I was really impressed with the quality of this event on many levels — these folks really put on first class meetings so, for those of you who are accountants or financial professionals, I would encourage you to check them out. The facilities were great, the people were great, the food was great and it’s amazing how insightful and inquisitive a group can be when wine is served! Seriously, if you spend much time presenting to groups, you can tell when an audience is interested and paying attention or when they’d rather be some place else — this group was focused and their questions showed it. It was a real pleasure for me. The icing on the cake, however, was at the end when I was told that the organization would make an honorarium to my favorite charity — Cure JM of course! Much thanks!

TAKEAWAY: Deactivating your Facebook account while in litigation may be destroying evidence that could be sanctioned by the court for spoliation of evidence.

In Gatto v. United Air Lines, Inc., et al., 2:10-cv-01090 (D. NJ Mar. 25, 2013), the district court entered an order finding that the Defendants would be entitled to an instruction at trial permitting the jury to draw an adverse inference against the Plaintiff for failing to preserve his Facebook account. The relevant facts regarding this issue are straightforward.

Plaintiff sued Defendants for personal injuries that occurred while he was working, claiming he could no longer do certain activities, no longer work, etc. The Defendants requested information from Plaintiff’s social media accounts in discovery (which is standard course these days) and Plaintiff produced quite a bit of the information from accounts other than his Facebook. He did not provide the requested information from his Facebook account. The parties engaged in quite a bit of fighting over the Facebook account and, just before all of the contents were ordered to be turned over, Plaintiff just so happened to (accidentally, of course) deactivate his Facebook account. Unfortunately–of course–by the time news traveled from lawyers to Plaintiff and back to lawyers, well, over 14 days had elapsed since the account was deactivated and it was now permanently deleted — bye bye Facebook account and everything in it!

Defendants then sought sanctions against Plaintiff for “spoliation of evidence” and sought their costs, attorneys fees, and a spoliation inference for the jury. The court agreed there was spoliation:

Spoliation occurs where evidence is destroyed or significantly altered, or where a party fails to “preserve property for another’s use as evidence in pending or reasonable foreseeable litigation.” Litigants in federal court have a duty to preserve relevant evidence that they know, or reasonably should know, will likely be requested in reasonably foreseeable litigation, and the Court may impose sanctions on an offending party that has breached this duty.”

The court stated in no uncertain terms that it was irrelevant whether Plaintiff requested that his account be deleted or merely deactivated because either scenario involved the withholding or destruction of evidence. “[I]t is beyond dispute that Plaintiff had a duty to preserve his Facebook account at the time it was deactivated and deleted.” The court provided a very thorough analysis of the spoliation issue (i.e., you should read the full opinion) and ultimately determined that the appropriate sanction was a spoliation inference.

Now, was this scintillating little blurb enough to make you want to go and read the opinion?

If you have any questions or would like to talk about any of these kinds of issues, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

p.s. – I would like to thank Chad Pinson at Stroz Friedberg for sharing this opinion with me – thanks Chad!

UPDATE: here is the podcast

Shawn Tuma is a featured guest on this week’s PlayMaker’s Talk Show on 570 KLIF in Dallas, Texas. Shawn will discuss several social media law issues that are important for businesses and business owners to consider when using social media. The show airs at 4:00 p.m. today – Sunday, March 17, 2013. You can listen LIVE by going to the KLIF website or stream the show on iheartradio.

A podcast of the episode is available by clicking HERE to play/download or going to the PlayMaker’s Talk Show website.

You can view Shawn’s blog posts on social media law HERE. If you have any questions or would like to talk social media law, computer fraud, data security or privacy, please feel free to contact Shawn at 469.635.1335, stuma@brittontuma.com or @shawnetuma

Here is a link to the full article: http://www.law360.com/articles/422542/9th-circ-pioneers-laptop-search-limits-in-border-case 

Tuma provided more explanation of these data privacy implications in two other posts:

• Podcast Discussing Data Privacy and Information Security Implications of United States v. Cotterman – Now Available!

• Courts Showing Greater Respect for Data Privacy – United States v. Cotterman

These teens are also about to learn one of the key maxims of social media law: what you post on social media can and will be used against you in court.

You can now listen to the podcast for Courts Showing Greater Respect for Data Privacy – United States v. Cotterman. Click HERE!

For a recap, here is my discussion of this podcast and who participated:

I finished a fantastic Skype discussion of the Cotterman opinion with with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. So, much of what I would write in the blog is in the podcast so I will keep this post as short as possible.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Related articles

• United States v. Cotterman Shows an Increasing Respect for Data Privacy in the Courts (shawnetuma.com)
• En Banc Ninth Circuit Holds That Computer Forensic Searches Are Like “Virtual Strip Searches” And Require Reasonable Suspicion At the Border (volokh.com)
• Ninth Circuit Applies The Fourth Amendment to Border Search of Laptop (lawprofessors.typepad.com)
• UPDATE – Your Rights Under Attack: What A Difference Judical Review Makes (jonathanturley.org)
• 9th Circuit Appeals Court: 4th Amendment Applies At The Border; Also: Password Protected Files Shouldn’t Arouse Suspicion (techdirt.com)

TAKEAWAY: Data privacy is gaining respect within the judiciary, as it should because in many ways, data is the new currency and is worthy of protection.

On March 8, 2013 the Ninth Circuit Court of Appeals (en banc) handed down a watershed case with significant privacy implications: United States v. Cotterman, No. 09-10139 (9th Cir. Mar. 8, 2013). This case (including the majority, concurring and dissenting opinions) is 82 pages so plan your time accordingly. It is worth reading because it represents a tug-of-war between competing interests of border security and data privacy. Data privacy may not have scored a knockout but it certainly gained some very important ground.

While analyzing the Cotterman case I made some notes on my whiteboard. Instead of sharing the customary random psychedelic photo with you, I decided to just share an image of the whiteboard so you can see what I thought was really important which I will briefly discuss below.

Note – it is 12:30 on Saturday night and a few hours ago I finished a fantastic Skype discussion of the Cotterman opinion with with Rafal Los (@Wh1t3Rabbit) and Mike Schearer (@theprez98). As you may recall from The Law and the Hacker podcast I did a few months ago, Raf is often referred to as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Mike is a security consultant and penetration tester by day and a law student and hacker by night who blogs at Mike’s Blog and wrote a nice post on the Cotterman opinion: Law in Plain English: United States v. Cotterman You should know how seriously the three of us take this issue since this is how we spent our Saturday night! Raf has turned our discussion into a podcast that is available HERE. So, much of what I would write in the blog is in the podcast so I will keep this post as short as possible.

Facts

Cotterman was a sleazebag child molester who had been convicted for molesting a child and apparently traveled out of the country quite frequently. Cotterman was returning from Mexico with his wife, had been visiting a country known for “sex tourism,” and had what was considered to be a significant amount of electronic equipment with him (a laptop and several cameras).

Cotterman was profiled at customs while coming back into America because of the totality of all of these factors which indicated he fit within the parameters of the Operation Angel Watch program aimed at combating child sex tourism. This led to Cotterman and his wife being taken for a heightened inspection. Cotterman’s laptop and cameras were inspected, nothing inappropriate was found during the cursory inspection and he and his wife were allowed to go. Because there were files that were password protected, however, this raised another red flag and the laptop and a camera were held for forensic examination.

The forensic examiner later contacted Cotterman and asked him to provide his password. Cotterman, sensing the inevitable at this point, hopped a plane to Mexico and then on to Sydney, Australia. Meanwhile, the forensic examiner was able to crack the password and discovered 378 child porn pictures and videos, some of which showed Cotterman sexually molesting a young girl between the age of 7 to 10. 

Procedural Posture

The district court determined that the forensic examination of the laptop and camera were improper and excluded the evidence under the exclusionary rule. The prosecutors appealed, arguing that the law was clear that customs had the authority to do a routine border search without the need for any suspicion whatsoever, including the forensic examination.

The key issue in this case was whether it was reasonable to conduct a forensic examination of the computer and camera.

The Ninth Circuit’s Analysis and Ruling

The Ninth Circuit disagreed with the prosecutors argument but ultimately gave them a favorable ruling in the case that enabled the evidence to be used against Cotterman. The court found that, in order to obtain a forensic exam of data on electronic devices, there must be a “reasonable suspicion”, which is a heightened standard over what is typically required for a routine border search. The reason for requiring a reasonable suspicion for a forensics exam is because of the “comprehensive and intrusive nature of forensic examination.” The court also found, however, that the facts of this case satisfied the reasonable suspicion standard and the evidence should not have been excluded.

The court emphasizes protection of data privacy

The court also emphasized that Fourth Amendment protection of “personal papers” directly encompasses data on electronic devices because such data goes to the heart of the notions of freedom of conscious, thoughts, and ideas. Therefore, data on electronic devices is afforded a higher standard of protection than other forms of property. The court expressly stated “data on electronic devices carries with it a significant expectation of privacy.”

The court acknowledged that this case directly implicates substantial personal privacy interests and found that inspecting information individuals stored on digital devices is much less like inspecting an impersonal gas tank and more closer to inspections of people themselves, therefore, requiring a higher standard. In the court’s words: “It was essentially a computer strip search.”

I believe this represents a higher level of respect for the value and importance of data than we have seen out of many courts (especially if you consider that most of the data breach lawsuits have been tossed because there courts find there is no value in the compromised data). For me, this was the true value in this case — let’s see if other courts will follow.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

There has been much debate over the last couple of years over whether an employee violates the Computer Fraud and Abuse Act by wrongfully accessing and obtaining information from the employer’s computer for nefarious reasons – while still being employed. This has been referred to as the “circuit split” because the circuit courts of appeal have three different approaches for determining whether this violates the CFAA, what I refer to as the Trilogy of Access Theories (see bottom of post for explanation). What is not open to debate, however, is whether a former employee violates the CFAA by wrongfully accessing its former employer’s computer system after he or she no longer works for that employer.

That is the lesson of Nouveon Technology Partners, Inc. v. McClure & Smarter Systems, LLC, 2013 WL 811102 (W.D.N.C. March 5, 2013). The basis for the Court issuing this order is not the reason I am blogging about it, rather, I am blogging about it because I think the facts of this case are something that all employers and employees need to understand and this case does a nice job of illustrating that point.

The basic facts are all too familiar. Employee decides to go work for a new company and wants to take her former employer’s confidential proprietary information and use it to work for her new employer. Where the facts differ from many of these cases is that, according to the Plaintiff’s Complaint, the employee accessed the employer’s computer system and took the information after she no longer worked for the employer. I recommend you read the Complaint because it does a nice job of laying out the investigation into the employee’s conduct and clearly distinguishes the former employee’s activities prior and subsequent to her employment ending.

The employee’s last day of employment was April 23, 2012. She was directed to return all of employer’s property in her possession and was understood she was no longer permitted to access the employer owned computer system (including the laptop that was issued to her) after her employment ended. She was to return the company issued laptop on April 23 but did not return it until later:

58.   The forensic search of the laptop computer also revealed that McClure had, without NouvEON’s knowledge or approval, retained and continue to use the NouvEON-owned laptop computer in her possession through the evening of April 23, after she had officially ended her duties for NouvEON and was no longer a NouvEON employee. Throughout the evening of April 23, McClure utilized the username and password provided to her by NouvEON solely for NouvEON business to continually remotely access NouvEON’s Salesforce.com account and various folders on the laptop containing Confidential Information such as NouvEON’s recruiting candidate pipeline, information regarding sales activities, the resumes of candidates identified and interviewed by NouvEON for placement with NouvEON clients and related recruiting information.

59.   As a result of further forensics analysis of the NouvEON-owned laptop used by McClure, NouvEON has now learned that after McClure became an employee of Smarter Systems, she continued to remotely access NouvEON’s Salesforce.com Database to access and misappropriate NouvEON’s Confidential Information by using a username and password issued to another employee through as late as June 7, 2012.

60.   In summary, the foregoing forensic inspection of the NouvEON laptop computer used by McClure revealed for the first time that prior to and for over one month after her last day of employment with NouvEON, McClure regularly accessed and misappropriated, and likely downloaded, highly sensitive and proprietary Confidential Information belonging to NouvEON. McClure’s actions in this regard were not known by or authorized by NouvEON and are in violation of her Employee Agreement and NouvEON’s policies.

So there you have it, if you are looking for a really great way to violate the Computer Fraud and Abuse Act when leaving your job, just do what McClure did! If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

TAKEAWAY: If you are claiming you cannot work and are on medical leave, posting pictures on the Internet of you hunting during that same time will not help your case when (yes, i said WHEN) you get fired and make a claim under the Family and Medical Leave Act for retaliatory discharge. They will kill your case!

This is the lesson of Foster v. Sanderson Farms, Inc., 2013 WL 177998 (S.D. Tex. Jan. 16, 2013). This is a great example of one of my maximums of social media law: “If you are doing something you shouldn’t, don’t post about it on the Internet!”

Any more questions?

When a single case can make or break your business, there’s no such thing as too much innovation — or too much lawyering.

via Ready to Innovate? Get a Lawyer. – Larry Downes – Harvard Business Review.

Here are some recent Computer Fraud and Abuse Act (“CFAA”) cases that have been decided (or published) over the last couple of weeks:

Tracfone Wireless, Inc. v. Cabrera, 883 F. Supp.2d 1220 (S.D. Fla. July 11, 2012). Defendant and former employee who engaged in selling stolen TracFone Prepaid Phones violated the unauthorized access with intent to defraud (18 U.S.C. § 1030(a)(4)) and unauthorized access (18 U.S.C. § 1030(a)(5)) by his unauthorized access TracFone’s computer system using improperly obtained codes and information to obtain access to the system and alter information in the system to generate and obtain stolen airtime and services which he then sold. This is a default judgment case but the court goes through a detailed explanation of the loss / interruption of service analysis that is worth reading.

Dalzell Management Co., Inc. v. Bardonia Plaza, LLC, 2013 WL 592672 (S.D.N.Y. Feb. 15, 2013). This is an interesting case where there are two lawsuits, one state and one federal, and the Defendants moved to dismiss the federal (alleging the Computer Fraud and Abuse Act claim) based on the Colorado River Abstention Doctrine. The court denied the motion to dismiss. The allegations giving rise to the CFAA claim were given but the decision did not address the substantive merits of the CFAA claim. Plaintiff (a real estate management company) leased office space in Defendant’s building with a portion of the rent being a percentage of rents collected by Plaintiff. Defendant evicted Plaintiff and, during the process, had its IT staff copy data from Plaintiff’s computer system which included Plaintiff’s proprietary and confidential information as well as banking information. According to Plaintiff, Defendant did not have authorization to access its computer system which gave rise to the CFAA claim under (18 U.S.C. § 1030(a)(2)) for unauthorized access to obtain information from a protected computer.

Sebrite Agency, Inc. v. Platt, 884 F. Supp.2d 912 (D. Minn. Aug. 7, 2012). The court granted a motion to dismiss Plaintiff’s Computer Fraud and Abuse Act claim. The Plaintiff, an insurance agency, alleged that its former agent (and his girlfriend) set up a competing agency and was trying to steal its clients and, for purposes of the CFAA claim, accessed Plaintiff’s computers without authorization or in excess of authorization by forwarding e-mails containing confidential company information for roughly 74 of its clients to their own e-mail. The court followed the Strict Access Theory (see explanation toward bottom of post) and determined that, because the former agent had been authorized to access all of this information at the time of the access, he did not access computers were databases that he was forbidden to use.

As the parties recognize, the federal courts have disagreed about whether the CFAA is violated when a person who has authority to “access[] a protected computer” misuses the information that he or she obtains.^[2] This Court previously endorsed the narrower interpretation of the CFAA, holding that the misuse or misappropriation of confidential information stored on a computer to which the defendant has authority to access does not give rise to liability. See Xcedex, Inc. v. VMware, Inc, No. 10-CV-3589 (PJS/JJK), 2011 WL 2600688, at *4-5 (D. Minn. June 8, 2011), adopted by 2011 WL 2581754, at *1 (D. Minn. June 30, 2011). The Eighth Circuit still has not directly addressed this question, and nothing in the cases decided since Xcedex has persuaded the Court to change its mind.^[3] The Court continues to believe that the narrower interpretation of the CFAA is more consistent with statutory text, legislative history, and the rule of lenity. See Walsh Bishop, 2012 WL 669069, at *3. Moreover, the broader interpretation would transform just about every state-law claim for misappropriation of trade secrets into a federal lawsuit, see Condux, 2008 WL 5244818, at *6, not to mention expose employees who violate their employers’ computer-use restrictions to criminal liability, see Nosal, 676 F.3d at 861-62. The Court continues to believe that, if Congress meant to so vastly expand the jurisdiction of the federal courts, Congress would have been much more explicit.

Under the Court’s interpretation of the CFAA, Sebrite’s allegation that Plattimproperly used confidential information that he had authority to access fails to state a claim under 18 U.S.C. § 1030(a)(4). Count IX is therefore dismissed.

West Plains, L.L.C. V. Retzlaff Grain Co. Inc., 2013 WL 705859 (D. Neb. Feb. 26, 2013). This is an opinion granting a Motion for Preliminary Injunction based primarily on misappropriation of trade secrets. The Plaintiff did bring a claim for violating the Computer Fraud and Abuse Act though the substantive merits of the claim were not addressed in this opinion, but the opinion is still worth reading because of the trade secrets analysis in the context of a preliminary injunction.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Related articles

• Computer Fraud and Abuse Act Incorporates Traditional Principles of Tort Causation (shawnetuma.com)
• Plaintiff’s CFAA Claim Dismissed Because of Simple Pleading Error (shawnetuma.com)
• Court Implies Unknown “Backdoor Node” On Software Licensee’s Server To Monitor Infringement May Violate CFAA (shawnetuma.com)
• Court Finds Computer Fraud and Abuse Act Claim is Subject to Arbitration Agreement (shawnetuma.com)

I need your help — I intend to write a more thorough analysis of this issue and would appreciate your help so please tell me what you think. (see below for specific questions)

A new bill proposed in Texas would allow people to be served legal documents through social media as a form of “substituted service.” What do you think, is this a good thing or a bad thing? Read more here: Texas Bill Would Allow Serving Subpoenas Through Social Media and Texas Leg Watch 2013: Bill proposes to allow service via social media. The text of proposed H.B. No. 1989 (.pdf file), authored by attorney Jeff Leach, is as follows:

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1.  Subchapter B, Chapter 17, Civil Practice and Remedies Code, is amended by adding Section 17.031 to read as follows:

Sec. 17.031.  SUBSTITUTED SERVICE THROUGH SOCIAL MEDIA WEBSITE.  (a)  If substituted service of citation is authorized under the Texas Rules of Civil Procedure, the court may prescribe as a method of service under those rules an electronic communication sent to the defendant through a social media website if the court finds that:

(1)  the defendant maintains a social media page on that website;

(2)  the profile on the social media page is the profile of the defendant;

(3)  the defendant regularly accesses the social media page account; and

(4)  the defendant could reasonably be expected to receive actual notice if the electronic communication were sent to the defendant’s account.

(b)  Notwithstanding Section 22.004, Government Code, the supreme court may not amend or adopt rules in conflict with this section.

SECTION 2.  This Act takes effect September 1, 2013.

Prior Case Law on Social Media Service

Also, check out the blog I wrote last year discussing a case in which a federal judge refused to allow a lawsuit to be served on a defendant via social media, instead reasoning that the local papers would better apprise the defendant of the lawsuit. Given what we know about that defendant, do you think she was more likely to be informed of things happening on Facebook or in the local newspapers? Federal Court in New York Refuses Service Via Facebook | Shawn E. Tuma.

UPDATE: We are actively discussing this proposal on the State Bar of Texas group on LinkedIn – feel free to join by clicking HERE!

QUESTIONS: Please tell me your thoughts on:

1. is this a good or bad idea;
2. why is this a good or bad idea;
3. what pros and/or cons you see for using social media in this way;
4. what tools, services or procedures are you aware of that could be used or could help make this process more reliable;
5. what overall suggestions do you have that could help make this process more reliable; and
6. anything else you can share that may have some bearing on this discussion.

I am seeking truth and understanding, not advocating a position (at this point), thank you for your help!

TAKEAWAY: A Computer Fraud and Abuse Act claim that touches matters covered by an arbitration agreement is arbitrable.

In Torbit, Inc. v. Datanyze, Inc., 2013 WL 572613 (N.D. Cal. Feb. 13, 2013), the defendant moved to compel arbitration of a Computer Fraud and Abuse Act claim under an arbitration agreement that provided that “all claims ‘relating to or arising out of our employment relationship’ are subject to arbitration.”

The Court found that the CFAA claim touched matters covered by that arbitration clause because the factual allegations supporting the claim were that “Mr. Semin [the employee] ‘intentionally and without authorization’ accessed Plaintiff’s computers and obtained valuable information, including Playbook, from such computers.” Plaintiff is the employer. The wrongful access was alleged to have taken place during and following Semin’s employment. Accordingly, the Court ruled as follows:

Plaintiff has alleged that Mr. Semin engaged in unauthorized computer activity and improper use of Plaintiff’s proprietary information during the course of his employment. Such conduct “touches matters” that “relat[e] to or aris[e] out of” the Agreement because the Agreement covers the copying of Plaintiff’s information to Mr. Semin’s personal computer and the proper usage of that information. See, e.g. Compl. ¶¶ 12–13. Therefore, the First and Fifth Causes of Action against Mr. Semin are arbitrable.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

Related articles

• Two Year Statute of Limitations of Computer Fraud and Abuse Act Accrued When Plaintiff “Suspected” Wrongdoing (shawnetuma.com)
• Court Implies Unknown “Backdoor Node” On Software Licensee’s Server To Monitor Infringement May Violate CFAA (shawnetuma.com)
• Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act (shawnetuma.com)
• Another CFAA Case Dismissed Because Plaintiff Only Recited Elements in Complaint (shawnetuma.com)

Defendants in the case argued that the reviews were hearsay and therefore inadmissible.  The court, however, disagreed and concluded that the posters’ declarations were admissible since they demonstrated “the then existing mental state of the declarents who posted the comments.”

via Social Media and the Law » Blog Archive » Anonymous Yelp reviews not hearsay..

Related articles

• Injunction over negative Yelp review overturned by Virginia Supreme Court (bizjournals.com)
• Court Says Negative Yelp Reviews Shouldn’t Be Censored (allthingsd.com)
• Yelp Reviewers Beware: You Can Get Sued (ideas.time.com)
• Yelp Defeats Legal Challenge to Its User Review Filter (Forbes Cross-Post) (ericgoldman.org)