Update: Recent Computer Fraud and Abuse Act Cases

By necessity, for this update I am trying to change my format for blogging updates for recent cases involving the Computer Fraud and Abuse Act (“CFAA”) as this lawyer has been busy lately. Instead of providing a relatively thorough analysis of each individual case, I must cover several in one update and just briefly touch on each of them. If you find that you like this format better, let me know or, if you don’t, let me know that too!

Ok, on to the cases …

Yoder & Frey Auctioneers, Inc. v. Equipmentfacts, LLC, 2011 WL 2433504 (N.D. Ohio June 14, 2011).

A copy of the opinion is available HERE.

The Yoder case is a case in which the court denied the defendant’s motion to dismiss the Computer Fraud and Abuse Act claim and provides a nice break from the usual employer-employee in fact scenario we see in CFAA cases. More importantly, it involves an application of the rarely used “interruption of service” aspect of a “loss” under the Computer Fraud and Abuse Act.

Yoder, the plaintiff, is a heavy equipment auction company that, while performing in person auctions, uses a website that provides online services to its buyers and sellers associated with the auction. Equipmentfacts, the defendant, was under a contract with Yoder to run the online bidding services for Yoder until 2010 when it services were terminated. Following the termination of the services, Equipmentfacts obtained unauthorized access to Yoder’s website by two different methods: (1) using an administrative identification and password from its prior relationship; and (2) creating a fictitious login using the name of a Yoder customer who was registered for the auction. Equipmentfacts used its access to post negative comments about Yoder and to place bids in excess of $1 million for equipment that it then failed to pay.

Yoder sought consequential damages due to lost commissions from the failed auction on items for which Equipmentfacts submitted winning bids that were not ultimately purchased. Equipmentfacts filed a motion to dismiss on the basis of Yoder’s allegation of “loss” under the CFAA—there was no challenge to the “access” issue. As mentioned above, this case raises a rare question involving the “interruption of service” language of the CFAA’s loss definition:

“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11) (emphasis added).

The question is whether Equipmentfacts’ interference with the bid process invokes the “interruption of service” language. Equipmentfacts contends that language only applies to large scale sabotage such as crashing a website where a computer. Yoder contends that it applies to smaller scale issues such as this which is, in essence, interfering with the functional services provided by a website.

The court found this to be a question of first impression addressing the parameters of “interruption of service”.

The court examined the cases argued by Equipmentfacts and found them to be distinguishable because they did not address the “interruption of service” issue; rather, they focused on the typical employer – employee misappropriation of information cases and destruction of data cases. These arguments were not helpful to the court.

Yoder urged the court to look to the legislative history of the Computer Fraud and Abuse Act which encompassed “responding to a computer hacker” as being included within the definition of “loss”. Looking to Black’s Law Dictionary, the court found that “to hack” means “to surreptitiously break into the computer, network, servers, or database of another person or organization.” The court then reasoned that,

“[g]iven the legislative history, the language of the statute, and the paucity of case law at issue, … Defendant’s alleged intentional disruption of even a portion of the online auction through surreptitiously submitted false bids interrupted the service of that site. While the online auction was not totally thwarted, a number of individual online transactions were. As such, the auction website did not provide service to either Plaintiffs or the buyers and sellers in the auction while Defendants allegedly submitted false winning bids.”

Accordingly, the court denied Equipmentfacts’ motion to dismiss.

Global Bankcard Services, Inc. v. Global Merchant Services, Inc., 2011 WL 2268057 (E.D. Va. June 7, 2011).

A copy of the opinion is available HERE.

In this case the court granted a third party’s motion to dismiss a CFAA claim on the basis of its finding that “[a] review of the statute does not reveal any provision that provides that it is unlawful to use a computer or computer system to convert the property of another.”

This case is confusing and makes my head hurt. I want to figure out what is going on here but I just haven’t had time to – in the interest of not waiting another week for this update, I am leaving it at this. If you figure out the case before I take the time to do so, please let me know! Otherwise, I may update this later if I find a little free time!

Amedisys Holding, LLC v. Interim Healthcare of Atlanta, Inc., 2011 WL 2182720 (N.D. Ga. June 3, 2011).

A copy of the opinion is available HERE.

Now we are back in familiar CFAA territory with the Amedisys case: an employee (Mack) excepted employment with a competitor and, before leaving his former job, e-mailed copies of proprietary information to herself. This matter was before the court on a motion for preliminary injunction which the court granted in part and denied in part.

The court found that Amedisys was likely to prevail on the merits of its Computer Fraud and Abuse Act claim against Mack: “there is no question that Mac exceeded any authority she had when she sent them [the proprietary information] to herself after accepting a position at Interim for use in competing with Amedisys.” It is worth noting that the defendants were able to avoid having a temporary restraining order issued against them by agreeing to return the information, not use the information, and submit to a third-party forensics examination of their computers.

On June 15, 2011, Interim Healthcare of Atlanta, Inc. filed an appeal in the Eleventh Circuit: Interim Healthcare of Atlanta, Inc. v. Amedisys Holding, LLC, Case No. 11-12701 and a link to the Justia webpage to follow that case is available HERE.

There you have it, my efforts to just briefly touch upon these three recent cases involving the Computer Fraud and Abuse Act! First, you should know when a lawyer says he’s going to be brief, you had better get comfortable — but anyway … I tried to do a pretty good job of keeping it brief on these last two cases, I simply could not do so with the Yoder case because it is so rare that we see a CFAA case involving the application or interpretation of the “interruption of service” loss language. I just couldn’t let this one go by that easily!