employer, but tread carefully here to avoid overstepping or providing a basis to be accused of interfering with the employment relationship between your former employee and the new employer; and
  • Depending on the threat level you perceive, consider having a departing employee’s emails preserved and their electronic devices forensically imaged.

With best practices in place, protecting your company’s trade secrets should be more like routine but vigilant maintenance than preparing to do cyber battle with foreign states. Organizations understandably focus on creating the next “big thing,” increasing sales, and building investor value, but slowing down enough to be purposeful in protecting intellectual property is a must.

Federal Precedents Under the DTSA Have Arrived

Posted in Trade Secrets

While the Defend Trade Secrets Act of 2016 (“DTSA”) has only been in effect for a few months, the first wave of cases raising DTSA claims has started to generate federal decisions. In what appears to be the first substantive ruling under the Act, the Northern District of California illustrated some of the advantages – and limitations – of DTSA claims in the context of injunctive relief.

Henry Schein, Inc. (“HSI”), a manufacturer of medical, dental and veterinary supplies, sued its former employee, Jennifer Cook, under the DTSA and a host of other California state law claims. Henry Schein, Inc. v. Cook, 16-cv-03166-JST (N.D. Cal.). Cook, a former sales associate, is alleged to have taken HSI’s trade secrets (including customer information) to her new employer, a competing dental supply company, despite her confidentiality agreements with HSI. HSI sought a temporary restraining order and, later, a preliminary injunction under both the DTSA and California state law claims. The court entered a temporary restraining order and preliminary injunction prohibiting Cook from disclosing HSI’s trade secrets to her new employer, but refused to enter a preliminary injunction that would prevent Cook from contacting or doing business with her former HSI customers in light of California’s policy against non-compete agreements.

Perhaps the most striking aspect of the court’s ruling was ultimately how little effect the DTSA had upon it. The DTSA has been widely viewed as an avenue for plaintiffs to bring trade secret claims in federal court, but HSI already had diversity jurisdiction for its state law claims and, as noted by the Court, HSI’s California Uniform Trade Secrets Act claims closely mirror those brought under the DTSA. In other words, HSI could have brought its state law trade secret misappropriation claims against Cook in federal court even if the case had been filed before the passage of the DTSA, with little impact upon the court’s ruling. The Court noted at several points, in both the TRO and PI orders, the similarities between the DTSA and California’s Uniform Trade Secrets Act, and considered HSI’s claims under both statutes without distinguishing between the two.

The court’s rulings also serve as a reminder that the DTSA does not supplant state law concerning the enforceability of non-compete agreements. California’s longstanding adverse treatment of non-compete agreements was the basis for the court’s refusal to enjoin Cook from “contracting or doing business with her clients,” especially when HSI had failed to show “specific evidence that Cook was utilizing trade secret information to solicit customers.” While not the explicit basis for the court’s ruling, the DTSA requires “evidence of threatened misappropriation,” and not merely a showing that the individual has information in their possession, before the issuance of an injunction under the Act. 18 U.S.C. § 1836(b)(3)(A)(i)(I).

While the court’s decision in HSI may not go into great detail in its consideration of the DTSA, it is worth noting why the court did not have to do so. DTSA claims will, in many cases, closely track claims under state law. The plaintiff in HSI already had an avenue to federal court based on the complete diversity of the parties, but other litigants will undoubtedly have to rely on the DTSA as their basis for federal jurisdiction. The DTSA’s most striking feature – its ex parte seizure provision – remains untested in federal court.

In Like A Lion, Out Like A Lamb: Following Much Fanfare, Massachusetts Noncompete Reform Again Fails

Posted in Legislation, Non-Compete Enforceability

In what has become a highly anticipated annual game of “Will They/Won’t They,” the Massachusetts legislature again failed to pass comprehensive noncompete reform legislation this year, despite much fanfare and high hopes from certain quarters. This should come as no surprise to our loyal readers, who have seen this happen virtually every year over the past decade, but it actually seemed as though something might be different this year, with the House and Senate both passing bills, and the Governor signaling his support for the House version. Alas, the wheels of state government have again come to a screeching halt with no movement as the 2016 legislative session ended late last night with no compromise. No controversial matters can now be advanced until the next legislative session, which begins in January 2017. As we seem to say every summer, maybe next year . . .

Massachusetts Governor Supports Noncompete Reform, But Not Abolition

Posted in Legislation, Non-Compete Enforceability, Trade Secrets

According to The Boston Globe, Massachusetts Governor Charlie Baker has publicly voiced his support for some restrictions on noncompete agreements, but he does not want to abolish them entirely. Specifically, Governor Baker supports the bill passed by the Massachusetts House of Representatives (discussed previously here), but not the far more restrictive bill passed by the Massachusetts Senate (discussed here). According to Governor Baker’s spokesman:

The Governor favors the House version of the noncompete legislation because he believes it better balances workers’ abilities to seek new employment while ensuring cutting edge businesses can protect essential intellectual property. . . . Finding the right compromise on this issue is essential to ensuring innovative businesses want to stay and grow in the Commonwealth.

A conference committee, being led by House Ways and Means Chairman Brian Dempsey and Senator Daniel Wolf, with Representatives John Scibak and Jay Barrows and Senators William Brownsberger and Ryan Fattman, will attempt to resolve the differences between the competing bills by the end of the formal legislative session, which wraps up for the year on July 31.

We will be monitoring and will report on any progress in the conference committee this week, so stay tuned.

When Stealing in Baseball Can Land You in Jail: Computer Fraud Sentencing Announced in MLB Case

Posted in Computer Fraud, Data Theft, Espionage

Although stealing bases, and even signs, in baseball may be part of the game, stealing another team’s trade secrets can land you in federal prison, as one executive recently learned the hard way.

As we previously reported, the FBI has been investigating the St. Louis Cardinals for hacking into the Houston Astros’ internal computer network and stealing proprietary information, including internal discussions about trades, proprietary statistics, and scouting reports. The investigation has now concluded: the Cardinals’ former director of baseball development, Chris Correa, pleaded guilty to five counts of unauthorized access of a protected computer in January, and he has now been sentenced to 46 months in federal prison. He also must pay $279,038 in restitution. According to NPR, “U.S. District Judge Lynn Hughes, as she sentenced Correa, noted that the crime has resulted in stricter security at other baseball teams, according to a press release from the Justice Department. When Correa apologized and called his actions ‘reckless,’ [Judge] Hughes replied, ‘No, you intentionally and knowingly did these acts.’”

As the Department of Justice reported at the time of Correa’s plea:

The plea agreement details a selection of instances in which Correa unlawfully accessed the Astros’ computers. For example, during 2013, he was able to access scout rankings of every player eligible for the draft. He also viewed, among other things, an Astros weekly digest page which described the performance and injuries of prospects who the Astros were considering, and a regional scout’s estimates of prospects’ peak rise and the bonus he proposed be offered. He also viewed the team’s scouting crosscheck page, which listed prospects seen by higher level scouts. During the June 2013 amateur draft, he intruded into that account again and viewed information on players who had not yet been drafted as well as several players drafted by the Astros and other teams.

Correa later intruded into that account during the July 31, 2013, trade deadline and viewed notes of Astros’ trade discussions with other teams.

Another set of intrusions occurred in March 2014. The Astros reacted by implementing security precautions to include the actual Ground Control website address (URL) and required all users to change their passwords to more complex passwords. The team also reset all Ground Control passwords to a more complex default password and quickly e-mailed the new default password and the new URL to all Ground Control users.

Shortly thereafter, Correa illegally accessed the aforementioned person’s e-mail account and found the e-mails that contained Ground Control’s new URL and the newly-reset password for all users. A few minutes later, Correa used this information to access another person’s Ground Control account without authorization. There, he viewed a total of 118 webpages including lists ranking the players whom Astros scouts desired in the upcoming draft, summaries of scouting evaluations and summaries of college players identified by the Astros’ analytics department as top performers.

On two more occasions, he again illicitly accessed that account and viewed confidential information such as projects the analytics department was researching, notes of Astros’ trade discussions with other Major League Baseball teams and reports of players in the Astros’ system and their development.

The parties agreed that Correa masked his identity, his location and the type of device that he used, and that the total intended loss for all of the intrusions is approximately $1.7 million.

Michael McCann provides a good analysis of the sentence for Sports Illustrated and describes potential penalties Major League Baseball may pursue against the Cardinals.

Facebook, Inc. v. Power Ventures, Inc.: Shotgun-Toting Borrowers of Jewelry From Bank Safe Deposit Boxes and the CFAA. Wait. What?

Posted in Computer Fraud, Computer Fraud and Abuse Act, Cybersecurity

On July 12, 2016, the Ninth Circuit filed its published opinion in Facebook, Inc. v. Power Ventures, Inc., et al., Case No. 13-17154 (“Power Ventures”). Power Ventures is the latest in a series of decisions from the Ninth Circuit relating to the type of activities potentially giving rise to liability under the Computer Fraud and Abuse Act (18 U.S.C. §1030) (“CFAA”). Power Ventures has potentially important implications for the ways that businesses create, store, and monetize data through computers and web-based applications. Unlike the court’s Nosal line of decisions, Power Ventures is focused more on internet-based conduct that may violate the CFAA.

The underlying legal dispute between the parties began in 2008, when Facebook filed suit against Power Ventures, Inc. (“Power”) in the USDC for the Northern District of California. Power, which aggregated data from different social networking sites using, among other things, automated scripts (i.e., “scraping”), enabled people with various social media accounts to access all of their information in one place. Power used user-provided social media log-in information to import people’s information to a Power portal. In an effort to promote itself and attract users, Power then contacted via e-mail Facebook users’ friends, making it appear as if the e-mails came from Facebook.

Upon learning of Power’s activities, Facebook sent Power a cease and desist letter and used IP blocks in an attempt to prevent Power from obtaining Facebook data (IP blocking is a process by which a computer or network is directed to ignore all communications from a particular IP address). But Power continued to copy Facebook data and took measures to evade the IP blocks.

Although the Ninth Circuit analyzed whether Power’s conduct violated the federal CAN-SPAM Act (finding that it did not, and reversing District Court Judge Lucy Koh), the court’s analysis of the CFAA issues is most noteworthy. The court first walked through its United States v. Nosal CFAA decisions (from 2012 and July 5, 2016; see our coverage of these decisions here and here) to “distill two general rules” in analyzing the issue of authorized access under the CFAA:

(1) “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly” (noting that “once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability”); and

(2) “a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.”

Applying these rules, the court noted that Power users “arguably gave Power permission to use Facebook’s computers to disseminate messages” (further stating that “Power reasonably could have thought that consent from Facebook users to share the [Power promotion] was permission for Power to access Facebook’s computers”) (emphasis in original). Importantly, the court found that “[b]ecause Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers ‘without authorization’ within the meaning of the CFAA.”

The court declined, in a footnote, to “decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly” (citing to a law review article asserting that “websites are the cyber-equivalent of an open public square in the physical world”).
Instead, the court found that a cease and desist letter sent to Power by Facebook expressly rescinded the permission granted by Facebook users to Power and put Power on notice that it “was no longer authorized to access Facebook’s computers.” The letter informed Power that, in Facebook’s view, Power had violated Facebook’s Terms of Use and directed Power to cease using Facebook content or otherwise interacting with Facebook through automated scripts.

Power continued to access Facebook and took steps to evade the IP blocks that Facebook put in place. The court noted discovery from the trial court that appears to reflect a concerted effort by Power to wire around Facebook’s countermeasures and a likely awareness that Power’s conduct implicated the CFAA.

To explain its finding that the Facebook cease and desist letter had revoked Power’s permission to access Facebook, the court analogized the circumstances to a person who wanted to borrow a friend’s jewelry held in a bank safe deposit box. The court said that the borrower would need permission from the bank and the safe deposit box holder to access the box if the bank had determined that it did not want the borrower on its premises (in the court’s example, because the borrower brought a shotgun to the bank when entering to access the safe deposit box).

Although the court’s analogy might have helped it better understand the technology and information flow at issue in Power Ventures, it lacks the nuance that can swirl around alleged “scraping” scenarios where there are sometimes questions concerning whether “access” under the CFAA has occurred and whether there is a protectable or property interest in the data scraped (in the court’s analogy, the jewelry was the safe deposit box holder’s property, but what was the data equivalent in Power Ventures and, under different facts, what might be the bank’s property interest?).

The court then went on to distinguish Power from its Nosal decisions and, in doing so, made some interesting observations (arguably in dictum) about the legal effect of Facebook’s Terms of Use. The court observed that “Facebook and Power had no direct relationship, and it does not appear that Power was subject to any contractual terms that it could have breached.” It is unclear whether, by making this statement, the court is saying that, by its conduct, Power and Facebook had not entered into a contract (e.g., the Facebook Terms of Use) or rather there simply were no terms within the Terms of Use that prohibited Power’s conduct.

Notably, Facebook does not appear to have pleaded a breach of contract claim in the trial court.

In any event, whether a website’s terms of use will apply to and bind a party that attempts to “scrape” data from the website is likely to be further litigated as traditional contract formation principles meet the evolving standards under “browser-wrap” and “click-wrap” agreements.

This much is clear from Power Ventures: Those who use websites to conduct business would be well-served to (1) carefully consider the drafting and use of website terms of use; (2) diligently monitor their websites and associated computers/servers for any access, and the means of access, by anyone other than authorized users; and (3) where unauthorized access is detected, act promptly to notify in writing those who have potentially made such access of the conduct alleged to be improper/unlawful and demand that such conduct cease.

Cyberspace and e-commerce law will continue to evolve rapidly, so banks best keep an eye out for those skilled in the programming arts along with shotgun-toting borrowers of jewelry.