Computer Fraud and Abuse Act (CFAA)
Contents
Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication shall be punished under the Act. In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal interest computer” with the term “protected computer.”18 U.S.C. § 1030. While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to brought under the statute, as well.
How the CFAA Works
Types of Offenses (7 Prohibitions)
There are seven types of criminal activity enumerated in the CFAA: obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain value, damaging a computer or information, trafficking in passwords, and threatening to damage a computer.
Attempts to commit these crimes are also criminally punishable.
Protected Computer the term “protected computer” means a computer
- (1) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
- (2) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.
18 U.S.C. § 1030
In MBTA v. Anderson, No. 08-11364, (D. Mass. filed Aug. 19, 2008), Plaintiff claimed that defendants violated or threatened to violate the CFAA by releasing the findings of their research regarding the security holes associated with the MBTA fare charging system. The court found that a violation of the CFAA only occurs if the person knowingly causes the transmission of programmed information to a protected computer. Because the defendants in this case were only seeking to transmit information to a non-computer audience, the court found that the MBTA was not likely to succeed on a claim under the CFAA.
Access
A violation of the CFAA can be committed in two ways: either by an outsider who trespasses into a computer or an intruder who goes beyond the scope of his given authorization.
Without Authorization "Congress did not define the phrase 'without authorization,' perhaps assuming that the words speak for themselves. The meaning, however, has proven to be elusive." EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). Some courts have applied a "reasonable expectation" standard in that conduct is without authorization only if it is not “in line with the reasonable expectations” of the website owner and its users. Id. While other courts, finding the "reasonable expectations" standard to be an overly broad reading that restricts access and is at odds with the Internet's intended purpose of providing the “open and free exchange of information," urge us to adopt the reasoning that computer use is “without authorization” only if the use is not “in any way related to [its] intended function.” Id. at 582.
Instances where an outsider trespasses onto a computer system are fairly easy to recognize, however in some instances an insider can stray so far from the realm of his given authorization that the court treats the user as having acted without authorization. In United States v. Morris, a case prosecuted under a previous version of the CFAA that punished “intentionally accessing a Federal interest computer without authorization,” Morris spread a program known as a “worm” that affected computers across the country and caused damage. U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) (Internet worm violated CFAA). Morris argued that he had merely exceeded his authorized access and not accessed the computers without authorization. The court noted that Congress “did not mean to insulate from liability the person authorized to use computers at the State Department who causes damage to computers at the Defense Department.” Id at 511. Further, the court goes on to state that, “Congress did not intend an individual's authorized access to one federal interest computer to protect him from prosecution, no matter what other federal interest computers he accesses.” Id. As such, they found that Morris was acting without authorization.
Agency In determining if an employee has exceeded authorization in accessing a computer system, issues regarding agency often arise. In Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., Plaintiff sued a competitor for violations of the CFAA resulting from allegations that Defendant created an agency relationship with one of Plaintiff’s employees whereby the employee accessed Plaintiff’s computers to provide Defendant proprietary information regarding Plaintiff’s company while still employed by Plaintiff. Regarding the agency issue, the court held that, “for purposes of stating claim under CFAA, former employees lost access to computers when they allegedly became agents of competitor.” Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000)(finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization).
Like Shurgard, where Defendant accessed files on Plaintiff’s computer and used the files against Plaintiff, in LVRC Holdings v. Brekka the defendant transferred files from his employer’s computer and later used these files for reasons contrary to the employer’s interests. However, unlike Shurgard, where the employee’s behavior changed as a result of his new agency relationship with Defendant, in Brekka, Defendant regularly emailed documents from his work computer to his personal computers and Plaintiff did not have an employment agreement or give guidelines to Defendant prohibiting the transfer of Plaintiff’s computer files to personal computers. Thus, the court found that, “because Brekka was authorized to use [Plaintiff’s] computers while he was employed [by Plaintiff], he did not access a computer ‘without authorization’ in violation of § 1030(a)(2) or § 1030(a)(4) when he emailed documents to himself and to his wife prior to leaving [Plaintiff’s company]. Nor did emailing the documents ‘exceed authorized access,’ because [Defendant] was entitled to obtain the documents.” LVRC Holdings v. Brekka, No. 07-17116, (9th Cir. Sept. 15, 2009). Moreover, the Ninth Circuit noted that, "[n]o language in the CFAA supports [Plaintiff’s] argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest."Id.
The Seventh Circuit, in Citrin, noting the principles of agency in their decision stated that Defendant, a former employee of the plaintiff, breached his duty of loyalty to his employer, thus terminating his agency relationship with said employer. As such, the court found that any rights that were granted as a result of the agency relationship, including authorization to use the employer's computer, were also terminated. Thus, because defendant was not authorized to use Plaintiff's computer, the court held that the "employee's alleged installation of [a] program on employer's computer that caused deletion of files would violate the Computer Fraud and Abuse Act." International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. March 8, 2006).
Exceeds Authorization The term "exceeds authorized access" is defined by the CFAA to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6).
Misuse/TradeSecret Recent judicial decisions and statutory amendments have broadened the scope of the CFAA. This broadened CFAA scope combined with today's corporate practice of storing confidential information electronically, has created an environment where plaintiffs bring claims for the misappropriation of proprietary information under the CFAA. However, because more than merely unauthorized use is required to establish a violation of the CFAA, the majority of courts have found that misappropriation alone does not constitute an offense under the statute.
In Therapeutic Research Faculty v. NBTY, 488 F. Supp. 2d 991 (E.D. Cal. 2007), Plaintiff alleged that Defendant purchased a single user subscription to Plaintiff's publication, but proceeded to share its provided "confidential username and passcode among many [of its employees] for two-and-a-half years, thereby infringing on [Plaintiff's] rights in the Publication.” Id. As such, Plaintiff brought suit for a number of claims including violation of the CFAA and the court found that Plaintiff adequately "alleged that its username and passcode constituted 'trade secret' under California law." Id. Regarding the CFAA claim, the court held that "Plaintiff's allegations sufficiently state a claim under the CFAA" and they go on to state "several district courts have recognized that damage caused by unauthorized access or access in excess of authorization to a computer system may be redressed under the CFAA." Id. at 997.
Unlike Therapeutic Research Faculty, where Defendant provided information to other users that allowed for unauthorized access to Plaintiff’s computer system, in U.S. v. Czubinski, Defendant made no attempt to damage the data or the usability of the computer system he was accessing. Instead, Defendant merely accessed files on the IRS's computer system without authorization and the court noted that there was no evidence to show that defendant's end was no more than to satisfy his own curiosity and that the showing of some additional end-to which the unauthorized access is a means is required. Thus, the hurdle to making a successful claim for trade secrets violation under the CFAA appears to stem from the CFAA's requirement that the inflicted damage diminished the completeness or usability of data or information on a computer system. However, misappropriated data very often remains intact on the originating computer; as such, in these instances, most plaintiffs will not be able to make a CFAA claim.
Drew/EULA
Recently, during the U.S. v. Drew case, questions arose regarding whether an intentional breach of a website’s end user license agreement, without more, is enough to sustain a violation of the CFAA. In U.S. v. Drew, Plaintiff created a fictitious profile for a boy named “Josh” on the social networking website, Myspace. In doing so, Plaintiff violated Myspace’s Terms of Service. Plaintiff then used this fictitious profile to communicate with her daughter’s classmate. During one of the communications, Plaintiff, using the fictitious profile, told her daughter’s classmate “that [‘Josh’] no longer liked her and that ‘the world would be a better place without her in it.’” United States v. Drew, 259 F.R.D. 449 (C.D.Cal.) Her daughter’s classmate killed herself later that day. Upon learning of the classmate’s death, Plaintiff deleted the fictitious Myspace account. The court in Drew concluded that, “an intentional breach of the MSTOS can potentially constitute accessing the MySpace computer/server without authorization and/or in excess of authorization under the statute.” Id. at 461.
However, the court goes on to note that, “[t]he pivotal issue herein is whether basing a CFAA misdemeanor violation as per 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A) upon the conscious violation of a website's terms of service runs afoul of the void-for-vagueness doctrine. This Court concludes that it does primarily because of the absence of minimal guidelines to govern law enforcement, but also because of actual notice deficiencies.” Id. at 465. A violation of the CFAA in this instance appears to hinge on whether a reasonable person, upon consenting to a click wrap agreement, would be put on notice that potential criminal penalties could be enforced for breaching the contract. The court in Drew noted that the CFAA, “does not explicitly state (nor does it implicitly suggest) that the CFAA has 'criminalized breaches of contract' in the context of website terms of service.” Id. Moreover, the court goes on to point out that, “[n]ormally, breaches of contract are not the subject of criminal prosecution . . . [and that] by utilizing violations of the terms of service as the basis for the section 1030(a)(2)(C) crime . . . the website owner-in essence [becomes the] party who ultimately defines the criminal conduct.” Id. “In sum, if any conscious breach of a website's terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].” Id. (citing City of Chicago v. Morales, 527 U.S. 41 at 64, 119 S.Ct. 1849).
Civil Action - Damages
The CFAA is primarily a criminal statute. However, in 1994 a civil suit provision was added that provides a private cause of action if a violation causes loss or damage, as those terms are defined in the statute. 18 U.S.C. § 1030(g). To state a civil claim for violation of the CFAA, a plaintiff must allege
- damage or loss;
- caused by;
- a violation of one of the substantive provisions set forth in § 1030(a); and
- conduct involving one of the factors in § 1030(c)(4)(A)(i)(I)-(V).
18 U.S.C. § 1030(g).
Persons found to be civilly liable for a CFAA violation can be responsible for compensatory damages and injunctive or other equitable relief.
Moreover, an action brought under this section must be bought within two years of the date the act is complained or the date of the discovery of the damage. Additionally, no action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware. June 23, 2008) (must plead intent to cause harm, intent to transmit software code is not enough).
In 2008, the CFAA was amended by the Identity Theft Enforcement and Restitution Act, Pub. Law 110-326, 122 Stat. 3560. This amendment enhanced a number of aspects of the CFAA. Most notably, the 2008 amendment eliminated the need for Plaintiff’s loss to be greater than $5,000 and made it a felony for a user to cause damage to ten or more computers. Thus, while the $5,000 threshold has been done away with, a Plaintiff still needs to show that they suffered damage or loss.
Prior to the USA PATRIOT ACT in 2001, the CFAA contained no definition for “loss.” In United States v. Middleton, a case argued before the enactment of the USA PATRIOT Act, the defendant accessed his former employer’s computer system without authorization and as a result, the company was forced to pay to repair the system. At trial, Defendant argued that his actions had not caused “damage” as the term is defined in the CFAA. The Ninth Circuit disagreed, however, reasoning that, “[i]n determining the amount of losses, [one] may consider what measures were reasonably necessary to restore the data, program, system, or information that [one] finds was damaged or what measures were reasonably necessary to resecure the data, program, system, or information from further damage. “United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000). The court’s holding in Middleton then became the basis for the definition of “loss” in the USA PATRIOT Act. As such, “loss” is now statutorily defined as, “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”
Loss includes
- Response costs
- Damage assessments
- Restoration of data or programs
- Wages of employees for these tasks
- Lost sales from website
- Lost advertising revenue from website
Loss might include
- Harm to reputation or goodwill
- Other costs if reasonable
Loss does not include
- Assistance to law enforcement
Moreover, lost revenue resultant from the theft of proprietary information is also not considered loss. While the following cases do not meet the current definition of “loss,” they are relevant to understanding what damage or loss is. In Andritz, Inc. v. Southern Maintenance Contractor, LLC, Plaintiff claimed that Defendant violated the CFAA by misappropriating Plaintiff’s trade secrets. The court found that:
Plaintiff simply fails to allege that it suffered any damages that fall within CFAA's statutory definition of “loss” or “damage.” Plaintiff does not allege that there was any impairment to its computer system or data as a result of Defendants' conduct. After the alleged theft of the data, Plaintiff still had access to the data just as it had before Defendants' actions. The alleged CFAA violation is not that Defendants deleted or altered any data but that Defendants used the data inappropriately. Plaintiff also does not allege any damages related to responding to the offense or conducting a damage assessment, nor does Plaintiff allege that it lost revenue or incurred costs because of an interruption of service. Rather, Plaintiff alleges that it lost revenue because Defendants copied Plaintiff's proprietary information and intellectual property and then used that information to steal customers away from Plaintiff. While a remedy may exist for such conduct, Congress did not provide one in CFAA. See Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 477 (S.D.N.Y.2004) (finding that lost revenue due to unfair competition and lost business opportunity does not constitute a loss under CFAA). Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2009).
CFAA Criminal Cases
- United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988)
- U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000)(CFAA protects corporate entities)
Defendant was convicted of intentionally causing damage to protected computer by the United States District Court for the Northern District of California, William H. Orrick, Jr., J., and he appealed. The Court of Appeals, Graber, Circuit Judge, held that: (1) statute that prohibits any person from knowingly causing damage, without authorization, to protected computer criminalizes computer crime that damages natural persons and corporations alike; (2) refusal to give defendant's requested instruction on “damage” was not abuse of district court's discretion; and (3) in calculating damage resulting from ex-employee's unauthorized access to employer's computers and deletion of internal databases, district court could compute “damage” based on salaries paid to, and hours worked by, in-house employees who corrected problem.
- U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) (unauthorized browsing of computer files did not violate CFAA)
Defendant was convicted of wire fraud and computer fraud by the United States District Court for the District of Massachusetts, Nathaniel M. Gorton, J., and Robert B. Collings, United States Magistrate Judge. Defendant appealed. The Court of Appeals, Torruella, Chief Judge, held that: (1) interstate transmission element of wire fraud could be inferred from circumstantial evidence that defendant's searches of master taxpayer files caused information to be sent to his computer terminal in different state; (2) defendant's unauthorized browsing of confidential taxpayer information did not defraud Internal Revenue Service (IRS) of its property within meaning of wire fraud statute; (3) defendant's unauthorized browsing of confidential taxpayer information did not deprive taxpayers of their intangible, nonproperty right to honest government services; and (4) defendant could not be convicted of computer fraud in connection with his browsing of confidential taxpayer files.
- U.S. v. Morris, 928 F.2d 504 (2d Cir. 1991) (Internet worm violated CFAA)
Defendant was convicted in the United States District Court for the Northern District of New York, Howard G. Munson, J., of violating Computer Fraud and Abuse Act. Defendant appealed. The Court of Appeals, Jon O. Newman, Circuit Judge, held that: (1) statute punishing anyone who intentionally accesses without authorization federal interest computers and damages or prevents authorized use of information in those computers causing loss of $1,000 or more does not require Government to demonstrate that defendant intentionally prevented authorized use and thereby caused loss, and (2) there was sufficient evidence to conclude that defendant acted without authorization within meaning of statute.
- U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012)
In United States v. Nosal, an ex-employee of an executive recruiting firm was prosecuted on the theory that he induced current company employees to use their legitimate credentials to access the company's proprietary database and provide him with information in violation of corporate computer-use policy. The government claimed that the violation of this private policy was a violation of the Computer Fraud and Abuse Act (CFAA). Following a decision issued in 2009 by the Ninth Circuit, the district court ruled that violations of corporate policy are not equivalent to violations of federal computer crime law.
Trespassing a Government Computer:
- Sawyer v. Department of Air Force, 31 M.S.P.R. 193, 196 (M.S.P.B. 1986)
- Fasulo v. United States, 272 U.S. 620, 629 (1926)
- United States v. Sadolsky, 234 F.3d 938 (6th Cir. 2000)
- United States v. Bae, 250 F.3d 774 (D.C. Cir. 2001)
- United States v. Sullivan, 40 Fed. Appx. 740 (4th Cir. 2002) (unpublished)
- United States v. Rushdan, 870 F.2d 1509, 1514 (9th Cir. 1989)
- United States v. Scartz, 838 F.2d 876, 879 (6th Cir. 1988)
- WEC Caroline Energy Solutions LLC v. Miller, No. 11-1201, (4th Cir. 2012)
Miller quit his job, but before leaving, and before his access to the company's intranet was terminated, violates the company's use policy by downloading proprietary information to a personal computer. He then used this information in a sales pitch representing a competitor to WEC, a competitor that Miller began to work for shortly after leaving WEC. Miller and the competitor won the sales contract. The Fourth Circuit found that improper use of information that an employee was authorized to access could not fit the definition in § 1030(e)(6).
- LVRC Holdings v. Brekka, No. 07-17116, (9th Cir. Sept. 15, 2009).
LVRC Holdings, LLC (LVRC) filed this lawsuit in federal
district court against its former employee, Christopher Brekka, his wife, Carolyn Quain, and the couple’s two consulting businesses, Employee Business Solutions, Inc., a Nevada corporation (EBSN), and Employee Business Solutions, Inc., a Florida corporation (EBSF). LVRC alleged that Brekka violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, by accessing LVRC’s computer “without authorization,” both while Brekka was employed at LVRC and after he left the company. See 18 U.S.C. § 1030(a)(2), (4). The district court granted summary judgment in favor of the defendants. We affirm. Because Brekka was authorized to use LVRC’s computers while he was employed at LVRC, he did not access a computer “without authorization” in violation of § 1030(a)(2) or § 1030(a)(4) when he emailed documents to himself and to his wife prior to leaving LVRC. Nor did emailing the documents “exceed authorized access,” because Brekka was entitled to obtain the documents. Further, LVRC failed to establish the existence of a genuine issue of material fact as to whether Brekka accessed the LVRC website without authorization after he left the company.
- CollegeSource, Inc. v. AcademyOne, Inc., 2012 WL 5269213 (E.D. Pa. October 25, 2012)
The plaintiff, CollegeSource, Inc. has accused the defendant, AcademyOne, Inc., of republishing course catalogs and course information digitized and maintained by CollegeSource. CollegeSource relied on the argument that the scope of the subscription agreement extends beyond the actions of AcademyOne while logged in as a subscriber and includes AcademyOne's subsequent access of CollegeSource documents through CataLink. The district court held "that because the documents in issue were available to the general public, AcademyOne did not access them without authorization. Moreover, because AcademyOne was under no obligation to abide by any terms of use as to its CataLink access, it did not exceed authorized access."
- Eagle v. Morgan, 2012 WL 4739436 (E.D.Pa. 2012)
While Dr. Eagle was president of Edcomm, she established an account on LinkedIn. Immediately after Dr. Eagle was terminated from her position at Edcomm, Edcomm, using Dr. Eagle's LinkedIn password, accessed her account and changed the password so that Dr. Eagle could no longer access the account, and then changed Dr. Eagle's account profile to display the new president's name and photograph. "Plaintiff is not claiming that she lost money because her computer was inoperable or because she expended funds to remedy damage to her computer. Rather, she claims that she was denied potential business opportunities as a result of Edcomm's unauthorized access and control over her account. Loss of business opportunities, ... is simply not compensable under the CFAA."
- Cassetica Software, Inc. v. Computer Sciences Corp, 2009 WL 1703015 (N.D.Ill. 2009)
Plaintiff Cassetica Software, Inc. (“Cassetica”) filed suit against Defendant Computer Sciences Corporation (“CSC”), claiming copyright infringement, breach of contract, violation of the Computer Fraud and Abuse Act, conversion, trespass to chattels and unjust enrichment. Pursuant to Fed.R.Civ.P. 12(b)(6), CSC has moved to dismiss Cassetica's First Amended Complaint . . . CSC's Motion to Dismiss is granted.
- Andritz, Inc. v. Southern Maintenance Contractor, LLC, 2009 WL 48187 (M.D. Ga. January 7, 2009) ("loss" and "damages" do not include "lost revenue caused by the misappropriation of proprietary information and intellectual property from an employer's computer.")
In this action, Plaintiff alleges that Defendants, who are former employees of Plaintiff, stole Plaintiff's trade secrets and other proprietary business information and that Defendants' conduct gives rise to a civil claim under the federal Computer Fraud and Abuse Act. Presently pending before the Court is Defendants' Motion to Dismiss (Doc. 13) . . . Plaintiff's federal claim fails to state a claim upon which relief may be granted, and therefore Defendants' motion is granted as to that claim. The Court declines to exercise supplemental jurisdiction over Plaintiff's remaining state law claims, and those claims are dismissed without prejudice.
- Garelli Wong & Assoc. v. Nichols, 551 F.Supp.2d 704 (N.D.Ill. 2008) (no CFAA liability for only copying data)
Employer brought action against former employee for breach of contract and violation of Computer Fraud and Abuse Act (CFAA), alleging that employee was working in direct competition with employer in his new position. Employee moved to dismiss . . . The District Court, Charles P. Kocoras, J., held that:(1) employer failed to allege damage under CFAA, and (2) employer failed to allege loss under CFAA.
- GWR Medical, Inc. v. Baez, 2008 WL 698995 (E.D.Pa. March 13, 2008) ("CD-ROM does not, in and of itself, process information. The CD-ROM at issue is analogous to a compilation of documents and training materials, and cannot be considered a computer under the CFAA without processing capabilities.")
This matter comes before the Court on Defendant Hector M. Baez's Motion to Dismiss the Amended Complaint [Doc. No. 17], Plaintiff GWR Medical, Inc.'s Response thereto [Doc. No. 18], and Defendant's Reply [Doc. No. 21]. After reviewing the pleadings, the applicable law, and after a hearing thereon, the Court will grant the Motion in part and deny it in part.
- Kalow & Springnut, LLP v. Commence Corporation, 2008 WL 2557506 (D.N.J. June 23, 2008) (must plead intent to cause harm, intent to transmit software code is not enough)
Plaintiff Kalow & Springnut, LLP (“Plaintiff” or “Kalow”) brings the instant class action suit against Defendant Commence Corporation (“Defendant” or “Commence”) to recover damages arising from the alleged failure of computer software that Plaintiff purchased from Defendant seven years ago. Plaintiff filed a Class Action Complaint on behalf of a class that consists of those who purchased Commence's software. Specifically, the three-count Complaint alleges: 1) violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, for Defendant's alleged intentional transmission of a software code causing damage to Plaintiff's computer systems; 2) violations of the New Jersey Consumer Fraud Act (“NJCFA”), N.J.S.A. § 56:8-2, for Defendant's alleged engagement in deceptive and misleading practices in the marketing of its software; and 3) violations of various consumer fraud acts in the states where Defendant conducts business (virtually all states), in anticipation of class certification. Presently before the Court is Defendant's motion to dismiss Plaintiff's Complaint. For the reasons set forth below, Plaintiff's claims are dismissed without prejudice; however, Plaintiff shall have Twenty (20) days from the date of the Order accompanying this Opinion to amend its Complaint.
- Brett Senior & Assocs. v. Fitzgerald, No. 06-1412, 2007 WL 2043377 (E.D. Pa. July 13, 2007)
The plaintiff claimed that the defendant accountant violated the CFAA by accessing its computer system to transfer files to the defendant firm. Specifically, the plaintiff claimed that the defendant accountant violated section 1030(a)(4) of the CFAA when he copied the plaintiff’s client files, created a list of the clients he serviced while working with the plaintiff, transformed plaintiff’s files to certain formats for the purpose of transferring them to the defendant firm, and e-mailed information relating to four clients of the plaintiffs to the defendant firm. Court ruled that section 1030(a)(4) of the CFAA prohibits the unauthorized procurement or alteration of information, not its misappropriation or misuse. Because there was no allegation that the defendant accountant lacked authority to see, reformat or email any information in the plaintiff’s computer system, the District Court ruled that the CFAA claim failed.
- Southwest Airlines Co. v. Boardfirst, L.L.C., 2007 U.S. Dist. LEXIS 96230 (N.D. Tex Sept. 12, 2007)(unpublished). Plaintiff alleges Defendat violated the CFAA by accessing Plaintiff's website as a 3rd party to obtain boarding passes for Defendant's paying clients. The court states that Plaintiff must "establish that [Defendant] obtained 'information' from its protected computer as a result of the unauthorized use. Southwest points to no evidence on that score. Nor has it shown that BoardFirst's use of its computer itself 'involved an interstate or foreign communication' as required by the statute. For these reasons, and construing the available evidence in a light favorable to [Defendant], the Court finds that [Plaintiff] has failed to establish its entitlement to summary judgment on its CFAA claim." Id. at *46.
- International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. March 8, 2006).[1]
Former employer brought action against former employee, alleging violation of the Computer Fraud and Abuse Act. The United States District Court for the Northern District of Illinois, Wayne R. Andersen, J., dismissed action. Former employer appealed . . . The Court of Appeals, Posner, Circuit Judge, held that: (1) employee's alleged installation of program on employer's computer that caused deletion of files would violate the Computer Fraud and Abuse Act, and (2) Court of Appeals would not determine whether files destroyed were confidential, as would arguably be permitted by employment contract.
- International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006) (holding that an employee's access to data became unauthorized when breach of his duty of loyalty terminated his agency relationship).
Former employer brought action against former employee, alleging violation of the Computer Fraud and Abuse Act. The United States District Court for the Northern District of Illinois, Wayne R. Andersen, J., dismissed action. Former employer appealed . . . The Court of Appeals, Posner, Circuit Judge, held that: (1) employee's alleged installation of program on employer's computer that caused deletion of files would violate the Computer Fraud and Abuse Act, and (2) Court of Appeals would not determine whether files destroyed were confidential, as would arguably be permitted by employment contract.
- Vi Chip Corp. v. Lee, 438 F.Supp.2d 1087, 1100 (N.D.Ca. 2006) (applying the holding of Citrin to an employee who deleted data after being informed that his employment was to be terminated)
- Int’l Ass’n of Machinists & Aero. Workers v. Werner-Matsuda, 390 F. Supp. 2d 479, 498 (D. Md. 2005)
Incumbent airline employees' union filed suit under Stored Wire and Electronic Communications and Transactional Records Access Act (SECA) and Computer Fraud and Abuse Act (CFAA), as well as common law and Maryland statute, alleging that secretary treasurer of local had accessed confidential membership information on secure proprietary website on behalf of herself and rival union. Advisory group allegedly staffing rival union's efforts with respect to flight attendants at one airline was also named in suit. Defendants moved to dismiss for lack of subject matter jurisdiction, lack of personal jurisdiction, and failure to state a claim, and plaintiff moved to seal certain exhibits, to amend complaint,to file surreply, and for leave to file response to motion to reduce sanctions imposed by Charles B. Day, United States Magistrate Judge . . . The District Court, Chasanow, J., held that:
(1) exhibits containing confidential membership information that rested at heart of case and that allegedly constituted trade secret under Maryland statute would be sealed; (2) magistrate judge's overall award in sanctions against defendant union for failure to provide adequate deposition witness on two occasions was too large and would be reduced; (3) action was not representation dispute over which National Mediation Board (NMB) had exclusive jurisdiction; (4) complaint failed to state a claim under SECA and CFAA, as defendant local union official was authorized to access website and entitled to see all information stored therein; and (5) having dismissed all federal claims, court would decline to exercise supplemental jurisdiction over remaining state law claims.
- Lockheed Martin Corp. v. Speed, 2006 WL 2683058 at *5-7 (M.D. Fla. 2006) (criticizing Citrin)
- HUB Group, Inc. v. Clancy, 2006 WL 208684 (E.D. Pa. 2006) (downloading employer's customer database to a thumb drive for use at a future employer created sufficient damage to state claim under the CFAA)
- ResDev v. Lot Builders, 2005 WL 1924743 (M.D. Fla. August 10, 2005) ( “integrity” needs “some diminution in the completeness or useability of data or information on a computer system")
This case is before the Court on Defendants Lot Builders Association Inc.'s, Michael Boswell's, and Brad Luken's (collectively, “Lot Builders”) Motion for Summary Judgment (Doc. 52), Plaintiff ResDev LLC's Cross Motion for Summary Judgment (Doc. 53), and Resdev's and Lot Builder's respective Oppositions (Docs. 73 and 71).
- I.M.S. Inquiry Management Systems, Ltd. v. Berkshire, 307 F.Supp.2d 521 (SDNY 2004). Section 1030(a)(2)(c) forbids obtaining information from a protected computer involved in interstate or foreign communication through intentional and unauthorized access. Court allowed a civil cause of action under this section, in conjunction with a § 1030(g) claim. See also Theofel v. Farey-Jones, 341 F.3d 978, 986 (9th Cir.2003) (same).
Provider of advertising tracking services, which utilized Internet website, sued competitor alleging copyright violations. Competitor moved to dismiss . . . The District Court, Buchwald, J., held that:(1) provider alleged damages and loss, under Computer Fraud and Abuse Act;(2) provider could proceed under Act despite claim there was no provision for private action;(3) copyright registration certificate did not cover allegedly infringed item, precluding infringement action;(4) version covered by certificate was not derivative of earlier version, allowing suit covering earlier version; (5) there was no violation of Digital Millennium Copyright Act (DMCA). Motion granted in part, denied in part.
- Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp.2d 435 (ND Tex. 2004). CFAA does not require damage as defined in 18 U.S.C. § 1030(e)(8) over $5,000, only "loss" as defined in (e)(11).
Software company, which created a product which allowed corporate travelers to search online for airline fares, filed motion to dismiss airline's claims for computer fraud and abuse, misappropriation, breach of a use agreement, tortious interference, trespass, unjust enrichment, and harmful access by computer . . . The District Court, Sanders, Senior District Judge, held that: (1) airline stated claim under Computer Fraud and Abuse Act (CFAA); (2) fare, route, and scheduling information which were allegedly misappropriated were not copyrightable and therefore airline's misappropriation claim under Texas law was not preempted by federal copyright law; (3) airline stated a claim for interference with business relations; (4) airline stated claim for harmful access by computer.
- Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 477 (S.D.N.Y.2004) (lost revenue due to unfair competition and lost business opportunity does not constitute a loss under CFAA)
Wire and cable manufacturer sued competitor for, inter alia, violations of Computer Fraud and Abuse Act (CFAA). Competitor moved for summary judgment . . . The District Court, Cedarbaum, J., held that manufacturer lacked standing to assert civil claim based on competitor's alleged violation of CFAA.
- Role Models America, Inc. v. Jones, 305 F.Supp.2d 564 (D. Md. 2004)
- EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003), (rejecting a CFAA claim based on a “reasonable expectations” test but stating in dicta that “a lack of authorization could be established by an explicit statement on the website restricting access”)
Travel company brought action against maker of “scraper tool” software program provided to competitor that collected pricing information from the travel company's public website, alleging violations of the Computer Fraud and Abuse Act (CFAA) and the Copyright Act, and seeking preliminary injunction under both acts. The United States District Court for the District of Massachusetts, Morris E. Lasker, J.FN*, granted preliminary injunction under the CFAA but denied preliminary injunction under the Copyright Act. Software maker appealed. The Court of Appeals, Boudin, Chief Circuit Judge, held that: (1) reasonable expectations test was not the proper gloss for determining lack of authorization for purpose of CFAA provision setting forth offense of fraudulently accessing a protected computer without authorization; (2) software maker was bound by terms of preliminary injunction even though it was not named in the injunction; and (3) injunction did not violate software maker's First Amendment rights.
- Ingenix, Inc. v. Lagalante, 2002 U.S. Dist. LEXIS 5795 (E.D. La. 2002). The court held that plaintiff had properly alleged damages in excess of the statutory minimum due to the cost of hiring forensic experts to recover the deleted files and carry out an investigation on the laptops and email servers.
Appeal was taken from a preliminary injunction of the United States District Court for the District of Mississippi, Walter L. Nixon, Jr., Chief Judge, staying demand for arbitration of contract dispute between general contractor and city. The Court of Appeals, Jerre S. Williams, Circuit Judge, held that: (1) an order granting a stay of arbitration pending outcome of litigation is an appealable interlocutory order; (2) general contractor's claim was arbitrable; and (3) district court abused its discretion in staying arbitration.
- EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001)
Tour company sued competitor and individual executives of competitor, alleging that competitor's use of “scraper” software program to systematically glean company's prices from its website violated Computer Fraud and Abuse Act (CFAA), Copyright Act, and Racketeer Influenced and Corrupt Organizations Act (RICO). Company moved for preliminary injunction on CFAA claim. The United States District Court for the District of Massachusetts, Lasker, Senior District Judge, granted injunction, and competitor appealed. The Court of Appeals, Coffin, Senior Circuit Judge, held that: (1) use of “scraper” program “exceeded authorized access” within meaning of CFAA, assuming program's speed and efficiency depended on executive's breach of his confidentiality agreement with company, his former employer, and (2) company's payment of consultant fees to assess effect on its website was compensable “loss” under CFAA.
- Thurmond v. Compaq Computer Corp., 171 F.Supp.2d 667 (E.D. Tex. 2001) Holding that losses suffered by unnamed members of proposed class made up of buyers of allegedly defective computers could not be used to CFAA damage threshold. Noted in dicta that if the defective program corrupted $5,000 worth of data, then Plaintiffs would have met the statutory minimum.
Buyers of personal computers sued manufacturer under Computer Fraud and Abuse Act (CFAA), alleging sale of machines containing defective floppy diskette controllers, and asserting state-law claims including breach of contract. Manufacturer moved for summary judgment. The District Court, Heartfield, J., held that: (1) showing of “damage” is required for CFAA civil claim; (2) fact question existed as to whether buyers suffered “impairment to the integrity” of their data within meaning of CFAA; (3) damages allegedly suffered by unnamed proposed class members could not be used to satisfy Act's threshold damages requirement; and (4) damages resulting from transmissions to multiple computers could not be aggregated to meet threshold.
- Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000)(finding that insiders with authorization to use a system can lose that authorization when they act as agents of an outside organization)
Employer of former employees, alleged to have appropriate trade secrets stored on employer's computers, sued competitor which allegedly received secrets, under Computer Fraud and Abuse Act (CFAA). Competitor moved to dismiss. The District Court, Zilly, J., held that: (1) for purposes of stating claim under CFAA, former employees lost access to computers when they allegedly became agents of competitor; (2) CFAA was not limited to situations in which national economy was affected; (3) fraud provision of CFAA did not require showing of common law elements; (4) provision penalizing infliction of damage on protected computers was not limited to conduct of outsiders; and (5) damage claim was stated, even though appropriation did not affect integrity of secrets within employers' computers.
- Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 253 (S.D.N.Y. 2000) (terms of use notice)
- America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000) (noting that no other published decision contains the same interpretation as America Online, Inc. v. LCGM, Inc. on the issue of unauthorized access)
- YourNetDating v. Mitchell, 88 F.Supp.2d 870, 871 (N.D. Ill. 2000) (granting temporary restraining order where defendant installed code on plaintiff's web server that diverted certain users of plaintiff's website to pornography website)
- America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444, 450-51 (E.D. Va. 1998) (holding that AOL members acted without authorization when they used AOL network to send unsolicited bulk emails in violation of AOL's member agreement)
Authorization Cases:
Defendant was convicted in the United States District Court for the District of Minnesota, James M. Rosenbaum, J., of interstate transportation of stolen property and mail fraud, and he appealed. The Court of Appeals, Fagg, Circuit Judge, held that: (1) finding that stolen samples of synthetic casting material for use by orthopedic surgeons to repair broken bones were worth more than $5,000 was supported by evidence, and (2) refusal to instruct jury regarding definition of term “patent pending” was not abuse of discretion.
Employee was removed on charges of misconduct. The presiding official upheld removal, and employee petitioned for review. The Merit Systems Protection Board held that: (1) agency was not required to prove employee's specific intent to defraud in regard to his alteration of contracts; (2) agency had reasonable cause to believe that criminal violation had occurred, so as to invoke crime provision; and (3) penalty of removal was reasonable for employee's alteration of official contract, receiving of unauthorized agency records, and submission of fraudulent invoices.
Accessing to Defraud and Obtain Value:
Certiorari to United States Circuit Court of Appeals for the Ninth Circuit. Cologero Fasulo was convicted of conspiracy to violate Criminal Code, s 215, and to review a judgment (7 F.(2d) 961), affirming conviction, he brings certiorari. Judgment reversed.
Defendant pleaded guilty to computer fraud and was sentenced by the United States District Court for the Western District of Kentucky, John G. Heyburn II, J., and the United states appealed sentence. The Court of Appeals, Suhrheinrich, Circuit Judge, held that: (1) the district court's two-level downward departure, based on defendant's alleged gambling disorder, was not an abuse of discretion, and (2) finding that defendant had a gambling problem that qualified as an significantly reduced mental capacity (SRMC) was not clearly erroneous.
Defendant was convicted before the United States District Court for the District of Columbia, Thomas Penfield Jackson, J., of computer fraud, and he appealed. The Court of Appeals, Ginsburg, J., held that in calculating sentence for computer fraud which involved the fraudulent procurement of lottery tickets by operator of terminal which printed and dispensed the tickets for sale, district court correctly valued the “loss” due to the fraud based on the fair market value of the tickets prior to the drawing, rather than on the value of the winning tickets, replacement cost, or lost profits.
Damaging a Computer or Information:
Defendant was convicted in the United States District Court for the Western District of North Carolina, Richard L. Voorhees, J., of intentionally causing damage to protected computer. Defendant appealed. The Court of Appeals held that: (1) items seized from defendant's home and home computer were admissible under other acts rule, and (2) conviction was supported by evidence.
Trafficking in Passwords:
Defendant was found guilty of conspiracy to traffic in and possess counterfeit credit cards and possession of 15 or more counterfeit credit cards, and he moved for judgment of acquittal. The United States District Court for the Central District of California, J. Spencer Letts, J., granted motion as to possession count and denied motion as to conspiracy count. On appeal, the Court of Appeals, Leavy, Circuit Judge, held that: (1) conspiracy conviction did not require that conspiracy itself actually affect interstate commerce and was supported by evidence of defendant's possession of numbers of out-of-state accounts he and his codefendants intended to use; (2) defendant was not prejudiced by failure of conspiracy instruction to include reference to interstate commerce in describing object of conspiracy; and (3) illicit possession of out-of-state credit card numbers was “offense affecting interstate or foreign commerce” for purposes of possession count.
Defendant was convicted of conspiracy to use and using credit access devices in violation of federal statute by the United States District Court for the Southern District of Ohio, John D. Holschuh, J., and he appealed. The Court of Appeals, Nathaniel R. Jones, Circuit Judge, held that fraudulent use of credit card conviction was sufficiently supported by evidence that defendant had directed confederate to charge over $1,000 in merchandise at merchant's store.
CFAA Civil Cases
Electrical engineering company involved in manufacture and sale of integrated circuits, as employer, brought action against former chief executive officer (CEO) claiming breach of contract in connection with employee agreement, breach of fiduciary duty, trade secret misappropriation, violation of Computer Fraud and Abuse Act (CFAA), and conversion on allegations that CEO stole confidential and proprietary information. Former CEO counterclaimed alleging misappropriation, unjust enrichment, and intentional interference with contractual relations and prospective economic advantage, and sought declaratory relief regarding ownership of intellectual property embodied in relevant patent applications. Employer brought motion for summary judgment . . . The District Court, Hamilton, J., held that:(1) consultant agreement only transferred ownership in all technology expressly “produced by or created for” contracting party after execution of agreement;(2) consulting agreement only bound those named parties to agreement;(3) CEO expressly assigned all chip technology to corporation upon which CEO worked as employee;(4) patent assignment form was adequately supported by consideration;(5) patent assignment form conveyed to assignee exclusive rights to same technology that was source for CEO's subsequent utility patents;(6) company set up as joint venture could not be considered stranger to original joint venture agreement;(7) CEO violated confidentiality provision in employee agreement; and(8) CEO breached fiduciary duty owed to corporate employer.
This matter comes before the Court upon the Motion to Dismiss by Defendants Kevin Speed (“Speed”) and Steve Fleming (“Fleming”) (Doc. 53), to which Plaintiff Lockheed Martin Corporation (“Lockheed” or “the company”) responded in opposition (Doc. 71), and the Motion to Dismiss by Patrick St. Romain (“St.Romain”) (Doc. 68), to which Lockheed responded in opposition (Doc. 75). Lockheed alleges that three of its former employees accessed Lockheed computers, copied proprietary information, and delivered trade secrets to Defendant L-3 Communications Corporation (“L-3”) in violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. For the reasons herein stated, the Court grants the Motions to Dismiss.
Plaintiff, HUB Group, Inc. (“HUB”) seeks a preliminary injunction temporarily barring defendant, Jeffrey Clancy, from contacting, soliciting, or servicing any of the 29 customers he serviced during his final year of employment with HUB. HUB contends that Clancy stole secret information regarding those current and former HUB clients, and that he should not be allowed the opportunity to use that information to unfairly compete against HUB. HUB's complaint alleges violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et. seq., Misappropriation of Trade Secrets, Breach of Contract, Breach of Fiduciary Duty, Conversion, Tortious Interference with an Economic Advantage, and Unfair Competition. This court entered a temporary restraining order on May 4, 2005 directing the defendant to cease using or disclosing any confidential or proprietary information that Mr. Clancy obtained from HUB. On August 23, 2005, a hearing was held so the court could consider evidence as to whether its temporary restraining order should remain in place. Based upon my findings of fact after careful consideration of the evidence from the hearing . . . I will dissolve the temporary injunction entered on May 4, 2005.
Private school sued its former principal and Internet-based university in which he had enrolled, alleging violation of Computer Fraud and Abuse Act (CFAA) and misappropriation of trade secrets. University moved to dismiss . . . The District Court, Blake, J., held that: (1) university did not violate CFAA, but (2) fact issue existed as to whether university misappropriated school's trade secrets.
Internet domain name registrar sued competitor providing website host services, alleging breach of contract, trespass to chattels, breach of Computer Fraud and Abuse Act and violation of Lanham Act. Registrar moved for preliminary injunction. The District Court, Jones, J., held that: (1) registrar satisfied requirements for issuance of preliminary injunction barring competitor from offering website hosting services to registrar's new registrants, by means of direct mail or telephone solicitation; (2) requirements were satisfied for injunction based on commission of trespass to chattels; (3) requirements were satisfied for injunction barring violation of Computer Fraud and Abuse Act; and (4) requirements were satisfied in connection with violations of Lanham Act.
Internet service provider (ISP) brought action against Iowa corporation engaged in selling discount optical and dental service plans, alleging that corporation hired e-mailers to send unauthorized and unsolicited bulk e-mail advertisements to ISP's customers, in violation of state and federal law. On ISP's motion for summary judgment, the District Court, Zoss, United States Magistrate Judge, held that: (1) non-statutory claims were governed by Virginia law, rather than Iowa law; (2) genuine issues of material fact precluded summary judgment on ISP's claims under the Computer Fraud and Abuse Act (CFAA); (2) genuine issues of material fact precluded summary judgment for ISP on its claim of unjust enrichment under Virginia law; (3) genuine issues of material fact precluded summary judgment on grounds that corporation was liable for trespass to chattels and violation of Virginia Computer Crimes Act (VCCA) based upon acts of e-mailers.
Internet dating service sought temporary restraining order (TRO) prohibiting a former programmer from “hacking” the dating service's website and diverting its clients and users to a porn site. The District Court, Bucklo, J., held that dating service was entitled to TRO.
Internet service provider brought action against operators of web sites, and principals of those operators, alleging that defendants sent unauthorized and unsolicited bulk e-mail advertisements to provider's customers, in violation of state and federal law. On provider's motion for summary judgment, the District Court, Lee, J., held that: (1) operators' use of provider's Internet domain name violated Lanham Act's prohibition on false designations of origin; (2) operators' use of domain name constituted dilution; (3) operators violated Computer Fraud and Abuse Act; (4) operators violated Virginia Computer Crimes Act; (5) operators' conduct amounted to trespass to chattels under Virginia law; and (6) fact issues precluded sum