Computer Fraud and Abuse Act Cases Update (March 6, 2013)

Colorplay on Monday

Here are some recent Computer Fraud and Abuse Act (“CFAA”) cases that have been decided (or published) over the last couple of weeks:

Tracfone Wireless, Inc. v. Cabrera, 883 F. Supp.2d 1220 (S.D. Fla. July 11, 2012). Defendant and former employee who engaged in selling stolen TracFone Prepaid Phones violated the unauthorized access with intent to defraud (18 U.S.C. § 1030(a)(4)) and unauthorized access (18 U.S.C. § 1030(a)(5)) by his unauthorized access TracFone’s computer system using improperly obtained codes and information to obtain access to the system and alter information in the system to generate and obtain stolen airtime and services which he then sold. This is a default judgment case but the court goes through a detailed explanation of the loss / interruption of service analysis that is worth reading.

Dalzell Management Co., Inc. v. Bardonia Plaza, LLC, 2013 WL 592672 (S.D.N.Y. Feb. 15, 2013). This is an interesting case where there are two lawsuits, one state and one federal, and the Defendants moved to dismiss the federal (alleging the Computer Fraud and Abuse Act claim) based on the Colorado River Abstention Doctrine. The court denied the motion to dismiss. The allegations giving rise to the CFAA claim were given but the decision did not address the substantive merits of the CFAA claim. Plaintiff (a real estate management company) leased office space in Defendant’s building with a portion of the rent being a percentage of rents collected by Plaintiff. Defendant evicted Plaintiff and, during the process, had its IT staff copy data from Plaintiff’s computer system which included Plaintiff’s proprietary and confidential information as well as banking information. According to Plaintiff, Defendant did not have authorization to access its computer system which gave rise to the CFAA claim under (18 U.S.C. § 1030(a)(2)) for unauthorized access to obtain information from a protected computer.

Sebrite Agency, Inc. v. Platt, 884 F. Supp.2d 912 (D. Minn. Aug. 7, 2012). The court granted a motion to dismiss Plaintiff’s Computer Fraud and Abuse Act claim. The Plaintiff, an insurance agency, alleged that its former agent (and his girlfriend) set up a competing agency and was trying to steal its clients and, for purposes of the CFAA claim, accessed Plaintiff’s computers without authorization or in excess of authorization by forwarding e-mails containing confidential company information for roughly 74 of its clients to their own e-mail. The court followed the Strict Access Theory (see explanation toward bottom of post) and determined that, because the former agent had been authorized to access all of this information at the time of the access, he did not access computers were databases that he was forbidden to use.

As the parties recognize, the federal courts have disagreed about whether the CFAA is violated when a person who has authority to “access[] a protected computer” misuses the information that he or she obtains.[2] This Court previously endorsed the narrower interpretation of the CFAA, holding that the misuse or misappropriation of confidential information stored on a computer to which the defendant has authority to access does not give rise to liability. See Xcedex, Inc. v. VMware, Inc, No. 10-CV-3589 (PJS/JJK), 2011 WL 2600688, at *4-5 (D. Minn. June 8, 2011), adopted by 2011 WL 2581754, at *1 (D. Minn. June 30, 2011). The Eighth Circuit still has not directly addressed this question, and nothing in the cases decided since Xcedex has persuaded the Court to change its mind.[3] The Court continues to believe that the narrower interpretation of the CFAA is more consistent with statutory text, legislative history, and the rule of lenity. See Walsh Bishop, 2012 WL 669069, at *3. Moreover, the broader interpretation would transform just about every state-law claim for misappropriation of trade secrets into a federal lawsuit, see Condux, 2008 WL 5244818, at *6, not to mention expose employees who violate their employers’ computer-use restrictions to criminal liability, see Nosal, 676 F.3d at 861-62. The Court continues to believe that, if Congress meant to so vastly expand the jurisdiction of the federal courts, Congress would have been much more explicit.

Under the Court’s interpretation of the CFAA, Sebrite’s allegation that Plattimproperly used confidential information that he had authority to access fails to state a claim under 18 U.S.C. § 1030(a)(4). Count IX is therefore dismissed.

West Plains, L.L.C. V. Retzlaff Grain Co. Inc., 2013 WL 705859 (D. Neb. Feb. 26, 2013). This is an opinion granting a Motion for Preliminary Injunction based primarily on misappropriation of trade secrets. The Plaintiff did bring a claim for violating the Computer Fraud and Abuse Act though the substantive merits of the claim were not addressed in this opinion, but the opinion is still worth reading because of the trade secrets analysis in the context of a preliminary injunction.

If you have any questions or would like to talk computer fraud, data security or privacy, please feel free to give me a call (469.635.1335) or email me (stuma@brittontuma.com).

3 thoughts on “Computer Fraud and Abuse Act Cases Update (March 6, 2013)

  1. Some interesting cases there. But please, warn a guy when you’re going to post psychedelic images, okay? With 3 Vicodin in me, I spent 5 minutes staring at that thing before I realised I’d frozen up! 🙂

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s