Trading Secrets : Trade Secrets Lawyers & Attorneys : Seyfarth Shaw Law Firm : Computer Fraud, Confidentiality Agreements, Corporate Espionage

By Robert Milligan and Joshua Salinas

The best things in life are free, except for screensavers, games, and other software provided on-line that spy on your computer activity and gather your personal information, at least according to the consumer Plaintiffs in the recent data collection/privacy suit filed in Illinois federal court captioned Harris v. comScore, Inc., No. 11 C 5807, 2011 WL 4738357 (N.D. Ill. Oct. 7, 2011). The Plaintiffs in the case won't be forced to litigate the action in Virginia after a federal court recently denied comScore's attempt to enforce the forum selection provision contained in its licensing agreement.

The District Court for the Northern District of Illinois, Honorable Chief Judge James Holderman presiding, recently denied defendant comScore’s motions to dismiss and transfer venue because he found that comScore’s forum-selection clause was not reasonably communicated to the plaintiff consumers. In doing so, the court found that the terms and conditions of license agreements for free software downloads require a higher standard of notice to consumers.

According to Plaintiffs' complaint, Defendant comScore is an internet research company that allegedly monitors the computer and online activity of consumers that download its software. ComScore allegedly bundles its surveillance software with free programs, such as screensavers and games, to encourage consumers to download and install the software. Once installed, comScore’s surveillance software allegedly collects the computer user’s information and activity, which comScore then allegedly sells to its clients for marketing research.

Plaintiffs Mike Harris and Jeff Dunstan allegedly downloaded and installed comScore’s screensavers and games. Harris and Dunstan allegedly soon realized that comScore’s software continually and surreptitiously monitored their computer activity. Additionally, the software allegedly collected usernames, passwords, and credit card information. They brought a class action against comScore in Illinois federal court, and asserted claims, inter alia, under the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, Stored Communications Act, and Illinois Consumer Fraud and Deceptive Practices Act.

ComScore moved to dismiss the case for improper venue or in the alternative, to transfer venue from Illinois to Virginia. ComScore argued that the terms and conditions in its User License Agreement contained a forum-selection clause that limited all litigation to courts in the State of Virginia. ComScore claimed that before anyone can install its software, the individual must first click a box acknowledging that he or she has read and agreed to the terms and conditions of the license agreement. Thus, comScore alleged that Harris and Dunstan agreed to the license agreement, and more importantly, the forum-selection clause that prohibited their lawsuit in Illinois.

Harris and Dunstan argued that comScore’s forum-selection clause was not enforceable because it was not reasonably communicated to them when they downloaded the software. They alleged that the comScore software’s installation process obscured the hyperlink to the license agreement, and thus the terms and conditions were not readily available.

Chief Judge Holderman cited several cases that enforced “click through” agreements, including some with forum-selection clauses. He noted that the key difference in this case was Harris and Dunstan’s allegation that the hyperlink to the User License Agreement was obscured.   Normally, click through agreements place consumers on at least inquiry or constructive notice. Consequently, in this case Harris and Dunstan should have known about the agreement because they were required to acknowledge their acceptance of the agreement before downloading comScore’s games and screensavers. In fact, Harris and Dunstan each clicked a box acknowledging that they read the terms and conditions of the agreement. Chief Judge Holderman held, however, that while there is a lower expectation of notice for free software: “Nonetheless, it is not reasonable to expect a user casually downloading free software to search for such an agreement if it is not immediately available and obvious where to obtain it.” Harris, 2011 WL 4738357, at *2. Thus, comScore could not hold Harris and Dunstan to its license agreement, and the included forum-selection clause, because it never provided them reasonable access to the terms and conditions.

The court concluded that the forum-selection clause was not reasonably communicated to the plaintiffs, and thus their action could proceed in Illinois.

Additionally, the court declined to transfer the case because at least one of the plaintiffs resided in Illinois, and also he downloaded and installed the software there.

This case is important because of its impact on requirement of notice for online license agreements. Online license agreements are now ubiquitous and users cannot avoid their obligations merely because they clicked “agree” without reading the terms of the agreement. Courts will generally enforce agreements where consumers are required to click the box and acknowledge that they read the agreement’s terms and conditions. This case is interesting because the court refused to find that the plaintiffs read the agreement even though they clicked a box confirming that they read the agreement. This case requires software and service providers to ensure that agreement terms and conditions are readily available; providers cannot merely rely on evidence that the consumer clicked a box.  For free software downloads, Harris concludes that consumers have less of a burden to look for any potential license agreements. Indeed, this case is favorable to consumers seeking to invalidate provisions in licensing agreements, but also reminds us that free rarely means free.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Robert Milligan and Joshua Salinas

The Ninth Circuit’s important U.S. v. Nosal decision is gaining momentum. On September 14, 2011, a California district court in Facebook v. MaxBounty, the Honorable Jeremy Fogel, presiding, became one of the first courts to apply Nosal, reaffirming that the violation of computer use policies constitutes “exceeding authorized access” under the Computer Fraud and Abuse Act (CFAA). In doing so, Facebook arguably reinforced the legal protections for employers against employees who steal or remove electronic files or data in violation of their employers’ written computer-use restrictions.

Facebook is one of the most popular social networking websites with more than 500 million active users. It requires users to agree to its terms of use, which include regulation and restrictions regarding advertising on its website. Facebook’s advertising guidelines prohibit advertisements that are fraudulent, deceptive, or misleading.

Maxbounty is an online advertising and marketing company that drives internet traffic to its customers’ websites.   

Facebook alleged that MaxBounty engaged in impermissible advertising and commercial activity on its website. Facebook alleged that MaxBounty created Facebook pages that were intended to re-direct unsuspecting Facebook users to third-party commercial websites. 

Facebook brought a claim, inter alia, under the CFAA against MaxBounty for “knowingly and with intent to defraud, access[ing] of a protected computer without authorization or exceeding authority.” 18 U.S.C. § 1030(a)(4).

MaxBounty moved to dismiss Facebook’s CFAA claim per Federal Rule of Procedure 12(b)(6). MaxBounty argued that it could not act “without authorization” or “exceed authority” because Facebook granted MaxBounty access to the Facebook website.

The district court rejected MaxBounty’s argument, citing Nosal’s holding that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed [ed] authorized access.” U.S. v. Nosal, 642 F. 3d 781, 789 (9th Cir. 2011). The court stated that MaxBounty agreed to Facebook’s terms of use, which placed restrictions on Maxbounty’s use of Facebook’s website. 

MaxBounty argued that because Facebook granted it access to the Facebook site, it could not have exceeded its “authorized access” within the meaning of the CFAA. However, the court noted that Facebook alleged that MaxBounty and its affiliates registered for Facebook accounts and accepted Facebook’s terms of use, which places restrictions on their use of the Facebook site. In this light, the court found that Facebook’s allegations were sufficient to state a claim under the CFAA.

This case is significant because it is one of the first cases to apply Nosal’s holding that the violation of computer-use policies constitutes “exceeding authorized access” under the CFAA. As discussed in our prior blog, Nosal provides employers in the Ninth Circuit with a clear CFAA remedy against dishonest employees who exceed their authorized access of their employers’ computer systems. Facebook fortifies that protection and encourages employers to take proactive steps with well written computer-use policies and procedures.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Scott Schaefers and Robert Milligan

On April 28, 2011, the Ninth Circuit Court of Appeals held in an important decision upholding legal protections for employer data that employees may be held liable under the federal Computer Fraud and Abuse Act (18 U.S.C. 1030 et seq.) in cases where employees steal or remove electronic files or data in violation of their employers' written computer-use restrictions.

In U.S. v. Nosal (9th Cir. No. 10-10038), the Ninth Circuit held that a former employee "exceeds authorized access" to data on his employer's computer system under the CFAA where the employee takes actions on the computer that are prohibited by his employer's written policies and procedures concerning acceptable use (e.g. prohibitions against copying or e-mailing files to compete or help a third party compete with the employer).

The court rejected the argument that it was overruling its 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which dismissed an employer's CFAA claim against an employee who had e-mailed confidential documents to his personal address when working for the employer, and used those files post-termination to compete with the employer. The Brekka panel said that so long as the employee was authorized to use the computer for any purpose and such authorization had not been completely rescinded, the employee could not be held liable under the CFAA for using files for unauthorized purposes.

In distinguishing Brekka, the Nosal panel held that the employer in Brekka did not place any restrictions on employees e-mailing themselves confidential files, and thus the employees could not be said to have exceeded any such computer-use restriction. The employer in Nosal, on the other hand, had password-protected computers, written computer-use agreements with its employees which restricted access to computers to employer business, and automatically placed restrictive legends on its confidential database printouts advising readers that the printouts were confidential and company property.

The employers' computer-use restrictions, the Nosal court held, were the key distinction from Brekka, and the touchstones for "exceeding authorized access" under the CFAA. The Nosal majority noted that it was siding with the First, Fifth, and Eleventh Circuits' decisions in prior cases which similarly upheld employer CFAA claims against dishonest employees for exceeding authorized access by stealing employer files.

The dissent in Nosal argued that the majority’s decision goes too far, and potentially criminalizes otherwise innocuous employee use and access of his employer's computer. The definition of "exceeding authorized access" under the intent-to-defraud provision of the CFAA (i.e. Section 1030(a)(4)), the dissent said, was inconsistent with the statute's use of the same phrase in section 1030(a)(2), which made such access a crime whether or not the employee intended fraud. Any time the employee even technically violated an employer's restrictions, the employee could be indicted at the whim of the government.

With the Nosal decision, employers in the Ninth Circuit now have a clear CFAA remedy against dishonest employees who exceed their authorized access of their employers' computer systems. Employer computer-use restrictions determine whether an employee exceeds authorized access under the CFAA. Conversely, employees looking to avoid federal indictment or civil liability under federal law should strictly adhere to their employers' computer-use restrictions.

To avail themselves of the helpful Nosal decision, employers should ensure that they have written computer-use policies which prohibit improper computer use and activities. The policies should prohibit the use of company computers to copy, e-mail, or otherwise distribute company files to compete or help a third party compete with the employer. Computer access should be authorized for work activities only. Employers should also consider prohibitions on the distribution of company data to employees' non-work e-mail accounts and prohibitions or limitations on the use of electronic storage devices, such as external hard drives and data sticks. Employers should also audit employee computer use and access activity to ensure that employees are following company policies. Recurring training on acceptable computer usage is also critical. Employers should carefully circumscribe employee access to company prized data to only those employees who truly need to have access to such data to perform their jobs. Employers should also require employees to return all company data upon termination, as well as all company computers and other electronic devices.  

The Nosal decision provides employers with a viable remedy to help address employee data theft but employers must be vigilant and ensure that they have crafted thoughtful computer-use policies to maximize their protections under the CFAA.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

By Paul Freehling and Scott Schaefers

The Eleventh Circuit Court of Appeals’ December 27, 2010 decision in U.S. v. Rodriguez, Appeal No. 09-15265, -- F.3d --, 2010 WL 5253231 (11th Cir. Dec. 27, 2010) may mark a significant split among the federal appellate circuits over the meaning of the phrases “without authorization” and “exceeds authorized access” under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (“CFAA”). On one side of the fence sit decisions which reject such suits due to the employer’s prior grant of access, regardless of the employee’s purpose of access or subsequent use of the files. On the other side are decisions which allow CFAA claims where the employee’s purpose for accessing the files was unauthorized, even if the access itself was permitted.

In Rodriguez, the court upheld the criminal CFAA conviction of defendant Roberto Rodriguez, a former Social Security Administration (“SSA”) telephone service representative, because he accessed confidential and sensitive files for “a non-business reason.” The SSA had previously established a policy prohibiting employee access of confidential databases “without a business reason,” of which Rodriguez was made aware several times. Despite these clear warnings from his employer, Rodriguez accessed more than 100 times confidential, personal information from Social Security files concerning women with whom he had a romantic relationship. Even though Rodriguez’s access of the database itself was authorized, the purpose of the access was not, thus triggering the “without authorization” or “exceeds authorized access” provisions of the CFAA.

The Eleventh Circuit thus aligned itself with the Seventh Circuit, which in Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), held that an employee violates the CFAA where he already has decided to quit, and thereafter accesses company files for unauthorized purposes in furtherance of his “breach of duty of loyalty” to the company (i.e. to erase valuable company data). That is, when an employee accesses computer files with a purpose to injure his employer, his access is necessarily unauthorized because by law because he never had permission to work against the company. 

On the other side of the split is the Ninth Circuit‘s September 2009 decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009). There, the court dismissed the CFAA suit against the former employee for subsequent misuse of company files because the purpose and misuse of the employee’s access was irrelevant, so long as the access itself for was permitted, for any purpose. According to Brekka, reading a purpose-related qualification into the CFAA terms “without authorization” and “exceeds authorized access” would run counter to the plain meaning of those statutory requirements. In fact, Brekka explicitly rejected Citrin’s suggested interpretation along those lines.

Rodriguez did not explicitly reject Brekka. Rodriguez instead distinguished Brekka because in Brekka there was no express prohibition against the employee’s accessing files and e-mailing them to his home address, whereas in Rodriguez, a prohibition against non-business-related access was in place. Nevertheless, Rodriguez implicitly rejected Brekka, because Brekka limited CFAA claims to those instances in which an employee had not received permission to access a computer for “any purpose,” or where the permission had been previously rescinded and the employee accessed the computer anyway. Rodriguez had permission to access the SSA database, albeit for a limited purpose, so his conviction likely would have been overturned by the Ninth Circuit, not upheld as the Eleventh Circuit did. Also, because of the unique circumstances in Rodriguez, there is a possibility that it could be distinguished on its facts alone.

In any event, the lessons to be learned by corporate counsel and management from this conflict are not limited to whether an employer can sue an employee for violating the CFAA. These decisions serve as reminders to management that they must carefully and vigilantly create and enforce employee computer-use policies, including the following:

*Write clear computer-access policies, disseminate those policies among employees, and periodically remind employees of their obligations;

*Require employees, whether professional, clerical, or otherwise, to sign non-disclosure and computer confidentiality agreements, where access to computers is strictly limited to furthering company business; and

*Develop a limited-permission structure so that employees are provided access only to those files needed to do their job.

You may contact Seyfarth Shaw’s Trade Secret Protection attorneys for further ideas and discussion of issues related to employee misuse or theft of company intellectual property.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

We are pleased to announce that the Trade Secrets, Computer Fraud, and Non-Competes Group's first webinar on November 5, 2009 entitled Monitoring the Revolving Door: Protecting Your Trade Secrets in Today's Economy was a tremendous success.

There were over 550 registered attendees in various legal and business positions, including business leaders, general and associate in-house counsel, human resource professionals, franchise professionals, competitive intelligence professionals, and outside counsel, from numerous domestic and international locations.

The first webinar covered best practices for protecting your company’s trade secrets and managing risk from trade secret claims. Rarely does a day go by without a news report of another high profile theft of important data from a company or the loss of key employees to competitors. Employer downsizing and competitive pressures have increased the need for companies to ensure that they have adequate protections in place to safeguard company assets.

Topics discussed in the first series of informative discussions included:

• Identifying trade secrets
• Adequately protecting trade secrets
• Conducting trade secret "audits"
• Implementing effective trade secrets policies and procedures
   

As discussed during the presentation, seeking trade secret counseling and a secret audit can assist clients to determine best practices to help protect their most important assets.

For those interested professionals who were not able to attend the first webinar and would like to listen to the recorded audio webinar or would like a copy of the presentation materials, please submit your request to sguigliano@seyfarth.com

Coming up on December 9th, we will host the second in our series, Trade Secret Triage and Restrictive Covenant Relief.  Please register (link to website registration) to join us to discuss what to do when you fear that someone has misappropriated your trade secrets.

• Email This
• Print
• Comments
• Trackbacks
• Share Link

 In Contemporary Services Corp. v. Hartman, 2008 WL 3049891 (C.D. Cal.), the United States District Court for the Central District of California recently declined supplemental jurisdiction over state law claims removed to the court where federal jurisdiction was based solely on the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Finding that state issues substantially predominated, the court noted that the “[e]lements and facts that Plaintiffs must prove to establish their CFAA claim are different from what they must prove to establish their other claims.”   

 The court retained jurisdiction over the CFAA claim and remanded all of the state law claims.

Plaintiffs filed suit in state court against defendant Hartman, asserting seven claims for relief: (1) violation of the CFAA; (2) Breach of Fiduciary Duty; (3) Conversion; (4) Breach of Contract; (5) Fraud; (6) Intentional Interference with Prospective Economic Advantage; and (7) Breach of Fiduciary Duty.   Defendant removed the case to federal district court.  Defendant moved to remand the case to state court.  Defendant also moved to dismiss several of plaintiff's claims.

Plaintiffs filed a First Amended Complaint in which they abandoned their sixth and seventh causes of action. Defendant answered and filed five counterclaims arising under state law for: (1) Unpaid Wages; (2) Waiting Time Penalties; (3) Violation of Cal. Lab. Code § 2802; (4) Indemnification under Cal. Lab Code § 2802 and Cal. Corp. Code § 317; and (5) Unfair Competition Under Cal. Bus. & Prof. Code § 17200.

Turning to plaintiffs’ motion for remand, the district court held that “[i]n all important respects, this action involves an employment dispute between the parties that has given rise to nine state law claims and counterclaims which substantially predominate over the sole federal claim.” Continuing, the court noted that all of the claims and counterclaims derived from the facts triggered by defendant's decision to leave plaintiffs' employment, including that defendant allegedly breached her fiduciary duties owed to plaintiffs by deleting work product stored on her work computer and defrauding plaintiffs by making false representations about the information contained on plaintiffs' shared drive and computer. 

Defendant's counterclaims for unpaid wages and unfair competition arose from Plaintiffs' alleged conduct after defendant ended her employment.   

Distinguishing the CFAA from the other claims in suit, the court noted “[T]he elements and facts that Plaintiffs must prove to establish their CFAA claim are different from what they must prove to establish their other claims.” Plaintiffs' claims for breach of fiduciary duty and breach of contract derive from the parties' rights and responsibilities under the employment contract. Plaintiffs' claim for fraud arises from Defendant's alleged misrepresentations during her employment. Defendant's counterclaims for unpaid wages and indemnification were based on Plaintiffs' conduct after defendant returned the computer and left their employment.

In contrast, to prove a CFAA claim, one must show that the computer in question was a “protected computer,” and that the conduct involved one of five categories of harm that are a necessary element of a civil action under the CFAA. As plaintiffs did here, claimants most often meet the “harm” element by alleging a loss of at least $5,000 in value. When relying on this element, under 18 U.S.C. § 1030(a)(5)(B), plaintiffs are limited to economic damages.

Finally, the court found it “[n]oteworthy that the relief Plaintiffs seek under the CFAA is not unique to that claim; Plaintiffs also seek compensatory damages and injunctive relief pursuant to all four of their state claims for relief. *** In short, even as to the array of remedies that Plaintiffs seek, their state claims predominate; indeed, rather than “trailing” the federal remedies, the state-based claims encompass additional prayers for relief, such as punitive damages.”

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Although the trial court's analysis was not extensive, it clearly found that allegations in a complaint that an employee used a computer program to delete information from a laptop and knowingly deleted information without authorization sufficiently states a Computer Fraud and Abuse Act claim so as to survive a motion to dismiss for failure to state a claim.

In Alliance International Inc. v. Todd, Civ. Action No. 5:08-CV-214-BR (E.D.N.C. July 22, 2008), the parties contested whether the former employees (now defendants) could be held liable for deleting information from company computers.  Defendants argued, ultimately unsuccessfully, that plaintiff could not bring a cause of action under CFAA Subsection (a)(5)(A)(i) against two of the individual defendants because Alliance did not plead that those individuals downloaded a file erasure program.   Subsection (a)(5)(A)(i) provides a cause of action against someone who

knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer . . .

18 U.S.C. § 1030(a)(5)(A)(i). 

Defendants argued that "[a]n employee's act of knowingly deleting files by hitting the 'delete' key could not plausibly give rise to criminal and civil liability under the CFAA."  (Defs.' Mem. of Law in Support of Mot. to Dismiss at 24 (filed May 29, 2008) (emphasis added).   Not taking the bait to argue whether hitting the delete key constitutes a "command," Alliance merely contended that it met its pleading obligation under the CFAA by alleging that the defendants permanently deleted/destroyed information from Alliance computers. 

The Court side-stepped both parties' arguments, however, and found that the specific allegations in Alliance's complaint, to wit that the defendants

(1) "deleted, removed and destroyed information, documents and/or data contained on . . . protected computers" and

(2) "knowingly caused the transmission of a program, information, code or command, including but not limited to, Net Eraser Trial, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer"  (citing paragraphs 62 & 63 of the complaint),

were sufficient to state a CFAA claim.  Although clearly tailored to the facts at hand, the court's decision could be persuasive authority for a plaintiff to withstand a Rule 12(b)(6) motion targeting similar allegations.

 Not long after the Court's ruling, on August 12, 2008, Alliance filed a stipulation of dismissal of the case, with prejudice, signaling a likely settlement with the defendants following the Court's ruling in Alliance's favor.  The court's opinion, nonetheless, as well as the parties' briefing, is a ready resource for case citations on the issue of deletion as well as "authorization" under the CFAA, as the parties and the court cite to numerous federal cases on these issues.

• Email This
• Print
• Comments
• Trackbacks
• Share Link