Dang! “Loss” of Opportunity to Decide Interesting CFAA Issue, But “Loss” Analysis is Good Too

Plaintiff had interesting claim under the CFAA but couldn’t get there due to that pesky “loss” requirement

Does an employer violate the Computer Fraud and Abuse Act by remotely wiping an employee’s personal mobile device that was connected to the employer’s server and contained its data?

The United States District Court for the Southern District of Texas was poised to answer this question but did not reach the issue. The court found, as in most of these cases, the plaintiff did not satisfy the jurisdictional threshold $5,000 loss requirement.

What we did get, however, is a strong analysis of how the federal courts in Texas interpret the loss requirement of the CFAA. 

Something to think about — would this have violated the CFAA?

The plaintiff in Rajaee v. Design Tech Homes, Ltd. claimed that his job required him to have constant access to email. His employer did not provide him with a mobile device, so he used his own personal iPhone 4 to conduct his work for Defendants. Plaintiff’s iPhone was connected to his employer’s network server to allow him to remotely access the email, contact manager, and calendar provided by the employer. The parties disagreed over who connected the device or whether it was authorized.

Plaintiff resigned his employment with Defendants and, a few days later, Defendants’ network administrator remotely wiped Plaintiff’s iPhone, restoring it to factory settings and deleting all the data–both personal and work-related–on the iPhone.

Plaintiff sued Defendants alleging that their actions caused him to lose more than 600 business contacts collected during his career, family contacts, family photos, business records, irreplaceable business and personal photos and videos, and numerous passwords.

Plaintiff sued for violations of the Computer Fraud and Abuse Act, Electronic Communications Privacy Act, and various state law claims.

Violation of the Electronic Communications Privacy Act

The Court found the Defendants’ actions did not violate the Stored Communications Act prong of the ECPA: “the Fifth Circuit has held that ‘information that an individual stores to his hard drive or cell phone is not in electronic storage under the statute.’” The information Plaintiff claimed was deleted was stored on his cell phone and not covered by the SCA.

Unauthorized Access Under the Computer Fraud and Abuse Act

The Court does not reach the issue of whether Defendants’ actions were an unauthorized access under the CFAA but that doesn’t mean we can’t think about it ourselves. In fact, over a year ago my friend Jim Brashear (@JFBrashear) and I talked about this and he suggested I write something about it. I didn’t. I should have.

What we do know from the court’s opinion are the following things:

  • Plaintiff owned the iPhone
  • The iPhone contained Plaintiff’s personal data
  • The iPhone was connected to Defendants’ server
  • The iPhone contained Defendants’ data
  • Defendants’ network administrator somehow remotely wiped all of the data — Plaintiff’s and Defendants’ — from the iPhone

We also know that a cell phone is considered a “protected computer” under the CFAA (post). So, we have a protected computer that — somehow — has its data wiped by someone other than its owner.  What we do not know from the opinion, but need to know, are:

  • What authorization did Plaintiff have to retain Defendants’ data on his device after his employment terminated?
  • What authorization did Plaintiff give Defendants to access his device when (whomever) connected it to Defendants’ server (beyond the fact that by connecting to the server Plaintiff was necessarily giving Defendants authorization for their server to communicate with his device)?
  • Assuming Plaintiff gave any authorization to Defendants, did that authorization continue for as long as Plaintiff maintained the connection to Defendants’ server?
  • What means did Defendants’ network administrator use to remotely wipe the device and what steps were taken beforehand to give Defendants the ability to do that?

I believe the answers to these questions are important in this analysis. If I were the judge, these are things I would want to know.

A hack back?

Thinking in the big picture, this scenario reminds me of the ongoing debate over whether it is acceptable for a company to “hack back” — that is, after a hacker has stolen data from a company, whether the company can in turn hack the attacking hacker (“you drew first blood” – Rambo) to either retrieve or destroy its (or its customers’) data that is now residing on the hacker’s system, likely in some far-off land.

The arguments on both sides of the hack back issue are vigorous and I am not foolish enough to think I could resolve the issue here. I just want to point out that, in the big picture, the rationale seems somewhat similar: someone else has your data, they are not entitled to keep it, you do not want them to keep it, so go zap it!

Loss Under the Computer Fraud and Abuse Act

The real value in the Rajaee Opinion comes from the court’s analysis of the loss issue. As I said when discussing the CFAA’s loss requirement in another post, “I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify ‘having a federal case made out of it.’”

Meeting the loss requirement is a jurisdictional threshold that must be met before a plaintiff can bring a civil claim under the CFAA. “Although the CFAA is a criminal statute, Section 1030(g) provides a private right of action ‘for [a]ny person who suffers damage or loss by reason of a violation of this section.’”

The terms “damage” and “loss” are statutorily defined terms that each have a unique meaning under the CFAA, which meanings also differ from the meaning of “damages.” This is important to remember.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)

Courts still routinely get this wrong despite the fact that “loss” is defined in subsection (e)(11): “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

While the Rajaee Opinion does not rise to the level of analysis of the Nosal Court’s Opinion, which thoroughly discusses the various views of the CFAA loss jurisprudence, it is one of the more thorough ones I have seen from a federal court in Texas.

Because this case involves a ruling on a motion for summary judgment, the Plaintiff has the burden of providing evidence to support his allegations. The Rajaee Court required Plaintiff to point to evidence that, if believed by the trier of fact, would be sufficient to show that his loss did in fact exceed $5,000. Plaintiff referred the court to a declaration in which he described the losses he suffered as a result of Defendants’ deletion of his personal data as being:

  1. pictures of his personal home rehabilitation project, which decreased the value of the remodel by at least $50,000;
  2. pictures and video of family, friends, and his dogs, which he values at $3,500;
  3. all cell phone contacts after 2009, which he values at over $50,000 based on his diminished employability;
  4. all of Plaintiff’s text messages, which he values at $1,000; and
  5. all of his notes and email accounts, which he values at $600.

The court was correct in agreeing with the Defendants who argued that none of these items qualified as loss. “Plaintiff [did] not produce[] evidence of any costs he incurred to investigate or respond to the deletion of his data, nor do the losses and damages for which he does produce evidence arise from an ‘interruption of service.’”

Because of this, the court dismissed the CFAA claim. 

Important CFAA Loss Principles Applied in this Case

In reaching its decision, the court referenced and stated the following propositions of law that will be helpful for any party to understand in a civil case in the federal courts in Texas, especially the Southern District:

Why is PNC Bank Accusing Morgan Stanley of Corporate Espionage and Trade Secret Theft?

You No Let Me Download

©2011 Braydon Fuller

I often write about corporate espionage and trade secrets but I bet some of you may still be trying to imagine real-world scenarios that demonstrate exactly what those terms mean and how they apply. Let me tell you a story and see if it helps it make more sense.

Let’s Talk About Your Business

Let’s say you have a business and you have some really valuable information that your employees use when they are working for your business — the most important of which is the list of your customers and all of the background information you have compiled on those customers. Because you know how valuable this information is, you have had your company’s IT department implement certain technological limits to keep people from downloading that information to USB drives, Dropbox, or emailing it to their Gmail account. You’re really thinking ahead of the curve in trying to safeguard your trade secret information and you’re feeling pretty proud of yourself. And, you should, because most businesses don’t go to such efforts to protect their valuable trade secret information.

Zig Ziglar had a saying about dishonest employees: “If a person is dishonest, I hope he is dumb. I’d hate to have a smart crook working for me.”

You, however, hired smart …

Now let’s imagine you had a pretty senior and high-ranking person in your company decide to leave to go work for one of your competitors, where having your customer list (with all the extra information included) would be a great asset to them. And, you later come to believe, the competitor was actively trying to hire your employees and was trying to get them to take your trade secret information and bring it with them. You, however, have thrown a kink in their plans with your on-the-ball IT department’s information security practices. Or so you think.

Before telling you of her intentions to leave your company, this soon-to-be former employee still has access to your trade secret customer list from her computer and decides to access it on the system and pull it up for one last look. Can you imagine what she does next?

She whips out the trusty little smart phone and takes picture after picture after picture of all of the information on her computer monitor! She didn’t download it — she couldn’t. But she has it in several digital images on her mobile phone and when she goes out the door of your company, so too do your highly valuable trade secret customer lists.

Here Is The Real Life Case

This is a storified version of the allegations made by PNC Bank against its former employee, Eileen Daly, and her new employer Morgan Stanley in the case PNC Financial Services Group, Inc. v. Daly and Morgan Stanley, Inc. (Complaint) filed in the United States District Court for the Western District of Pennsylvania on March 14, 2014.

What makes this case (as alleged, anyway) a case of corporate espionage? Simple. It is one company trying to steal the valuable information of another company. It happens all the time. In this case it just so happened to be by an “insider” — a departing employee.

This is Clearly a Trade Secrets Case — But Could it Also Be a CFAA?

PNC sued the defendants for several causes of action, including misappropriation of trade secrets and unfair competition — exactly what you would expect in a case like this, right? It did not, however, sue them for “unauthorized access” in violation of the Computer Fraud and Abuse Act and, while I can think of several reasons why PNC may not have done so, it did get me to wondering if they could have. I mean after all, there have been much weaker CFAA cases filed in Pennsylvania District Courts.

What Does the Statute Say?

To violate the Computer Fraud and Abuse Act under the most lenient part of the statute, the defendant must “intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] … information from any protected computer;” 18 U.S.C. § 1030(a)(2)(C). And here, the information could not be downloaded, even though attempted, sooooo …..

Was There an Access?

Maybe so. She did have to access the computer system to retrieve the information and pull it up on her computer monitor. The question of whether her access was unauthorized or exceeded authorized access has not been conclusively determined by the Third Circuit; however, the bulk of the district court cases tend to follow the Strict Access Theory of the Ninth and Fourth Circuits, under which it probably would not have been improper, though in the Fifth and Eleventh Circuits, under the Intended Use Theory, it may very well have been.

Was Information Obtained?

Yes, it was. The defendant took pictures of the trade secret customer lists — information — and kept those pictures on her smart phone. That sounds like the obtaining of information to me.

Was There a Loss?

I don’t think so. Without the “loss” there is no civil case unless there is “damage,” which is not very common. For the difference between the two, see Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

The federal district courts in Pennsylvania are extremely strict when it comes to calculating the loss under 18 U.S.C. § 1030(g). Last year I handled the defense of a civil CFAA case in the Eastern District of Pennsylvania and thoroughly briefed two motions to dismiss that were heavily premised on the Pennsylvania district courts’ strict loss jurisprudence. (Here are the motions: Motion to Dismiss and Motion to Dismiss Amended Complaint) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions; however, I remain very confident that the positions asserted in the motions were consistent with the courts’ standards on this issue and would have been successful.

Under these standards, I cannot imagine how investigating the taking of pictures of a computer monitor could qualify as a “loss” or “damage” such as to get the case past 18 U.S.C. § 1030(g) and survive a motion to dismiss. I haven’t put a lot of thought into this, and am not saying it can’t happen; I just haven’t thought of how it would.

My guess is this is why the attorneys representing PNC didn’t bother throwing in a claim for violating the CFAA — well that, and, they probably didn’t see a need for it since they were already in federal court on diversity jurisdiction!

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act. He is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas, which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as across the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Yes, Texas is a good state for plaintiffs to bring a CFAA claim.

Is Texas a good state for a plaintiff to bring a Computer Fraud and Abuse Act (CFAA) claim?

Yes it is, and a recent case reaffirms that the Federal District Courts in Texas are generally favorable jurisdictions for plaintiffs with CFAA claims because of two key issues, access and loss jurisprudence.

On February 3, 2014, the United States District Court, Southern District of Texas, denied the defendants’ Motion to Dismiss in Absolute Energy Solutions, LLC v. Trosclair, 2014 WL 360503 (S.D. Tex. Feb. 3, 2014) (related CFAAdigest post). This case involved 2 claims: misappropriation of trade secrets and Computer Fraud and Abuse Act.

Facts of the Case

The facts are fairly typical. According to the Complaint, Absolute Energy, the plaintiff, employed J. Trosclair. On April 18, 2013, Absolute Energy terminated J. Trosclair who then opened SBJ Resources, a company that competed with Absolute Energy. Absolute Energy alleges that upon J. Trosclair’s termination, his authorization to access Absolute Energy’s computer system (including email system) was terminated. R. Trosclair is J. Trosclair’s wife and was not employed by Absolute Energy which alleges R. Trosclair was never authorized to access its computer system.

After his termination, J. Trosclair and R. Trosclair accessed Absolute Energy’s computer system without authorization, sent, received, and forwarded email messages belonging to Absolute Energy, and engaged in a business endeavor that directly competed with Absolute Energy using Absolute Energy’s computer system, including to conduct business with Absolute Energy’s customers.

Absolute Energy Filed a Lawsuit

Absolute Energy filed a lawsuit against J. Trosclair and R. Trosclair for violating 18 U.S.C. § 1030 (a)(2) and (a)(4) of the Computer Fraud and Abuse Act and misappropriation of trade secrets (though it is not clear if this claim was pursuant to the newly enacted Texas Uniform Trade Secrets Act (TUTSA)).

The Trosclairs filed a Motion to Dismiss arguing the following points, and included declarations which contradicted the allegations in the Complaint:

  1. J. Trosclair was a 25% owner of Absolute Energy which gave him authorization to access its computers;
  2. the email account he was given was an email address and password for a Google operated email account that utilized computers and servers owned by Google, not Absolute Energy;
  3. The Google email system was used through J. Trosclair’s own personal computer and information received was automatically downloaded to that computer;
  4. Absolute Energy did not ever de-activate the Google email account that was assigned to J. Trosclair or notify him that he was not supposed to be using that account from his own personal computer;
  5. R. Trosclair’s only use of the Google email account was when she was gathering emails to forward to their attorney for purposes of an earlier lawsuit that J. Trosclair had filed against Absolute Energy in state court;
  6. Absolute Energy did not have a written employment agreement nor did it promulgate employee guidelines that prohibited employees from emailing Absolute Energy documents to other personal computers; and
  7. Absolute Energy failed to adequately plead a loss pursuant to 18 U.S.C. § 1030(g).

Absolute Energy filed a Response to the Motion to Dismiss in which it argued the following points:

  1. The allegations in the Complaint were adequate to support the CFAA claim and, instead of attacking the sufficiency of the allegations, the Trosclairs include declarations as evidence to contradict the substance of the allegations, which is improper for a Rule 12(b)(6) motion to dismiss;
  2. The allegations in the Complaint were sufficient to establish a loss as it alleged the Trosclairs caused a loss that exceeded $5,000 in value; and
  3. Given that for purposes of a Rule 12(b)(6) motion to dismiss the allegations asserted in the Complaint are to be taken as true, the motion should be denied.

Legal Principles and Court’s Analysis in Denying the Motion to Dismiss

The primary reason the court denied the motion to dismiss is what many laymen may feel is a technicality but in reality is a well-settled principle when dealing with motions to dismiss: they are generally not the proper vehicle for addressing factual disputes. Generally they are intended for cases where you say, “even if we assume that everything the plaintiff says is true, he still has no case because of x, y or z …” In this case, the Trosclairs tried to dispute the veracity of Absolute Energy’s factual allegations which, by definition, created a factual dispute that almost always requires denial of a motion to dismiss on such grounds. And, it did.

Point of Law 1. A motion to dismiss a Computer Fraud and Abuse Act claim in which the defendants argue that the plaintiff’s allegations are false because, contrary to plaintiff’s allegations, the defendants really were authorized to access plaintiff’s computers, raises a factual dispute that cannot be decided on a motion to dismiss. This is a procedural issue that is germane to all motions to dismiss, regardless of the particular subject matter of the claim.

In ruling on the motion, the court also provided some succinct statements of important principles concerning the Computer Fraud and Abuse Act:

Point of Law 2. The elements to a Section 1030(a)(2) claim require a plaintiff to show that a defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information, (4) from any protected computer, and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 3. The elements to a Section 1030(a)(4) claim require a plaintiff to show that a defendant: (1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Point of Law 4. The court reaffirmed its adherence to the Intended Use Theory that is followed in the Fifth Circuit which stated that “[a]ccess to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded.” quoting United States v. John, 597 F.3d 263, 272 (5th Cir. 2010).

Finally, the court addressed the 18 U.S.C. § 1030(g) jurisdictional loss issue.

Point of Law 5. To satisfy the loss requirement and state a civil claim under the CFAA, plaintiff is not required to allege details or the exact nature of the loss. Rather, plaintiff must simply allege sufficient damages to establish that the elements of an 18 U.S.C. § 1030(g) claim have been met.

My Thoughts on the Case

Did the plaintiff adequately plead an unauthorized access to a protected computer?

Regarding the dispute over the access issue, I believe the court was correct in its ruling based on the arguments that counsel presented in their motions. As a general rule, a motion to dismiss should be denied when the arguments supporting the motion are that the plaintiff’s facts are wrong, as was the case here. However, I have a problem with it — and regular readers know that if I have a problem with a successful CFAA case, there just may be a problem there!

I recently defended a CFAA case in which the plaintiff’s allegations of access were simply bald allegations that were too vague and conclusory to determine how the wrongful access purportedly occurred or, more importantly, what protected computer was even accessed. In my view, two things that should be required for any CFAA wrongful access claim are (1) specificity as to what protected computer was accessed and (2) how the plaintiff believes the access occurred, in general. Because neither of these points had been pleaded in my case, in my motion to dismiss I thoroughly briefed the law that says a court is not always required to accept the plaintiff’s allegations as true, because where the plaintiff makes nothing more than “bald allegations,” they are conclusory and, as a matter of law, not entitled to be assumed true. Here is the general gist of the three questions a court should ask per this argument; a “no” to any one question means the allegations in the complaint are insufficient:

  1. Ignoring all “bald allegations” and “legal conclusions,” do the “factual allegations” support the elements of the claim?
  2. If so, does common sense and judicial experience suggest the plaintiff’s theory of the claim is plausible or that there are more likely alternative explanations?
  3. If not, are the factual allegations supporting the discrete nuances of the claim strong enough to nudge the claim across the line from conceivable to plausible?

If you are interested in reading more of this argument, here is the Brief in Support of Motion to Dismiss Amended Complaint. There are also significant issues with the “information and belief” allegations, which is another issue that I briefed in the foregoing motion, which could be helpful in this case as they are used quite freely.

There are several key allegations in Absolute Energy’s Complaint that are pleaded as bald allegations and/or pleaded on information and belief and, therefore, should not be entitled to the presumption of truth:

“12. Upon information and belief, Jason and Rhonda did, after Jason’s termination from Absolute, access on multiple occasions the computer system and e-mail system and accounts of Absolute, without the knowledge, permission, or authorization of Absolute.”

      • “computer system and e-mail system and accounts” is too generic of an allegation — which specific device or account is being claimed as a protected computer that was wrongfully accessed?
      • without more specificity as to what actual device or account was accessed, such a generic allegation should not suffice
      • how were the accesses accomplished? this too is important to know because it sheds a lot of light on the plausibility issue mentioned in the 3 question test.

“10. Upon termination of Jason Trosclair’s employment, his authorization to access the computer system and e-mail accounts and/or system of Absolute was terminated.”

        • This goes to the plausibility issue — how was his authorization terminated?
        • Was he notified in an exit interview? Were his credentials revoked? Was there a policy somewhere that said it was terminated?
        • Without some specificity on this issue, this is nothing more than a “threadbare” legal conclusion that is not entitled to a presumption of truth.
        • Now add in the fact that he was a 25% owner of the company and his access to the email account was never shut off — does the mere fact that plaintiff pleaded “his authorization … was terminated” with nothing more push this across the line from conceivable to plausible?

The court ruled on the issues presented by counsel and, based on the arguments in the motions and responses, it made the safe ruling. However, based on the facts we learned from the Trosclairs’ declarations, there are some significant issues that Absolute Energy will need to address with its case — if not its Complaint — otherwise this may be a short-lived victory.

Did the Plaintiff adequately plead the jurisdictional threshold $5,000 loss?

Not even close (IMHO). I have written extensively about the $5,000 loss requirement (see posts). Have you, the readers of this blog, been paying attention? Let’s find out … according to the court:

“Plaintiff has alleged a loss exceeding $5,000. See Complaint, ¶ 23. To state a claim under the CFAA, Plaintiff is not required to allege … details or the exact nature of the loss. Rather, Plaintiff must simply allege sufficient damages to establish that the elements of a Section 1030(g) claim have been met, as Plaintiff has done here. [The court then footnotes the following:] Plaintiff’s damages allegations are sparse but are sufficient for present purposes, when read in light of the allegations in ¶ 29 of the Complaint. Because it is better practice, Plaintiff will be required to elaborate on the damages in an amended complaint ….”

What do you think? Do you see what I see? 3 references to damages?!?! Damages??? Ok, let’s review: Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz

Let’s have a look at what Absolute Energy pleaded as its loss:

Absolute Energy - Loss

And then we have Paragraph 29, which the court found to be important:

Let me put this as simply as I can:

LOSSES ARE NOT DAMAGES!

A LOSS MUST BE A COST UNLESS THERE IS AN INTERRUPTION OF SERVICE, WHICH IS NOT PLEADED HERE.

What did Absolute Energy plead?

  • “actual damages in excess of $75,000” NO!
  • “obtaining value of more than $5,000” NO!
  • “obtained information with a value in excess of $5,000” NO!
  • “loss of business” NO!
  • “loss of prospective business” NO!
  • “economic costs associated with Defendants’ tortious acts” MAYBE
  • “attorneys’ fees” MAYBE

I have said all I can say about this case for now and it will be interesting to see how it progresses.

Sixth Circuit: Unknown Access of a Remote Server Cannot Be Intentional, Thus Does Not Violate CFAA

Does a person violate the Computer Fraud and Abuse Act by accessing a remote computer without authorization if he is not aware that he is even accessing that remote computer?

The Sixth Circuit says no. The Computer Fraud and Abuse Act prohibits the intentional access of a computer without authorization. When a defendant is not aware that he is accessing a computer remotely, he cannot be said to be accessing it intentionally. Thus, he cannot be violating the CFAA. 

This was the issue addressed by the Sixth Circuit in Dice Corporation v. Bold Technologies, 12-2513, 13-1712 (6th Cir. Jan. 24, 2014). You can read a complete analysis of the case on the CFAAdigest.

Hacker Sentenced to 5 Months Under CFAA for Hacking SodaHead.com Accounts

A Kentucky man was convicted of violating the Computer Fraud and Abuse Act for hacking into specific accounts on the website sodahead.com and replacing purportedly racist and homophobic content with less offensive content. Michael Pullen was able to hack into the accounts by exploiting a software vulnerability. The man was sentenced to 5 months in prison and 2 months probation, as well as having to pay $21,000.

Read more here: Man Sentenced to 5 Months Under CFAA for Hacking SodaHead.com Accounts.

Loss and Damage Are Not Interchangeable Under CFAA–District Court Blows Right Past CFAA’s “Loss” Requirement in Sysco Corp. v. Katz


Lascaux Caves – Prehistoric Paintings. (Photo credit: Wikipedia)

In denying a motion to dismiss a civil Computer Fraud and Abuse Act claim, a district court found that a departing employee’s purported cover-up of nefarious activity by deleting e-mails from his “sent” and “deleted items” folders on Plaintiffs’ computer system was sufficient to allege damage pursuant to 18 U.S.C. § 1030(c)(4)(A)(i) which provision, however, does not address the issue of damage at all — but only loss. The case is Sysco Corp. v. Katz, et al., 2013 WL 5519411 (N.D. Ill. Oct. 3, 2013) and I find it troubling.

Damage v. Loss — what difference does it make?

A lot. The two terms are completely different and each has its own unique role within the statutory framework of the CFAA.

The term “damage” means any impairment to the integrity or availability of data, a program, a system, or information and the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Capitol Audio Access, Inc. v. Umemoto (for CFAA, disclosure of info not “damage” and evading license not “loss”)

Plaintiffs’ Allegations

In Sysco Corp., Defendant Katz was employed by Plaintiff Sysco Corp. He began discussing an offer of employment with Defendant Reinhart Foodservice (Plaintiff’s competitor) in April 2013, accepted an offer of employment with Reinhart on May 8, 2013, but did not announce his resignation until July 1, 2013. Plaintiff alleges that during the interim period from April 2013 until July 1, 2013, Katz emailed confidential and proprietary trade secret information from his company email account to his wife’s personal email account. Further, the Complaint states:

Katz then deleted the SGR/SC confidential e-mail messages and attachments he had sent to his wife’s e-mail, by first deleting them from his “sent” box. Once he did this, those messages and attachments migrated to his “deleted items” folder. In an effort to permanently delete all of the messages, he then took the additional step of deleting the messages and attachments in the ‘deleted items’ folder, such that the record of Katz sending the e-mail messages and documents to his wife’s e-mail account all but vanished. Only because the Sysco Companies acted quickly, did they discover that Katz had intentionally attempted to delete e-mails containing confidential documents that he had sent to his wife. But because Plaintiff’s acted quickly, they were able to restore this information in Outlook and review the messages that Katz had sent to his wife’s email account, and the types of documents attached to those messages.

Complaint ¶ 40. Plaintiff alleges both access violations (Complaint ¶¶ 63, 65) and transmission violations (Complaint ¶ 66) of the CFAA. Plaintiff’s Complaint alleges that it sustained a $5,000 loss and properly references the types of costs that are typically accepted as such loss: “Through their actions in violation of 18 U.S.C. § 1030 (a)(2), 18 U.S.C. § 1030(a)(4), 18 U.S.C. § 1030(a)(5)(A)-(C), Defendants have caused Plaintiffs to incur losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues. Such losses exceed $5,000.00 in a one-year period, in violation of 18 U.S.C. § 1030(g) and (c)(4)(A)(i)(I).” Complaint ¶67.

Defendants’ Motions to Dismiss

Defendant Reinhart filed a Motion to Dismiss and Katz filed a Motion to Dismiss which basically adopted Reinhart’s. Katz argued “Plaintiffs’ claim under the CFAA must fail because Plaintiffs have not alleged that they suffered either “loss” or “damage” as defined under the CFAA. Katz joins and incorporates by reference Reinhart’s arguments as if fully stated herein.” Id. at p. 7. Reinhart’s Motion seems to have adequately raised the issue of whether Plaintiff sufficiently alleged a loss which, as addressed ad nauseam in these posts, this article, and this article, is an absolute prerequisite jurisdictional threshold to moving forward on a civil CFAA claim. Motion to Dismiss p. 7-8.

The Court’s Focus on Damage – Ignoring the Jurisdictional Threshold Requirement of Loss

The court in this case seems to treat damage and loss as an either/or proposition, where finding one will suffice for the other: “To succeed on a CFAA claim brought under § 1030(a)(5)(B), a plaintiff must prove the damage or loss resulted in losses to one or more persons during any one-year period aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i). Technically, that may be correct; however, to prevail on a civil claim pursuant to that section, there must be a loss. Section 1030(c)(4)(A)(i) is the second level of what must be established to assert a civil claim for violating the CFAA. Here is how it works:

  1. Section 1030(g) is what authorizes a civil claim for violations of the CFAA: “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator . . . . A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).”
  2. Of the 5 factors listed in subsection (c)(4)(A)(i), only one applies to business cases (for all practical purposes), the loss requirement, without which there can be no civil claim: “(I) loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value;”
  3. Unless both steps 1 and 2 above are satisfied, there can be no civil claim for violating the CFAA in most business cases, including this one.

Loss and Damage Are Not Interchangeable — If There Is No Loss, There Is No Civil CFAA Claim

In its analysis, the Sysco Court completely blows past the loss requirement of 18 U.S.C. § 1030(c)(4)(A)(i)(I) and addresses only whether there is damage, which does not satisfy the jurisdictional threshold for bringing a civil CFAA claim: “Reinhard and Katz contend that Plaintiffs have not alleged damage or loss as those terms are used by the CFAA…. These allegations are sufficient to allege damage as to Katz, but not as to Reinhart.”

Perhaps the Sysco Court simply assumes, without stating, that the Complaint adequately pleaded the loss and it did not need to be addressed any further. However, the language used by the court suggests otherwise; it suggests that the court treated the loss and damage requirements as being interchangeable, although the statutory language of section 1030(g) is very clear that they are not: “A civil action … may be brought only if” is a pretty direct statement.

As to the allegations of loss in the Complaint, the Plaintiff did a better job than most do by invoking alleged costs in responding to the wrongful activity; however, given the facts of the case it is not certain that such facts are plausible and they may require further elaboration. Plaintiffs claim “losses for responding to and investigating Defendants’ conduct and for conducting a forensic damages assessment, which continues.” Complaint ¶67. However, the facts alleged are that Defendant Katz deleted email from the Outlook program on Plaintiff’s computer system, specifically from the “sent” and “deleted items” folders. Determining whether $5,000 in costs for restoring Outlook emails — most likely by in-house IT folks — is reasonable is also a requirement and should certainly be addressed, whether in a Motion for Reconsideration or Motion for Summary Judgment.

District Court Finds Breach of Contractual Limits on Access Violates the CFAA


TRILOGY (Photo credit: Liqueur Felix)

TAKEAWAY: Businesses (and anyone else) that allow others access to their computers should have contractual agreements with those persons that clearly specify the restrictions on their authorization to access and use the computers and data.

This is the lesson of United States v. Cave, 2013 WL 3766550 (D. Neb. July 16, 2013), a case in which the court found that a memorandum of understanding that restricted the defendant’s access to a database as being only for professional use in his job also set the limits of authorized access for purposes of the Computer Fraud and Abuse Act. This is an example of the Intended Use Theory of access under the CFAA that was also followed by Custom Hardware Engineering & Consulting, Inc. v. Dowell, 2013 WL 252945 (E.D. Mo. Jan. 23, 2013), which I blogged about here: Employment Agreement Restrictions Determined Whether Employees Exceeded Authorized Access Under Computer Fraud and Abuse Act (I also explain the Trilogy of Access Theories in this post: Intended Use Theory, Strict Access Theory, and Agency Theory).

While the Ninth and Fourth Circuits have received a lot of recent attention for adhering to the Strict Access Theory, the majority of circuit courts that have ruled on this issue still follow the Intended-Use Theory, including the First, Third, Fifth, Eighth, and Eleventh Circuits. With the Intended-Use Theory, it is very important to have some form of contractual or other objectively verifiable restrictions on the authorization to access the computer and data to demonstrate to the court that there were restrictions in place and the defendant had actual notice of those restrictions.