Computer Fraud and Abuse Act

On Tuesday, October 10, 2017, the United States Supreme Court denied certiorari in Nosal v. United States, 16-1344. Nosal asked the Court to determine whether a person violates the Computer Fraud and Abuse Act’s prohibition of accessing a computer “without authorization” when using someone else’s credentials (with that other user’s permission) after the owner of the computer expressly revoked the first person’s own access rights. In denying certiorari, the Court effectively killed the petitioner’s legal challenge to his conviction in a long-running case that we have extensively covered here, here, here, here, here, here, and here (among other places). The denial of certiorari leaves further development of the scope of the CFAA in the hands of the lower courts.

The Computer Fraud and Abuse Act (“CFAA”) gives rise to an actionable claim if someone “knowingly access[es] a computer without authorization or exceed[s] authorized access.” 18 U.S.C. § 1030(a)(1). The term “exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). In recent years, plaintiffs have attempted to argue that someone “exceeds authorized access” under the CFAA when they access work-related information on their employer-issued computer for non-work-related reasons. In Georgia, courts appear to be divided on whether such an allegation gives rise to a valid CFAA claim.

For example, in United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010), the Eleventh Circuit adopted a broad view of the definition of “exceeds authorized access,” holding that when an employer has a policy limiting an employee’s computer access to that done for business purposes, an employee who accesses that information for non-business purposes exceeds authorized access. In Rodriguez, the defendant worked for the Social Security Administration, which had a policy that the use of its databases to obtain personal information was authorized only when done for business reasons. 628 F.3d at 1263. The defendant conceded that his access of the personal information at issue was not done in furtherance of his duties as a teleservice representative. Id. As such, the court ruled that the defendant had exceeded his authorized access under the CFAA.

The following year, the Northern District of Georgia applied Rodriguez’s broad interpretation of “exceeding authorized access,” holding that an employee’s e-mailing of confidential employer information to herself without a business purpose exceeded any authorized computer access and, therefore, violated the CFAA. See Amedisys Holding, LLC v. Interim Healthcare of Atlanta, Inc., 793 F.Supp.2d 1302, 1315 (N.D. Ga. 2011) (“[T]here is no question that [an employee] exceeded any authority she had when she sent [documents] to herself after accepting a position at [another company] for use in competing with [the plaintiff].”)

Since Rodriguez and Amedisys, however, several district courts in the Eleventh Circuit, including at least one in Georgia, have applied a narrower definition of “exceeds authorized access,” concluding that if a defendant has full administrative access to a computer, a claim for unauthorized access cannot be stated under the CFAA. See, e.g., Power Equip. Maint., Inc. v. AIRCO Power Servs., Inc., 953 F.Supp.2d 1290, 1297 (S.D. Ga. 2013); Enhanced Recovery Co. LLC v. Frady, No. 3:13-cv-1262-J-34JBT, at *26 n.7 (M.D. Fla. Mar. 31, 2015).

The Power Equip. decision is particularly instructive on the issue, explaining that:

the CFAA focuses on an individual’s unauthorized access of information rather than how a defendant used the accessed data. More specifically, the proper inquiry is whether an employer had, at the time, both authorized the employee to access a computer and authorized that employee to access specific information on that computer. 953 F.Supp.2d 1290, 1295 (S.D. Ga. 2013) (emphasis in original).

The court further held that the CFAA

does not confer upon employers the ability to sue their employees in federal court for violations of company policy regarding computer usage… [It] does not speak to employees who properly accessed information, but subsequently used it to the detriment of their employers: either one has been granted access or has not. Employers cannot use the CFAA to grant access to information and then sue an employee who uses that information in a manner undesired by the employer.

Id., at 1296 (emphasis added). Other courts in the Eleventh Circuit have held the same. See Trademotion, LLC v. Marketcliq, Inc., 857 F.Supp.2d 1285, 1291 (M.D. Fla. 2012) (concluding that plaintiff failed to state a claim under CFAA because plaintiff admitted that defendant had “full administrative access” to plaintiff’s computer system).

Takeaway

When deciding whether to assert a cause of action under the CFAA based on “exceeding authorized access,” the safest course of action in Georgia is to do so only when the facts demonstrate that the individual in question did not have permission to access the information in question. If the individual was given access to the information in question, but you believe that they accessed that information for a non-work-related purpose, consider relying on alternative theories of liability, such as conversion, breach of contract, or misappropriation.

We are pleased to announce the webinar “The Intersection of Trade Secrets Violations and the Criminal Law” is now available as a webinar recording.

In Seyfarth’s eighth installment in the 2016 Trade Secrets Webinar Series, attorneys Andrew Boutros, Katherine Perrelli and Michael Wexler focused on criminal liability for trade secret misappropriation. Trade secret misappropriation is increasingly garnering the attention of federal law enforcement authorities. This reality creates different dynamics and risks depending on whether the company at issue is being accused of wrongdoing or is the victim of such conduct.

As a conclusion to this well-received webinar, we compiled a summary of three takeaways that were discussed during the webinar:

  • The theft of trade secrets is not only a civil violation — it is also a criminal act subject to serious fines and imprisonment.  In an ever-increasing technological age where a company’s crown jewels can be downloaded onto a thumb drive, victims and corporate violators must be mindful of the growing role that law enforcement plays in this active area.  And, in doing so, working with experienced counsel is critical to interfacing with law enforcement (especially depending on which side of the “v.” you are on), while still maintaining control of the civil litigation.
  • With the advent of the Defend Trade Secrets Act, intellectual capital owners have a powerful new tool to both protect assets with as well as potentially defend against. As such, processes must be in place to carefully screen new employees as well as provide vigilance over exiting employees so that one can guard against theft and be prepared to address purported theft brought to one’s doorstep with a new hire. Finally, it is important to review and update agreements with the latest in suggested and required language to maximize protections, which is best accomplished through annual reviews of local and federal statutes with one’s counsel.
  • “Protect your own home” by putting tools in place before a trade secret misappropriation occurs. This includes taking a look at your employment agreements to make sure they are updated to comply with the Defend Trade Secrets Act (DTSA) and that they have been signed. In addition, make sure you have agreements in place with third parties (e.g., clients, vendors, contractors, suppliers) to protect your proprietary information. Finally, secure your network and facilities by distributing materials on a need-to-know basis: Don’t let your entire workforce have access.

The stakes are getting higher: Trade secret misappropriation is increasingly garnering the attention of federal law enforcement authorities. This reality creates different dynamics and risks depending on whether the company at issue is being accused of wrongdoing or is the victim of such conduct.

On Tuesday, October 4, at 12:00 p.m. Central, Seyfarth attorneys Katherine E. Perrelli, Andrew S. Boutros and Michael D. Wexler will present “The Intersection of Trade Secrets Violations and the Criminal Law,” the ninth installment in Seyfarth’s 2016 Trade Secrets Webinar series.

Our presenters will focus on criminal liability for trade secret misappropriation, covering:

  • Key statutes: Economic Espionage Act, Computer Fraud and Abuse Act, and Defend Trade Secrets Act of 2016
  • Key elements for criminal prosecution
  • Factors prosecutors consider when deciding whether and what to prosecute
  • How to work with federal prosecutors and their law enforcement partners: Making your case attractive to the “Feds”
  • Cutting-edge considerations: Civil RICO under the Defend Trade Secrets Act
  • Best practices to avoid misappropriation and what to do when you suspect misappropriation has occurred, including a discussion of forensic investigation options

Our panel consists of experienced attorneys with significant experience investigating and litigating trade secret issues, advising clients on trade secret protection, drafting confidentiality and restrictive covenant agreements, conducting trade secret audits, and handling federal criminal matters. This CLE is recommended for management, HR personnel and in-house counsel.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.


On July 12, 2016, the Ninth Circuit filed its published opinion in Facebook, Inc. v. Power Ventures, Inc., et al., Case No. 13-17154 (“Power Ventures”). Power Ventures is the latest in a series of decisions from the Ninth Circuit relating to the type of activities potentially giving rise to liability under the Computer Fraud and Abuse Act (18 U.S.C. §1030) (“CFAA”). Power Ventures has potentially important implications for the ways that businesses create, store, and monetize data through computers and web-based applications. Unlike the court’s Nosal line of decisions, Power Ventures is focused more on internet-based conduct that may violate the CFAA.

The underlying legal dispute between the parties began in 2008, when Facebook filed suit against Power Ventures, Inc. (“Power”) in the USDC for the Northern District of California. Power, which aggregated data from different social networking sites using, among other things, automated scripts (i.e., “scraping”), enabled people with various social media accounts to access all of their information in one place. Power used user-provided social media log-in information to import people’s information to a Power portal. In an effort to promote itself and attract users, Power then contacted via e-mail Facebook users’ friends, making it appear as if the e-mails came from Facebook.

Upon learning of Power’s activities, Facebook sent Power a cease and desist letter and used IP blocks in an attempt to prevent Power from obtaining Facebook data (IP blocking is a process by which a computer or network is directed to ignore all communications from a particular IP address). But Power continued to copy Facebook data and took measures to evade the IP blocks.

Although the Ninth Circuit analyzed whether Power’s conduct violated the federal CAN-SPAM Act (finding that it did not, and reversing District Court Judge Lucy Koh), the court’s analysis of the CFAA issues is most noteworthy. The court first walked through its United States v. Nosal CFAA decisions (from 2012 and July 5, 2016; see our coverage of these decisions here and here) to “distill two general rules” in analyzing the issue of authorized access under the CFAA:

(1) “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly” (noting that “once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability”); and

(2) “a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.”

Applying these rules, the court noted that Power users “arguably gave Power permission to use Facebook’s computers to disseminate messages” (further stating that “Power reasonably could have thought that consent from Facebook users to share the [Power promotion] was permission for Power to access Facebook’s computers”) (emphasis in original). Importantly, the court found that “[b]ecause Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers ‘without authorization’ within the meaning of the CFAA.”

The court declined, in a footnote, to “decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly” (citing to a law review article asserting that “websites are the cyber-equivalent of an open public square in the physical world”).
Instead, the court found that a cease and desist letter sent to Power by Facebook expressly rescinded the permission granted by Facebook users to Power and put Power on notice that it “was no longer authorized to access Facebook’s computers.” The letter informed Power that, in Facebook’s view, Power had violated Facebook’s Terms of Use and directed Power to cease using Facebook content or otherwise interacting with Facebook through automated scripts.

Power continued to access Facebook and took steps to evade the IP blocks that Facebook put in place. The court noted discovery from the trial court that appears to reflect a concerted effort by Power to wire around Facebook’s countermeasures and a likely awareness that Power’s conduct implicated the CFAA.

To explain its finding that the Facebook cease and desist letter had revoked Power’s permission to access Facebook, the court analogized the circumstances to a person who wanted to borrow a friend’s jewelry held in a bank safe deposit box. The court said that the borrower would need permission from the bank and the safe deposit box holder to access the box if the bank had determined that it did not want the borrower on its premises (in the court’s example, because the borrower brought a shotgun to the bank when entering to access the safe deposit box).

Although the court’s analogy might have helped it better understand the technology and information flow at issue in Power Ventures, it lacks the nuance that can swirl around alleged “scraping” scenarios where there are sometimes questions concerning whether “access” under the CFAA has occurred and whether there is a protectable or property interest in the data scraped (in the court’s analogy, the jewelry was the safe deposit box holder’s property, but what was the data equivalent in Power Ventures and, under different facts, what might be the bank’s property interest?).

The court then went on to distinguish Power from its Nosal decisions and, in doing so made some interesting observations (arguably in dictum) about the legal effect of Facebook’s Terms of Use. The court observed that “Facebook and Power had no direct relationship, and it does not appear that Power was subject to any contractual terms that it could have breached.” It is unclear whether, by making this statement, the court is saying that, by its conduct, Power and Facebook had not entered into a contract (e.g., the Facebook Terms of Use) or rather there simply were no terms within the Terms of Use that prohibited Power’s conduct.

Notably, Facebook does not appear to have pleaded a breach of contract claim in the trial court.

In any event, whether a website’s terms of use will apply to and bind a party that attempts to “scrape” data from the website is likely to be further litigated as traditional contract formation principles meet the evolving standards under “browser-wrap” and “click-wrap” agreements.

This much is clear from Power Ventures: Those who use websites to conduct business would be well-served to (1) carefully consider the drafting and use of website terms of use; (2) diligently monitor their websites and associated computers/servers for any access, and the means of access, by anyone other than authorized users; and (3) where unauthorized access is detected, to act promptly to notify in writing those who have potentially made such access of the conduct alleged to be improper/unlawful and demand that such conduct cease.

Cyberspace and e-commerce law will continue to evolve rapidly, so banks best keep an eye out for those skilled in the programming arts along with shotgun-toting borrowers of jewelry.

Not exactly. A divided Ninth Circuit panel recently affirmed the conviction of a former employee under the Computer Fraud and Abuse Act (“CFAA”), holding that “[u]nequivocal revocation of computer access closes both the front door and the back door” to protected computers, and that using a password shared by an authorized system user to circumvent the revocation of the former employee’s access is a crime. United States v. Nosal, (“Nosal II”) Nos. 14-10037, 14-10275 (9th Cir. July 5, 2016). The dissenting opinion raised concerns that the majority opinion would criminalize password-sharing in a wide variety of contexts where the password was shared by an authorized user but in violation of a service provider’s terms of service, such as for email or social networking.

An inside job

David Nosal was a recruiter employed by the executive search firm Korn/Ferry. To serve its clients and help place executives in response to talent searches, Korn/Ferry maintained a confidential, proprietary database containing detailed personal information about over one million executives. Nosal left Korn/Ferry and launched a competing firm with two other Korn/Ferry colleagues. Korn/Ferry revoked Nosal and his colleagues’ authorization to access its database. After Nosal and his colleagues left Korn/Ferry, Nosal’s colleagues accessed the database at his behest using the log-in credentials of Nosal’s former executive assistant, who remained employed at Korn/Ferry and who was authorized to access the database. They used the assistant’s valid credentials in order to run searches for candidates and thereby compete with Korn/Ferry. Nosal was convicted of violating the CFAA on a theory of accomplice liability based on his colleagues’ actions. He was ordered to pay a sizeable restitution award to Korn/Ferry.

What does “without authorization” mean, anyway?

The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” 18 U.S.C. § 1030(a)(4) (emphasis added). In a previous appeal in the Nosal case (“Nosal I”), the Ninth Circuit held that the “exceeds authorized access” prong makes criminal conduct out of “violations of [a company’s] use restrictions.” The Ninth Circuit’s decision in Nosal II, however, focused entirely on the “without authorization” prong of the CFAA.

The majority concluded that “without authorization” is unambiguous, and that the Ninth Circuit’s ruling in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) applied to Nosal’s conduct: “[A] person uses a computer ‘without authorization’ under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” The court stated that refusing to apply the CFAA to circumstances where an authorized user shared log-in credentials with a person whose credentials had been revoked by the owner of a protected computer system would “remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.”

So is password-sharing now a crime?

Judge Reinhardt dissented from the majority’s opinion, expressing concerns that the ruling would criminalize “password sharing.” Judge Reinhardt warned that the majority opinion “threatens to criminalize all sorts of innocuous conduct” and does not provide “a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners” like email service providers or social networking sites. Judge Reinhardt asserted that, in order to avoid criminalizing such commonplace conduct, the “best reading of ‘without authorization’ in the CFAA is a narrow one: a person accesses an account ‘without authorization’ if he does so without having the permission of either the system owner or a legitimate account holder.” (Emphasis original.)

It will be left to future cases to ascertain the outer boundaries of the majority’s holding. It seems unlikely that the Ninth Circuit would uphold a CFAA conviction of a person who watched Netflix using a friend’s login credentials, but Judge Reinhardt correctly points out that there is no inherently limiting language in the statute itself. So, future litigants may focus on the Nosal II majority’s discussion of “revocation of access” as a means to distinguish simple password sharing. It would be one thing for a person to use a friend’s Netflix account to watch movies; it would be another thing if the person had previously had a Netflix account revoked for downloading and selling pirated copyrighted works, then used a friend’s account to circumvent the “revocation of access” and continue such piracy. The problem is, the statute’s language does not make any distinctions based on “revocation of access.” It remains to be seen whether Nosal II provides a workable rule for applying the CFAA in future cases.

Practical Implications for Employers

Setting aside the great password-sharing debate, Nosal II makes clear that criminal sanctions can be imposed against former employees who improperly access their employer’s systems after their authorization to do so is revoked by the employer. Whether former employees use their old log-in credentials or use those of current employees who are themselves authorized to use the employer’s systems, Nosal II means that any such access is “without authorization” under the CFAA.

An ex-employee’s former employer sued him for alleged violations of the Kansas Uniform Trade Secrets Act (KUTSA) and the federal Computer Fraud and Abuse Act (CFAA). The first claim was based on the company’s hunch that he had misappropriated trade secrets and thereby breached his non-disclosure agreement. Two forensic experts were paid $38,000 to examine the computers and flash drives he had used, looking for evidence that he had used or disclosed confidential information. The second claim centered on his admission that, shortly before resigning from the company, he had read a top-secret file which was, but should not have been, accessible to employees. He moved for summary judgment on both claims. The court granted the motion, holding that (a) payments to the experts did not satisfy the KUTSA requirement of showing an “actual loss caused by misappropriation” (K.S.A. 60-3322(a)), and (b) he was authorized to access the company’s shared files and, therefore, he did not violate the CFAA. Tank Connection, LLC v. Haight, No. 6:13-cv-01392-JTM (D. Kan., Feb. 5, 2016) (Marten, C.J.).

Summary of the case.  Haight was International Sales Manager of Tank Connection, a  manufacturer of large storage tanks.  He signed a confidentiality agreement (but not a non-compete).   With the company’s consent, he downloaded confidential information onto the laptop and flash drives provided to him by the company.  However, he also downloaded company data onto his own flash drives.  Further, he reviewed — but did not copy — the company’s president’s confidential computer file.  Following his resignation, he returned the company’s laptop and what he asserted were all of its flash drives.  Further, he insisted that he had neither disclosed the company’s secrets to his new employer nor used the information, and that he had deleted all of Tank Connection’s data from his personal flash drives.  Concluding that Tank Connection had produced no evidence contrary to his disavowal of trade secret misappropriation, and that reading the shared file was not a violation of the CFAA, the court entered judgment for Haight.

Why the claim of trade secret misappropriation failed.

Tank Connection’s expert witnesses determined that, shortly before Haight’s resignation, he accessed the company’s server and transferred to the company’s laptop and flash drives, and to his own flash drives, a lot of confidential information.  The company contended that “harvesting” of that data circumstantially supported the claim that he had used proprietary information improperly and/or had disclosed it to his new employer.  However, Chief Judge Marten ruled that without any hard evidence of wrongdoing, and in the face of Haight’s unqualified denial of culpability, Tank Connection’s speculation of improper conduct was insufficient to create KUTSA liability.

Tank Connection alleged that its damages from Haight’s “misappropriation” aggregated $1,238,000: $1.2 million that the company had expended for creating, developing and updating the computer programs, plus $38,000 it had paid to the experts.  Chief Judge Marten rejected the $1.2 million claim because the company did not show any loss of data, damage to its computers or programs, unfair competition, or unjust enrichment.  Further, the statutory alternative of assessing “a reasonable royalty” was inapplicable due to the absence of proof that Haight disclosed or used confidential information.

Finally, the court held that payments to computer forensic experts retained by Tank Connection to investigate an alleged but unproved theft of trade secrets were not an “actual loss caused by misappropriation.”  The judge said that the question has not been decided by Kansas judges, and that Connecticut Appellate and Virginia Supreme Court rulings are in diametric opposition to each other.  Concluding that the payments were “not within the traditional realm of tort damages,” and that they were incurred merely in an attempt to ascertain if there had been a theft, the court held that they were not compensable losses under KUTSA.

Why the claim of a CFAA violation failed. 

A few days before Haight resigned, a co-worker brought to his attention a computerized folder containing highly sensitive information intended solely for the eyes of the company president and one administrator.  The company was unaware that incorrect security settings for the folder enabled employees such as Haight to access it.  He admitted that he had looked at it, which constituted a CFAA violation according to Tank Connection, but he insisted that he and other employees regularly viewed shared files in the course of their work and that he did not copy, disclose or use the folder’s contents.

Chief Judge Marten observed that the president’s folder was in a shared file, and there was no evidence that Tank Connection told its employees not to open the folder.  He said that, therefore, Haight clearly did not violate the statutory prohibition against accessing a computer “without authorization.”  The difficult question under the CFAA was whether Haight exceeded his authorized computer access.  The judge found persuasive U.S. v. Valle, 807 F.3d 508 (2nd Cir. 2015), which held that an employee’s authority to access a computer file is dispositive in determining that the CFAA has not been violated, regardless of the use to or purpose for which the file is accessed.  Thus, summary judgment was granted on the CFAA claim as well.

Takeaways.  Haight prevailed on the trade secrets misappropriation claim largely because he was authorized to use Tank Connection’s confidential data in the course of his employment, and the company had no evidence that he disclosed or used the data other than for company business.  In the absence of a smoking gun or an eye witness to wrongdoing (Tank Connection had neither), employers often have difficulty disproving an ex-employee’s denial of culpability.  Perhaps Tank Connection might have strengthened its case if it had examined Haight’s personal flash drives before he deleted all of the information on them.

The ruling declining reimbursement of Tank Connection’s expenses for computer forensic experts seems to have been driven by the company’s inability to prove that any misappropriation occurred.  A number of courts have held that amounts paid to such experts, for tasks associated with a pretrial investigation launched because of suspected trade secret theft, are recoverable damages.  However, in those cases typically, the experts concluded that the company’s suspicion was well-founded.  Tank Connection is unusual because reimbursement was sought in the face of a failure to prove any impropriety.  Under these circumstances, the expenses did not qualify as an “actual loss caused by misappropriation.”

Chief Judge Marten’s ruling regarding the scope of the CFAA is another in the litany of disputes pitting a narrow statutory interpretation against a broader one.  Compare such decisions as Valle cited by the court (holding that the Act only prohibits computer hacking by an outsider), with, e.g., Epic Systems Corp. v. Tata Consultancy Services Ltd., No. 14-cv-748 (W.D. Wis., Nov. 18, 2015) (opining that the CFAA also criminalizes “insider hacking,” that is, unauthorized use of data by someone authorized to access the computer).  The conflict in these decisions probably can only be resolved by Congress or the U.S. Supreme Court.

Ever since Iqbal and Twombly, it has become imperative that a complaint filed in federal court contains “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 570 (2007)). The Eastern District of Michigan recently reiterated this point in the context of an alleged violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. As detailed below, failure to include the requisite factual allegations can and will result in the dismissal of potential CFAA claims.

SUMMARY

In Fabreeka International Holdings, Inc. v. Robert Haley and Armadillo Noise & Vibration LLC, 2015 U.S. Dist. LEXIS 154869 (E.D. MI, Nov. 17, 2015), Fabreeka Intl. Holdings filed suit against its former employee, Robert Haley, and his new employer, alleging that Haley unlawfully accessed its computers to obtain confidential information in violation of the CFAA.  Specifically, Fabreeka alleged that: (1) during the period of his employment, Haley accessed confidential business information stored on Fabreeka’s servers; (2) Haley did not return all of Fabreeka’s confidential information at the time of his resignation; and (3) Haley authored or assisted in authoring proposals for his new employer using Fabreeka’s confidential information for the purpose of undercutting Fabreeka’s prices.

Fabreeka contended that its allegations establish violations under three sections of the CFAA: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), 1030(a)(5)(B) and (C).

  • Subsection (a)(2) prohibits (1) intentionally accessing a computer (2) without authorization or exceeding authorized access and (3) thereby obtaining information (4) from any protected computer (if the conduct involved an interstate or foreign communication) where (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(4) prohibits (1) accessing a “protected computer” (2) without authorization or exceeding such authorization that was granted, (3) “knowingly” and with “intent to defraud,” and thereby (4) furthering the intended fraud and obtaining anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(5)(B) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, recklessly causes damage. 18 U.S.C. § 1030(a)(5)(B).
  • Subsection (a)(5)(C) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, causing damage and loss. 18 U.S.C. § 1030(a)(5)(C).

The District Court dismissed each of these CFAA claims for the following reasons:

  1. There was no dispute that Haley was authorized to access information on Fabreeka’s servers, including sales and manufacturing data, during his employment at Fabreeka. Since the facts pled established Haley had authorization, the Court held that Fabreeka’s claims under subsections (a)(5)(B) and (a)(5)(C), requiring the access be “without authorization,” should be dismissed. This left Fabreeka’s remaining CFAA claims, which the Court said could proceed so long as Fabreeka pled facts that establish Haley exceeded his authorized access.
  2. Fabreeka’s Complaint asserted that Haley misappropriated confidential information based solely on the similarity of proposals submitted by Fabreeka and his new employer. Based on those proposals, Fabreeka offered unsupported conclusions that Haley stole confidential files and assisted in authoring the competitor’s proposal. The Court held that “[a] pleading must include factual allegations that exceed mere speculation, see Twombly, 550 U.S. at 555, and Fabreeka’s CFAA allegations fail to meet this standard.”

In addition, the Court noted that a complaint must state sufficient facts to “raise a reasonable expectation that discovery will reveal evidence” of a claim’s required elements.  Although Fabreeka’s Complaint alleged that Haley and his new employer’s owner communicated on Fabreeka’s computer during Haley’s employment, the Court found that the mere fact that the two discussed Haley joining Armadillo does not support a plausible inference that the two colluded to misappropriate confidential information. Thus, the Court held that it did “not feel” that Fabreeka’s Complaint “pled sufficient facts to raise a reasonable expectation that further evidence of a CFAA violation will be revealed in discovery.”

  3. Fabreeka’s Complaint implied that the company considers all non-public information confidential. Defendants, on the other hand, claimed that Fabreeka’s proposals cannot be considered confidential because they are transmitted to third parties without any steps to protect the proposals or the information they contain.  The Court noted that the Sixth Circuit previously stated, in the context of trade secrets, that if a company did not take reasonable steps to maintain the confidentiality of alleged trade secrets, a misappropriation claim properly fails. See BDT Products, Inc. v. Lexmark Int’l, Inc., 124 F. App’x 329, 333 (6th Cir. 2005).  Accordingly, the Court held that insofar as Fabreeka’s allegations address confidential material taken, the company’s proposals submitted to customers may not be properly considered secret or confidential.
  4. Finally, the Court held that Fabreeka’s Complaint did not allege that the “damage and loss” allegedly suffered arose from the cost of responding to or from investigation into Haley’s alleged violation. Instead, the Complaint merely recited the elements of the CFAA and asserted there had been “damage and loss.”  The Court held this was insufficient.

TAKE-AWAY

When asserting claims under the CFAA, it is critical not only to review and plead the necessary elements that form the claims, but also to include sufficient factual allegations to support those claims.  The Fabreeka decision highlights how more and more courts are cracking down on insufficient pleading, particularly in the context of CFAA suits.  As a plaintiff, do not fall victim to poor or lazy drafting and, as a defendant, carefully review a complaint’s factual allegations with an eye towards a possible motion to dismiss.

In a recent Computer Fraud and Abuse Act case, the Seventh Circuit Court of Appeals affirmed the district court’s conclusion that the plaintiff had produced no evidence refuting the defendant’s contention that it honestly believed it was engaging in lawful business practices rather than intentionally deceiving or defrauding the plaintiff.  Accordingly, entry of judgment for the defendant was appropriate.  Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., Case No. 4:13-CV-4021 (7th Cir., Jan. 21, 2016).

Summary of the case.  Fidlar licenses technology to county governments enabling them to scan and digitize real estate transaction documents quickly.  The county-licensees pay Fidlar a fee for using its technology.  In turn, county-licensees making the digitized documents available online charge an access fee.  Persons who access the digitized documents and print copies must remit copying fees to Fidlar.

LPS gathers, analyzes and sells data concerning real estate transactions.  It developed software that permits the company, in exchange for a monthly payment to the county-licensees, to harvest and download en masse documents digitized by the counties using Fidlar’s technology.  The software enables LPS to analyze the digitized data without printing the documents and, thereby, to avoid paying copying fees which otherwise would have been owed to Fidlar.  When Fidlar learned what LPS was doing, Fidlar accused LPS of computer fraud in violation of the CFAA.  LPS denied wrongdoing and prevailed in court on summary judgment.

The parties’ contentions.  According to Fidlar, LPS defrauded Fidlar because LPS knew about the copying fee and had to know that its system for harvesting the information contained in the digitized real estate transaction documents allowed it to benefit from Fidlar’s technology without paying anything to that company.  LPS responded that, far from intending to deceive or defraud, its business practices were driven by its need to access and analyze data quickly and efficiently, and that printing copies of the documents was unnecessary.

Did LPS intend to defraud Fidlar?  Counties pay a fee to Fidlar for using its technology in order to digitize the contents of documents.  LPS pays a fee to counties for enabling its computers to access the digitized data.  LPS avoided remunerating Fidlar by not printing copies of the information.  And, significantly, there was neither disruption nor destruction of Fidlar’s computer system or intellectual property.  Fidlar apparently failed to anticipate, and therefore did not forbid, LPS’ access to and use of the data in this manner.

The CFAA criminalizes fraudulently accessing a computer or computer system with the intent of deceiving or cheating.  In opposition to LPS’s summary judgment motion, Fidlar maintained that whether LPS intended to defraud Fidlar is a question of fact requiring a trial.  However, both the lower and appellate tribunals said that the entry of summary judgment was appropriate because Fidlar was required, but failed, to demonstrate that there was evidence in the record supporting Fidlar’s claim that LPS had a fraudulent intent.

Takeaways.  Proving a CFAA violation requires evidence of an intentional fraud.  Even though Fidlar’s technology did not expressly permit third parties to access the digitized records and use the information without printing copies, thereby avoiding payment of fees to Fidlar, such access and use were not prohibited.  Fidlar lost the case because it failed to design its software to require payments to the company by third parties who figured out how to make use of the data without printing it.

Background

Imagine if you could manage all of your social media platforms on one app.  Believe it or not, there was an app for that (or, at least a website), created by a company named Power Ventures (“Power”).  Back in 2008, Power instituted its “Power 100” campaign, which offered its users the chance to win $100 if they invited 100 friends to join.  After asking its users’ permission, Power would access its users’ Facebook accounts to send messages to friends of its users to encourage them to join Power.  These messages were sent to friends of Power users from email addresses containing Facebook in the source name (e.g., amy@facebookmail.com), thus giving the impression that the messages came from Facebook personnel, not from Power.

Lo and behold, the “real” Facebook became aware of Power’s plan and tried to stop it through the use of an IP block, which Power was able to overcome.  Facebook continued combatting Power’s activity by sending cease and desist letters, reiterating how Power’s activities went beyond the scope of its authorized use, but Power failed to act in compliance with these requests.  Thereafter, Facebook slapped Power with a lawsuit, alleging (among other things) a violation of the Computer Fraud and Abuse Act (“CFAA”), primarily based on Power’s unauthorized use of Facebook data and systems.  Four years later in 2012, the U.S. District Court for the Northern District of California found that Power indeed violated Section (a)(2)(C) of the CFAA.  The following year, the district court issued an order that not only granted a permanent injunction against Power, but also prescribed damages in excess of $3 million to be paid to Facebook.

Status of the Case

As perhaps any party would do following such a dismal outcome at district court, Power decided to appeal to the Court of Appeals for the Ninth Circuit.  Oral arguments were heard in December, and a Ninth Circuit court opinion is expected to come down in the coming months.

Ninth Circuit Oral Argument

At oral argument, counsel for Power argued that Power could not have violated the CFAA because it never owned the data at issue in the case.  As such, it was beyond Facebook’s power to grant or deny authorization to user accounts to third-parties.  Counsel pressed that acting with authorization means one has authorization from the owner of the data; Facebook, according to Power’s counsel, explicitly disclaimed ownership of such data.  In other words, because individual Facebook users granted Power access to their accounts, Power was acting within the scope of authorization, and is therefore not liable to Facebook under the CFAA.

From another standpoint came Power’s former CEO, Steve Vachani, who made a statement that Facebook, now a social media giant, is acting anti-competitively by still litigating this case after seven years.  Counsel for Facebook disagreed, saying that his client was not being anti-competitive, but rather acting in compliance with its legal obligations.

Third-Party Perspectives

This is not the only CFAA-related case the Ninth Circuit has faced as of late.  Some time ago, the court heard oral arguments for the U.S. v. Nosal case, blogged here.  Given the recent interest in this CFAA line of cases, commentators have piped up and expressed their thoughts on the CFAA and its application to password sharing scenarios.

For instance, the Electronic Frontier Foundation (“EFF”) wrote as amici in support of Power’s position, noting that Facebook’s use of the CFAA is “dangerous to follow-on innovators and consumers and would criminalize widely accepted Internet behavior.”

Additionally, Professor Orin Kerr appears to support curbing the interpretation and application of the CFAA to password sharing scenarios and believes any user of a personal account may authorize a third-party agent to access the account, but such would not be the case if the individual were acting within the scope of employment.  In other words, if the individual gave her employer’s account credentials to a third-party agent for the third-party’s own purposes, that would not constitute authorization because it would be beyond the employer’s grant of authorization to its employee.

Takeaways

Given the compensatory and equitable damages awarded to Facebook at the district court level, it will be especially interesting to see if the Ninth Circuit upholds the district court findings and damages, especially against a now defunct company.  Upholding the district court’s damages award will certainly call practitioners and their clients to attention.

It will also be interesting to see if the Ninth Circuit somehow consolidates its rationale in Nosal into this case, and finally carves a distinction between password sharing in the workplace and personal password sharing scenarios.