Employers May Have Sweat Equity In Their Executives’ LinkedIn Accounts, But Employees Score Win In War Over The Applicability Of The Federal Computer Fraud And Abuse Act In The Workplace

By Scott Schaefers

In the age of social media and networking, where employees undoubtedly use their company-issued computers to network with customers, vendors, colleagues, and friends, a legal question presents itself: can employers claim an interest in their employees’ LinkedIn accounts, or other social networking accounts, which the employees use in part to grow and maintain their relationships for the benefit of their employers? 

A. Can An Employer Claim Ownership Of Its Executive’s LinkedIn Profile?

A federal court in Philadelphia recently said “Yes,” though not definitively. In Eagle v. Morgan, No. 11-4303, 2011 WL 6739448 (E.D. Pa. Dec. 22, 2011), the court held that an employer may claim ownership of its former executive’s LinkedIn connections where the employer required the executive to open and maintain an account, the executive advertised her and her employer’s credentials and services on the account, and where the employer had significant involvement in the creation, maintenance, operation, and monitoring of the account. More specifically, the court refused to dismiss employer Edcomm’s counterclaims for “misappropriation of an idea” and unfair competition against its former chief executive, Dr. Linda Eagle, who allegedly accessed and used her Edcomm-generated LinkedIn account three weeks after she was terminated. Edcomm had an established policy requiring its executives to create LinkedIn accounts using an Edcomm-prepared template, and requiring them to respond to LinkedIn client and colleague inquiries using an Edcomm template. This policy and participation regarding the executive’s LinkedIn account and activities was enough to state a valid claim for misappropriation of Edcomm’s alleged ownership of the account. Notably, the court did not cite any social-networking-related precedent in its decision.

And interestingly, the court dismissed Edcomm’s claims of statutory trade secret misappropriation and common law conversion to the extent they were premised on Eagle’s alleged misuse of the connections and content in her Edcomm LinkedIn account. The court held that such connections could not be trade secrets if they were posted on the internet.

There is another active case in the Northern District of California that we previously blogged on that addressed similar issues. 

The lesson here is that employers and their lawyers should consider getting more involved in their employees’ social-networking activities, particularly to the extent that such activities are used for company business and where employees are required or expected to promote themselves on behalf of the company using these networking sites. The day may come when the employer wishes it had kept a closer eye on departing employees’ online profiling.

B. The Eagle Court Sides With The Pro-Employee Line Of Cases Which Hold That Employers Cannot Use The Federal Computer Fraud And Abuse Act To Sue Employees Who Misuse Their Employers’ Computers

The Eagle decision is noteworthy for another reason: it agreed with other federal courts which held that employers may not sue unfaithful employees under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (CFAA) for stealing or misusing company computer files, so long as the employees had authorized access to the computers for company business. 

The court noted the existing divide between federal courts – some of which hold that employers may sue employees under CFAA (e.g. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2007), Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), see also U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010)), and some of which hold they may not (e.g. Int'l Ass'n of Machinists & Aerospace Workers v. Werner–Masuda, 390 F.Supp.2d 479, 498 (D. Md. 2005) and similar Pennsylvania federal cases). Congress and the Supreme Court have yet to resolve this conflict among lower federal courts. Until then, whether employers may sue their employees under the CFAA may depend largely on the federal circuit court of appeals in which the employer or employee is located.

Key Computer Fraud and Abuse Act Case Heard By Ninth Circuit En Banc Panel: Can Rogue Employees Be Held Liable For Data Theft Under The Computer Fraud and Abuse Act?

By Robert Milligan

The Ninth Circuit held oral argument on the key United States v. Nosal case yesterday before an en banc panel.

The Court has made the oral argument available on-line.

At stake is whether the government can maintain criminal charges and an employer can maintain a civil cause of action under the Computer Fraud and Abuse Act against an employee who steals company data by "exceeding authorized access" in violation of an employer's computer usage policies.

Ninth Circuit Chief Judge Alex Kozinski repeatedly challenged the Justice Department's position on the scope of the CFAA during the oral argument and questioned why the government should be able to prosecute individuals for providing false information on Facebook, Google, or Match.com in violation of terms of use agreements or using work computers in violation of employer policies.

Ninth Circuit Judge Richard Tallman challenged Nosal's position by questioning why employees should not be held responsible under the CFAA for violating clear and express computer usage policies by stealing company data.

Oral argument revealed that the en banc panel is likely divided on whether to reverse the Ninth Circuit's April decision, which permitted the government to maintain its indictment against the employee for violating the employer's computer usage policies.

 

 

Department of Justice Takes Pro-Employer Stance On Amendments To Computer Fraud And Abuse Act: Employers Should Continue To Be Able To Hold Employees Liable For Violations Of Computer Usage Policies Under The Act

By Robert Milligan and Joshua Salinas

In connection with proposed Congressional amendments to the federal Computer Fraud and Abuse Act (CFAA), on November 15, 2011, Department of Justice Deputy Chief Richard W. Downing (Computer Crime and Intellectual Property Section) emphasized the importance of an expansive CFAA before the House Committee on the Judiciary and came out against attempts by critics of the CFAA to restrict employers' ability to use the CFAA against employees who steal company data in violation of company computer usage policies. The Department of Justice prepared a statement in advance of Mr. Downing's live testimony.

Mr. Downing addressed concerns that an expansive reading of “exceeds authorized access” under the CFAA might subject computer users to prosecution for merely violating a website’s terms of use. We have blogged about recent cases in which courts have applied an expansive view of the CFAA. In U.S. v. Nosal, the Ninth Circuit Court of Appeal held that an employee’s violations of an employer’s computer use policies constituted “exceeding authorized access.” A California district court in Facebook v. MaxBounty applied Nosal’s holding and found that Facebook could sufficiently state a claim under the CFAA because the defendant advertising company had violated Facebook’s terms of service policies. Note, the Ninth Circuit Court of Appeal recently ordered that Nosal be heard before an en banc panel.

Mr. Downing stressed that a restrictive reading of the CFAA would make it difficult or impossible to deter and address serious insider threats, including threats by rogue employees working for competitors to steal their employers' data. Technology has become so pervasive that nearly every employee is required to access databases with large amounts of information. Mr. Downing highlighted the importance of protecting the nation’s economic security and not just national security. Indeed, businesses should have confidence that their confidential, proprietary, and/or trade secret information is protected.

Mr. Downing provided several examples in which a restrictive reading of “exceeds authorized access” would allow violators to escape any liability for their wrongdoings. For example, in 2006 a contract systems administrator for a medical services provider used his authorized computer access to download thousands of employee names and social security numbers. See United States v. Salum, 578 F. 3d 682 (7th Cir. 2009). In 2008, nine employees of Vangent, Inc. used their authorized computer access to obtain and disclose loan records and confidential information regarding President Obama and other well-known political figures, celebrities, and sports figures. A restrictive reading of the CFAA would not only hurt employers, but would also hurt the public and customers whose information is often the subject of data theft.

Mr. Downing highlighted that employer agreements and internal computer usage policies are routinely used in prosecuting offenders in such cases. Mr. Downing reiterated the Department of Justice's growing concern that advancements in computer technology have increased the vulnerability of businesses which rely on trade secret, confidential, and/or proprietary information. In the age of Wikileaks, Facebook, Twitter, and rapidly evolving social media, employees are able to leak company information to the entire world in only a matter of minutes. Mr. Downing and the Department of Justice support the ability of companies to be proactive and clearly communicate the restrictions on computer usage to employees and hold them accountable in civil and criminal court for violations of such policies. Restricting the CFAA to only hackers (rather than insiders) through proposed amendments to the CFAA would provide employees a license to steal company data and weaken a company's defenses in protecting its data.

 

Dead Again? Use of Computer Fraud and Abuse Act By Employers To Combat Employee Data Theft Limited By Ninth Circuit's Latest Ruling

The Ninth Circuit Court of Appeals ordered that U.S. v. Nosal be reheard en banc by all of the Appeals Court judges and that the “three-judge panel opinion [in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011)] shall not be cited as precedent by or to any court of the Ninth Circuit.”

Accordingly, the ability of employers to sue employees who violate computer usage policies by stealing company data under the CFAA in the Ninth Circuit is again in question.

This comes after the three-judge panel Nosal opinion was beginning to gain momentum in district courts in the Ninth Circuit.

Should the Ninth Circuit reverse the decision, the U.S. Supreme Court may elect to take the decision, as a Ninth Circuit reversal would cement the conflict between the Ninth Circuit and other Circuits, such as the Fifth and Eighth Circuits. The U.S. Supreme Court's decision to take up the case may also be impacted by whether Congress passes amendments to the Computer Fraud and Abuse Act which would curtail the ability of the government and companies to sue for violation of usage policies, including violations of social media sites' terms of service.

Liability Under Computer Fraud and Abuse Act For Violating Computer Use Policies Gains Momentum In Ninth Circuit

By Robert Milligan and Joshua Salinas

The Ninth Circuit’s important U.S. v. Nosal decision is gaining momentum. On September 14, 2011, a California district court in Facebook v. MaxBounty, the Honorable Jeremy Fogel, presiding, became one of the first courts to apply Nosal, reaffirming that the violation of computer use policies constitutes “exceeding authorized access” under the Computer Fraud and Abuse Act (CFAA). In doing so, Facebook arguably reinforced the legal protections for employers against employees who steal or remove electronic files or data in violation of their employers’ written computer-use restrictions.

Facebook is one of the most popular social networking websites with more than 500 million active users. It requires users to agree to its terms of use, which include regulation and restrictions regarding advertising on its website. Facebook’s advertising guidelines prohibit advertisements that are fraudulent, deceptive, or misleading.

MaxBounty is an online advertising and marketing company that drives internet traffic to its customers’ websites.

Facebook alleged that MaxBounty engaged in impermissible advertising and commercial activity on its website. Facebook alleged that MaxBounty created Facebook pages that were intended to re-direct unsuspecting Facebook users to third-party commercial websites. 

Facebook brought a claim, inter alia, under the CFAA against MaxBounty for “knowingly and with intent to defraud, access[ing] of a protected computer without authorization or exceeding authority.” 18 U.S.C. § 1030(a)(4).

MaxBounty moved to dismiss Facebook’s CFAA claim per Federal Rule of Procedure 12(b)(6). MaxBounty argued that it could not act “without authorization” or “exceed authority” because Facebook granted MaxBounty access to the Facebook website.

The district court rejected MaxBounty’s argument, citing Nosal’s holding that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access.’” U.S. v. Nosal, 642 F. 3d 781, 789 (9th Cir. 2011). The court stated that MaxBounty agreed to Facebook’s terms of use, which placed restrictions on MaxBounty’s use of Facebook’s website.

MaxBounty argued that because Facebook granted it access to the Facebook site, it could not have exceeded its “authorized access” within the meaning of the CFAA. However, the court noted that Facebook alleged that MaxBounty and its affiliates registered for Facebook accounts and accepted Facebook’s terms of use, which place restrictions on their use of the Facebook site. In this light, the court found that Facebook’s allegations were sufficient to state a claim under the CFAA.

This case is significant because it is one of the first cases to apply Nosal’s holding that the violation of computer-use policies constitutes “exceeding authorized access” under the CFAA. As discussed in our prior blog, Nosal provides employers in the Ninth Circuit with a clear CFAA remedy against dishonest employees who exceed their authorized access of their employers’ computer systems. Facebook fortifies that protection and encourages employers to take proactive steps with well-written computer-use policies and procedures.

New York Federal Court Dismisses Computer Fraud and Abuse Act Claims For Defendant's Alleged Use Of "Supercookies" And "History Sniffing"

By Robert Milligan and Joshua Salinas

A New York federal district court recently dismissed Computer Fraud and Abuse Act (CFAA) claims asserted against defendant advertising company Interclick and some of its advertising clients. Plaintiff consumer Sonal Bose alleged that the defendant advertising company’s use of “supercookies” and “history sniffing” invaded her privacy, misappropriated her personal information, and interfered with her computer’s operations. The court dismissed the CFAA claims because Bose failed to show the statutorily required damage or loss.

Bose alleged that Interclick used browser cookies to advertise for various companies online. Cookies are small files placed in a computer user’s web browser to gather information about the user’s online habits and behaviors. Cookies are helpful for users who want to autopopulate data, such as usernames or passwords, when they return to a website. These cookies are also extremely beneficial for marketing companies, which can track a user’s online habits and behaviors. Thus, an advertising company such as Interclick can use this information to provide specifically tailored advertisements based on the user’s profile. If a user does not want to be tracked or have this information available, he or she can always delete the cookies from the web browser.

The problem Bose alleged in this case was that Interclick used “supercookies” aka “flash cookies.” These supercookies are not as delicious as they sound. When a user deletes his or her cookies, the supercookie “respawns” the deleted cookie without the user’s notice or consent. As in this case, Interclick allegedly continued to track Bose and collect her information, despite her attempt to delete the cookies and protect her privacy. Bose also alleged that Interclick used “history sniffing,” in which it allegedly looked at her computer’s browsing history to tailor its advertisements toward her.

Bose claimed that she suffered: (1) impaired computer services and resources, (2) loss due to collection of personal information, and (3) loss due to interruption of internet service. The defendants moved to dismiss on grounds that Bose failed to allege a cognizable injury to meet the $5,000 threshold statutorily required for CFAA civil claims. (18 U.S.C. § 1030 (c)(4)(A)(I)).

First, the court recognized that physical damage is not necessary for CFAA claims. As we have discussed in previous blogs, courts are expanding the CFAA’s definition of “losses” and have recognized computer forensic investigation costs and outside counsel fees as sufficient to meet the statutory threshold. However, the court here stated that Bose failed to quantify her damage and did not specifically show the impairment of her computer functions or any diminution of value.

Second, the court cited Doubleclick and stated that Bose’s allegations for invasion of privacy, trespass, and misappropriation of confidential data are not cognizable economic losses. (In re Doubleclick Inc. Privacy Litig., 154 F. Supp. 2d 497, 524, n. 33 (S.D.N.Y. 2001)). The court found Bose’s claims similar to the California case La Court v. Specific Media, Inc. No. SACV 10-1256-GW(JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011), which also dismissed supercookie CFAA claims for failure to allege an economic injury. The court emphasized that “advertising on the internet is no different from advertising on television or in newspapers,” as marketers and retailers constantly collect consumer personal data and demographic information. In other words, no harm, no foul.

Finally, the court found that Bose failed to allege any specific damage or loss regarding the interruption of her internet service. Bose did not show that the cookies damaged, shut down, or even slowed her computer.

This case is significant because it demonstrates that courts still require some quantifiable or cognizable loss for CFAA civil claims, despite the growing trend to allow claims absent any damage or interruption of service. Courts will not accept CFAA civil allegations merely based on the invasion of privacy. Indeed, privacy has at least a $5,000 price tag under the statute.

The use of supercookies will continue to rouse privacy advocates. In fact, this summer the European Union issued its “Cookie Directive” to address cookie privacy concerns.

The court dismissed the CFAA claims, but kept the claims against Interclick for alleged deceptive business practices. While supercookies may not be unlawful under the CFAA, how a company uses these tracking devices may still subject them to liability.

This area of law continues to be white hot as the plaintiffs' bar tries to leverage privacy and other claims against companies who collect computer users' data as class actions for large settlements. 

 

Outside Counsel Fees May Be a Qualified Loss to Meet the CFAA's $5000 Jurisdictional Requirement

By David Monachino

The Computer Fraud and Abuse Act (“CFAA”) requires, among other things, that a plaintiff demonstrate a “loss” of $5,000 or more. See 18 U.S.C. § 1030(c)(4)(A)(i)(I). 

In Animators at Law, Inc. v. Capital Legal Solutions, LLC, et al., Case No. 10-CV-1341 E.D.Va. (May 10, 2011) (unpublished) (TSE), two former employees of Animators abruptly left to join a competitor. Shortly thereafter, Animators’ president noticed that one of the former employees’ laptops, containing sales and other confidential information, was missing. Thus, Animators initiated an investigation concerning whether defendants copied, deleted, or otherwise misused Animators’ confidential information after leaving Animators’ employment, including an (i) outside forensic analysis, (ii) internal investigation, and (iii) outside counsel investigation. Capital Legal disputed whether the outside forensic analysis constituted a qualified loss under the CFAA, because Animators did not “actually pay” cash for these services, as well as the propriety of the other two investigations.

The District Court first noted that “hindsight must not guide such an analysis of whether such actions were reasonably necessary in response to a CFAA violation … perpetrators of unauthorized access should foresee that their actions may result in significant investigations and costs far exceeding the actual damage to the system.” The District Court then held that “the CFAA does not require losses to be paid for in cash. Indeed, a holding that CFAA losses must be reduced to a cash exchange would conflict with the principle that a CFAA plaintiff may recover damages for its own employees’ time spent responding to CFAA violations.” Finally, the District Court stated that well-documented internal investigations and outside lawyer’s fees also “appear to be” qualifying losses: “[w]hile defendants may contend that [the outside lawyer] is not the appropriate person to oversee the investigation and response to the intrusion, given his high hourly rate and legal, rather than technical expertise, even a reduction or outright elimination of [the outside lawyer] charges would still leave Animators with well over $5,000 in qualified losses.”

Accordingly, apart from obtaining the return of their valuable data, the potential recovery of outside counsel fees under the CFAA, as well as computer forensic examiner fees, may provide a necessary element and a significant incentive to companies to pursue CFAA claims should their data be compromised by departing employees.

The Federal Computer Fraud and Abuse Act is Back in Play for Employer Suits Against Dishonest Employees in the Ninth Circuit

By Scott Schaefers and Robert Milligan

On April 28, 2011, the Ninth Circuit Court of Appeals held, in an important decision upholding legal protections for employer data, that employees may be held liable under the federal Computer Fraud and Abuse Act (18 U.S.C. 1030 et seq.) in cases where employees steal or remove electronic files or data in violation of their employers' written computer-use restrictions.

In U.S. v. Nosal (9th Cir. No. 10-10038), the Ninth Circuit held that a former employee "exceeds authorized access" to data on his employer's computer system under the CFAA where the employee takes actions on the computer that are prohibited by his employer's written policies and procedures concerning acceptable use (e.g. prohibitions against copying or e-mailing files to compete or help a third party compete with the employer).

The court rejected the argument that it was overruling its 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which dismissed an employer's CFAA claim against an employee who had e-mailed confidential documents to his personal address when working for the employer, and used those files post-termination to compete with the employer. The Brekka panel said that so long as the employee was authorized to use the computer for any purpose and such authorization had not been completely rescinded, the employee could not be held liable under the CFAA for using files for unauthorized purposes.

In distinguishing Brekka, the Nosal panel held that the employer in Brekka did not place any restrictions on employees e-mailing themselves confidential files, and thus the employees could not be said to have exceeded any such computer-use restriction. The employer in Nosal, on the other hand, had password-protected computers, written computer-use agreements with its employees which restricted access to computers to employer business, and automatically placed restrictive legends on its confidential database printouts advising readers that the printouts were confidential and company property.

The employers' computer-use restrictions, the Nosal court held, were the key distinction from Brekka, and the touchstones for "exceeding authorized access" under the CFAA. The Nosal majority noted that it was siding with the First, Fifth, and Eleventh Circuits' decisions in prior cases which similarly upheld employer CFAA claims against dishonest employees for exceeding authorized access by stealing employer files.

The dissent in Nosal argued that the majority’s decision goes too far, and potentially criminalizes otherwise innocuous employee use and access of his employer's computer. The definition of "exceeding authorized access" under the intent-to-defraud provision of the CFAA (i.e. Section 1030(a)(4)), the dissent said, was inconsistent with the statute's use of the same phrase in section 1030(a)(2), which made such access a crime whether or not the employee intended fraud. Any time the employee even technically violated an employer's restrictions, the employee could be indicted at the whim of the government.

With the Nosal decision, employers in the Ninth Circuit now have a clear CFAA remedy against dishonest employees who exceed their authorized access of their employers' computer systems. Employer computer-use restrictions determine whether an employee exceeds authorized access under the CFAA. Conversely, employees looking to avoid federal indictment or civil liability under federal law should strictly adhere to their employers' computer-use restrictions.

To avail themselves of the helpful Nosal decision, employers should ensure that they have written computer-use policies which prohibit improper computer use and activities. The policies should prohibit the use of company computers to copy, e-mail, or otherwise distribute company files to compete or help a third party compete with the employer. Computer access should be authorized for work activities only. Employers should also consider prohibitions on the distribution of company data to employees' non-work e-mail accounts and prohibitions or limitations on the use of electronic storage devices, such as external hard drives and data sticks. Employers should also audit employee computer use and access activity to ensure that employees are following company policies. Recurring training on acceptable computer usage is also critical. Employers should carefully circumscribe access to prized company data to only those employees who truly need to have access to such data to perform their jobs. Employers should also require employees to return all company data upon termination, as well as all company computers and other electronic devices.

The Nosal decision provides employers with a viable remedy to help address employee data theft but employers must be vigilant and ensure that they have crafted thoughtful computer-use policies to maximize their protections under the CFAA.

Computer Fraud and Abuse Act Remains Viable Claim For Employers To Assert Against Employees Who Steal Company Data

By Robert Milligan and Joshua Salinas

The Computer Fraud and Abuse Act ("CFAA") remains a potent weapon for employers to use against disgruntled employees who steal company data. The Sixth Circuit in U.S. v. Batti, No. 09-2050, 2011 WL 111745 (6th Cir. 2011) recently upheld the criminal conviction of an employee who allegedly accessed, copied, and leaked confidential information that belonged to his employer’s CEO. The court also awarded the employer restitution for private security investigation costs, despite parallel government investigations. Unfortunately, the court provided no clues into its position regarding the hotly contested “without authorization” interpretation that has split the circuits.

Luay Batti worked in the IT department of Campbell-Ewald, a Michigan advertising company. While employed, Batti allegedly obtained without authorization confidential information that belonged to Campbell-Ewald’s CEO. Six months later, Batti met with Campbell-Ewald’s General Manager to complain about the IT department’s management. Batti also allegedly provided the General Manager a copy of the CEO’s files to reveal the weaknesses in the company’s computer security. Campbell-Ewald fired Batti and contacted the police.

The FBI conducted an investigation into the alleged security breach. Subsequently, Campbell-Ewald hired a security investigation firm and obtained legal advice from outside counsel regarding the alleged security breach.

Batti was convicted of violating the CFAA. The district court awarded Campbell-Ewald $47,565 in restitution for the security firm’s investigation and advice from counsel.

One of the issues Batti raised on appeal was whether Campbell-Ewald could receive restitution when the government had already conducted an investigation.

The Sixth Circuit affirmed the lower court and ordered restitution. The court emphasized that courts are required to award restitution to reimburse necessary expenses incurred when victims investigate offenses. (18 U.S.C. § 3663A). The court echoed the growing majority of courts that private investigations are necessary responses to security breaches. Thus, Campbell-Ewald could recover for incurred investigation costs, regardless of whether the government already conducted an investigation. In fact, Campbell-Ewald’s continued surveillance allegedly caught Batti attempting to access the company’s computer server after his termination.

This holding is welcome news for employers and other victims of CFAA violations. The growing majority of courts permit the recovery of investigation costs in CFAA civil suits. As reflected in Batti, criminal proceedings brought by the government against rogue employees who steal company data may be viable options for employers (provided that they can secure the government's attention and support) and reduce the need for costly civil suits, particularly where they can receive restitution for their investigation costs.

Yet, the Sixth Circuit provided no insight into how it would rule regarding the current “without authorization” split. Batti did not raise the issue of authorization on appeal and thus the court was not required to discuss it. The facts of the case provided no opportunity for the court to delve into its interpretation of “without authorization.” Batti’s alleged purpose in providing the GM with a copy of the CEO’s files was to show that someone without authorization could obtain this confidential information. On one side of the circuit split, some courts focus on whether the employee was initially authorized to access the stolen data. On the other side, the Seventh and Eleventh Circuits focus on the purpose and intent of the employee’s conduct, which would terminate any previously granted access. Indeed, Batti apparently never had any authorization to access the CEO’s files and thus his alleged conduct constituted “without authorization” under any circuit’s interpretation.

While Batti provides no clear guidance on how it would side in the "without authorization" split, the Court reinforced the employers’ ability to use the CFAA as a viable claim to combat computer security breaches by employees in certain situations.

 

 

 

District Court Holds That Computer Forensic Investigation Costs Satisfy "Loss" Requirement of Computer Fraud and Abuse Act

By Robert Milligan and Joshua Salinas

A Colorado federal district court recently held that the computer forensic investigator costs of investigating Computer Fraud and Abuse Act (CFAA) violations constitute “loss” under the statute. (AssociationVoice, Inc. v. AtHomeNet, Inc., No. 10-cv-00109-CMA-MEH, 2011 WL 63508 (D. Colo. 2011)). The court echoed the growing trend in circuit and district courts, which permit civil claims under the CFAA absent any damage or interruption of service. Consequently, this decision underscores the viability of asserting CFAA claims in cases involving data theft and the importance of utilizing qualified computer forensic investigators in such cases.

The plaintiff and defendants in AssociationVoice offered competing web-based software applications for homeowners associations (HOA). The defendants allegedly acted as fictitious HOA customers in order to purchase the plaintiff’s software and access the plaintiff’s password-protected “site admin” areas. In order to access the web site, the defendants also allegedly entered into a Services Agreement, which prohibited the defendants from reverse engineering and copying the plaintiff’s source code or using the plaintiff’s confidential and proprietary information. 

The defendants allegedly copied, reverse engineered, and misappropriated information from the plaintiff’s password-protected site and allegedly added at least forty-four new features to the defendants’ own applications.

The plaintiff filed suit against the defendants, alleging, inter alia, violations of the CFAA, copyright infringement, trade secret misappropriation, and breach of the Services Agreement.

The plaintiff moved for two preliminary injunctions. The plaintiff sought to enjoin the defendants, per the Services Agreement, from providing the defendants’ customers with the allegedly copied, reverse engineered, and misappropriated features. Additionally, the plaintiff sought to enjoin the defendants, pursuant to the CFAA, from further accessing the password-protected “site admin” areas.

The court denied the Services Agreement injunction because the plaintiff did not make a “strong showing” of the four injunction factors to justify altering the status quo. However, the court granted the CFAA injunction.

The noteworthy aspect of this case is the court's analysis of the “likelihood of success” factor in granting the plaintiff’s CFAA injunction. 

In order to bring a civil claim under the CFAA, the plaintiff was required to prove that the violations resulted in the loss of at least $5,000 within a one-year period. (18 U.S.C. § 1030(g) and (c)(4)(A)(i)). The parties disputed whether the plaintiff’s hiring of a third-party computer forensic investigator to assist with its investigations constituted a “loss.” Additionally, the defendants argued that the plaintiff could not bring a claim because it suffered no interruption of service. 

The court recognized that the majority of courts find the costs of investigations and responses to security breaches constitute “loss,” regardless of whether service is interrupted. (See, e.g., A.V. v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584 (1st Cir. 2001); SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975, 980-81 (N.D. Cal. 2008); Res. Ctr. for Indep. Living v. Ability Res., Inc., 534 F. Supp. 2d 1204, 2111 (D. Kan. 2008); Patrick Patterson Custom Homes, Inc. v. Bach, 586 F. Supp. 2d 1026, 1036 (N.D. Ill. 2008); NCMIC Fin. Corp. v. Artino, 638 F. Supp. 2d 1042, 1064 (S.D. Iowa 2009)).

The court reasoned that the plain language of “loss” defined in § 1030(e)(11) distinguishes between the costs of responding to CFAA violations and the consequential damages from interruptions of service. In fact, the legislative history of the CFAA indicates that the statute was designed to address situations in which damage never occurred. The court found this case almost identical to the California district court decision in SuccessFactors. In SuccessFactors, the court held that when confidential information is obtained, it is necessary for the violated party to discover who has the confidential information, how they accessed it, and what the violators were doing with it. Thus, the defendants’ alleged access of the plaintiff’s protectable confidential information naturally incurred the costs of an investigation. Specifically, the court stated "[i]t, therefore, is not surprising that Plaintiff also had to go to great lengths to uncover Defendants’ identity, as well as to uncover the extent of their unauthorized access and the methods they used. Accordingly, Defendants should not be allowed to complain about the costs Plaintiff incurred in doing so."

While the court in AssociationVoice followed the growing majority, the Second Circuit and district courts in Florida, Virginia, Connecticut, and Louisiana still require an interruption of service in order to bring a claim under the CFAA. (See, e.g., Nexans Wires S.S. v. Sark-USA, Inc., 166 Fed.Appx. 559, 563 (2d Cir. 2006)).

What does this mean? The CFAA remains a viable option to combat data theft. Although some courts have narrowed the applicability of the CFAA, many courts, like the AssociationVoice court, recognize CFAA claims even where the defendants' actions do not result in any interruptions of service. Some courts have even extended the “costs to respond” to include investigations into ways to improve security. (See, e.g., Jedson Eng’g, Inc. v. Spirit Construction Services, Inc. (S.D. Ohio 2010)). Accordingly, in order to satisfy the "loss" requirement under the CFAA, make sure that qualified computer forensic investigators are utilized (in coordination with legal counsel) to respond to and assess the computer breach as soon as your company learns of the data theft.

 

2010 Trade Secrets Webinar Series - Year In Review

Throughout 2010, Seyfarth Shaw LLP’s dedicated Trade Secrets, Computer Fraud & Non-Competes practice group hosted a series of webinars that addressed key issues facing clients today in this important and ever changing area of law. The series consisted of five webinars: The Computer Fraud and Abuse Act: What You Need to Know, Protecting the Secrets in Your Employees’ Heads, Trade Secret Litigation and Protection in California, Franchise and Dealer Relations: Protecting Your Trade Secrets and Brand, and Protecting Your Trade Secrets in the Global Economy: Non-Compete and Trade Secret Considerations In Europe and Asia. As a conclusion to this well-received 2010 webinar series, we have compiled a list of key takeaway points for each of the webinars. If you were not able to attend the webinars, we invite you to request the archived recordings of the webinars by contacting your Seyfarth Shaw LLP attorney. We are also pleased to announce that Seyfarth Shaw LLP will continue its webinar programming in 2011 and has several exciting topics lined up.

The Computer Fraud and Abuse Act

Our first webinar this year, led by Seyfarth attorneys James Yu, Michael Elkon, and Carolyn Sieve, was entitled The Computer Fraud and Abuse Act: What You Need to Know. The Computer Fraud and Abuse Act (CFAA) is a federal statute that has been used for almost a decade to obtain injunctive relief against, and impose liability on, employees and hackers who steal or interfere with a company’s electronic information. This webinar covered the essential points that employers need to know about the CFAA and its potential uses in protecting electronic assets.

·         CFAA claims often turn on what an employee was authorized to do on an employer’s computer system. Therefore, handbooks, IT policies, sign-in screens, and other materials that cover IT authorization should address what an employee is (and is not) allowed to do on the system. 

·         The CFAA is not limited to employees. An employer should consider what authorization instructions it provides to clients, vendors, potential business partners, and contractors. It should also carefully monitor the security protections for its website and internal servers as hackers remain a continuous threat. 

·         There is a split among federal courts regarding whether the CFAA applies to employees who are initially provided access to company data but then either exceed that authorization or otherwise act in a manner that revokes the initial authorization. Some courts have limited the use of the CFAA to unauthorized users such as hackers. Therefore, the location of a possible violation of the CFAA is important.

Inevitable Disclosure

The second webinar of the 2010 series, led by Erik von Zeipel, Jason Stiehl, and David Countiss, focused on Inevitable Disclosure, an evolving doctrine recognized in a large number of jurisdictions that may prevent an employee from accepting employment when the employee’s duties cannot be performed without the disclosure of a former employer’s trade secrets. This discussion covered what employers need to know about the Inevitable Disclosure Doctrine, including jurisdictions which have adopted the doctrine and its application to both exiting and incoming employees. The panel also discussed best practices for handling the hiring and termination of employees in such jurisdictions.

·         Understand the state of the law regarding inevitable disclosure in your jurisdiction. Injunctive relief may be easier to obtain if your jurisdiction has adopted the doctrine.

·         Require new employees to sign agreements acknowledging their obligation to protect the company’s trade secrets, as well as acknowledging that they understand that they need to respect their prior employer’s trade secrets and any related agreements. Be prepared to marshal any breaches of these agreements if litigation ensues.

·         When an employee departs, sequester technology assets, conduct exit interviews and have the employee acknowledge agreements and covenants protecting trade secrets.

California Trade Secrets Law

This third webinar, conducted by Robert Milligan, Robert Niemann, and Jim McNairy, focused on how California trade secret law is similar to and different from the law of other jurisdictions, including a discussion of the California Uniform Trade Secrets Act, trade secret identification requirements, remedies, and the interplay between trade secret law and Business and Professions Code Section 16600, which codifies California’s general prohibition of employee non-compete agreements. The webinar also covered effective California trade secret protection policies and practices.

·         Aside from a few narrow exceptions, non-competition agreements are presumed void under California law in the typical employment context and recent cases hold that most non-solicitation of customer clauses are synonymous with non-compete agreements and are therefore also unlawful. It remains to be seen whether the so-called “trade secret exception” will be a viable exception to California’s general prohibition against non-competition agreements. Employers should keep these developments in mind when assessing such agreements and make sure that their agreements comport with the recent developments in the law. Failure to do so places employers at risk for unlawful business practice suits. 

·         Because non-compete agreements are typically unenforceable in California, employers typically pursue trade secret misappropriation claims against former employees who steal proprietary company information. In such suits, the employer has the burden of showing that the information is a trade secret, including showing that reasonable secrecy measures were in place to protect the information. Accordingly, prudent companies should consider investing the time and money to conduct a trade secret audit. A trade secret audit generally assesses what company information may be protectable as a trade secret and the security measures the company has in place to protect such information. The results of a successful audit are clearly identified trade secrets with adequate protection measures (including updated trade secret protection agreements) in place: the existence of which are essential to success in trade secret litigation, as well as to ensure that key company assets are adequately protected.

·         Conduct a thorough investigation prior to filing a trade secret misappropriation suit to ensure that the claim can be supported from all lines of attack to enable the court to issue appropriate injunctive relief and award damages. This includes obtaining evidence of the trade secret’s existence and the efforts used to protect it. Employers will need to dedicate the time and resources to arm their counsel with this essential information before and during the litigation. Trade secret plaintiffs are also required to identify their trade secrets with particularity before discovery commences in the case, so be prepared to have a trade secret identification statement prepared in advance of serving your discovery.

Trade Secrets and Franchise Law

The fourth webinar of the 2010 series, led by Andrea Okun, Jim McNairy, and Marcus Mintz, discussed how to protect trade secrets, trademarks, trade dress, and goodwill while maintaining and enhancing successful franchises and dealerships. These are often the core assets of a franchise or dealership, and this webinar presented an overview of what assets are protectable, how those assets can be protected, what state and federal laws can be used to protect these assets, and what can be done if these assets are threatened.

·         One of the best ways to protect trade secrets, trademarks, trade dress and goodwill is by entering into clear, enforceable agreements at the outset of the business relationship. These agreements should clearly identify the assets (such as confidential information and intellectual property) that are being shared/licensed and expressly state the receiving party’s agreement to (a) not make unauthorized use or disclosure of those assets, (b) return all assets at the termination of the relationship, and (c) acknowledge the need for injunctive relief should the receiving party breach the agreement.

·         In addition to the federal Lanham Act, know the law of your jurisdiction(s). 46 out of 50 states plus the District of Columbia have adopted some variation of the Uniform Trade Secrets Act protecting highly confidential information. Of the remaining 4 states, Massachusetts, New Jersey, and New York have introduced their own versions of the Uniform Trade Secrets Act (only Texas has no trade secret act in place or pending). The franchise acts in Illinois, Indiana, Iowa, Louisiana, Michigan and Minnesota make mention of the enforceability of non-competes. Further, Alabama, California, Colorado, Florida, Georgia, Hawaii, Michigan, Montana, New York, South Dakota, and Texas all have statutes specifically dealing with non-competes.

·         When drafting restrictive covenants and seeking injunctive relief, do not overreach. Drafting overly broad agreements or seeking injunctive relief beyond the scope of legitimate business needs may result in invalidation of the agreements at issue and denial of any form of injunctive relief. Be careful not to assume that every jurisdiction will blue pencil or re-write your restrictive covenants to make them enforceable. Many will not.

International Trade Secrets and Non-Compete Law

The final webinar of the 2010 series, led by Marjorie Culver, Dominic Hodson, and Robert Milligan, focused on non-compete and trade secret considerations from an international perspective. The webinar involved a discussion of non-compete and trade secret issues in Europe and Asia, including the threats to trade secrets and confidential information in these regions. The similarities and differences in approach among the various jurisdictions were discussed and compared to the United States. The panel discussed drafting considerations for confidential/trade secret protection and non-compete agreements as well as appropriate policies in these regions, along with a discussion of sources of protection other than written agreements and policies. This webinar provided valuable insight for companies who compete in the global economy and must navigate the legal landscape in these regions and ensure protection of their trade secrets.

·         One size does not fit all when it comes to drafting employment restrictive covenants for employers operating internationally. Local jurisdictions take an active interest in agreements that restrict employees from competition as a matter of public policy. Companies must be mindful of the legal requirements for valid non-competes and non-solicits where the employees predominantly provide services or where the employees are likely to later compete. Even where the parties agree on a governing law or forum, the courts in the local jurisdiction often apply local law requirements and void restrictive covenants that do not comply.

·         Trade secrets: default statutory protections only go so far. Though many countries make trade secret misappropriation unlawful (similar in some respects to the U.S.), this protection may not be helpful unless a company takes active measures to define and protect its proprietary information. Companies should execute confidentiality agreements adequately defining what a company considers confidential and proprietary and also put in place technological and security protocols to restrict access to the company’s most valuable proprietary information. Failure to take such measures can undermine a company’s claim that the information constitutes a trade secret. Companies must also be mindful that their security precautions do not interfere with employees’ privacy rights, particularly in Europe.

·         Non-competes: are they worth the effort in every instance? In some jurisdictions, non-competition restrictions require payment to the former employee during the restrictive period. And, in some cases, even an employer who no longer wishes to oblige the employee cannot waive the non-compete and the obligation to pay. Additionally, injunctive relief may not be available in some countries, making a non-compete the least expedient means for protecting the company from unfair competition. Across the board use of non-competes may not be the most cost-effective or efficient way to protect a company’s competitive position or trade secrets. Rather, companies should formulate a thoughtful strategy that only utilizes non-competes with employees for which there is a legitimate business and legal justification.

2011 Trade Secrets Webinar Series

In January 2011, we will begin another series of Trade Secret webinars. Planned topics for the 2011 series include Trade Secrets in the Financial Services Industry, Georgia’s New Non-Compete Statute, Choosing the Right IP Protection: Patent or Trade Secret, The Anatomy of a Trade Secret Audit, and Maintaining Trade Secrets in the New World of Cloud Computing. For notifications concerning our upcoming webinars, please sign up for our Trade Secrets, Computer Fraud & Non-Competes mailing list by clicking here.

Webinar: Computer Fraud and Abuse Act - What do you need to know?

Tomorrow - January 28, 2010, 10 A.M. PDT

Our previous webinars have covered the basics of trade secrets and trade secret litigation.  The third in our webinar series will focus on claims under the federal Computer Fraud and Abuse Act.  The CFAA has, over the last decade, gained traction as a powerful weapon for companies to obtain injunctive and monetary relief when employees steal their employers' proprietary information.  However, asserting a CFAA claim is not as straightforward as it seems.  Over the years, some courts have expanded its applicability in the misappropriation context, while others have tried to limit use of the CFAA.  Our webinar, The Computer Fraud and Abuse Act:  What You Need To Know, will, among other things, describe the basics of a CFAA claim, identify the various interpretations of certain key elements of a CFAA claim as it is asserted in the misappropriation context, and discuss best practices for asserting and defending CFAA claims.  We are joined by a computer forensic expert who will describe the various means of obtaining computer evidence to support a CFAA claim and will provide you with tips on preserving electronic evidence.  You may register here.

Brekka decision continues to get press attention

Amy E. Bivins recently published another article in the Daily Labor Report addressing the effects of the Ninth Circuit's Brekka decision, which we have posted about previously.  Ms. Bivins quotes Seyfarth attorney Carolyn Sieve on the issue.  Carolyn reminded employers that they "should not rely solely on a potential CFAA claim to protect their proprietary information."  Indeed, employers will need to consider what access to computer systems is "authorized." 

"Establishing CFAA Violations By Former Employees," published in Employment Law 360

On October 27, 2009, Robert Milligan and Carolyn Sieve published their article, "Establishing CFAA Violations By Former Employees," in Employment Law 360. The article further examines the Brekka decision we have posted about previously. In particular, Robert and Carolyn point out that the Brekka decision may require employers to "rethink their strategies" for protecting company property.

More on Brekka

The BNA publication, Electronic Commerce & Law Report, recently quoted our own Carolyn Sieve, discussing the Brekka decision.  The Electronic Commerce & Law Report article, "Brekka Case Shows Need for Comprehensive Strategy to Shield Data from Insider Misuse," discussed how the Ninth Circuit recently joined a trend disfavoring Computer Fraud and Abuse Act (CFAA) claims brought by companies against disloyal employees. In LVRC Holdings LLC v. Brekka, the court resolved disagreement among federal district courts within the circuit about how the CFAA’s "authorization" standard applies to cases involving data theft by disloyal employees.

According to the article, the court explained that employers may be able to pursue claims under the CFAA, but only if employees violate clearly defined limits on access to company networks in the course of stealing proprietary information. Carolyn commented that the message from Brekka is that employers should not rely solely on potential CFAA claims to protect their proprietary information. She also noted, "The Brekka decision places more responsibility on the employer’s shoulders to provide notice to employees as to what is ‘authorized access.’" Carolyn recommended that employers determine what information they want to protect, implement security protocols to safeguard that information, and combine those efforts with systemic employee education regarding confidential and data use policies.

 A full copy of the article is available here.  It is reproduced with permission from Electronic Commerce & Law Report, 14 ECLR 1381 (Sept. 20, 2009). Copyright 2009 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

The Ninth Circuit Holds that "Authority" Requirement Prevents Employer From Bringing Computer Fraud and Abuse Act Claim Against Former Employee

In a recent decision, the federal Ninth Circuit Court of Appeals joined a growing number of federal courts that have limited the use of the Computer Fraud and Abuse Act ("CFAA") in suits brought against former employees accused of taking data from a company’s computer system before leaving the company.

In LVRC Holdings LLC v. Brekka, Case No. 07-17116, 2009 WL 2928952 (9th Cir. September 15, 2009), the Court held that an employer could not maintain its claim under the CFAA, 18 U.S.C. § 1030, against a former employee accused of e-mailing company property to his personal e-mail account because the employer could not establish that the former employee accessed its computer system “without authorization” or “in excess of authorization,” causing a loss. The employee argued that he was authorized to access the computer system in connection with his job duties, and was, therefore, authorized to access the computer system. 

In its opinion in Brekka, the Ninth Circuit explicitly rejected the Seventh Circuit Court of Appeals’ reasoning in International Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006) (Judge Posner, presiding), in which the Seventh Circuit held that a defendant employee’s authorization to access his employer’s computer files terminated when he violated his duty of loyalty to his employer.

Concluding that “[n]o language in the CFAA supports [plaintiff’s] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest,” the Ninth Circuit switched the focus of inquiry from the former employee’s motive to an objective standard: What actions did the employer take to define what was authorized access and what was not? “If the employer has not rescinded the defendant’s right to use the computer, the defendant would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.” 

In Brekka, plaintiff allowed its employee to e-mail company documents to his personal computer in the course of his duties. In addition, plaintiff promulgated no employee guidelines to prohibit employees from e-mailing company documents to personal computers. These were facts fatal to its CFAA claim and may provide a basis to distinguish subsequent cases where employers attempt to assert CFAA claims against former employees accused of e-mailing company information to their personal accounts, provided that they have clear policies prohibiting such activities.

The Brekka Court held “that a person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” 

The Brekka decision is a wake-up call to employers to take measures to define for their employees the type of computer activity that is permissible (and impermissible) so that the employers can, to the extent allowable, avail themselves of a CFAA claim.

Alleged Cyberbully Acquitted Of Charges For Violation Of The Computer Fraud And Abuse Act

By Tim Nelson and Robert Milligan

A highly publicized cyberbullying case recently came to an apparent end with the acquittal of a Missouri woman who was accused of violating the Computer Fraud and Abuse Act (“CFAA”).

In the case, a Central District of California court addressed the novel issue of whether a computer user’s violations of an Internet website’s terms of service constitute a crime under the CFAA, 18 U.S.C. § 1030. United States v. Drew, --- F.R.D. ---, 2009 WL 2872855 (C.D. Cal. Aug. 28, 2009).

According to the indictment in Drew, Lori Drew, a resident of O’Fallon, Missouri, allegedly was a member of a conspiracy to intentionally access a computer used in interstate commerce without (and/or in excess of) authorization in order to obtain information for the purpose of committing the tortious act of intentional infliction of emotional distress upon a 13-year-old girl named Megan Meier, also a resident of O’Fallon, Missouri. Id. at *1.

Megan was a classmate of Drew’s daughter, Sarah. Pursuant to the conspiracy, the conspirators established a profile for a fictitious 16-year-old male named “Josh Evans” on the website www.myspace.com, on or about September 20, 2006. The conspirators also posted a photo of a boy on this website without that boy’s knowledge or permission. This conduct violated the terms of service of the Myspace website, which prohibited providing information that the user knew was false or misleading, and also prohibited including a photograph of another person that was posted without that person’s consent.

The conspirators contacted Megan and flirted with her through the Myspace website using the “Josh Evans” profile over several days. Eventually, the conspirators informed Megan that “Josh” was moving away. The conspirators also informed Megan that “Josh” no longer liked her and that “the world would be a better place without her in it.” Later on the day this message was delivered, Megan committed suicide. After learning that Megan had killed herself, Drew caused the “Josh Evans” Myspace account to be deleted. Id.

Lori Drew was charged with one count of conspiracy in violation of 18 U.S.C. § 371 and three counts of violating a felony portion of the CFAA (18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(B)(ii)), which prohibits accessing a computer without authorization or in excess of authorization and obtaining information from a protected computer where the conduct involves an interstate or foreign communication and the offense is committed in furtherance of a crime or tortious act. 

The jury was instructed that they could consider whether Drew was guilty of the lesser included misdemeanor CFAA violation (which involved accessing a protected computer without authorization or in excess of authorization). The jury deadlocked on the conspiracy charge, and found Drew not guilty on the three felony counts of violating the CFAA. The jury did, however, find Drew guilty of the three misdemeanor counts of violating the CFAA. Drew’s attorneys filed a motion for a judgment of acquittal under Federal Rule of Criminal Procedure 29(c).

Judge Wu of the Central District of California addressed the central question raised by Drew: whether a computer user’s intentional violation of one or more provisions in an Internet website’s terms of service satisfies the first element of section 1030(a)(2)(C) (whether the computer access was without authorization or exceeded authorized access). Id. at *6. The court noted that the latter two elements of section 1030(a)(2)(C) (that information be obtained from a “protected computer” and that the access involve an interstate or foreign communication) would always be met when an individual using a computer contacts or communicates with an Internet website. Id.

To address the central question raised in Drew, the court analyzed and applied the void-for-vagueness doctrine, which has two prongs: 1) a definitional/notice sufficiency requirement; and 2) a guideline-setting element to govern law enforcement. Id. at *12.

The court, quoting Justice Holmes, observed that, as to criminal statutes, there is a “fair warning” requirement:

Although it is not likely that a criminal will carefully consider the text of the law before he murders or steals, it is reasonable that a fair warning should be given to the world in language that the common world will understand, of what the law intends to do if a certain line is passed. To make the warning fair, so far as possible the line should be clear.

Id. (citing McBoyle v. United States, 283 U.S. 25, 27 (1931)).

The court found that basing a CFAA violation upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine, because of the absence of minimal guidelines to govern law enforcement and because of actual notice deficiencies. Id. at *14. The court found that if any conscious breach of a website’s terms of service is sufficient to constitute a violation of the CFAA, the law would afford too much discretion to the police and too little notice to citizens who wish to use the Internet. Id. at *17.

The Drew decision is significant because it recognizes the limitations of the CFAA and is a victory for internet privacy proponents. According to the court, the government’s interpretation of the CFAA in Drew “would convert a multitude of otherwise innocent Internet users into misdemeanant criminals.” Id. at *16. The court recognized that breaching a website’s terms of service, alone, was not sufficient to violate the CFAA.

One news source has indicated that the U.S. Attorney will determine whether the government will appeal after reviewing the written ruling. 

Competitor Allegedly Steals E-mails from its Rival

The Courthouse News reported on an interesting new Computer Fraud and Abuse Act case. It appears from the article that Duncan Solutions diverted internal and external e-mails directed to its competitor Affiliated Computer Services' employees for the purpose of obtaining not only competitive and confidential internal information but also information regarding Affiliated Computer Services' clients. According to The Courthouse News, Affiliated Computer Services sued in Texas and "seeks damages under the Computer Fraud and Abuse Act, Wiretap Act, Stored Communication Act and Texas Harmful Access By Computer Act." Affiliated Computer Services "is represented by John Cox with Lynn Tillotson." This could be an interesting case to watch.

District Court Rejects Employer's Attempt to Use the Computer Fraud & Abuse Act against Former Employees

In Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC, 600 F. Supp. 2d 1045 (E.D. Mo. 2009), the United States District Court for the Eastern District of Missouri dismissed an employer’s claim that two former employees violated the Computer Fraud & Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq., by deleting information from and refusing to return their company laptops after resigning. Lasco brought claims against former sales representatives Ronald Hall and Charles Shaw, as well as their new company, Hall and Shaw Sales, Marketing & Consulting. Included in the action were claims under the CFAA and the Stored Wire and Electronic Communications Act (“SECA”), 18 U.S.C. § 2701, et seq., as well as a number of claims under Missouri law. 

Lasco alleged that Shaw “deleted confidential and trade secret information from Lasco’s computer” and “unlawfully copied or otherwise downloaded Lasco’s Trade Secret Information for his own personal use and for the use of HSSMC.” Lasco further alleged that Hall refused to return his Lasco laptop and that Lasco anticipated that a forensic examination of Hall’s laptop would reveal that he also deleted information from the laptop.

Hall and Shaw moved to dismiss the SECA and CFAA claims. The District Court noted that federal courts have found that the general purpose of these two statutes “was to create a cause of action against computer hackers (e.g., electronic trespassers),” rather than rogue employees. Accordingly, because Lasco alleged that Hall and Shaw had unrestricted access to Lasco’s information on its computers, the District Court dismissed the claims under the CFAA and SECA: Lasco had not alleged that Hall and Shaw accessed Lasco’s information without authorization.

The District Court did find that Lasco had alleged sufficiently that it had suffered damage and loss by virtue of Hall and Shaw deleting information and forcing Lasco to take remedial measures. The District Court also found that Lasco had alleged interruption of service by asserting that Hall and Shaw had delayed before returning their computers. However, because Lasco could not show that Hall and Shaw were unauthorized users, its claim under the CFAA was dismissed, leaving Lasco to pursue state law claims.

Damage Assessment Not Enough: For Purposes of the CFAA, Apparently "Loss" Does Mean "Damage"

 

BY JASON STIEHL

In recent years, courts in the Northern District of Illinois have made clear that without actual harm to data, a plaintiff cannot claim “damage” under the Computer Fraud and Abuse Act, 18 U.S.C. 1030 et seq. (“CFAA”). See, e.g., Garelli Wong & Assoc. v. Nichols, 551 F. Supp. 2d 704, 704 (N.D. Ill. 2008) (holding there was no “damage” because the defendant’s “unauthorized acts of copying and e-mailing [Plaintiff’s] computer files did not impair the integrity or availability of the information in the Database and did not cause any interruption of service.”) To circumvent this strict reading of the CFAA, companies have used the term “loss” in the statute, arguing that a company suffered a “loss” by undertaking efforts to investigate and assess what “damage” may have been caused. 18 U.S.C. 1030(e)(11) (defining “loss” to include “conducting a damage assessment.”). A recent case calls into question whether such allegations will continue to suffice.

In Kluber Skahan & Associates, Inc. v. Cordogan, Clark & Assoc., Inc., the court addressed whether allegations of a “loss” suffered within two years were sufficient to toll the limitation period under the CFAA, which requires a case to be brought within two years of discovery of any “damage.” In answering in the negative, Judge Zagel further shortened the reach of the CFAA. In Kluber, the court defined the elements of CFAA as requiring proof of: (1) damage or loss, (2) as a result of (3) a violation of some other provision of section 1030, and (4) conduct involving one of the facts set forth in section 1030(c)(4)(A)(i). Kluber Skahan & Associates, Inc. v. Cordogan, Clark & Assoc., Inc., No. 08-cv-1529, 2009 WL 466812, *6 (N.D. Ill. Feb. 25, 2009). The court undertook an analysis of the definitions of “loss” and “damage” under Section 1030, finding that the words were not only different in definition, but different in concept. Specifically, the court stated “whereas ‘damage’ contemplates harms to data and information, ‘loss’ refers to monetary harms.” Id. at *7. The court went one step further, announcing that “Section 1030(g) does not require damage for a CFAA claim to arise.” Id. at *8 n. 14. It is ironic that with such an emphasis on the distinction between these harms, the court would later take effort to amalgamate them.

Ultimately, the court refused to toll the limitations period, holding that Congress explicitly chose to provide a two-year limitation for injury-discovery regardless of whether a “loss” had occurred. Id. at *8 (“It was well within Congress’ power to include a separate two-year limitation of the discovery of loss. The text of the CFAA reflects that Congress declined to do so, and so will I.”). It supported its decision by emphasizing that the purpose of the statute is primarily criminal and that the statute was not meant to “cover the disloyal employee who walks off with confidential information.” Id. (citing Am. Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008)). Thus, it concluded that “[l]osses are monetary harms attenuated from the underlying concern of the Act: damage to data.” Id.

 
Thus, although courts have been quick to distinguish, both by definition and concept, “damage” and “loss,” it appears that, at least in the Northern District of Illinois, a plaintiff will need to demonstrate some “damage” to prove a “loss” for purposes of pursuing a CFAA claim.

New Jersey Federal Court Rules That Allegation of "Time-Bomb" in Software Is Sufficient to Survive Motion To Dismiss Computer Fraud and Abuse Act Claim

Kalow & Springnut, LLP v. Commence Corp., No. 07-3442, 2009 WL 44748 (D.N.J. Jan. 6, 2009).

The federal district court in New Jersey has declined to dismiss a claim under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, concluding that plaintiff’s allegation that defendant’s software product contained a “time-bomb” causing it to stop working after a period of time sufficiently alleged the statute’s required element of intent to cause harm. 

Plaintiff Kalow & Springnut filed a class action suit claiming that software manufacturer Commence Corp. had inserted a hidden “time-bomb” code in a software program purchased by the class members that caused damage to their protected computers when the code caused the program to stop working after a certain period of time. Among other claims, Plaintiff alleged that this conduct violated the CFAA, which imposes liability on a person “who knowingly causes the transmission of a program, information, code or command, and as a result of such conduct intentionally causes damage…” 18 U.S.C. § 1030(a)(5)(A)(i). However, in June 2008, the court dismissed this count of the complaint with leave to amend because it failed to allege the element of intentional harm required by the CFAA.

Kalow & Springnut subsequently filed an amended complaint that made additional factual allegations, including that because computer software does not “wear out or fail like a mechanical device…for software to stop working, it must either have been intentionally designed to stop working, or the environment in which it is operating must have been altered.” Plaintiff further alleged that it had not altered its computer system immediately before the software stopped working, thus the software must have been intentionally designed to stop working by way of a “time-bomb” in the software’s code.

In ruling on Commence’s motion to dismiss the amended claim, the district court rejected Commence’s argument that the claim relies on faulty logic which fails to consider other possible explanations, such as a programming error in the software. Citing to the Supreme Court’s decision in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), and its Third Circuit progeny, which articulate a somewhat more lenient pleading standard than had previously been applied, the court noted that the standard “simply calls for enough facts to raise a reasonable expectation that discovery will reveal evidence of the necessary element.” A plaintiff is required only to allege sufficient facts to give fair notice of its claims, the court concluded, and thus a defendant cannot defeat an allegation upon a motion to dismiss by simply offering an alternative explanation, as Commence did. 

This case serves as a reminder to litigants asserting or defending trade secrets-related claims under the CFAA that, particularly in light of Twombly, the notice pleading standard makes it difficult to defeat a CFAA claim at the motion to dismiss stage based solely on challenges to the logic or plausibility of plaintiff’s factual assertions concerning intent.

Federal District Court Declines Supplemental Jurisdiction In An Employment-Related Dispute Where The CFAA Was The Sole Basis For Federal Jurisdiction

 In Contemporary Services Corp. v. Hartman, 2008 WL 3049891 (C.D. Cal.), the United States District Court for the Central District of California recently declined supplemental jurisdiction over state law claims removed to the court where federal jurisdiction was based solely on the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Finding that state issues substantially predominated, the court noted that the “[e]lements and facts that Plaintiffs must prove to establish their CFAA claim are different from what they must prove to establish their other claims.”   

 The court retained jurisdiction over the CFAA claim and remanded all of the state law claims.

Plaintiffs filed suit in state court against defendant Hartman, asserting seven claims for relief: (1) violation of the CFAA; (2) Breach of Fiduciary Duty; (3) Conversion; (4) Breach of Contract; (5) Fraud; (6) Intentional Interference with Prospective Economic Advantage; and (7) Breach of Fiduciary Duty.   Defendant removed the case to federal district court.  Defendant moved to remand the case to state court.  Defendant also moved to dismiss several of plaintiff's claims.

Plaintiffs filed a First Amended Complaint in which they abandoned their sixth and seventh causes of action. Defendant answered and filed five counterclaims arising under state law for: (1) Unpaid Wages; (2) Waiting Time Penalties; (3) Violation of Cal. Lab. Code § 2802; (4) Indemnification under Cal. Lab Code § 2802 and Cal. Corp. Code § 317; and (5) Unfair Competition Under Cal. Bus. & Prof. Code § 17200.

Turning to plaintiffs’ motion for remand, the district court held that “[i]n all important respects, this action involves an employment dispute between the parties that has given rise to nine state law claims and counterclaims which substantially predominate over the sole federal claim.” Continuing, the court noted that all of the claims and counterclaims derived from the facts triggered by defendant's decision to leave plaintiffs' employment, including that defendant allegedly breached her fiduciary duties owed to plaintiffs by deleting work product stored on her work computer and defrauding plaintiffs by making false representations about the information contained on plaintiffs' shared drive and computer. 

Defendant's counterclaims for unpaid wages and unfair competition arose from Plaintiffs' alleged conduct after defendant ended her employment.   

Distinguishing the CFAA from the other claims in suit, the court noted “[T]he elements and facts that Plaintiffs must prove to establish their CFAA claim are different from what they must prove to establish their other claims.” Plaintiffs' claims for breach of fiduciary duty and breach of contract derive from the parties' rights and responsibilities under the employment contract. Plaintiffs' claim for fraud arises from Defendant's alleged misrepresentations during her employment. Defendant's counterclaims for unpaid wages and indemnification were based on Plaintiffs' conduct after defendant returned the computer and left their employment.

In contrast, to prove a CFAA claim, one must show that the computer in question was a “protected computer,” and that the conduct involved one of five categories of harm that are a necessary element of a civil action under the CFAA. As plaintiffs did here, claimants most often meet the “harm” element by alleging a loss of at least $5,000 in value. When relying on this element, under 18 U.S.C. § 1030(a)(5)(B), plaintiffs are limited to economic damages.

Finally, the court found it “[n]oteworthy that the relief Plaintiffs seek under the CFAA is not unique to that claim; Plaintiffs also seek compensatory damages and injunctive relief pursuant to all four of their state claims for relief. *** In short, even as to the array of remedies that Plaintiffs seek, their state claims predominate; indeed, rather than “trailing” the federal remedies, the state-based claims encompass additional prayers for relief, such as punitive damages.”

       

Federal Court in North Carolina Upholds CFAA Claim as Pleaded

Although the trial court's analysis was not extensive, it clearly found that allegations in a complaint that an employee used a computer program to delete information from a laptop and knowingly deleted information without authorization sufficiently state a Computer Fraud and Abuse Act claim so as to survive a motion to dismiss for failure to state a claim.

In Alliance International Inc. v. Todd, Civ. Action No. 5:08-CV-214-BR (E.D.N.C. July 22, 2008), the parties contested whether the former employees (now defendants) could be held liable for deleting information from company computers.  Defendants argued, ultimately unsuccessfully, that plaintiff could not bring a cause of action under CFAA Subsection (a)(5)(A)(i) against two of the individual defendants because Alliance did not plead that those individuals downloaded a file erasure program.   Subsection (a)(5)(A)(i) provides a cause of action against someone who

knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer . . .

18 U.S.C. § 1030(a)(5)(A)(i). 

Defendants argued that "[a]n employee's act of knowingly deleting files by hitting the 'delete' key could not plausibly give rise to criminal and civil liability under the CFAA." (Defs.' Mem. of Law in Support of Mot. to Dismiss at 24 (filed May 29, 2008) (emphasis added).) Not taking the bait to argue whether hitting the delete key constitutes a "command," Alliance merely contended that it met its pleading obligation under the CFAA by alleging that the defendants permanently deleted/destroyed information from Alliance computers.

The Court side-stepped both parties' arguments, however, and found that the specific allegations in Alliance's complaint, to wit that the defendants

(1) "deleted, removed and destroyed information, documents and/or data contained on . . . protected computers" and

(2) "knowingly caused the transmission of a program, information, code or command, including but not limited to, Net Eraser Trial, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer"  (citing paragraphs 62 & 63 of the complaint),

were sufficient to state a CFAA claim.  Although clearly tailored to the facts at hand, the court's decision could be persuasive authority for a plaintiff to withstand a Rule 12(b)(6) motion targeting similar allegations.

 Not long after the Court's ruling, on August 12, 2008, Alliance filed a stipulation of dismissal of the case, with prejudice, signaling a likely settlement with the defendants following the Court's ruling in Alliance's favor.  The court's opinion, nonetheless, as well as the parties' briefing, is a ready resource for case citations on the issue of deletion as well as "authorization" under the CFAA, as the parties and the court cite to numerous federal cases on these issues.

 

Recent Headlines Underscore Need for Protective Measures

A company's trade secrets may be some of its most important assets.  Recent headlines underscore their importance, and vulnerability:

  1. Recently, an employee was arrested at the airport, and over 1,000 proprietary company documents containing trade secrets, which the employee was attempting to transport with her to her new job, were seized.
  2.  A national retailer recently was hit with a $21.5 million verdict after a jury found the retailer liable for stealing the design of a popular home improvement tool. 
  3. A former employee recently pleaded guilty in a U.S. District Court in California to stealing proprietary technologies from his former employer and selling or offering them for sale to foreign governments and military contractors.

A survey of companies estimated that in just one year, companies were likely to have lost as much as $53 to $59 billion in proprietary information and intellectual property through theft and misappropriation. Seeking trade secret counseling and an audit can help clients determine best practices to protect their most important assets.