Tag Archives: cfaa

No CFAA claim where no impairment of system or data

Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2008)

When defendants Pettit and Harper worked for plaintiff Andritz, Inc., they had company-issued laptops with which they accessed proprietary information. After defendants resigned, they allegedly took that proprietary information and gave it to defendant-competitor SMC.

Andritz sued in federal court, alleging violation of the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss for failure to state a claim. The court granted the motion.

The CFAA claim failed because the plaintiff did not allege the type of “loss” or “damage” required to sustain such a claim. The loss that plaintiff alleged was that defendants took proprietary information and used it to poach customers.

But the CFAA requires there be an impairment of the computer system or data accessed. Because the plaintiff “still had access to the data just as it had before [d]efendants’ actions,” there was no violation of the CFAA.

Similar cases: Sam’s Wines & Liquors, Inc. v. Hartig and Garelli Wong & Assoc. v. Nichols.

Laptop photo courtesy Flickr user maveric2003 via this Creative Commons license.

No damage under Computer Fraud and Abuse Act for merely copying customer list

Sam’s Wines & Liquors, Inc. v. Hartig, 2008 WL 4394962 (N.D.Ill. September 24, 2008)

Hartig worked for Sam’s Wines & Liquors and had access to a password-protected customer list. Hartig left Sam’s in June 2005 and went to work for Plinio Group. Some two and a half years after leaving Sam’s, Hartig sent an email to customers appearing on Sam’s list, soliciting business for Plinio.

Sam’s claimed that Hartig used his password to access and copy the customer list prior to the time he resigned. So Sam’s sued Hartig for a number of things, including violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030 et seq. Hartig moved to dismiss the CFAA claim under Rule 12(b)(6) for failure to state a claim upon which relief can be granted. The court granted the motion.

Hartig put forth three arguments why the CFAA claim should be thrown out. First, he argued that Sam’s had not and could not adequately allege that Hartig accessed a protected computer without authorization, or that he exceeded his authorized access. Second, he argued that Sam’s had not and could not allege that it suffered “damage” under the CFAA from Hartig’s conduct. Finally, he argued that Sam’s had not and could not allege that it suffered “loss” under the CFAA from Hartig’s conduct.

The court held that Sam’s adequately pled unauthorized access to a protected computer (applying the agency principles Judge Posner set forth in Intl. Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006)). It also held that the expenses Sam’s incurred in responding to Hartig’s alleged conduct were properly pled as “loss” under the CFAA. But the claim failed on the damage element: merely accessing the information and allegedly using it while working for a competitor was not “impairment to the integrity or availability of data, a program, a system, or information.”

See Garelli Wong & Assoc., Inc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008) for a similar analysis.

Divorce spyware case moves forward

Court refuses to dismiss ECPA, SCA and CFAA claims against ex-spouse accused of delivering malicious code.

Becker v. Toca, No. 07-7202, 2008 WL 4443050 (E.D. La. September 26, 2008)

Plaintiff Becker sued his ex-wife, one Ms. Toca, claiming that Toca installed on Becker’s home and office computers a Trojan Horse that could steal passwords and send them to a remote computer. Becker claimed violations of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA), and Louisiana’s Electronic Surveillance Act.

Toca moved to dismiss for failure to state a claim upon which relief can be granted. The court dismissed the Louisiana state claim, but allowed the federal claims under the ECPA, SCA and CFAA to move forward.

In denying Toca’s motion on the ECPA claim, the court nodded to the general consensus established by cases such as Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994), United States v. Seiger, 318 F.3d 1039, 1047 (11th Cir. 2003), Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir.2001), and Bailey v. Bailey, 2008 WL 324156 (E.D. Mich. 2008) that ECPA liability requires the electronic communication to be intercepted contemporaneously with its transmission. Toca had argued that merely sending the Trojan Horse could not be considered an “interception” of an “electronic communication” under the ECPA. But the court held that allegations of stealing the passwords and transmitting them elsewhere, in conjunction with Becker’s computers being connected to the Internet, made it “reasonable … to infer that the Trojan Horse program may have collected information contemporaneous to its transmission.”

As for the SCA claim, Toca had argued Becker’s allegedly infected computers were not “a facility through which an electronic communication service is provided,” and thus not within the protection of the SCA. The court declined to dismiss the claim at the pleading stage because it was unclear to what extent the Trojan Horse may have accessed or retrieved information stored with an electronic communication service provider.

The court denied the motion to dismiss the CFAA claim, rejecting Toca’s arguments that the affected computers were not “protected” computers under the CFAA, and that the allegations were insufficient to show Toca intended to cause “damage.” The allegations that the Trojan Horse caused error messages and slow processing were sufficient on this point. Toca argued that an intent to damage the computers would be incompatible with a desire to retrieve information from them. But the court rejected this all-or-nothing damage approach.

The Louisiana statute claim failed simply because the court held that the statute covered only wire and oral communications, leaving electronic communications of the type at issue within the case outside its scope.

CFAA requires intent to cause harm, not merely intent to transmit

Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008)

The federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030 et seq. creates civil liability for anyone who “knowingly causes the transmissions of a program, information, code, or command, and as a result of such conduct intentionally causes damage without authorization, to a protected computer.” Does this mean that the defendant has to intend to cause harm, or does it simply mean that the defendant merely intended to cause the transmission? The U.S. District Court for the District of New Jersey chose the former in the recent case of Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008).

Plaintiff Kalow got hooked on the defendant’s software, which converted and stored plaintiff’s data in a proprietary format. In March 2006 the software stopped working because of a purported “time bomb” that defendant included in the application. To get the program working again, Kalow had to upgrade at a cost of over $15,000.

Kalow sued, and claimed, among other things, violation of the Computer Fraud and Abuse Act. The defendant moved to dismiss, and the court granted the motion with leave to amend.

In its complaint, Kalow had alleged that the defendant “intentionally transmitted a software code” to Kalow’s computer system and that the “software code [that defendant] intentionally transmitted to these computer systems caused damage to them.” The court found that these allegations were insufficient, as Kalow had not actually averred that defendant intended to cause harm.

The court rejected Kalow’s reliance on the case of Shaw v. Toshiba America Information Systems, Inc., 91 F.Supp.2d 926 (E.D.Tex.1999), concluding that the plaintiffs therein not only pled that the defendants knowingly had transmitted code, but that the defendants “knew [it] would cause the loss and corruption of data….” The court similarly rejected Kalow’s reliance on North Texas Preventive Imaging, LLC v. Eisenberg, No. 96-0071, 1996 U.S. Dist. LEXIS 19990, observing that the 1994 amendments to the CFAA embodied Congress’s aim to emphasize harmful intent and resultant harm rather than just unauthorized access.

Anonymous defendants to be unmasked in Computer Fraud and Abuse Act case

Kimberlite Corp. v. Does 1-20, No. 08-2147, 2008 WL 2264485 (N.D. Cal. June 2, 2008)

Plaintiff Kimberlite sued a number of anonymous John Doe defendants after it learned that its network and email system had been unlawfully accessed. A few days after filing suit for violation of the Computer Fraud and Abuse Act (CFAA) and trespass to chattels under state law, Kimberlite served a subpoena on AT&T, the owner of the IP address from which the unauthorized access originated, seeking to discover who was responsible.

One of the John Doe defendants, pro se, wrote a letter to the court which the court treated as a motion to quash the subpoena. The court denied the motion.

Doe argued that Kimberlite had failed to state a claim under the CFAA. The court rejected that argument, observing that Kimberlite had adequately alleged and had provided preliminary evidence of a CFAA violation. (Doe had not challenged the sufficiency of the trespass to chattels claim.) Kimberlite’s computers were “protected” computers under the CFAA because they were used in interstate and foreign commerce. They were password protected and accessed without authorization by someone from the subject IP address. Kimberlite succeeded in alleging the threshold amount of CFAA damages ($5,000) through an employee declaration describing over 100 hours of investigation and repair following the intrusions.

Doe also argued that Kimberlite had not demonstrated a need to obtain the information that outweighed Doe’s privacy rights under the Cable Communication Policy Act (CCPA). That act prohibits cable operators from disclosing subscriber information unless certain criteria are met.

The court rejected the CCPA argument first by expressing serious doubt that AT&T, as an Internet service provider was a “cable operator” and thus subject to the CCPA. Even if the CCPA did apply, the court found Kimberlite had demonstrated a compelling need for the information sought. It had adequately set forth a cause of action, so discovery of the anonymous parties was proper.

Company may be liable under Computer Fraud and Abuse Act for targeting and directing competitor’s employee to violate the Act

Binary Semantics Limited v. Minitab, Inc., No. 07-1750, 2008 WL 763575 (M.D. Pa. March 20, 2008)

Plaintiff Binary Semantics Limited is a company with expertise in promoting and selling software in India. Defendant Minitab, Inc. is a software development company that for several years had an agreement with Binary whereby Binary would promote and sell Minitab’s software in India. Minitab eventually decided that it would eliminate Binary’s services and sell directly in the Indian market.

Minitab allegedly contacted several of Binary’s employees and induced them to turn over some of Binary’s trade secrets and other information that would help Minitab hold its own in India. One of these Binary employees was a woman named Asha.

Asha

After Asha turned over the information to Minitab, Binary filed suit against Minitab, some of Minitab’s employees, and Asha, alleging, among many other things, violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 (“CFAA”). Minitab moved to dismiss the CFAA claim pursuant to FRCP 12(b)(6), arguing that none of its employees had violated the Act, but that Binary’s own employee, Asha, had. The court denied the motion to dismiss as to the CFAA claim.

Binary was required to plead four elements under the CFAA: (1) that Minitab accessed a protected computer, (2) without authorization or by exceeding such authorization as was granted, (3) knowingly and with intent to defraud, and (4) as a result furthered the intended fraud and obtained something of value.

In denying the motion to dismiss, the court found that Binary’s allegations were sufficient to state a claim against Minitab, even though it was actually Asha’s conduct that allegedly brought about the offense. Specifically, the complaint alleged that Minitab targeted Asha and that Asha did indeed access a protected computer. Further, the information retrieved eventually made its way to Minitab.

It was not a situation where Minitab merely received the information from a protected computer. Rather, the complaint sufficiently alleged that the unauthorized access was an action undertaken at the direction of Minitab. Therefore, Minitab could be held liable for the conduct.

CD-ROM is not a computer

GWR Medical, Inc. v. Baez, No. 07-1103, 2008 WL 698995 (E.D.Pa. March 13, 2008)

Now there’s a revelation in that headline.

Plaintiff GWR Medical terminated defendant Baez’s position with the company. Baez took with him a CD-ROM containing training materials and, the company alleged, trade secrets. When Baez wouldn’t return the CD, GWR sued him in federal court for violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. (“CFAA”).

Baez moved to dismiss the CFAA claim, and the court granted the motion. It held that a CD-ROM did not meet the definition of “computer” under the CFAA, and thus the claim could not stand.

The CFAA provides, among other things, that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information” violates the law. GWR asserted that Baez’s violation occurred when he kept the CD-ROM after he was terminated, thereby exceeding the authorization previously given to him.

A “computer” is defined in the CFAA [at 18 U.S.C. § 1030(e)(1)] as follows:

An electronic, magnetic, optical, electrochemical, or other high speed data processing device that performs logical, arithmetic or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but does not include an automated typewriter or typesetter, a portable hand held calculator, or similar device.

Electrochemical? Say what? And thank goodness we don’t have to hear about CFAA lawsuits brought for sneaking in late at night to use the automated typewriter. Hey man, come back with my calculator!

In any event, the parties each presented expert testimony on the question of whether a CD-ROM constitutes a computer. The court parsed the definition into three requirements: (1) “[a]n electronic, magnetic, optical, electrochemical, or other high speed data processing device;” (2) “performing logical, arithmetic, or storage functions;” which (3) “includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” If at least one of these requirements were not met, then the CD-ROM fell outside the definition.

Central to the court’s conclusion was the requirement that a computer process information. It found that the lack of the capacity to process information was fatal to GWR’s assertion that the CD-ROM met the statutory definition. Instead, the disc was analogous to a compilation of documents and training materials. Accordingly, the court dismissed the CFAA claim.

Damage under CFAA must involve some diminution of the system to be actionable

Garelli Wong & Assoc. v. Nichols, No. 07-6227, 2008 WL 161790 (N.D. Ill. January 16, 2008)

A recent decision from the U.S. District Court for the Northern District of Illinois presents a pretty typical fact pattern (employee leaves with sensitive data to work for a competitor), but also gives some useful guidance on the scope of the Computer Fraud and Abuse Act, 18 U.S.C. 1030 et seq. (CFAA).

Plaintiff Garelli Wong and Associates provides temporary placement for accounting professionals. When defendant Nichols worked for Garelli, he signed an NDA and learned a lot about the company’s clients, employees and strategy.

So when Garelli learned that Nichols allegedly copied a bunch of information before jumping ship, it sued. In addition to breach of contract, Garelli claimed Nichols violated the CFAA.

Nichols moved to dismiss the CFAA claim pursuant to Fed. R. Civ. P. 12(b)(6). The court granted the motion. It held that the CFAA requires a plaintiff to plead both damage and loss, and that Garelli failed to sufficiently plead both.

The CFAA defines “damage” as “impairment to the integrity or availability of data, a program, a system, or information.” Citing approvingly to the unpublished case of ResDev v. Lot Builders, 2005 WL 1924743 (M.D. Fla. August 10, 2005), which held that the word “integrity” required “some diminution in the completeness or useability of data or information on a computer system,” the court sided with Nichols. He had contended that CFAA liability does not arise merely by copying data. A violation of the CFAA requires more — some adverse effect on the system.

Garelli’s loss allegation essentially got Twomblied. The court found that Garelli’s allegations of loss — essentially a formulaic recitation of the CFAA’s $5,000 threshold language — did not provide the grounds of the entitlement to relief with more than labels and conclusions.