Skip to content
Peter Toren | Experienced Intellectual Property Lawyer

A Dubious Decision: Eleventh Circuit Finds Scraping of Data from a Public Website Can Constitute Theft of Trade Secrets (Part I)

This article was first published in on July 2, 2020.

“Surely, this is not the first instance in which bots were used to scrape publicly available information from a website. Yet the Eleventh Circuit failed to provide any support for its conclusion…. If support existed for the court’s legal analysis and conclusion, it undoubtedly would have provided it.”

Much has already been written in a relatively short period of time since the Eleventh Circuit decided Compulife Software, Inc. v. Newman, __ F.3d __, 2020 WL 2549505, (11th Cir. May 20, 2020). However, such commentaries have not addressed whether this decision is legally supportable and whether other circuits should follow this decision, which would provide a legal basis for website operators under certain circumstances to pursue unwarranted scraping of their websites. This is particularly important because the Supreme Court is currently considering whether to grant certiorari in a case involving whether website scraping is legal under the Computer Fraud and Abuse Act (CFAA). Depending on the outcome of this matter, website operators may be extremely restricted to prevent scraping under that statute.

The Holding

In general, the Eleventh Circuit held that the scraping of public information on a website may constitute trade secret misappropriation, so long as the scraping is done by “bots” and the amount of such information is considerable. “Scraping” refers to automatically accessing and extracting information from a website for a variety of purposes. In particular, the court agreed with the lower court that Compulife’s insurance quotes on their publicly accessible website were trade secrets. However, the appellate court disagreed with the lower court’s finding that the use of automated techniques to scrape large portions of the database could not constitute “improper means” and could thus not be a violation of the Florida Uniform Trade Secrets Act. In reversing the district court’s dismissal of the trade secret claims, the appellate court stressed that the “simple fact that the quotes taken were publicly available does not automatically resolve the question in the defendant’s favor.” The court, therefore, remanded the case.

The first part of this article will address the Eleventh Circuit’s dubious conclusion that such publicly available information can be a trade secret. The second part of this article will address the understanding of “improper means” under the federal Defend Trade Secrets Act (DTSA) and state law, and whether the Eleventh Circuit’s application and understanding of this term were correct.

A Tangled Test for Trade Secrets

As the court noted, “there is nothing easy about this case, the legal issues are “tangled,” and the vast majority of them concerned copyright law. However, for the purposes of this article, the focus will be on the trade secret aspects of the case.

Compulife and the defendants are direct competitors in the business of generating life insurance quotes. Compulife obtains rate tables from insurance companies, that are publicly available. It compiles this information into a database in a confidential manner and encrypts the database to prevent reverse engineering. Compulife then licenses access to the database for a fee to certain entities under various licensing schemes. More importantly, for our purposes, Compulife maintains a website that allows visitors to obtain life insurance quotes at no cost.

The defendants hired a “hacker” to scrape certain portions of the publicly available data from Compulife’s website using bots. The court found the use of the process significant because while a human user would be limited to the number of queries that could be entered into the database, the bot entered every possible combination of demographic data, totaling more than 42 million quotes. Compulife alleged that the defendants then used the scrapped data as a basis for generating quotes on their own websites. According to Compulife, these facts establish a claim of misappropriation under the Florida Uniform Trade Secrets Act (FUTSA).

Turning now to the issue of whether the information scraped from the website could constitute a trade secret, the appellate court began by disagreeing with the magistrate judge that because the individual 42 million quotes that defendants allegedly scraped from Compulife’s website were freely available to the public, they could not be trade secrets. The court noted that “public availability creates a vulnerability, which—if unreasonable—could be inconsistent with the reasonable precautions requisite to trade-secret protection,” however, the lower court was incorrect in finding that this ends the inquiry. Id. at *16.

According to the appellate court, “[e]ven granting that individual quotes themselves are not entitled to protection as trade secrets, the magistrate judge failed to consider the important possibility that so much of the [information] was taken—in a bit-by-bit fashion—that a protected portion of the trade secret was acquired.” The court appellate agreed with the lower court that the “scraped quotes were not individually protectable trade secrets because each is readily available to the public,” but found “that doesn’t in and of itself resolve the question whether in effect, the database as a whole was misappropriated.” Thus, according to the Eleventh Circuit, “[e]ven if quotes aren’t trade secrets, taking enough of them must amount to misappropriation of the underlying secret at some point. Otherwise, there would be no substance to trade-secret protections for ‘compilations,’ which the law clearly provides.” Id. (emphasis in original).

The appellate court also stressed that to conclude otherwise would mean that Compulife couldn’t recover even in the circumstance where “Compulife had implemented a technological limit on how many quotes one person could obtain, and even if the defendant had taken all the data, rather than a subset of it, each quote would still be available to the public and therefore not entitled to protection individually.” Id. at *17. Because Compulife may not have grounds to recover under such circumstances does not mean that the court should fashion a remedy to provide for recovery. Under such circumstances, Compulife may be able to recover under the CFAA, but certainly not for misappropriation of trade secrets, since the information is available to the public and the limitation imposed by the plaintiff should not be considered as a “reasonable measure” as required by federal and state law.

Flawed Analysis

In Compulife, the appellate court, however, found that under the plain terms of the FUTSA the defendants would be liable in this scenario because they “would have acquired a compilation of information that ‘derives independent economic value … from … not being readily ascertainable’ and ‘ is the subject of efforts that are reasonable under the circumstances to maintain its secrecy’ by means which plainly amount to ‘espionage through electronic … means.’” However, as explained below, this analysis is further flawed and contrary to an understanding of basic trade secret law.

First, the sine qua non of an action under the Defend Trade Secret Act (DTSA) or state law including the FUTSA is the existence of a “trade secret.” Although there are a number of factors that involved in this determination for our purposes it is sufficient for the purpose of this article to focus on the requirement that the information must be subject to efforts that are reasonable under the circumstances to maintain its secrecy or confidentiality. Here, the court relied upon the amount of the information that was scraped that constituted reasonable measures as required under the FUTSA. However, trade secret law does not support this conclusion. Indeed, there is no evidence that Compulife took reasonable measures as recognized by trade secret law to protect the insurance quotes at issue. The information was freely available to the public, and how the information was accessed is completely immaterial to the inquiry of whether such information meets the reasonable measures requirement.

The analysis, however, does not end there, since the court is correct that compilations are specifically included in the definition of trade secrets under federal and state law, and the fact that some or even most of the information were publicly available is not dispositive of whether the compilation can be considered a trade secret. A combination of elements that are in the public domain can be in the public domain if the trade secret constitutes a unique, effective, successful, and valuable integration of public domain elements. The focus is on whether the combination creates a type of information that is not “readily ascertainable” to the public. There is no evidence that the combination of the insurance quotes transmogrifies public information into trade secrets. The lower court, and not the Eleventh Circuit, was correct in finding that this means that these quotes do not constitute trade secrets.

The appellate court also conflated the requirement of “deriving independent economic value” with “reasonable measures.” The Eleventh Circuit is correct that Compulife’s aggregation of the information relating to the insurance quotes meets the requirement under the FUTSA that it “derives independent economic value from not being readily ascertainable.” However, this does not mean that it was the “subject of efforts that are reasonable under the circumstances to maintain its secrecy.” The two are simply separate and distinct trade secret requirements.

An Absence of Authority

Surely, this is not the first instance in which bots were used to scrape publicly available information from a website. Yet the Eleventh Circuit failed to provide any support for its conclusion. In general, under these circumstances, plaintiffs have brought claims under the CFAA on the grounds that such conduct amounted to “unauthorized access” or “exceeding authorized access” and for breach of contract of the underlying terms of service. Here, Compulife did not bring a CFAA claim, but did bring a claim under the Florida state computer hacking statute; however, the claim was dismissed because the state statute protects networks that “can be accessed only employing a technological access barrier,” which was not present in this case. Regardless, if support existed for the court’s legal analysis and conclusion, it undoubtedly would have provided it. The court should have been put on notice from the absence of such authority that its decision was unsupportable.

The second part of this article will address the Eleventh Circuit’s understanding of “improper means” under the FUTSA, and more generally the meaning of it under the DTSA. The meaning of this term is critical to a full understanding of the multiple ways that a trade secret can be misappropriated.