Dice Corporation v. Bold Technologies, 12-2513, 13-1712 (6th Cir. Jan. 24, 2014)
Does a person violate the Computer Fraud and Abuse Act by accessing a remote computer without authorization if he is not aware that he is even accessing that remote computer?
The Sixth Circuit says no. The Computer Fraud and Abuse Act prohibits the intentional access of a computer without authorization and, where a defendant is not aware that he is accessing a computer remotely, he cannot be said to be accessing it intentionally.
Plaintiff and defendant were competing providers of alarm monitoring software that provided their software to companies in the alarm industry. ESC Central was plaintiff’scustomer and had a database that stored large amounts of data for ESC’s customers including names, addresses, contact information, billing information, and information regarding the type and location of alarms. ESC became dissatisfied with plaintiff and moved its business to defendant.
To facilitate a seamless transition for ESC’s customers, defendant write a program to extract ESC’s data from plaintiff’s software and convert it into a format that could be read by defendant’s software. Under normal operations, ESC could access plaintiff’s database files of ESC’s customer data and retrieve the data without circumventing any of plaintiff’s security measures. Also during this time period, one of plaintiff’s employees went to work for defendant and assisted in the transfer of ESC’s data from plaintiff to defendant. Plaintiff sued defendant for violating the Computer Fraud and Abuse Act premised on the allegation that the employee, while working for defendant, accessed plaintiff’s servers after her employment terminated, which the employee flatly denied.
In deposition, plaintiff admitted that it had no evidence of when the employee allegedly hacked into its servers or how she did: “I don’t know how Bold got our–got all of our intelligence…. It’s not a question for me to answer, it’s a question for you to answer. How did Bold get access to those files[?] … I don’t know how Bold got the information to be able to do what they’ve done. I have no idea. All I know is that they have it….” Id. at 415.
District Court Grants Defendant’s Summary Judgment
The court granted summary judgment for defendant because plaintiff admitted that it had no evidence, indeed, no idea of when, how, or specifically whether the former employee actually accessed its server after her employment terminated. The employee testified that she did not and offered a plausible explanation for how the information was obtained that did not involve her accessing plaintiff’s server which supported the defendant’s motion and warranted summary judgment.
Sixth Circuit Upholds District Court’s Summary Judgment
Plaintiff appealed to the Sixth Circuit which affirmed the district court’s grant of summary judgment on all claims.
The Sixth Circuit found the Computer Fraud and Abuse Claim failed because the plaintiff failed to show an intentional access, which is required under the CFAA. In this case, the plaintiff was claiming the defendants wrongfully accessed its servers by performing a “Go To Assist Function” to access those servers. The defendants, however, were not aware that by performing a Go To Assist Function they could even access such servers, accordingly, they could not have intentionally accessed the servers and there is no CFAA violation.
Even assuming this claim were fairly raised, it would still fail. Liability under the CFAA requires a showing of intentional access. 18 U.S.C. § 1030(a)(2). Neither Narowski nor Condon was aware that performing a Go To Assist Function on ESC Central servers allowed access to Dice servers in Bay City, Michigan.