4 Practical Takeaways:
- A “protected computer” is any computer connected to the Internet.
- The $5,000 loss requirement can be aggregated and need not be met by only one single act.
- Lost revenue is a “loss” if it was caused by an interruption of service because the computers failed.
- Observation of data alone constitutes “obtaining information”.
Over the course of time the Computer Fraud and Abuse Act has given us some real “head scratchers” that have challenged us to think. Not this time. This recent case, Freedom Banc Mortgage Services, Inc. v. O’Harra, 2:11-cv-01073 (S.D. Ohio Sept. 5, 2012), is not such a case. The issues before the Court were presented in a Motion for Judgment on the Pleadings, thus, the Court took the Plaintiff’s factual allegations as true:
In March 2010, Defendant O’Harra began remotely downloading software programs onto Plaintiff’s computers. These programs provided Defendant O’Harra with unauthorized access to twenty-seven of Plaintiff’s computers and five of Plaintiff’s servers. Plaintiff alleges on information and belief that Defendant Knobbe and four unidentified individuals named as “John Does 2-5” assisted and/or collaborated with Defendant O’Harra in downloading these programs and accessing Plaintiff’s computers.
* * *
Defendants O’Harra, Knobbe, and John Does 2-5 continued to remotely download software and monitoring programs onto Plaintiff’s computers for the next several months. Through these programs, Defendants accessed Plaintiff’s employees’ email accounts, deleted hundreds of emails from these accounts, uninstalled Plaintiff’s security camera, deleted pictures that the camera had recorded, and monitored Plaintiff’s employees’ Blackberry usage, among other activities. Defendants initiated contact with Plaintiff’s computers approximately 125,000 times.
As a result of these unauthorized intrusions into Plaintiff’s computer system, Plaintiff’s computers began to operate slowly and twenty-two computers and three servers eventually became inoperable. Plaintiff lost business, productivity, and revenue as a result of the damage to its computers. In December 2010, as a result of this damage, Plaintiff ceased its business operations.
The primary defendant, O’Harra, was a former employee of Plaintiff who was terminated in June 2009 — nearly a year before the surreptitious activities began. Without question, O’Harra’s access was without authorization. I believe even the Ninth and Fourth Circuits would find the CFAA applicable to this “employment” related case. The Defendants challenged the adequacy of the Plaintiff’s pleadings with a Motion for Judgment on the Pleadings on the following grounds, each ofwhich the court found unpersuasive:
- The computer was not a “protected computer” — WRONG!
- The $5000 “loss” was not satisfied because they did not stem from a single act — WRONG!
- Plaintiff’s lost revenue caused by the interruption of service by the computer failures was not part of the “loss” — WRONG!
- Plaintiff’s allegations that Defendants’ observation of data did not constitute “obtaining information” — WRONG!
For more information, you can read the full opinion HERE or you can always contact me to discuss any and everything relating to the Computer Fraud and Abuse Act.
Shawn Tuma: 214.726.28o8 | stuma@brittontuma.com | @shawnetuma
Related articles
- 4th Circuit Limits the Reach of the Computer Fraud and Abuse Act – WEC Carolina Energy Solutions v. Miller (ericgoldman.org)
- Botnet creator gets 30 month jail sentence (itpro.co.uk)
- Feds Add 9 Felony Charges Against Swartz For JSTOR Hack (yro.slashdot.org)
Good things to know, especially the “looking is obtaining data” ruling.
Thanks John!