The parties in a Computer Fraud and Abuse Act case moved for partial summary judgment. Among the issues were whether the plaintiff had incurred the requisite $5,000 in qualifying losses, and whether the complaint was time-barred. The motions were denied, but the court had to do a lot of explaining. Quantlab Technologies Ltd. v. Godlevsky, Case No. 4:09-CV-4039 (S.D.Tex., Apr. 14, 2015) (Ellison, J.).
Status of the case. Judge Ellison ruled that the CFAA damages threshold was met. He held that (a) the value of time spent in an internal investigation could be aggregated with (b) sums paid to two consultants to investigate the intrusions and to assist in the prosecution of resulting litigation. He also decided that the statute of limitations began to run when the plaintiff first learned of the supposed CFAA violations, even though the identity of the perpetrator was unknown. And he ruled that claims against an individual whose alleged wrongdoing was mentioned in the body of the initial CFAA count filed in 2009, but who was not named as a defendant in that count until a third amended complaint was filed in 2014, related back to the 2009 filing.
The alleged violations. Quantlab is a financial research firm that claimed to have valuable trade secrets relating to high frequency stock trading programs. In September 2007, six months after the company terminated its employee Kuharsky, Quantlab discovered that its computer network apparently had been accessed without authorization on four separate occasions between March and August 2007. An internal probe indicated that he was the culprit.
Additional investigation prior to filing the complaint, In 2008, Quantlab retained network security consulting firm Grey Hat to ascertain whether Kuharsky could gain future unauthorized access. No conclusions were reached. Later, Quantlab concluded that he had not accessed the company’s files after all. Rather, it was his friend Andreev, a Quantlab employee, who acted at Kuharsky’s behest and used Kuharsky’s home computer.
The pleadings. Quantlab’s original CFAA count named Kuharsky as a defendant. Quantlab employee Maravina was not named as a defendant, but she was described as a “sleeper mole” who had assisted Kuharsky in stealing trade secrets and confidential information. She was added as a CFAA defendant in the third amended complaint.
Calculating qualifying losses.
- Qualifying losses relating to Kuharsky. Quantlab calculated that its internal investigation in 2007 took 10-12 hours and cost the company $2,500-3,000. That sum was not enough, however, to satisfy the $5,000 requirement for bringing a CFAA lawsuit. Gray Hat billed the company $13,400 in 2008 for consulting services, but Kuharsky contended that those services did not include investigation of the supposed computer incursion. The court accepted as true the sworn declaration of Quantlab’s CEO that Gray Hat was hired in response to Kuharsky’s actions. Thus, the requisite qualifying loss total was deemed established.
- Qualifying losses relating to Maravina. After the complaint was filed, Quantlab hired consulting firm Pathway Forensics and asserted that payment of its $31,900 bill constituted qualifying losses. Maravina insisted that Pathway’s assignments concerned litigation, not investigating her role in the 2007 events. Quantlab maintained, however, that the lawsuit work was not included in that bill. The court concluded that since Pathway may have contributed to Quantlab’s 2014 decision to add Maravina as a defendant, $5,000 in damages was demonstrated. The court said it was unnecessary to rule on the question of whether all expenses incurred investigating several persons’ intrusions can be used in computing the amount of losses attributable to each person’s involvement.
Statute of limitations.
- Kuharsky. Quantlab moved for summary judgment against Kuharsky. He asserted that the two-year statute of limitations began to run in September 2007. Quantlab argued that it had two years from early 2008 when the company first learned that Andreev, not Kuharsky, had accessed the network. The court said that the motion could not be granted because no evidence had been presented regarding the material question of whether Andreev was authorized to access the network from Kuharsky’s home.
- Maravina. Seven years elapsed between the intrusions in 2007 and the first time Maravina was named as a CFAA defendant. She asserted a statute of limitations defense. The court reiterated that the original CFAA count called her a “sleeper mole” and said she was “on notice that the lawsuit concerned the same conduct that now underpins the CFAA claim against her.” So, that claim was held to relate back to the 2009 litigation commencement date. Although not mentioned in its recent ruling, an earlier written decision on other motions in the same case stated that she was a named defendant (but not in the CFAA count) in the original complaint, and the court added that she was Kuharsky’s wife.
Takeaways. CFAA litigation can be very complex. For example, judges have not consistently ruled on the two primary issues involved in Quantlab: (a) the meaning of the statutory requirement of a “loss . . . of at least $5,000,” and (b) the date the statute of limitations regarding a CFAA violation begins to run. Moreover, judicial interpretations of the statutory phrases “without authorization” and “exceeding authorized access” as they relate to prohibited contact with a computer network are sharply divided. Some courts hold that those phrases refer only to hacking by an outsider. Other jurists say the statute also is directed at persons who make unauthorized use of their employer’s computer. Both a prospective plaintiff considering filing a CFAA claim, and a defendant who is or may be named, should consult experienced counsel.