In a civil case where a former director, after being removed as director, logged into the company’s Internet domain names and redirected traffic away from the company resulting in lost revenue and business opportunities, the court determined that such redirection of traffic away from the company was not an “interruption of service” under the Computer Fraud and Abuse Act.
As I have both blogged several times and written in the Texas Lawyer, in order to bring a civil claim under the Computer Fraud and Abuse Act you must show a “loss” of at least $5,000 which (1) is usually a “cost” in most cases, or (2) in those rare cases where there is an interruption of service, can also include other consequential damages in reaching that magical $5,000 hurdle:
“any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11) (emphasis added).
In the case Ritlabs, S.R.L. v. Ritlabs, Inc., 2012 WL 6021328 (E.D. Va. Nov. 30, 2012), the access violation under the facts stated above is clear — the former director who accessed the company’s Internet domain after he was relieved of his position was accessing “the computer” without authorization. In fact, the court had previously held as much in an earlier opinion finding liability only. The problem is this is a civil case and the cost for mitigating the damages caused by the wrongful access was only $2,026.08 even though the lost business opportunities for sales that were redirected away from the company were $8,757.50. Clearly the plaintiff couldn’t meet the minimum $5,000 loss requirement based only on the usual cost so it had to argue there was also an interruption of service for the CFAA claim to survive. The plaintiff argued that, by redirecting the Internet domain traffic to another site it amounted to an interruption of service. It didn’t work. The court found there was no interruption of service and, therefore, the plaintiff could not maintain an action for violating the CFAA.
Takeaway: Logging into a company’s Internet domain and redirecting traffic away from the company to another site in a way that causes business to likewise be redirected away from the company is not an interruption of service under the Computer Fraud and Abuse Act.
Should you or anyone you know need assistance in dealing with possible claims under the Computer Fraud and Abuse Act or just want to talk about the law in general, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com) and I will be more than happy to talk with you!
-Shawn E. Tuma
Related articles
- Fifth Circuit Finds Company Not Liable for Alleged Violations of CFAA and ECPA by Its Regional Manager (shawnetuma.com)
- Court allows expedited discovery to identify website hijackers (internetcases.com)
- Controversial Law Means Checking Facebook At Work Could Be A Federal Crime (businessinsider.com)
- “AtHomeNet Violates Computer Fraud and Abuse Act”, Final Judgment by Federal Court (prweb.com)
Interesting. I would think that redirection of service WOULD fit the definition of “interruption of service”, as anyone attempting to access the company’s website would end up elsewhere. I’m assuming the failure to prove “interruption” revolves, at least partly, on the fact that the website itself never disappear, nor did users receive the dreaded “404-Not Found” message – in addition to the amount of loss failing to meet the threshold.
Like I said at the start, VERY interesting.