Digital Media Lawyer Blog

The Computer Fraud and Abuse Act ("CFAA", 18 U.S.C. § 1030) has long caused knotty interpretive problems for the courts. This blog has frequently reported on a growing split between the federal courts over whether an employee who was authorized to use a company computer can be sued under CFAA if he accesses the computer to serve interests adverse to the company. The First and Seventh Circuits say "yes," while the Ninth Circuit and numerous district courts say "no." For more on this split see our post of November 16, 2009.

However, there is a second long-term federal court split regarding CFAA - whether CFAA permits suits for purely economic losses that are not accompanied by an interruption in service to the company computer system.

In Section 1030(g), CFAA provides that "[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief." 18 U.S.C. 1030(g). CFAA defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information." Id. at § 1030(e)(8). CFAA defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. at § 1030(e)(11).

Courts finding that economic losses not accompanied by an interruption in service are not actionable look at Section 1030(g) as specifying the types of harms for which CFAA provides a civil remedy - namely, "damage" and "loss" as those terms are defined in CFAA. CFAA's definition of damage doesn't mention economic losses and its definition of "loss" only includes "any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." See American Family Mutual Ins. Co. v. Rickman, 544 F.Supp.2d 766 (N.D. Ohio 2008); ES&H, Inc. v. Allied Safety Consultants, Inc., 2009 WL 2996340 (E.D. Tenn. 2009). See Fn 1.

Court finding that such losses are actionable have provided a variety of justifications for this position. The best argument I have seen is from a Louisiana District Court judge in Frees, Inc. v. MaMillian, W.D. La., No. 5:05-cv-01979 (Aug. 6, 2007). The judge reasoned that Section 1030(g) only provides a jurisdictional threshold that a civil litigant must jump over to obtain compensatory damages - it must have incurred "damage" or "loss" as defined by CFAA. But once it has leaped this hurdle, a litigant may recover any type of compensatory damages, including for economic losses. See Fn 2.

Continue reading "Remedpar v. Allparts: The Other CFAA Circuit Split - Is a Loss in Revenues that Is Not Accompanied by an Interruption in Service Actionable under CFAA?" »

The Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030) is a broadly written statute permits private citizens to recover damages for a wide variety of computer-related injuries. I use the amorphous term "computer-related," because CFAA permits recoveries for wrongful acts committed against computers, or for wrongful acts committed using computers. In some cases, CFAA may permit recovery for acts that have not been recognized under state law -- such as the unauthorized accessing or obtaining information from a computer. Use of CFAA can also permit a plaintiff to bring her suit in federal court, a favorable litigation strategy under many circumstances.

The CFAA was originally written as a criminal statute, and only secondarily extended to permit private claims. And, it imposes a series of hurdles -- in my view, small hurdles -- that must be crossed on civil claims. A recent dismissal of a CFAA class action suit provides an excellent guide to these minimum requirements. See Czech v. Wall Street on Demand, D. Minn., No. 0:09-cv-00180.

The defendant, Wall Street on Demand (WSOD) is a provider of financial information services sent via electronic text messaging to cell phones. The plaintiff, Czech, began receiving text messages from WSOD after she purchased a new cell phone. Czech claimed that she incurred fees and costs related to her receipt of these messages from her cell phone carrier. While Czech was able to get WSOD to stop sending these messages to her, she ultimately filed a class action lawsuit against WSOD claiming that by sending unwanted messages, it had violated CFAA. Her argument was that by sending unwanted messages, WSOD was using up some of the broadband "minutes" that she had purchased from her cell phone carrier.

To recover under CFAA, a plaintiff must meet three requirements:

• First, she must show that the defendant violated one of the prohibitions of CFAA,
• Second, she must show that she incurred "damage or loss" as a result of this violation, and
• Third, she must show that the defendant caused one of five specific types of harm enumerated in the Act.

The CFAA violation prong:

CFAA applies to all computers that are involved in interstate communication. This includes computers that are connected to the Internet, which means that the Act covers virtually all computers in use today. The Court in the Czech case held that the term "protected computer" would also apply to a cell phone. The most useful CFAA provisions prohibit:

• obtaining information via intentional unauthorized access to a computer,
• committing fraud via unauthorized access to a computer,
• knowingly or intentionally transmitting a program, information, a code or command to a computer that causes damage,
• intentionally accessing a computer without authorization and causing damage,
• trafficking in passwords or other information that can be used to access a computer,
• extorting money by threatening to cause damage to or obtain information from a computer.

See 18 U.S.C. § 1030(a).

Continue reading "What are the Threshold Requirements for a CFAA Civil Suit?" »

We have been watching closely the development of a Circuit split over whether Computer Fraud and Abuse Act (CFAA) - 18 U.S.C. § 1030 -- claims can be brought against persons who have been given authority to access a computer, but then exceed the scope of this authority. The 7th Circuit holds that an employee has accessed his employer's computer "without authorization" and can be sued under CFAA, if he uses legitimately-acquired access rights to advance an interest that is adverse to his employer. A recent ruling by a District Court in the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, confirms that courts in the 8th Circuit are lining up behind this minority viewpoint.

The Lasco Foods case involves a common litigation scenario in which an executive has left a company to start a competing business. The defendants, Shaw and Hall, were long-time Lasco sales executives. Both were allegedly provided Lasco-owned laptops for use in company business. According to the complaint, in 2008, Shaw and Hall decided to start a competing business. Both before and after Lasco became aware of this new business, but which they were still Lasco employees, the defendants allegedly "accessed, printed, copied and/or downloaded" a substantial amount of data from their laptops, as well as Lasco's network. Among this data allegedly was customer contact information stored in Shaw's Outlook "Contacts" file. Shaw allegedly deleted the Contacts file from his laptop before returning it to Lasco -- thus depriving the company of customer information that it had paid to develop. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).

Several state law remedies address what we will call the "absconding executive" situation, including interference with business relations, conversion, and trespass to chattels causes of action. However, companies have often attempted to sue absconding executives under CFAA, as well.

CFAA Section (a)(5) contains three provisions that permit suits against persons who knowingly access a "protected computer" and intentionally or recklessly cause damage. (A protected computer includes any computer which is used in interstate or foreign communication. 18 U.S.C. § 1030(e)(2). In today's internet age, it includes just about every computer in the country.) However, each of these three provisions require that the defendant have accessed the computer "without authorization." Therein lies the rub. As discussed in our September 24 and October 1 posts, the federal courts are divided on when an employee's access to a computer is "without authorization." The majority position, which was recently adopted by the 9th Circuit, is that "without authorization" only refers to persons who do not have permission to access the company's computer in the first place. LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). Under this interpretation, Shaw and Hall could not be sued under CFAA, because they had originally received permission from Lasco to access its computers.

Continue reading "Update on CFAA Circuit Split: District Courts in 8th Circuit Adopt Minority View, Permitting Claims Where Defendant Exceeds His Authority to Access Computer" »

We recently wrote about a common scenario in which an employee abuses his authority to access his company's computer files by obtaining secret information for use in his outside employment. The Computer Fraud and Abuse Act (CFAA) provides criminal penalties and gives victims the right to sue for damages when a person intentionally accesses a computer "without authorization" or "exceeds authorized access" and obtains information, perpetrates a fraud or causes damage. 18 U.S.C. § 1030(a)(2), (4), (5). However, courts have long been split over whether such a disgruntled/disloyal employee can be considered to have accessed the computer "without authorization."

Our September 24, 2009 post explained that the majority position is that "without authorization" only refers to persons who do not have permission to access the company's computer in the first place. However, a minority of courts, led by the 7th Circuit, have held that an employee can also be found to have accessed a computer "without authorization," if he uses his access rights to obtain information to advance a personal interest that is adverse to his employer. International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

In a case decided in just the past 2 weeks, the 9th Circuit has now come down firmly on the side of the majority position. See LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). The 9th Circuit's opinion is largely based on the reasoning and case law discussed in our September 24 post.

The plaintiff in the case, LVRC, operates Fountain Ridge, an addiction treatment center in Nevada. In April 2003, LVRC hired Christopher Brekka to oversee the facility. At the time he was hired, Brekka also owned two consulting businesses, located in Florida and Nevada, that provided potential patients with referrals to addiction treatment centers and vise versa. While Brekka worked for LVRC, he shuttled between Florida where he lived, and Nevada where LVRC was located. While commuting, he emailed documents from LVRC back to his home computer.

In June 2003, Brekka obtained an administrative log-in for LVRC's website. Using this password, Brekka gained access to information about LVRC's website, which he used in managing LVRC's internet marketing -- one of his areas of responsibility. In August 2003, Brekka began to talk with LVRC about acquiring an ownership interest in the company. During this time, Brekka emailed a number of LVRC financial, admissions and marketing documents to his home computer. However, in September 2003, the negotiations broke down, and Brekka ceased working for LVRC.

Sometime after Brekka left their employment, LVRC discovered that he had emailed its financial, admissions and marketing documents to his home computer. LVRC then filed suit, claiming that these actions were without authorization and hence violated the CFAA.

The District Court and the 9th Circuit disagreed.

Continue reading "LVRC v. Brekka: 9th Circuit Decision Creates Circuit Split on Whether CFAA Applies to an Employee Who Misuses His Authority to Access His Employer's Computer Files" »

A recent decision by a judge in the District of Eastern Tennessee reflects the continued judicial unease over an employer's use of the CFAA -- a criminal statute -- to sue an employee who has abused his authority to access the company's computer files by obtaining secret information for use in subsequent employment. See ES&H, Inc. v. Allied Safety Consultants, Inc., E.D.Tenn, No. 3:08-cv-323 (Sept. 16, 2009).

The Computer Fraud and Abuse Act (CFAA) provides criminal penalties and gives victims the right to sue for damages when a person intentionally accesses a computer "without authorization" or "exceeds authorized access" and obtains information, perpetrates a fraud or causes damage. 18 U.S.C. § 1030(a)(2), (4), (5). However, courts have long been split over when a person can be considered to have accessed a computer "without authorization."

In an oft-repeated scenario, an employee, who was granted access to his employer's data as part of job, learns that he is about to be fired or decides to leave on his own. He then quickly downloads information that might be useful to his next employer immediately before formal termination.

Some courts considering this scenario have held that "without authorization" only reaches outsiders who do not have permission to access the company's computer in the first place. Other courts looking at this fact pattern apply agency law principles and hold that an employee who uses his access rights to obtain information to advance an interest adverse to his employer has accessed a computer "without authorization."

In Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962 (D. Ariz. 2008), the defendant, Jeff Gast, began working for Shamrock in 2000. In December 2007, he was promoted to Regional Sales Manager. About that time, he also began employment talks with a Shamrock competitor, Sysco Food Services. On January 4 and 7, 2008, Gast emailed numerous documents containing confidential Shamrock material to his personal account. A few days later, he resigned his position at Shamrock and joined Sysco. Shamrock sued, claiming that Gast had violated CFAA, specifically, 18 U.S.C. § 1030(a)(2), (4) and (5).

The Arizona District Court held that the text and legislative history of CFAA supported the narrower view of "authorization." The strongest argument cited by the court was that the House Committee reports discussing CFAA stated that "Section 1030 deals with an 'unauthorized access' concept of computer fraud, rather than mere use of a computer. Thus, the conduct prohibited is analogous to that of 'breaking and entering' rather than [merely] using a computer . . . in committing the offense." H.R. Rep. No. 98-894 at 20 (1984), as reprinted in 1984 U.S.C.C.A.N. 3689, 3706. The Committee report also repeatedly referred to "hackers" who "trespass into" computers and the inability of "password codes" to protect against this threat." H.R. Rep. No. 98-894 at 10-11. U.S.C.C.A.N. at 3695-97. Based on this narrower interpretation of "authorization," the court dismissed the CFAA claims against the former employee.

While a majority of federal courts have adopted the narrow position, a number of federal courts have taken the more expansive view of the term "authorization." For lists of courts adopting each view, see Shamrock, 535 F.Supp.2d at 964-65, and ES&H, Inc. v. Allied Safety Consultants, Inc., E.D. Tenn. (Sept. 16, 2009).

Continue reading "ES&H v. Allied Safety: Court Sidesteps Split in Authority over Whether CFAA Applies to an Employee Who Misuses His Authority to Access His Employer's Computer Files" »

Internet privacy law: Lawyers frequently vent their frustration over the widely variant interpretations given to the outdated Electronic Communications Privacy ACT (ECPA) by courts around the country. A recent decision by a court in the Eastern District of Illinois reveals the problems caused by these differences, and also illustrates how thoughtful forum selection and "kitchen sink" pleading can prevent a plaintiff from being deprived of a remedy.

The facts of the case:

The case is Steinbach v. Village of Forest Park, Northern District of Illinois, Case No. 06C4215. The plaintiff, Theresa Steinbach was elected Commissioner of the Village of Forest Park in 2003. Upon her election, the Village provided Ms. Steinbach with a personal email account that was hosted by Hostway Corporation, a third party webmail service. Ms. Steinbach had a Village IT tech configure this email account so that it would forward all email traffic to her personal email account, which was not associated with the Village.

In 2006, Ms. Steinbach ran for mayor against co-defendant Anthony Calderone, but lost. Around this time, she discovered that she was not receiving all of her email in her private account. An investigation revealed that eleven emails she had sent from her personal email account had been forwarded to Calderone.

Ms. Steinbach sued Forest Park under four different legal authorities: (i) ECPA Part I (a/k/a, the Wiretap Act, 18 U.S.C. § 2510 et seq.); (ii) ECPA II (a/k/a, the Stored Communications Act, 18 U.S.C. § 2701 et seq.); (iii) The state common law claim, "intrusion of seclusion," and (iv) CFAA (18 U.S.C. § 1030).

The Court's inconsistent rulings on ECPA Parts I and II are based on a troublesome 7th Circuit position

Parts I and II of the ECPA were enacted as part of the same legislative process and use many of the same terms. For example, ECPA Part I contains a lengthy definition section, which Part II does not bother to repeat. Instead, the definition section for Part II, 18 U.S.C. § 2711, merely provides that the terms used in Part II have the same meanings given in the definition section for Part I, 18 U.S.C. § 2510. Similarly, both sections permit private causes of action for violations of their provisions "from the person or entity which engaged in that violation." See §§ 2520(a); 2707(a).

In apparent disregard of this parallelism, the Court found that the plaintiff did not have a right to bring a cause of action against the Village under ECPA Part I, but permitted her to maintain her cause of action against the Village under ECPA Part II. The Court never explained these inconsistent rulings. Its decision to reject the ECPA Part I claim was based on the fact that this ruling was required by controlling 7th Circuit precedent -- which itself seems to rest on very shaky ground.

Continue reading "Steinbach v. Forest Park: Navigating the Federal Court Splits on the Interpretation of the Electronic Communications Privacy Act (ECPA) to a Remedy" »

In the financial world, the fraud du jour is the Ponzi scheme. On the internet, the fraud du jour is click fraud. Click fraud defrauds advertisers who pay ad fees on a per "click" basis to internet service providers such as Google or MSN. In theory, each "click" is supposed to represent an interested consumer who has "clicked" on an ad, taking him to more detailed content. In click fraud, the perpetrator simply clicks away at ads without any interest in the content, thus creating higher bills for the advertiser with no marketing result. The perpetrators tend to be competitors of the advertiser, who use click fraud to deplete their competitor's ad budget and increase legitimate customer attention to their own sites, or ad subcontractors, who increase their ad revenues by generating fraudulent clicks.

After increasing hue and cry over click fraud, on June 15, 2009, Microsoft filed suit against the Lam family of Vancouver, British Columbia and Guangzhou, China (Microsoft, Corp. v. Lam, U.S. District Court, District of Washington, Case No. 09-0815). The suit alleges that the Lams were committing the competitor form of click fraud -- using computer-generated clicks on competitors' web ads for insurance and World of Warcraft gold, in order to drain their competitors' ad budgets and to advance the placement of their own ads. According to the suit, Microsoft suffered at least $750,000 in damages from lost ad revenue and from investigating and addressing the defendant's fraudulent activities.

Microsoft raised numerous common law claims, including breach of contract, interference with business relations and fraud. In addition, Microsoft also brought claims under the State of Washington's consumer protection act -- and the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030).

Continue reading "Microsoft Corp. v. Lam: The Role of CFAA in the Legal Battle Against Click Fraud" »