Ever since Iqbal and Twombly, it has become imperative that a complaint filed in federal court contain “sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’”  Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 570 (2007)).  The Eastern District of Michigan recently reiterated this point in the context of an alleged violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.  As detailed below, failure to include the requisite factual allegations can and will result in the dismissal of potential CFAA claims.

SUMMARY

In Fabreeka International Holdings, Inc. v. Robert Haley and Armadillo Noise & Vibration LLC, 2015 U.S. Dist. LEXIS 154869 (E.D. MI, Nov. 17, 2015), Fabreeka Intl. Holdings filed suit against its former employee, Robert Haley, and his new employer, alleging that Haley unlawfully accessed its computers to obtain confidential information in violation of the CFAA.  Specifically, Fabreeka alleged that: (1) during the period of his employment, Haley accessed confidential business information stored on Fabreeka’s servers; (2) Haley did not return all of Fabreeka’s confidential information at the time of his resignation; and (3) Haley authored or assisted in authoring proposals for his new employer using Fabreeka’s confidential information for the purpose of undercutting Fabreeka’s prices.

Fabreeka contended that its allegations establish violations under three sections of the CFAA: 18 U.S.C. §§ 1030(a)(2)(C), 1030(a)(4), 1030(a)(5)(B) and (C).

  • Subsection (a)(2) prohibits (1) intentionally accessing a computer (2) without authorization or exceeding authorized access and (3) thereby obtaining information (4) from any protected computer (if the conduct involved an interstate or foreign communication) where (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(4) prohibits (1) accessing a “protected computer” (2) without authorization or exceeding such authorization that was granted, (3) “knowingly” and with “intent to defraud,” and thereby (4) furthering the intended fraud and obtaining anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.
  • Subsection (a)(5)(B) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, recklessly causing damage. 18 U.S.C. § 1030(a)(5)(B).
  • Subsection (a)(5)(C) prohibits (1) intentionally accessing (2) a protected computer (3) without authorization, and (4) as a result of such conduct, causing damage and loss. 18 U.S.C. § 1030(a)(5)(C).

The District Court dismissed each of these CFAA claims for the following reasons:

  1. There was no dispute that Haley was authorized to access information on Fabreeka’s servers, including sales and manufacturing data, during his employment at Fabreeka. Since the facts pled established Haley had authorization, the Court held that Fabreeka’s claims under subsections (a)(5)(B) and (a)(5)(C), requiring the access be “without authorization,” should be dismissed. This left Fabreeka’s remaining CFAA claims, which the Court said could proceed so long as Fabreeka pled facts that establish Haley exceeded his authorized access.
  2. Fabreeka’s Complaint asserted that Haley misappropriated confidential information based solely on the similarity of proposals submitted by Fabreeka and his new employer. Based on those proposals, Fabreeka offered unsupported conclusions that Haley stole confidential files and assisted in authoring the competitor’s proposal. The Court held that “[a] pleading must include factual allegations that exceed mere speculation, see Twombly, 550 U.S. at 555, and Fabreeka’s CFAA allegations fail to meet this standard.”

In addition, the Court noted that a complaint must state sufficient facts to “raise a reasonable expectation that discovery will reveal evidence” of a claim’s required elements.  Although Fabreeka’s Complaint alleged that Haley and his new employer’s owner communicated on Fabreeka’s computer during Haley’s employment, the Court found that the mere fact that the two discussed Haley joining Armadillo does not support a plausible inference that the two colluded to misappropriate confidential information. Thus, the Court held that it did “not feel” that Fabreeka’s Complaint “pled sufficient facts to raise a reasonable expectation that further evidence of a CFAA violation will be revealed in discovery.”

  3. Fabreeka’s Complaint implied that the company considers all non-public information confidential. Defendants, on the other hand, claimed that Fabreeka’s proposals cannot be considered confidential because they are transmitted to third parties without any steps to protect the proposals or the information they contain.  The Court noted that the Sixth Circuit previously stated, in the context of trade secrets, that if a company did not take reasonable steps to maintain the confidentiality of alleged trade secrets, a misappropriation claim properly fails. See BDT Products, Inc. v. Lexmark Int’l, Inc., 124 F. App’x 329, 333 (6th Cir. 2005).  Accordingly, the Court held that insofar as Fabreeka’s allegations address confidential material taken, the company’s proposals submitted to customers may not be properly considered secret or confidential.
  4. Finally, the Court held that Fabreeka’s Complaint did not allege that the “damage and loss” allegedly suffered arose from the cost of responding to or from investigation into Haley’s alleged violation. Instead, the Complaint merely recited the elements of the CFAA and asserted there had been “damage and loss.”  The Court held this was insufficient.

TAKE-AWAY

When asserting claims under the CFAA, it is critical not only to review and plead the necessary elements that form the claims, but also to include sufficient factual allegations to support those claims.  The Fabreeka decision highlights how more and more courts are cracking down on insufficient pleading, particularly in the context of CFAA suits.  As a plaintiff, do not fall victim to poor or lazy drafting and, as a defendant, carefully review a complaint’s factual allegations with an eye towards a possible motion to dismiss.

In a recent Computer Fraud and Abuse Act case, the Seventh Circuit Court of Appeals affirmed the district court’s conclusion that the plaintiff had produced no evidence refuting the defendant’s contention that it honestly believed it was engaging in lawful business practices rather than intentionally deceiving or defrauding the plaintiff.  Accordingly, entry of judgment for the defendant was appropriate.  Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., Case No. 4:13-CV-4021 (7th Cir., Jan. 21, 2016).

Summary of the case.  Fidlar licenses technology to county governments enabling them quickly to scan and digitize real estate transaction documents.  The county-licensees pay Fidlar a fee for using its technology.  In turn, county-licensees making the digitized documents available online charge an access fee.  Persons who access the digitized documents and print copies must remit copying fees to Fidlar.

LPS gathers, analyzes and sells data concerning real estate transactions.  It developed software that permits the company, in exchange for a monthly payment to the county-licensees, to harvest and download en masse documents digitized by the counties using Fidlar’s technology.  The software enables LPS to analyze the digitized data without printing the documents and, thereby, to avoid paying copying fees which otherwise would have been owed to Fidlar.  When Fidlar learned what LPS was doing, Fidlar accused LPS of computer fraud in violation of the CFAA.  LPS denied wrongdoing and prevailed in court on summary judgment.

The parties’ contentions.  According to Fidlar, LPS defrauded Fidlar because LPS knew about the copying fee and had to know that its system for harvesting the information contained in the digitized real estate transaction documents allowed it to benefit from Fidlar’s technology without paying anything to that company.  LPS responded that, far from intending to deceive or defraud, its business practices were driven by its need to access and analyze data quickly and efficiently, and that printing copies of the documents was unnecessary.

Did LPS intend to defraud Fidlar?  Counties pay a fee to Fidlar for using its technology in order to digitize the contents of documents.  LPS pays a fee to counties for enabling its computers to access the digitized data.  LPS avoided remunerating Fidlar by not printing copies of the information.  And, significantly, there was neither disruption nor destruction of Fidlar’s computer system or intellectual property.  Fidlar apparently failed to anticipate, and therefore did not forbid, LPS’ access to and use of the data in this manner.

The CFAA criminalizes fraudulently accessing a computer or computer system with the intent of deceiving or cheating.  In opposition to LPS’s summary judgment motion, Fidlar maintained that whether LPS intended to defraud Fidlar is a question of fact requiring a trial.  However, both the lower and appellate tribunals said that the entry of summary judgment was appropriate because Fidlar was required, but failed, to demonstrate that there was evidence in the record supporting Fidlar’s claim that LPS had a fraudulent intent.

Takeaways.  Proving a CFAA violation requires evidence of an intentional fraud.  Even though Fidlar’s technology did not expressly permit third parties to access the digitized records and use the information without printing copies, thereby avoiding payment of fees to Fidlar, such access and use were not prohibited.  Fidlar lost the case because it failed to design its software to require payments to the company by third parties who figured out how to make use of the data without printing it.

On Friday, January 29, 2016 at 12:00 p.m. Central, Seyfarth attorneys Michael Wexler, Robert Milligan and Joshua Salinas will present the first installment of the 2016 Trade Secrets Webinar series. The presenters will review noteworthy cases and other legal developments from across the nation this past year in the areas of trade secrets and data theft, non-competes and other restrictive covenants, computer fraud, as well as provide their predictions for what to watch for in 2016.

The Seyfarth panel will specifically address the following topics:

  • New trade secret cases addressing damages, injunctive relief, and preemption;
  • Practical implications of new state non-compete legislation in Alabama, Oregon, and New Mexico;
  • Growing circuit split concerning applicability of Computer Fraud and Abuse Act in typical employee data theft scenarios;
  • National and international efforts to improve trade secret protections, including the continuing attempt in the U.S. Congress with the proposed Defend Trade Secrets Act to create a federal civil cause of action for trade secrets theft, the European Union’s proposed directive to harmonize trade secret protection among the EU’s 28-member states as well as the Trans Pacific Partnership Agreement’s impact on trade secrets;
  • Significant new federal and state court decisions on non-competes and other restrictive covenants that may impact their enforcement, including concerns regarding adequate consideration for agreements and growing efforts by government agencies and employees to challenge and narrow their use;
  • Recent NLRB pronouncements on employer policies and agreements and their implications for protecting trade secrets;
  • Noteworthy data breaches and criminal prosecutions and criminal sentences for trade secret misappropriation, data theft, and computer fraud and discussion of lessons learned.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.  If you have any questions, please contact events@seyfarth.com.

We are pleased to announce the webinar “Social Media Privacy Legislation Update” is now available as a podcast and webinar recording.

In Seyfarth’s eighth installment in its series of Trade Secrets Webinars, Seyfarth social media attorneys discussed their recently released Social Media Privacy Legislation Desktop Reference and addressed the relationship between trade secrets, social media, and privacy legislation.

As a conclusion to this well-received webinar, we compiled a list of brief summaries of the more significant cases that were discussed during the webinar:

  • In KNF&T Staffing Inc. v. Muller, Case No. 13-3676 (Mass. Super. Oct. 24, 2013) a Massachusetts court held that updating a LinkedIn account to identify one’s new employer and listing generic skills does not constitute solicitation. The court did not address whether a LinkedIn post could ever violate a restrictive covenant.
  • Outside of the employment context, the Indiana Court of Appeals in Enhanced Network Solutions Group Inc. v. Hypersonic Technologies Corp., 951 N.E.2d 265 (Ind. Ct. App. 2011) held that a nonsolicitation agreement between a company and its vendor was not violated when the vendor posted a job on LinkedIn and an employee of the company applied and was hired for the position, because the employee initiated all major steps that led to the employment.
  • In the context of Facebook, a Massachusetts court ruled in Invidia LLC v. DiFonzo, 2012 WL 5576406 (Mass. Super. Oct. 22, 2012) that a hairstylist did not violate her nonsolicitation provision by “friending” her former employer’s customers on Facebook because “one can be Facebook friends with others without soliciting those friends to change hair salons, and [plaintiff] has presented no evidence of any communications, through Facebook or otherwise, in which [defendant] has suggested to these Facebook friends that they should take their business to her chair.”
  • Similarly, in Pre-Paid Legal Services, Inc. v. Cahill, Case No. CIV-12-346-JHP, 2013 U.S. Dist. LEXIS 19323 (E.D. Okla., Jan. 22, 2013) a former employee posted information about his new employer on his Facebook page “touting both the benefits of [its] products and his professional satisfaction with [it]” and sent general requests to his former co-employees to join Twitter. A federal court in Oklahoma denied his former employer’s request for a preliminary injunction, holding that communications were neither solicitations nor impermissible conduct under the terms of his restrictive covenants.
  • The Virginia Supreme Court in Allied Concrete Co. v. Lester, 285 Va. 295 (2013) upheld a decision sanctioning a plaintiff and his attorney a combined $722,000 for deleting a Facebook account and associated photographs that undermined the plaintiff’s claim for damages stemming from the wrongful death of his wife in a car accident. The deleted photographs showed plaintiff holding a beer while wearing a T-shirt with the message, “I Love hot moms.” Subsequent testimony revealed that the plaintiff’s attorney had instructed his paralegal to tell the plaintiff to “clean up” his Facebook entries because “we do not want blowups of this stuff at trial.”
  • PhoneDog v. Noah Kravitz, No. C11-03474 MEJ, 2011 U.S. Dist. LEXIS 129229 (N.D. Cal., 2012) involved a dispute over whether a Twitter account’s followers constitute trade secrets even when they are publicly visible. The court denied the defendant’s motion to dismiss and ruled that PhoneDog, an interactive mobile news and reviews web resource, could proceed with its lawsuit against Noah Kravitz, a former employee, who PhoneDog claimed unlawfully continued using the company’s Twitter account after he quit.  The court held that PhoneDog had described the subject matter of the trade secret with “sufficient particularity” and satisfied its pleading burden as to Kravitz’s alleged misappropriation by alleging that it had demanded that Kravitz relinquish use of the password and Twitter account, but that he has refused to do so.  With respect to Kravitz’s challenge to PhoneDog’s assertion that the password and the Account followers do, in fact, constitute trade secrets, and whether Kravitz’s conduct constitutes misappropriation, the court ruled that such determinations require the consideration of evidence outside the scope of the pleading and should, therefore, be raised at summary judgment, rather than on a motion to dismiss.  The parties ultimately resolved the dispute.
  • The Second Circuit Court of Appeals in Triple Play v. National Labor Relations Board, No. 14-3284 (2d. Cir. Oct. 21, 2015) affirmed an NLRB decision that a Facebook discussion regarding an employer’s tax withholding calculations and an employee’s “like” of the discussion constituted concerted activities protected by Section 7 of the National Labor Relations Act. The Facebook activity at issue involved a former employee posting to Facebook, “[m]aybe someone should do the owners of Triple Play a favor and buy it from them. They can’t even do the tax paperwork correctly!!! Now I OWE money . . . Wtf!!!!” A current employee “liked” the post and another current employee posted, “I owe too. Such an asshole.” The employer terminated the two employees for their Facebook activity. The 2nd Circuit affirmed the NLRB’s decision that the employer’s termination of the two employees for their aforementioned Facebook activity was unlawful.

The following is a collection of social media policies that have been implemented by various companies:  http://socialmediagovernance.com/policies/. While these policies can serve as a helpful guide, companies should tailor their own social media policies and consult with counsel.

For more information, please contact your Seyfarth Shaw LLP attorney, Robert B. Milligan at rmilligan@seyfarth.com, Daniel P. Hart at dhart@seyfarth.com or Joshua Salinas at jsalinas@seyfarth.com.

On October 20, 2015, a Ninth Circuit panel consisting of Chief Judge Sidney Thomas and Judges M. Margaret McKeown and Stephen Reinhardt heard oral argument from the U.S. Department of Justice and counsel for David Nosal on Nosal’s criminal conviction arising under the Computer Fraud and Abuse Act (CFAA).   In 2013, Nosal was found to have violated the CFAA by allegedly conspiring to obtain access to company information belonging to his former employer, executive search firm Korn Ferry, through the borrowing of another employee’s login password. He was also convicted of trade secret misappropriation under the Economic Espionage Act.

The panel focused most of its questions around one main point of contention between the parties: the interpretation of the “without authorization” language appearing throughout Section (a) of the CFAA.  Such a focus makes sense given that the interpretation of this short phrase could completely change the legal landscape surrounding password sharing, not only in professional settings, but also in personal, consensual settings.

Nosal’s Points

Counsel for Nosal urged the panel to adopt a limited reading of the CFAA, based on the reasoning laid out in the Ninth Circuit’s previous en banc opinion (Nosal I).  Nosal I held that the CFAA was an “anti-hacking” statute and did not contemplate, nor criminalize, the misappropriation of trade secrets.  As an “anti-hacking” statute, the CFAA, the court held, criminalizes “the circumvention of technological access barriers.”  In other words, a person cannot be found to have accessed a computer “without authorization” if he did not circumvent a technological access barrier, or “hack” into a computer.

This time around, counsel for Nosal argued that password sharing is not hacking, and therefore, such an action cannot amount to a federal crime.  Further, counsel urged the panel to limit its interpretation of the “without authorization” language appearing throughout the Act, so as to prevent the over-criminalization of actions otherwise not prohibited by law (e.g., password sharing over a cloud system, or another consensual password sharing arrangement).   Nosal’s counsel also argued that the “without authorization” language be read consistently throughout the Act, so that the same interpretation would apply to both the misdemeanor and felony provisions of the Act.

U.S. Government’s Arguments

On the other side of the spectrum lie the government’s arguments.  Counsel for the government argued that protecting computers with passwords to prevent unintended user access indeed creates a “technological access barrier,” and any circumvention thereof (consensual or otherwise) constitutes a violation of the CFAA.  Such a broad interpretation was met with raised brows from the members of the judicial panel.

Counsel for the government repeatedly argued that the interpretation of the “without authorization” language should mirror the interpretation in the LVRC Holdings LLC v. Brekka case.  Per Brekka, a person accesses information “without authorization” under Sections (a)(2) and (4) of the CFAA when he has not received permission to use a computer for any purpose, or when the person’s employer has rescinded permission to access a computer and the person uses it anyway.  In other words, the government’s counsel seemed to advocate the criminalization of any sort of password sharing.  After receiving some push-back from the panel after making such an argument, counsel suggested limiting this interpretation to the employment context only, but members of the panel shot back because the CFAA includes no such limiting language. The government’s counsel argued that the person must have shared or used the password while also knowing it was prohibited by an employer to do so.

With regard to Nosal’s trade secrets conviction, the panel pressed the government’s counsel for a good portion of her allotted argument time.  Counsel argued the record revealed sufficient evidence to establish the element that source lists derive independent economic value from not being generally known by the general public.

Possible Outcomes for Nosal and Beyond

Though the panel did not give a clear indication one way or the other whose side it was likely to advocate in Nosal’s case, recent Ninth Circuit precedent may prove enlightening on the topic.  In the U.S. v. Christensen (9th Cir. 2015) decision, the Ninth Circuit (composed of a panel of different judges than those deciding Nosal’s fate) vehemently upheld the holdings in Nosal I, despite the different facts of each case.  In particular, the Christensen panel relied heavily on the Nosal I rationale that the CFAA only deals with violations of restrictions on access to information, not restrictions on use.  At the very least, Christensen demonstrates that the CFAA has been on the Ninth Circuit’s radar, even though its rationale may not impact the outcome in Nosal II.

Moreover, the panel’s surprise at the government’s assertion that all password sharing should be subject to criminal sanctions indicates an unwillingness to adopt such an argument.  As a previous post hypothesized, the panel’s final ruling will likely put to bed the password sharing issue, and limit it to certain situations (on which ground is still unclear), at least in the Ninth Circuit.  The ruling will hopefully provide helpful guidance on how to formulate acceptable computer policies prohibiting conduct running afoul of the CFAA. That way, employers and businesses can better protect their trade secrets from escaping the confines of their walls.

While employee Lehman was employed by Experian and allegedly subject to various employment covenants, he incorporated Thorium, a competitor.  After Experian laid him off, he operated Thorium.  Experian sued Lehman and Thorium in a Michigan federal court, accusing them of wrongdoing including violations of the federal Computer Fraud and Abuse Act.  Holding that the CFAA is intended to criminalize hacking and that Experian’s allegations of hacking were oblique at best, the court dismissed most of Experian’s claims under that statute.

Status of the case.  Because some of Experian’s common law causes of action and one of its CFAA contentions were not dismissed, discovery is proceeding. Experian Marketing Solutions, Inc. v. Lehman, Case No. 15:cv-476 (W.D. Mich., Sept. 29, 2015).

Background.  Experian is part of a world-wide marketing services conglomerate that collects and analyzes business data.  At the time he was laid off, Lehman was Experian’s executive vice president.  He was based in Grand Rapids, Michigan, and was authorized to access the company’s computer files.  As a condition of his initial hire, and again later in connection with settlement of a claim he brought against the company while still its employee, he executed non-compete, non-solicitation, and confidentiality agreements.  He allegedly violated those agreements and the CFAA by creating and operating Thorium and by downloading Experian’s confidential information (both while he was an Experian employee and after he was laid off) to a hard drive that the company had provided to him.  He also was accused of violations by purportedly instructing three Experian employees, whom Thorium later hired, to provide him with data from Experian’s computers, and by erasing all information on Experian’s hard drive before returning it.

Broad and narrow interpretations of the CFAA.  Federal courts are divided on the meaning of the phrases “[access] without authorization” and “exceeds authorized access” as used in the CFAA with respect to computers.  Four courts of appeal have interpreted the statute broadly, ruling that the purpose for accessing a computer is relevant in determining whether access was authorized.  Two federal appellate courts disagree.

The Sixth Circuit Court of Appeals.  The Sixth Circuit has not ruled definitively as to the meaning of those statutory phrases.  However, that court seemed to signal that it favored the majority position when it wrote, in a 2011 decision (quoting from a 2009 Ninth Circuit opinion), that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has exceed[ed] authorized access.”  Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Amer., 648 F.3d 295, 304.

The ruling in Experian.  Concluding that the Sixth Circuit has not weighed in definitively on the meaning of “authorized” as used in the CFAA, and that the quote from Pulte Homes is mere dicta, the district court found the minority interpretation to be the most satisfying.  Since Lehman was “authorized” to access Experian’s computers when he downloaded its confidential data before he was laid off, the court held that the CFAA was not violated regardless of what he did with the data.  Similarly, the court ruled that the defendants did not violate the statute by obtaining, from three Experian employees who had “authorization” to access its computers, the company’s proprietary secrets after Lehman was terminated.  Although his continued use of an Experian computer after he was terminated clearly was not “authorized,” such use was held to be not actionable under the CFAA because Experian failed to allege that he or Thorium thereby obtained anything of value.

One of Experian’s CFAA claims was not dismissed.  The allegation that Lehman caused “impairment to the integrity or availability of data” by wiping the hard drive clean before returning it was held to state a statutory violation.

Takeaways.  A CFAA claim for unauthorized use of a computer not based on hacking is likely to be dismissed in the Fourth and Ninth circuits.  Four other Courts of Appeal — the First, Fifth, Seventh and Eleventh — disagree, holding that the CFAA also prohibits accessing a computer for an unauthorized purpose even though the user has authority to use the computer.  Individual district court judges in the circuits that have not ruled have reached varying decisions on this issue.  Eventually, either Congress must amend the statute to resolve these inconsistencies or the U.S. Supreme Court may be asked to do so.  In the meantime, litigants and their counsel can only guess how those circuit courts which have yet to decide, and the district courts in those circuits, will rule.

In United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), the court held that the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, prohibits unlawful access to a computer but not unauthorized use of computerized information.  Although that holding represents a minority position, two recent opinions — one in a Ninth Circuit criminal case and one by a California district court in a civil proceeding — indicate that the ruling in Nosal still is the law out west.

Recent Ninth Circuit and California district court CFAA cases. 

Christensen.  The 100+ page opinion in U.S. v. Christensen, Nos. 08-50531, et al. (9th Cir., Aug. 25, 2015), details what the court described as “a widespread criminal enterprise offering illegal private investigation services in Southern California.”  Six individuals were accused and convicted in the District Court for the Central District of California pre-Nosal of computer fraud, bribery, racketeering, wiretapping, identity theft, and more.  On appeal, several convictions were affirmed, and some others were remanded but just for resentencing.  Of particular interest to readers of this blog, however, all three convictions for violating the CFAA were vacated on the ground that Nosal rendered the jury instructions clearly erroneous and prejudicial.  A retrial may be possible.

Loop AI Labs.  In Loop AI Labs Inc. v. Gatti, No. 15-cv-00798 (N.D. Cal., Sept. 2, 2015), the defendants’ motion to dismiss certain counts of the amended complaint was granted in part and denied in part.  The defendant was Loop AI Labs’ former CEO.  Although she had left the company and worked for a competitor, she continued to log in to Loop AI Labs’ computers.  The court ruled that until Loop AI Labs formally revoked her authorization to access the company’s computers, she did not violate the CFAA by logging in, regardless of her motive.

Faulty jury instructions in Christensen.  One of the defendants was a Los Angeles police officer.  He was charged with violating the CFAA, among other statutes, by (a) logging in to confidential state and federal law enforcement databases — which he had the right to access — and (b) in exchange for a bribe, providing to two other defendants information they requested from those databases but to which they were not entitled.  The prosecutor simply assumed, and did not attempt to prove, that the officer thereby committed a CFAA violation.  According to the Ninth Circuit, that assumption was unwarranted after Nosal was decided.

By the same token, at trial the three defendants accused of CFAA violations did not object when the court instructed the jurors — before Nosal — that they should find a CFAA violation if they determined that a computer had been knowingly accessed with the intent to use the information to commit a fraud.  In Christensen, the appellate court held that those jury instructions were plainly erroneous in light of Nosal and clearly were prejudicial.  For these reasons, the CFAA convictions were vacated.

Takeaways.  Approximately one-half of the circuit courts of appeal have ruled on the meaning of the phrase “exceeds authorized access” as used in the CFAA.  In the circuits where there has not yet been a ruling, obviously, there is uncertainty as to which position the court will adopt.

The majority — so-called liberal — view is exemplified by holdings in cases such as International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (CFAA violated by accessing a computer for an unauthorized purpose).  Nosal, and now Christensen, represent the minority (or narrow) position that an individual with authorization to access a computer does not commit a CFAA violation regardless of what the individual does with the information so obtained.

Adding to the confusion, courts are not in agreement over the meaning of Nosal.  For example, in the recent case of U.S. v. Shen, Case No. 4:14-CR-122 (W.D. Mo. Apr. 21, 2015), the facts were somewhat similar to those in Loop AI Labs.  Citing Nosal, the court in Shen stated: “There is some disagreement as to whether an employee who properly accesses a computer and then misuses the information can be convicted” of violating the CFAA.  The Missouri court added: “However, courts are clear that employees who gain access to a computer through their employment lose authorization once they have resigned or been terminated.  Moreover, persons of common intelligence would understand as much.”  Id. at p.4 (citations omitted).  As is apparent, the judge who decided Loop AI Labs does not concur. Further, there are also federal courts in California that have concurred with the Shen reasoning.

Similarly, one cannot be sure that all courts agreeing with the “narrow view” set forth in Nosal also would accept the holding implicit in Christensen that a corrupt police officer does not exceed his “authorized access” to confidential government databases when he logs in solely for the purpose of providing other persons, in exchange for a bribe, information to which they have no right. With all this uncertainty, the one thing that is certain is that the Ninth Circuit continues to embrace a very narrow and restrictive view of CFAA liability, in contrast to most of the other circuits in the nation.

The 2015 edition of The Legal 500 United States recommends Seyfarth Shaw’s Trade Secrets group as one of the best in the country.

Nationally, our Trade Secrets practice retained its position in Tier 2. For the second year in a row, our practice has been named to the shortlist for best trade secrets practice in the U.S., and we are very pleased to report that Seyfarth is one of four firms shortlisted for 2015 Law Firm Award for Trade Secrets Litigation. We expect the award winner to be announced on Wednesday, June 10th.

Based on feedback from corporate counsel, two Seyfarth partners, Michael D. Wexler and Jason P. Stiehl, were recommended in the editorial.

The Legal 500 United States is an independent guide providing comprehensive coverage on legal services and is widely referenced for its definitive judgment of law firm capabilities. The Legal 500 United States Awards 2015 is a new concept in recognizing and rewarding the best in-house and private practice teams and individuals over the past 12 months. The awards are given to the elite legal practitioners, based on comprehensive research into the U.S. legal market.

The parties in a Computer Fraud and Abuse Act case moved for partial summary judgment. Among the issues were whether the plaintiff had incurred the requisite $5,000 in qualifying losses, and whether the complaint was time-barred. The motions were denied, but the court had to do a lot of explaining. Quantlab Technologies Ltd. v. Godlevsky, Case No. 4:09-CV-4039 (S.D.Tex., Apr. 14, 2015) (Ellison, J.).

Status of the case. Judge Ellison ruled that the CFAA damages threshold was met. He held that (a) the value of time spent in an internal investigation could be aggregated with (b) sums paid to two consultants to investigate the intrusions and to assist in the prosecution of resulting litigation. He also decided that the statute of limitations began to run when the plaintiff first learned of the supposed CFAA violations, even though the identity of the perpetrator was unknown. And he ruled that claims against an individual whose alleged wrongdoing was mentioned in the body of the initial CFAA count filed in 2009, but who was not named as a defendant in that count until a third amended complaint was filed in 2014, related back to the 2009 filing.

The alleged violations. Quantlab is a financial research firm that claimed to have valuable trade secrets relating to high frequency stock trading programs. In September 2007, six months after the company terminated its employee Kuharsky, Quantlab discovered that its computer network apparently had been accessed without authorization on four separate occasions between March and August 2007. An internal probe indicated that he was the culprit.

Additional investigation prior to filing the complaint. In 2008, Quantlab retained network security consulting firm Grey Hat to ascertain whether Kuharsky could gain future unauthorized access. No conclusions were reached. Later, Quantlab concluded that he had not accessed the company’s files after all. Rather, it was his friend Andreev, a Quantlab employee, who acted at Kuharsky’s behest and used Kuharsky’s home computer.

The pleadings. Quantlab’s original CFAA count named Kuharsky as a defendant. Quantlab employee Maravina was not named as a defendant, but she was described as a “sleeper mole” who had assisted Kuharsky in stealing trade secrets and confidential information. She was added as a CFAA defendant in the third amended complaint.

Calculating qualifying losses.

  1. Qualifying losses relating to Kuharsky. Quantlab calculated that its internal investigation in 2007 took 10-12 hours and cost the company $2,500-3,000. That sum was not enough, however, to satisfy the $5,000 requirement for bringing a CFAA lawsuit. Gray Hat billed the company $13,400 in 2008 for consulting services, but Kuharsky contended that those services did not include investigation of the supposed computer incursion. The court accepted as true the sworn declaration of Quantlab’s CEO that Gray Hat was hired in response to Kuharsky’s actions. Thus, the requisite qualifying loss total was deemed established.
  2. Qualifying losses relating to Maravina. After the complaint was filed, Quantlab hired consulting firm Pathway Forensics and asserted that payment of its $31,900 bill constituted qualifying losses. Maravina insisted that Pathway’s assignments concerned litigation, not investigating her role in the 2007 events. Quantlab maintained, however, that the lawsuit work was not included in that bill. The court concluded that since Pathway may have contributed to Quantlab’s 2014 decision to add Maravina as a defendant, $5,000 in damages was demonstrated. The court said it was unnecessary to rule on the question of whether all expenses incurred investigating several persons’ intrusions can be used in computing the amount of losses attributable to each person’s involvement.

Statute of limitations.

  1. Kuharsky. Quantlab moved for summary judgment against Kuharsky. He asserted that the two-year statute of limitations began to run in September 2007. Quantlab argued that it had two years from early 2008 when the company first learned that Andreev, not Kuharsky, had accessed the network. The court said that the motion could not be granted because no evidence had been presented regarding the material question of whether Andreev was authorized to access the network from Kuharsky’s home.
  2. Maravina. Seven years elapsed between the intrusions in 2007 and the first time Maravina was named as a CFAA defendant. She asserted a statute of limitations defense. The court reiterated that the original CFAA count called her a “sleeper mole” and said she was “on notice that the lawsuit concerned the same conduct that now underpins the CFAA claim against her.” So, that claim was held to relate back to the 2009 litigation commencement date. Although not mentioned in its recent ruling, an earlier written decision on other motions in the same case stated that she was a named defendant (but not in the CFAA count) in the original complaint, and the court added that she was Kuharsky’s wife.

Takeaways. CFAA litigation can be very complex. For example, judges have not consistently ruled on the two primary issues involved in Quantlab: (a) the meaning of the statutory requirement of a “loss . . . of at least $5,000,” and (b) the date the statute of limitations regarding a CFAA violation begins to run. Moreover, judicial interpretations of the statutory phrases “without authorization” and “exceeding authorized access” as they relate to prohibited contact with a computer network are sharply divided. Some courts hold that those phrases refer only to hacking by an outsider. Other jurists say the statute also is directed at persons who make unauthorized use of their employer’s computer. Both a prospective plaintiff considering filing a CFAA claim, and a defendant who is or may be named, should consult experienced counsel.

As part of our annual tradition, we are pleased to present our discussion of the top 10 developments/headlines in trade secret, computer fraud, and non-compete law for 2014. Please join us for our complimentary webinar on January 27, 2015, at 1:00 p.m. e.s.t., where we will discuss them in greater detail. As with all of our other webinars (including the 10 installments in our 2014 Trade Secrets webinar series), this webinar will be recorded and later uploaded to our Trading Secrets blog to view at your convenience.

Here is our listing of top developments/headlines in trade secret, computer fraud, and non-compete law for 2014, as well as our predictions for 2015, in no particular order:

1) Increased Threat to Trade Secrets by Hackers.   As demonstrated by the suspected North Korean-linked cyber-attacks, hackers represent a significant and growing threat to the intellectual property of U.S. and multinational companies.  ICANN recently reported its own data breach and indicated that the email credentials of some ICANN staff members were compromised. Security company Mandiant published a report finding that the government of the People’s Republic of China (“PRC”) is sponsoring cyber-espionage to attack top U.S. companies.  Moreover, CREATe.org released a whitepaper that highlighted how far-reaching and deeply challenging trade secret theft is for companies operating on a global scale and identified “hacktivists,” some foreign governments, and organized crime (as well as competitors and rogue employees) as major threats to trade secrets.  While much of the attention on foreign threats to trade secrets has focused on the PRC, recent decisions from courts in Shanghai suggest that some courts in the PRC may be adopting an enforcement approach in trade secrets and non-compete cases that is closer to the approach of U.S. courts.  Notwithstanding this potentially significant development in the PRC, hackers, especially those tied to foreign governments, will likely continue to pose a major threat to U.S. and multinational companies in the near future. Please see our recent  webinar on addressing data security breaches.

2) More High-Profile Prosecutions under the Computer Fraud and Abuse Act and Economic Espionage Act.  In response to the growing threat to the trade secrets of U.S. companies, the Obama Administration released a 150-page report that unveiled a government-wide strategy designed to reduce trade secret theft by hackers, employees, and companies.  Consistent with this strategy, in 2014 the U.S. Department of Justice continued to pursue high-profile prosecutions under the CFAA and Economic Espionage Act, particularly against defendants tied to the Chinese government.  As we previously reported, earlier this year the DOJ obtained the first-ever federal jury conviction under the Economic Espionage Act in the U.S. v. Liew case.  Following the jury’s conviction of two individuals and one company in that case, a federal court sentenced defendant Walter Liew to 15 years in prison for theft of trade secrets from chemical giant DuPont and selling them to an overseas company controlled by the government of the PRC.  In another high-profile criminal case, a federal grand jury indicted five high-ranking officials of the PRC’s People’s Liberation Army for computer hacking, economic espionage and other offenses directed at American companies in the nuclear power, metals and solar products industries.   More high-profile prosecutions will likely continue in the next year as the federal government further cracks down on trade secret theft. 

3) Continued Attempt to Create Civil Cause of Action for Trade Secrets Theft in Federal Court.  As we previously reported, the past several years have seen increased attempts to create a civil cause of action for trade secrets misappropriation at the federal level.  2014 was no exception.   Earlier this year, Sens. Christopher Coons (D-Del.) and Orrin Hatch (R-Utah) introduced the Defend Trade Secrets Act of 2014 in the U.S. Senate. The bill amends the Economic Espionage Act to provide a civil cause of action to private litigants for violations of 18 U.S.C. § 1831(a) and 1832(a) of the EEA and for “misappropriation of a trade secret that is related to a product or service used in, or intended for use in, interstate or foreign commerce.” The bill also would allow a plaintiff to obtain a seizure order, though some have questioned whether this remedy may be subject to abuse and have concerns about implementation.   A few months later, a bi-partisan group led by Reps. George Holding (R-N.C.) and Jerrold Nadler (D-N.Y.) introduced a similar bill in the House of Representatives, the Trade Secrets Protection Act of 2014.  The House bill largely tracks the Senate bill but refines the seizure provisions and contains other notable refinements that we discussed here.  The House Judiciary Committee has reported favorably on the bill and recommended its passage.  Although the House did not pass the bill before adjourning, expect to see the same or similar legislation introduced early this year. With the recent high profile hacking incidents, we believe that there is momentum for the passage of a bill this year.

4) Attempt to Harmonize Trade Secrets Protection in EU.  Across the pond, European lawmakers are considering a similar proposal to harmonize trade secrets protection throughout the EU’s 28 member states.  As we discussed here, currently there is no uniform protection of trade secrets across the EU.  Instead, a patchwork of uneven levels of protection and remedies exists among EU Member States.  After a study prepared for the European Commission identified substantial perceived weaknesses in the trade secrets protections afforded by the laws of many Member States, the European Commission announced a proposal for a Directive on trade secrets that, if enacted, will substantially alter the legal landscape in Europe regarding trade secret protection and will enhance cross-border certainty within the EU.  The draft directive is currently being reviewed by the EU Parliament’s Legal Affairs, Internal Market, and Industry Committees and their decisions have not been released yet.  While the European Parliament has not yet voted on the proposal, it is expected that the matter will be scheduled for a first reading in the Parliament during the first half of 2015.

5) Massachusetts Fails to Enact Proposed Non-Compete / Trade Secrets Legislation.  In what has become an annual tradition over the past several years, lawmakers in Massachusetts once again debated, but failed to pass, legislation that would overhaul the Bay State’s existing law on non-competes and trade secrets, which are currently governed by state common law. Along with New York, Massachusetts is one of only two states that have not yet adopted a version of the Uniform Trade Secrets Act (“UTSA”). This past legislative session, the Massachusetts legislature considered a proposed bill that would have adopted the UTSA and that (more controversially) would have virtually eliminated employee non-compete agreements in Massachusetts.  Although the state Senate overwhelmingly approved a compromise bill that, if enacted, would have imposed certain notice requirements and established presumptions of reasonableness for employee non-competes (among other provisions), ultimately the legislature did not pass either the compromise bill or any of the various alternative non-compete or trade secrets bills proposed this year.  But if recent history is any guide, expect to see attempts to overhaul Massachusetts non-compete law once again introduced in 2015.  In fact, after this year’s legislative session ended, outgoing Governor Deval Patrick introduced another compromise bill that legislators may debate when the new legislative session begins in January.

6) Courts Continue to Grapple with UTSA’s Preemptive Impact.  Among the 48 states that have adopted some version of the UTSA, courts continue to grapple with the impact of the UTSA on common law remedies for misappropriation of confidential information (such as claims for unfair competition, conversion, tortious interference, or unjust enrichment).  The UTSA contains a provision stating that the Act “displaces conflicting tort, restitutionary, and other laws of this State providing civil remedies for misappropriation of a trade secret” but “does not affect (1) contractual remedies, whether or not based on misappropriation of a trade secret; (2) other civil remedies that are not based on misappropriation of a trade secret; or (3) criminal remedies, whether or not based on misappropriation of a trade secret.”  As we discussed here, courts in several states have held that the UTSA should be read broadly to preempt all claims related to the misappropriation of information, regardless of whether or not the information falls within the definition of a trade secret.  In contrast, courts in other states have concluded that the UTSA preempts only claims for misappropriation of “trade secrets,” as defined by the UTSA, and leaves available all other remedies for the protection of confidential information that is not a trade secret.  With its recent decision in Orca Communications Unlimited, LLC v. Noder, 337 P.3d 545 (Az. 2014), the Arizona Supreme Court joined this latter group and held as a matter of first impression that the AUTSA does not displace common law remedies for misappropriation of confidential information that does not qualify as a trade secret.  Expect to see states continue to line up on either side of this divide.

7) Continued Significance of Choice of Law and Forum Selection Provisions In Non-Compete Disputes.  Following the U.S. Supreme Court’s decision in Atlantic Marine v. U.S.D.C. for the W.D. of Texas, choice of law and forum selection clauses are increasingly significant in non-compete litigation.  In Atlantic Marine, the Supreme Court held that courts should ordinarily transfer cases pursuant to applicable and enforceable forum selection clauses in all but the most extraordinary circumstances. While Atlantic Marine did not concern restrictive covenant agreements or the employer-employee context, the decision appears to strengthen the enforceability of forum selection clauses generally. For example, in AAMCO Transmissions, Inc. v. Romano, — F. Supp. 2d –, 2014 WL 4105986 (E.D. Pa. Aug. 21, 2014), a federal district court in Pennsylvania enforced a forum-selection clause in a non-compete agreement against both a franchisee who signed the agreement and the franchisee’s wife who, though not a signatory to the agreement, was also deemed to be bound by the forum selection clause because of her close connection to the signatory.  In addition, as we reported here, federal district courts in California are increasingly enforcing forum selection clauses in non-compete agreements of California employees and finding that enforcement of such clauses does not violate California’s strong public policy of employee mobility.  In light of Atlantic Marine, expect companies to make greater use of choice of law and forum selection clauses (and the resulting “race to the courthouse”) in suits to enforce their restrictive covenants.

8) Social Media Continues to Generate Disputes.  Continuing a trend that we discussed last year, social media continues to generate disputes in trade secret, computer fraud, and non-compete law, as well as in privacy law.  Wisconsin, Louisiana, Oklahoma, New Hampshire, and Rhode Island joined several other states in enacting legislation to protect “personal” use of social media by employees.  Expect other states to get on the social media bandwagon in the next year.  The ownership of content stored in LinkedIn and other social media accounts is also a continuing source of disputes.  Like courts in the UK and elsewhere, US courts continue to grapple with whether there can be trade secret protection for such information.  For example, a few months ago, a federal district court in California issued a well-publicized decision in Cellular Accessories For Less, Inc. v. Trinitas LLC, No. CV 12–06736 D, 2014 WL 4627090 (C.D. Cal. Sept. 16, 2014), in which it denied a motion for summary judgment on a trade secrets misappropriation claim against a former employee who retained the contacts in a LinkedIn account that he created while employed by the plaintiff.  That case illustrates that LinkedIn and other social media contacts can be protectable as trade secrets if the methods used to compile the contact information are “sophisticated,” “difficult,” or “particularly time consuming,” though the purported trade secret holder will also have to establish that the contacts were not made public in order to be entitled to trade secret protection.  Although the Cellular Accessories court did not rely on decisions from other jurisdictions, the court’s decision is consistent with a handful of recent decisions in which English courts have suggested that an employee’s competitive use of LinkedIn contacts that the employee developed during his or her employment might, in some circumstances, constitute a breach of the duty of good faith.  (See, e.g., Whitmar Publications Limited v Gamage [2013] EWHC 1881 (Ch.) and Hays Specialist Recruitment (Holdings) v. Ions [2008] EWHC 745 (Ch.).)  As use of social media continues to proliferate, more courts are likely to weigh in on this issue.

9) NLRB Challenges Employer Policies on Employee Use of Social Media and IT Resources.  Speaking of social media, the National Labor Relations Board (“NLRB”) issued significant decisions this year that have left many employers scrambling to revise their policies on employee use of social media and IT resources.  As we reported here, in Triple Play Sports Bar & Grille, 361 NLRB No. 31 (2014), the NLRB ruled that a Facebook discussion regarding an employer’s tax withholding calculations and an employee’s “like” of the discussion constituted concerted activities protected by Section 7 of the National Labor Relations Act (“NLRA”), which protects employees’ rights to engage in concerted activities regarding the terms and conditions of their employment.  The Board also held that the employer’s internet and blogging policy (which provided that “engaging in inappropriate discussions about the company, management, and/or co-workers, the employee may be violating the law and is subject to disciplinary action, up to and including termination of employment”) was overly broad and, therefore, violated the NLRA.  Additionally, as we reported here, the NLRB recently ruled that employees who have access to an employer’s email system as part of their job generally may, during non-working time, use the email system to communicate about wages, hours, working conditions and union issues.  The NLRB’s ruling (Purple Communications, 361 NLRB No. 126 (2014)) poses a major headache for employers who seek to control use of their IT assets.  As the new Republican-led Congress seeks to rein in the NLRB, expect these rulings to be hotly debated in the coming year.

10) Courts, Lawmakers, and Regulators Continue to Scrutinize Non-Competes and Consideration Remains a Hot Button Issue.  Finally, as in past years, many employers are once again reviewing and tweaking their non-competes and onboarding procedures in light of continued scrutiny of non-competes by courts, legislatures, and regulators. On the enforcement side, the Texas Supreme Court found that the enforcement of a forfeiture provision for competitive activity in an employee incentive compensation plan was not contrary to Texas public policy. Courts have, however, continued to issue significant decisions invalidating some non-competes. For example, in Dawson v. Ameritox, Ltd., 571 Fed. App’x. 875 (11th Cir. 2014), the Eleventh Circuit affirmed an Alabama federal court’s ruling that a non-compete executed prior to employment was unenforceable. In Nott Co. v. Eberhardt, Nos. A13–1061, A13–1390, 2014 WL 2441118 (Minn. Ct. App.  June 2, 2014), the Minnesota Court of Appeals held that a non-compete was unenforceable against an employee who signed the non-compete and received benefits purportedly as consideration for the agreement because another employee did not sign a non-compete but nevertheless received the same benefits.  Following an Illinois Court of Appeals’ decision in Fifield v. Premier Dealer Servs., Inc., 993 N.E.2d 938 (Ill. App. Ct. 2013), courts in Illinois are continuing to consider whether less than two years’ employment is adequate consideration to enforce a non-compete against an at-will employee where no other consideration is given for the non-compete.  In Charles T. Creech, Inc. v. Brown, 433 S.W.3d 345 (Ky. 2014), the Kentucky Supreme Court held that a non-compete with an existing employee was not supported by consideration where the employee was offered no payment, no change in employment terms, and was not threatened with termination if he failed to execute the agreement.  Courts in Pennsylvania and Wisconsin are also grappling with what constitutes sufficient consideration for the enforcement of non-competes. We also expect that government agencies and employees will continue to mount challenges to the use and enforcement of some non-compete and other restrictive covenants (including “no poaching” provisions) with certain employees and industries this year. In light of these decisions and other continuing developments in non-compete law, employers should periodically review their existing agreements and on-boarding procedures to maximize the likelihood that their agreements will be upheld.

We thank everyone who followed us this year and we really appreciate all of your support. We will continue to provide up-to-the-minute information on the latest legal trends and cases in the U.S. and across the world, as well as important thought leadership and resource links and materials.