September 24, 2018

Civil Actions

The single most important federal law that covers computer hacking is the Computer Fraud and Abuse Act (“CFAA”).  Although the CFAA is primarily a criminal statute, it provides for a private right of action. Indeed, with varying degrees of success, employers are taking advantage of the CFAA’s civil remedies to sue former employees and their new companies who may be seeking a competitive edge through wrongful use of information from their former employer’s computer system.  Further, while many of the civil cases involve “classic” hacking activities, some courts have held that the civil reach of the CFAA, includes instances where a user violates the terms of use of a Web site, for example, by using a scraper program to harvest data from the Website.

In order to prove a civil violation of the CFAA, a plaintiff must, in general, (1) establish that the defendant accessed a protected computer without or in excess of authorization and (2) caused damage or loss to the victim of more than $5,000.  Damages are limited to economic damages and most courts have held that damage does not cover the loss of a trade secret, goodwill or reputation, business opportunities revenue or profits or other damages which are unrelated to the damage caused to the plaintiff’s computer system or to damage relating to attempts to resecure a computer system in the wake of a hacking attack.  Loss includes the cost of determining the amount of damage caused by defendant’s activities and attempts to restore information and electronic data as well as the cost incurred because of service interruption.

The most heavily litigated civil CFAA issue is whether the defendant accessed a protected computer without authorization or in excess of authorization. There are three general categories of civil CFAA cases and courts have approached each category differently in determining whether the defendant has acted without authorization or in excess of authorization.

The first category of cases involving the meaning of “authorization” has arisen in the context of employee misconduct.  In this area, courts have become increasingly split as to what it means for an employee to access an employer’s computer system without authorization or in excess of authorization.  Under the so-called “broad view,” which has also become a distinctly minority view, courts have concluded that when an employee or former employee accesses an employer’s computer with the intent to misuse the information obtained as a result of such access, then such access was in excess of authorization, even if the employee could otherwise have accessed the information.  The focus of these cases is not on an employee’s later misuse of information, but “on an employee’s initial access of the employer’s computer with the intent to either obtain information or defraud the employer, thereby, obtaining something of value.

The leading case supporting this view is International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006). In this case, Judge Posner, writing for the majority, noted that the difference between “without authorization and exceeding authorized access is paper thin.”  Judge Posner stated that the employee adequately stated a cause of action under the CFAA, where the defendant was an employee of plaintiff and after resigning from the company deleted certain files from his company-issued laptop computer and loaded into the laptop a secure-erasure program that prevented the recovery of the deleted files  The court found that defendant’s resignation from the company terminated his agency relationship, and with it, “his authority to access the laptop because the only basis of his authority had been the relationship.”

Many courts have criticized this approach, holding that the CFAA targets the unauthorized procurement, or alteration of information, not its misuse, and that there is no violation of the CFAA under such circumstances.  For example, one court held that the defendant did not violate the CFAA where it hired several of plaintiff’s employees, including one who had access to the plaintiff’s confidential business plan and other trade secrets and e-mailed them to the defendant.  Lockheed Martin Corp. v. Speed, 2006 WL 2683058 (M.D.Fla. Aug. 1, 2006).  The plaintiff claimed that because the employees accessed the information with the intent to steal and deliver it to a competitor those employees acquired adverse interests, terminated their agency authority, and therefore, the access was “without authorization.”  The court rejected this argument, and pointed out that because the plaintiff permitted the employees to access the precise information at issue, they did not exceed authorized access.  The district court stated that it is clear from the plain meaning of the words that “without authorization means no access and exceeds authorized access means to go beyond the access permitted. While Citrin attempts to stretch without authorization to cover those with access authorization (albeit those with adverse interests), Congress did not so stipulate.”

The district court further found that under Citrin, employers would have a federal cause of action whenever employees access the company computer with “adverse interests,” and such access causes a statutorily recognized injury, which was not Congress’ intent.  Thus, “under Citrin, would checking personal email on company time without express permission and thereby causing, however unintentionally, impairment to the computer in excess of $5,000 give rise to CFAA liability?  It might.”  Finally, the district court held that because the CFAA is primarily a criminal statute, it should be interpreted narrowly.

The second category of cases involves contracts governing the use of computers. Generally, these cases have arisen where a user violates the terms of use of a Website by, for example using a “scraper” program to harvest data from the Website.  In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001), the defendant’s vice president was a former vice president of the plaintiff”s who had signed a confidentiality agreement with the plaintiff promising not to disclose any of plaintiff’s “technical, business or financial information, the use or disclosure of which might reasonably be construed to be contrary to the interests of EF.”  When this vice president went to work for defendant as a computer programmer, he developed an automated “scraper” program that could query plaintiff’s Website for information and then send it to the defendant which used it to undercut plaintiff’s prices for tours.  Defendant used this program on two occasions and each occasion involved approximately 30,000 queries.  The district court agreed with plaintiff that this activity constituted a violation of the CFAA reasoning that use of the scraper was so far beyond the “reasonable expectations” of the plaintiff that it was clearly unauthorized.

In affirming the district court’s decision, the First Circuit reasoned that the use of the scraper likely violated the statute because its use implicitly breached the confidentiality agreement that the vice-president had signed with the plaintiff.  The court found that the decision to use the scraper was based on the vice president’s insider knowledge of plaintiff’s Website and business practices and the use of the scraper relied on information obtained in violation of the contractual agreement.  As a result, use of the scraper exceeded authorized access to plaintiff’s computer and violated the CFAA.

The third category of cases involves a claim that a defendant committed common law trespass when it accessed a computer or database without permission from the owner.  To establish a claim for trespass, plaintiff must show that it had a possessory interest in the chattel, and that defendant (1) dispossessed plaintiff of the chattel; and (2) impaired the chattel’s condition, quality, or value; (3) deprived plaintiff of the chattel’s use for a substantial time; or (4) caused bodily harm to plaintiff or to some person or thing which plaintiff had a legally protected interest.  Generally, even an electronic trespass to chattels claim must be based on some link to a physical object.

Several courts have held that even intangible damage to computer servers can constitute a trespass to chattels.  In contrast, other courts have been more reluctant to find a trespass where the intangible damage is speculative or minimal.  For example, one court reversed summary judgment for plaintiff where plaintiff presented no evidence that defendant’s mass emails prevented plaintiff “from using its computers for any measurable length of time” or that plaintff”s system “was slowed or otherwise impaired by the burden of delivering [defendant’s] electronic messages.”