Tag Archives: cfaa

Facebook hacking that causes emotional distress – does the CFAA provide recovery?

A recent federal case from Virginia provides information on the types of “losses” that are actionable under the federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”).

Unauthorized Access Under the Computer Fraud and Abuse Act

Underlying facts

Plaintiff worked as a campaign manager, communications director and private sector employee of a Virginia state legislator. While plaintiff was in the hospital, defendant allegedly, without authorization, accessed plaintiff’s Facebook, Gmail and Google Docs accounts, and tried to access her Wells Fargo online account.

Plaintiff’s lawsuit

Plaintiff sued, alleging a number of claims, among them a claim for violation of the CFAA. Defendant moved to dismiss. Although the court denied the motion to dismiss on other grounds, it held that plaintiff’s alleged emotional distress was not the type of “loss” that is actionable under the CFAA.

Loss under the CFAA

One can bring a civil action under the CFAA if the defendant’s alleged conduct involves certain factors. One of those factors, set out at 18 U.S.C. § 1030(c)(4)(A)(i)(II), provides recovery if there is “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals”.

Plaintiff alleged that defendant’s unauthorized access and attempted access to her accounts caused her to sustain a “loss” under this definition because it caused her to suffer emotional distress for which she needed to seek counseling.

The court disagreed with plaintiff’s assertions. Essentially, the court held, the modification of or impairment of a plaintiff’s treatment must be based on impairment due to the ability to access or used deleted or corrupted medical records. As an example – this was not in the court’s opinion but is provided by the author of this post – one might be able to state a claim if, for example, medical records were modified by a hacker to change prescription information. Further, the court held, to recover under the relevant provision of the CFAA, a defendant’s violation must modify or impair an individual’s medical treatment as it already exists, not merely cause the plaintiff mental pain and suffering that requires additional care.

Hains v. Adams, 2019 WL 5929259 (E.D. Virginia, November 12, 2019)

Can a person bring a Computer Fraud and Abuse Act claim over unauthorized access to someone else’s computer?

Federal agents served a search warrant on plaintiff’s doctor’s office and thereby obtained access to plaintiff’s medical records, which were shared with a number of other parties involved in the criminal investigation of plaintiff’s doctor. Plaintiff sued under the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss that claim. The court granted the motion. The CFAA prohibits unauthorized access to a “protected computer”. In dismissing the case, the court found, among other things, that there were no specific allegations that defendants accessed plaintiff’s computer.

Micks-Harm v. Nichols, No. 18-12634, 2019 WL 4781342 (E.D. Michigan, September 30, 2019)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Case shows the surprising narrowness of a key hacking statute definition

Plaintiff sued defendant for violation of the Computer Fraud and Abuse Act (“CFAA”). For almost 20 years, defendant had worked for a company that developed plaintiff’s proprietary software system. In this capacity, defendant had access to plaintiff’s customer database, accounting system and other confidential information. After leaving the work he was performing for plaintiff, defendant founded his own competing venture. 

Defendant moved to dismiss the CFAA claim. The court granted the motion to dismiss. The court held that defendant did not exceed the scope of his authorized access by accessing certain of plaintiff’s documents, files or drives for the benefit of his own venture. Citing to United States v. Nosal, 676 F.3d 854, (9th Cir. 2012), the court observed that the Ninth Circuit has defined “exceeds authorized access” narrowly to include only someone who is authorized to access only certain data or files but accesses unauthorized data or files – or to put it simply: hacking. 

In this case, defendant was authorized to access plaintiff’s systems by virtue of the work he was hired to do in connection with plaintiff’s proprietary software systems. Plaintiff had attempted to draw a distinction between the work he was doing for his former employer and the actions he was undertaking to benefit his new venture (even though those actions were one and the same conduct). The court rejected this reasoning: “[E]ven if defendant accessed [plaintiff’s] information for the eventual benefit of [defendant’s new venture], that does not mean he could not have also accessed it for [his former employer’s] authorized purpose of building software.”

It is worth noting that the contours of “exceeding authorized access” under the CFAA give rise to a circuit split. It is fruitful to consider whether the outcome of this case may have been different, for example, in the Seventh Circuit, under the doctrines set out in Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir.2006).

Regal West Corporation v. Nguyen, No. 19-5374, 2019 WL 4748393 (W.D.Washington, September 30, 2019)

Sony’s EULA did not protect it from liability under CFAA and for trespass to chattel

Plaintiff filed a class action lawsuit against Sony after Sony issued a software update that bricked plaintiff’s Sony Dash. Sony moved to dismiss for failure to state a claim. The court granted the motion on a number of claims but allowed the Computer Fraud and Abuse Act (CFAA) and trespass to chattel claims to move forward.

CFAA Claim

Sony had argued that the CFAA claim should fail because plaintiff had not alleged the software update was “without authorization,” given the language of the end user license agreement, which read:

From time to time, Sony … may automatically update or otherwise modify the Software, for example, but not limited to for purposes of error correction, improvement of features, and enhancement of security features. Such updates or modifications may change or delete the nature of features or other aspects of the Software, including but not limited to features you may rely upon. You hereby agree that such updates and modifications may occur at Sony’s sole discretion, and that Sony may condition continued use of the Software upon your complete installation or acceptance of such updates or modifications.

Specifically, Sony argued that the EULA authorized Sony to “modify” the software at any time, and warned that such modifications may change or delete the nature of features or other aspects of the software, including features the consumer may rely upon. A court addressed a similar argument in In re Apple, 596 F.Supp.2d 1288 (N.D. Cal. 2008). In that case, Apple, as defendant, relied on the following language to argue that it acted “with authorization” for purposes of the CFAA when bricking iPhones that had been unlocked to access third-party applications:

IF YOU HAVE MODIFIED YOUR IPHONE’S SOFTWARE, APPLYING THIS SOFTWARE UPDATE MAY RESULT IN YOUR IPHONE BECOMING PERMANENTLY INOPERABLE

In that case, the court concluded that usage of the term “may” (as in “may result” in damage) created too much ambiguity surrounding Apple’s warning and found plaintiff’s allegations as to its CFAA claim sufficient to defeat Apple’s motion to dismiss.

Here, Sony had used the same ambiguous “may” (as in “may change or delete the nature of features”) and even more uncertain language than in In re Apple. Unlike in In re Apple, Sony did not explicitly warn that a subsequent software update could render the Dash “permanently inoperable.” The EULA did not say that Sony could delete all features. Instead, it vaguely warned consumers that Sony “may change or delete the nature of features” that a consumer “may rely upon.” This sentence was also prefaced by the following: “From time to time, Sony … may automatically update or otherwise modify the Software, for example, but not limited to for purposes of error correction, improvement of features, and enhancement of security features.”

The court found that this preface implied that automatic software updates would improve or enhance the Dash – not destroy its functionality. The court could not say at this stage that by using the Dash and thus implicitly agreeing to the EULA, plaintiff authorized Sony to render his device inoperable. Accordingly, the court found that plaintiff plausibly pled that Sony acted “without authorization” in bricking the Dash.

Tresspass to Chattel

Under New Jersey law, “[a] cognizable claim for trespass to chattel occurs ‘when personal property, in the actual use of the owner, is injured or taken by a trespasser, so that the owner is deprived of the use of it.’” Arcand v. Brother Int’l Corp., 673 F. Supp. 2d 282, 312 (D.N.J. 2009) (quoting Luse v. Jones, 39 N.J.L. 707, 709 (N.J. 1877)). “[P]hysical contact with the chattel, for instance, where a person kicks another’s car bumper, is not required.” Id. “All that is required … is interference with the chattel as a direct or indirect result of an act done by the actor.” Id.

In this case, Sony’s software update bricked plaintiff’s Dash. The court found that contrary to Sony’s assertions, plaintiff had not consented to Sony rendering his device wholly nonfunctional by agreeing to the EULA.

Sony had also argued that plaintiff never owned the software used by the Dash (in accordance with the EULA) and therefore Sony could not be liable for altering that software in the update. But the court saw it otherwise — whether plaintiff owned the software, Sony, at a minimum, indirectly injured plaintiff’s physical Dash by rendering it completely nonfunctional through the software update. The court again looked to In re Apple wherein that court found that the plaintiffs plausibly pled trespass to chattel by alleging that Apple released a software update that rendered the plaintiffs’ iPhones permanently inoperable. On these facts, the court found that plaintiff had plausibly pled his trespass to chattel claim.

Grisafi v. Sony Electronics Inc., 2019 WL 1930756 (D.N.J. April 30, 2019)

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Facebook wins against alleged advertising fraudster

Defendant set up more than 70 bogus Facebook accounts and impersonated online advertising companies (including by sending Facebook falsified bank records) to obtain an advertising credit line from Facebook. He ran more than $340,000 worth of ads for which he never paid. Facebook sued, among other things, for breach of contract, fraud, and violation of the Computer Fraud and Abuse Act (CFAA). Despite the court giving defendant several opportunities to be heard, defendant failed to answer the claims and the court entered a default.

The court found that Facebook had successfully pled a CFAA claim. After Facebook implemented technological measures to block defendant’s access, and after it sent him two cease-and-desist letters, defendant continued to intentionally access Facebook’s “computers and servers to obtain account credentials, Facebook credit lines, Facebook ads, and other information.” The court entered an injunction against defendant accessing or using any Facebook website or service in the future, and set the matter over for Facebook to prove up its $340,000 in damages. It also notified the U.S. Attorney’s Office.

Facebook, Inc. v. Grunin, 2015 WL 124781 (N.D. Cal. January 8, 2015)

Computer Fraud and Abuse Act claim dismissed where plaintiff failed to adequately plead loss or damage

Cost of investigating scope of information loss was not a “damage assessment” as contemplated by the CFAA.

BrokenlaptopPlaintiff sued defendant (a former employee) under the Computer Fraud and Abuse Act (“CFAA”) alleging that defendant intentionally and without authorization accessed plaintiff’s computers, intranet, and email system and sent plaintiff’s confidential customer information to his personal email account. Defendant allegedly used this information when he went to work for a competitor. Plaintiff also alleged that defendant attempted to conceal his actions by deleting the outgoing messages from the work email account.

Defendant moved to dismiss for failure to state a claim. The court granted the motion as to the CFAA claim.

The court found that plaintiff did not (and could not) claim defendant’s conduct caused “damage” within the meaning of the CFAA, because plaintiff did not allege any data were lost or impaired.

On the question of “loss” under the CFAA, the court found that plaintiff failed to allege any facts connecting its purported loss to an interruption of service, loss of data, or even a suspected loss of service or data. Although plaintiff attributed certain losses to “damage assessment and mitigation,” the court found it clear from the complaint that plaintiff’s “damage assessment” efforts were aimed at determining the scope of information defendant emailed to himself and disclosed to his new employer. Plaintiff did not allege it ever lost access to any of the information contained in defendant’s emails, notwithstanding defendant’s attempt to conceal his conduct by deleting the emails.

The court observed:

To be sure, assessing the extent of information illegally copied by an employee is a prudent business decision. But the cost of such an investigation is not “reasonably incurred in responding to an alleged CFAA offense,” because the disclosure of trade secrets, unlike destruction of data, is not a CFAA offense.

Accordingly, in this situation, the costs of investigating defendant’s conduct were not “losses” compensable under the CFAA.

SBS Worldwide, Inc. v. Potts, 2014 WL 499001 (N.D.Ill. February 7, 2014)

Using new employer’s credentials to copy former employer’s technology did not violate Computer Fraud and Abuse Act

This case arose from some rather complex but interesting facts:

8e19fbd8a556c7b63610c1cfd7782f10Defendant resigned from his job with an IT consulting firm. One of the firm’s customers hired defendant as an employee. Before the customer/new employer terminated the agreement with the IT consulting firm/former employer, defendant used the customer/new employer’s credentials to access and copy some scripts from the system. (Having the new employee and the scripts eliminated the need to have the consulting firm retained.) The firm/former employer sued under the Computer Fraud and Abuse Act. Defendants (the customer and its new employee) moved to dismiss for failure to state a claim. The court granted the motion.

It held that the complaint failed to allege “unauthorized access” within the Ninth Circuit’s interpretation of the CFAA.

The court looked to the Ninth Circuit’s holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which provides that to access a protected computer “without authorization” is to do so “without any permission at all,” and that to “exceed authorized access” is to “access information on the computer that the person is not entitled to access.” And it looked to the more recent case of U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012), which teaches that an individual does not “exceed authorized access” simply by misusing information that he or she was entitled to view for some other purpose. Under Nosal, the CFAA regulates access to data, not its use by those entitled to access it.

In this case, the court found that the complaint did not allege that defendants were unauthorized to access the scripts in question. In fact, the Statement of Work that the court reviewed specifically granted defendant’s employer and its representatives (including defendant) “sudo access” to “non-shell root commands” that included the scripts at issue.

Plaintiff argued that the access was unauthorized because it had repeatedly refused to grant defendant or his employer the authority to write or edit those scripts. But the court found that argument to address the misuse of the scripts, not unauthorized access. Under Nosal this conduct did not run afoul of the CFAA. So because the complaint failed to allege that defendant and his new employer had no access rights to the scripts, and because the documents upon which plaintiff relied revealed that defendants had certain access rights, the court dismissed the CFAA claim.

Enki Corporation v. Freedman, 2014 WL 261798 (N.D.Cal. January 23, 2014)

Hunter Moore arrest reveals a certain schizophrenia about the Computer Fraud and Abuse Act

The feds arrested Hunter Moore and an alleged co-conspirator on Thursday for hacking into email accounts to get nude photos Moore published on isanyoneup.com. At the heart of the prosecution is the Computer Fraud and Abuse Act, the federal statute that makes it a crime (and in some circumstances, gives rise to civil liability) for accessing a computer without authorization.

Few will come to these guys’ defense in this situation. Moore’s conduct in publishing and promoting isanyoneup.com was reprobate, and if the allegations in this criminal action prove true, that backend nefariousness will simply multiply the reasons why Moore was known as the most hated man on the internet. And because of this disdain for Moore’s conduct, most of us are happy to see the CFAA used aggressively against him.

But that’s the same statute many blame for crushing Aaron Swartz. To the extent a reasonable person may feel ill-will against Hunter Moore, he or she may feel sympathy, indeed compassion, for Aaron Swartz having had the CFAA book thrown at him. Against Moore there’s a sense of justice, against Swartz, a palpable injustice.

Isn’t it a bit mysterious how the same conduct — granted, for way different purposes and under different circumstances — can elicit such contrasting emotions?

No Computer Fraud and Abuse Act violation for taking over former employee’s LinkedIn account

Eagle v. Morgan, 2012 WL 4739436 (E.D.Pa. October 4, 2012)

After plaintiff was fired as an executive, her former employer (using the password known by another employee) took over plaintiff’s LinkedIn account. It kept all of plaintiff’s contacts and recommendations but switched out plaintiff’s name and photo with those of the new CEO.

LinkedIn identity writ large

Plaintiff sued in federal court under the Computer Fraud and Abuse Act, the Lanham Act, and a slew of state law claims including identity theft, conversion and tortious interference. The former employer moved for summary judgment on the CFAA and Lanham Act claims. The court granted the motion, but continued to exercise supplemental jurisdiction over the state law claims.

On the CFAA claim, the court found that plaintiff failed to show how the taking over over her account gave rise to a cognizable loss under the CFAA. The kinds of losses she tried to prove, e.g., lost future business opportunities and professional reputation, did not pertain to any impairment or damage to a computer or computer system. Moreover, the court found, plaintiff failed to specify or quantify the damages she alleged.

As for the Lanham Act claim, the court found that there was no likelihood of confusion. It noted that “anyone who navigated to [plaintiff’s] LinkedIn account would be met with [the new CEO’s] name, photograph and new position.” Accordingly, there was no effort to “pass off” the new CEO as plaintiff or to otherwise suggest an endorsement or affiliation.

Though it dismissed all the federal claims, the court kept the pending state law claims. The matter had been before the court for over a year, the judge was familiar with the facts and the parties, and dismissing it so soon before trial would not have been fair.

Other coverage by Venkat.

Photo credit: Flickr user smi23le under this Creative Commons license.