Tag Archives: facebook privacy

Facebook hacking that causes emotional distress – does the CFAA provide recovery?

A recent federal case from Virginia provides information on the types of “losses” that are actionable under the federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”).

Unauthorized Access Under the Computer Fraud and Abuse Act

Underlying facts

Plaintiff worked as a campaign manager, communications director and private sector employee of a Virginia state legislator. While plaintiff was in the hospital, defendant allegedly, without authorization, accessed plaintiff’s Facebook, Gmail and Google Docs accounts, and tried to access her Wells Fargo online account.

Plaintiff’s lawsuit

Plaintiff sued, alleging a number of claims, among them a claim for violation of the CFAA. Defendant moved to dismiss. Although the court denied the motion to dismiss on other grounds, it held that plaintiff’s alleged emotional distress was not the type of “loss” that is actionable under the CFAA.

Loss under the CFAA

One can bring a civil action under the CFAA if the defendant’s alleged conduct involves certain factors. One of those factors, set out at 18 U.S.C. § 1030(c)(4)(A)(i)(II), provides recovery if there is “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals”.

Plaintiff alleged that defendant’s unauthorized access and attempted access to her accounts caused her to sustain a “loss” under this definition because it caused her to suffer emotional distress for which she needed to seek counseling.

The court disagreed with plaintiff’s assertions. Essentially, the court held, the modification of or impairment of a plaintiff’s treatment must be based on impairment due to the ability to access or used deleted or corrupted medical records. As an example – this was not in the court’s opinion but is provided by the author of this post – one might be able to state a claim if, for example, medical records were modified by a hacker to change prescription information. Further, the court held, to recover under the relevant provision of the CFAA, a defendant’s violation must modify or impair an individual’s medical treatment as it already exists, not merely cause the plaintiff mental pain and suffering that requires additional care.

Hains v. Adams, 2019 WL 5929259 (E.D. Virginia, November 12, 2019)

Court says you don’t need a person’s permission to tag them in a Facebook photo

Lalonde v. Lalonde, — S.W.3d —, 2011 WL 832465 (Ky. App., February 25, 2011)

Mother sought appellate review of the lower court’s order that awarded primary physical custody of her daughter to the child’s father. The mother argued, among other things, that the court improperly considered Facebook photos showing her drinking. This was not good because her psychologist had testified that alcohol would have an adverse effect on the medication she was taking for bipolar disorder. (Seems like there’s no shortage of cases involving drinkin’ photos on social media.)

The court rejected the mother’s assertion that the photos should not be considered as evidence. She argued that because Facebook allows anyone to post pictures and then “tag” or identify the people in the pictures, she never gave permission for the photographs to be published in this manner. The court held that “[t]here is nothing within the law that requires [one’s] permission when someone takes a picture and posts it on a Facebook page. There is nothing that requires [one’s] permission when she [is] “tagged” or identified as a person in those pictures.”

It might be easy to overstate the court’s conclusion here. Some instances of tagging might be part of something actionable. For example, the posting and tagging of photos in the right context might constitute harassment, infliction of emotional distress, or invasion of privacy. Use of another’s photo on the web without permission for commercial purposes might violate that person’s right of publicity. And of course there is the question of copyright as to the uploading of the photo in the first place — if the person appearing in the photo owns the copyright (e.g., it’s a self-portrait) there is the risk of infringement. But it’s interesting to see the court appear to validate ordinary tagging.