Tag Archives: cfaa

Computer Fraud and Abuse Act claim dismissed where plaintiff failed to adequately plead loss or damage

Cost of investigating scope of information loss was not a “damage assessment” as contemplated by the CFAA.

BrokenlaptopPlaintiff sued defendant (a former employee) under the Computer Fraud and Abuse Act (“CFAA”) alleging that defendant intentionally and without authorization accessed plaintiff’s computers, intranet, and email system and sent plaintiff’s confidential customer information to his personal email account. Defendant allegedly used this information when he went to work for a competitor. Plaintiff also alleged that defendant attempted to conceal his actions by deleting the outgoing messages from the work email account.

Defendant moved to dismiss for failure to state a claim. The court granted the motion as to the CFAA claim.

The court found that plaintiff did not (and could not) claim defendant’s conduct caused “damage” within the meaning of the CFAA, because plaintiff did not allege any data were lost or impaired.

On the question of “loss” under the CFAA, the court found that plaintiff failed to allege any facts connecting its purported loss to an interruption of service, loss of data, or even a suspected loss of service or data. Although plaintiff attributed certain losses to “damage assessment and mitigation,” the court found it clear from the complaint that plaintiff’s “damage assessment” efforts were aimed at determining the scope of information defendant emailed to himself and disclosed to his new employer. Plaintiff did not allege it ever lost access to any of the information contained in defendant’s emails, notwithstanding defendant’s attempt to conceal his conduct by deleting the emails.

The court observed:

To be sure, assessing the extent of information illegally copied by an employee is a prudent business decision. But the cost of such an investigation is not “reasonably incurred in responding to an alleged CFAA offense,” because the disclosure of trade secrets, unlike destruction of data, is not a CFAA offense.

Accordingly, in this situation, the costs of investigating defendant’s conduct were not “losses” compensable under the CFAA.

SBS Worldwide, Inc. v. Potts, 2014 WL 499001 (N.D.Ill. February 7, 2014)

Using new employer’s credentials to copy former employer’s technology did not violate Computer Fraud and Abuse Act

This case arose from some rather complex but interesting facts:

8e19fbd8a556c7b63610c1cfd7782f10Defendant resigned from his job with an IT consulting firm. One of the firm’s customers hired defendant as an employee. Before the customer/new employer terminated the agreement with the IT consulting firm/former employer, defendant used the customer/new employer’s credentials to access and copy some scripts from the system. (Having the new employee and the scripts eliminated the need to have the consulting firm retained.) The firm/former employer sued under the Computer Fraud and Abuse Act. Defendants (the customer and its new employee) moved to dismiss for failure to state a claim. The court granted the motion.

It held that the complaint failed to allege “unauthorized access” within the Ninth Circuit’s interpretation of the CFAA.

The court looked to the Ninth Circuit’s holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which provides that to access a protected computer “without authorization” is to do so “without any permission at all,” and that to “exceed authorized access” is to “access information on the computer that the person is not entitled to access.” And it looked to the more recent case of U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012), which teaches that an individual does not “exceed authorized access” simply by misusing information that he or she was entitled to view for some other purpose. Under Nosal, the CFAA regulates access to data, not its use by those entitled to access it.

In this case, the court found that the complaint did not allege that defendants were unauthorized to access the scripts in question. In fact, the Statement of Work that the court reviewed specifically granted defendant’s employer and its representatives (including defendant) “sudo access” to “non-shell root commands” that included the scripts at issue.

Plaintiff argued that the access was unauthorized because it had repeatedly refused to grant defendant or his employer the authority to write or edit those scripts. But the court found that argument to address the misuse of the scripts, not unauthorized access. Under Nosal this conduct did not run afoul of the CFAA. So because the complaint failed to allege that defendant and his new employer had no access rights to the scripts, and because the documents upon which plaintiff relied revealed that defendants had certain access rights, the court dismissed the CFAA claim.

Enki Corporation v. Freedman, 2014 WL 261798 (N.D.Cal. January 23, 2014)

Hunter Moore arrest reveals a certain schizophrenia about the Computer Fraud and Abuse Act

The feds arrested Hunter Moore and an alleged co-conspirator on Thursday for hacking into email accounts to get nude photos Moore published on isanyoneup.com. At the heart of the prosecution is the Computer Fraud and Abuse Act, the federal statute that makes it a crime (and in some circumstances, gives rise to civil liability) for accessing a computer without authorization.

Few will come to these guys’ defense in this situation. Moore’s conduct in publishing and promoting isanyoneup.com was reprobate, and if the allegations in this criminal action prove true, that backend nefariousness will simply multiply the reasons why Moore was known as the most hated man on the internet. And because of this disdain for Moore’s conduct, most of us are happy to see the CFAA used aggressively against him.

But that’s the same statute many blame for crushing Aaron Swartz. To the extent a reasonable person may feel ill-will against Hunter Moore, he or she may feel sympathy, indeed compassion, for Aaron Swartz having had the CFAA book thrown at him. Against Moore there’s a sense of justice, against Swartz, a palpable injustice.

Isn’t it a bit mysterious how the same conduct — granted, for way different purposes and under different circumstances — can elicit such contrasting emotions?

No Computer Fraud and Abuse Act violation for taking over former employee’s LinkedIn account

Eagle v. Morgan, 2012 WL 4739436 (E.D.Pa. October 4, 2012)

After plaintiff was fired as an executive, her former employer (using the password known by another employee) took over plaintiff’s LinkedIn account. It kept all of plaintiff’s contacts and recommendations but switched out plaintiff’s name and photo with those of the new CEO.

LinkedIn identity writ large

Plaintiff sued in federal court under the Computer Fraud and Abuse Act, the Lanham Act, and a slew of state law claims including identity theft, conversion and tortious interference. The former employer moved for summary judgment on the CFAA and Lanham Act claims. The court granted the motion, but continued to exercise supplemental jurisdiction over the state law claims.

On the CFAA claim, the court found that plaintiff failed to show how the taking over over her account gave rise to a cognizable loss under the CFAA. The kinds of losses she tried to prove, e.g., lost future business opportunities and professional reputation, did not pertain to any impairment or damage to a computer or computer system. Moreover, the court found, plaintiff failed to specify or quantify the damages she alleged.

As for the Lanham Act claim, the court found that there was no likelihood of confusion. It noted that “anyone who navigated to [plaintiff’s] LinkedIn account would be met with [the new CEO’s] name, photograph and new position.” Accordingly, there was no effort to “pass off” the new CEO as plaintiff or to otherwise suggest an endorsement or affiliation.

Though it dismissed all the federal claims, the court kept the pending state law claims. The matter had been before the court for over a year, the judge was familiar with the facts and the parties, and dismissing it so soon before trial would not have been fair.

Other coverage by Venkat.

Photo credit: Flickr user smi23le under this Creative Commons license.

Alleged voyeur boss cannot pursue Computer Fraud and Abuse Act claim

Bashaw v. Johnson, 2012 WL 1623483 (D.Kan. May 9, 2012)

Some employees filed suit after they learned that their boss — who required them to wear skirts to work — allegedly installed the Cam-u-flage video surveillance app on his iPhone and iPad to surreptitiously capture upskirt shots of plaintiffs at work.

The boss filed a counterclaim under the Computer Fraud and Abuse Act (CFAA), claiming that plaintiffs deleted data from his iDevices without authorization. Plaintiffs moved to dismiss this counterclaim. The court granted the motion.

The court held that the boss failed to allege the nature of his alleged damages within the meaning of the CFAA, and that he failed to sufficiently allege a qualified loss as defined by the statute.

As for damage, the court found that the mere allegation that data had been erased, without identifying which data, did not meet the plausibility requirement to survive a motion to dismiss. (Hmm. I wonder what data the plaintiff-employees would have wanted to delete?)

On the question of loss, the employer alleged that such calculation “would exceed” the CFAA threshold of $5,000. But he did not allege that he actually incurred losses in that amount. He did not mention any investigative or response costs, nor did he allege any lost revenues or other losses due to an interruption in service.

Photo credit: Magic Madzik

ISP’s alleged throttling of BitTorrent and Skype violates Computer Fraud and Abuse Act

Fink v. Time Warner Cable, 2011 WL 3962607 (S.D.N.Y. September 7, 2011)

Plaintiffs sued Time Warner (the provider of Road Runner High Speed Online internet access), alleging, among other things, that Time Warner’s alleged “throttling” of plaintiffs’ internet communications violated the Computer Fraud and Abuse Act, 18 USC 1030 (“CFAA”). Specifically, plaintiffs alleged that without their authorization, Time Warner sent forged reset packets which frustrated plaintiffs’ peer-to-peer communications (e.g., BitTorrent and other P2P mechanisms) as well as their use of Skype.

Time Warner moved to dismiss the CFAA claims. The court granted the motion as to claims that required plaintiffs to  plead “loss” as defined by the statute. As for those claims that required only allegations of “access” and “damage,” the court denied the motion to dismiss and let the case move forward.

Plaintiffs brought three claims under the CFAA, one under each of subparts (A), (B) and (C) of 18 USC 1030(a)(5). This part of the statute provides liability for anyone who:

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

No CFAA loss

The CFAA defines “loss” as “any reasonable cost to any victim, including the
cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

In this case, plaintiffs alleged that the loss they suffered arose from their payments for high-speed internet services allegedly not received, costs to prevent Time Warner’s throttling practice and the costs of obtaining information elsewhere when they were unable to use their computers for file transfers and VoIP communications. Plaintiffs also pled losses relating to time and effort in assessing “damage” to each computer for which transmissions were interrupted. 

The court found these alleged losses to be outside the scope of those contemplated by the CFAA. Plaintiffs did not allege that they needed to restore data,a program, a system, or information to its condition prior to Time Warner’s conduct. The court held that Plaintiffs had failed to adequately plead this element of a CFAA claim. So it dismissed the claim plaintiffs had brought under 18 USC 1030(a)(5)(C).

“Damage” and “access” adequately pled

Plaintiffs’ failure to adequately plead loss was not the end of the case. Since subparts (A) and (B) of  18 USC 1030(a)(5) do not require one to plead “loss,” but do require pleading “damage” and “access,” the court turned its attention to see if those elements were adequately pled. It found that they were.

The CFAA defines “damage” as “any impairment to the integrity or availability of data, a system, or information.” Plaintiffs alleged that Time Warner impaired their ability to obtain data and utilize their computer systems by knowingly transmitting “reset packets to [their] computers with the intention of impeding or preventing [their] peer-to-peer transmissions” and that damage was caused because the reset packets “compromis[ed] the internal software of [their]computers and impair[ed] their ability to receive and transmit data.” The plaintiffs also alleged that the throttling process prevented data exchange and inhibited certain use of their computers. In addition, plaintiffs identified the specific types of information that had its availability “impeded” and identified a particular program, Skype, that was rendered unusable by the alleged throttling. 

As for “access,” the court looked to the plain meaning, dictionary definition of the word for guidance (since the term is not defined in the CFAA). Plaintiffs had alleged that Time Warner accessed their computers in violation of the statute by knowingly transmitting reset packets to plaintiff’s computers and otherwise accessed their computers to impede data receipt and transmission.” Giving the term “access” a broad meaning, the court found these allegations to satisfy the CFAA requirement.

Lost sales were not “loss” under the Computer Fraud and Abuse Act

CustomGuide v. CareerBuilder, LLC, 2011 WL 3809768 (N.D.Ill. August 24, 2011)

Plaintiff and defendant had discussed a licensing arrangement whereby defendant would provide certain of plaintiff’s materials online. The parties never entered into that agreement. But plaintiff claimed that defendant went ahead and accessed the materials stored on plaintiff’s computer system, and thereby caused plaintiff to miss out on certain sales in the business to business marketplace for the materials.

So plaintiff sued, alleging a variety of claims, including a claim under the Computer Fraud and Abuse Act. Defendant moved to dismiss. The court granted the motion.

The CFAA defines a “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11).

The court looked to the case of Cassetica Software v. Computer Sciences Corp., 2009 WL 1703015, (N.D.Ill. June 18, 2009) which explained that “[w]ith respect to ‘loss’ under the CFAA, other courts have uniformly found that economic costs unrelated to computer systems do not fall within the statutory definition of the term.” Rather, the purported loss “must relate to the investigation or repair of a computer system following a violation that caused impairment or unavailability of data.” For these reasons, the court in Cassetica Software held that lost revenues that were not related to the impairment of a computer system were not recoverable under the CFAA.

In this case, the court found that plaintiff did not allege any facts connecting its purported “loss” to an interruption of service of its computer systems. Instead, the complaint described an economic loss of revenues related plaintiff’s making business to business sales. Because such economic losses do not fall within the definition of “loss” under the CFAA, the court tossed the CFAA claim.

Computer Fraud and Abuse Act case against hard drive destroying director goes forward

Deloitte & Touche LLP v. Carlson, 2011 WL 2923865 (N.D. Ill. July 18, 2011)

Defendant had risen to the level of Director of a large consulting and professional services firm. (There is some irony here – this case involves the destruction of electronic data, and defendant had been in charge of the firm’s security and privacy practice.)

After defendant left the firm to join a competitor, he returned his work-issued laptop with the old hard drive having been replaced by a new blank one. Defendant had destroyed the old hard drive because it had personal data on it such as tax returns and account information.

The firm sued, putting forth a number of claims, including violation of the Computer Fraud and Abuse Act (CFAA). Defendant moved to dismiss for failure to state a claim upon which relief can be granted. The court denied the motion.

Defendant argued that the CFAA claim should fail because plaintiff had not adequately pled that the destruction of the hard drive was done “without authorization.” The court rejected this argument.

The court looked to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) for guidance on the question of whether defendant’s alleged conduct was “without authorization.” Int’l Airport Centers held that an employee acts without authorization as contemplated under the CFAA if he or she breaches a duty of loyalty to the employer prior to the alleged data destruction.

In this case, plaintiff alleged that defendant began soliciting another employee to leave before defendant left, and that defendant allegedly destroyed the data to cover his tracks. On these facts, the court found the “without authorization” element to be adequately pled.

CFAA violation where employee’s access to work computer violated fiduciary duty to employer

Plaintiff former employer sued defendant former employee for violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030, alleging that defendant, while still in the employ of plaintiff, accessed confidential business information and destroyed other important data. Defendant moved to dismiss the CFAA claim. The court denied the motion.

Defendant had argued that the complaint failed to establish that access to the work computer was had without authorization. He assserted that plaintiff did not allege that at any time while defendant was employed by plaintiff his access to his work-issued computer was restricted, or that plaintiff ever told him that he was no longer permitted to access the computer.

But the plaintiff had alleged that defendant’s access violated the fiduciary duty defendant owed. The court held that under Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418, 420–21 (7th Cir.2006), allegations of a breach of duty are enough to properly allege that defendant lost his authorization to access his company computer.

Compare this holding (and Citrin) with the Ninth Circuit’s holding in LVRC Holdings v. Brekka.

Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla., May 6, 2011)

Former employee sued the company she used to work for alleging pregnancy discrimination. The company countersued under the Computer Fraud and Abuse Act (“CFAA”) alleging that the former employee violated the CFAA by using her work computer to access Facebook and check her personal email. She moved to dismiss the counterclaim, and the court granted the motion. The court found that the company failed to allege that its computer system was damaged by plaintiff’s internet usage, and plaintiff was alleged only to have accessed her own information, not that of the employer.