Top 3 CFAA Takeaways from Facebook v. Power Ventures Case in Ninth Circuit

Here are my top 3 key Computer Fraud and Abuse Act (CFAA) takeaways from the Ninth Circuit Court of Appeals’ Order and Amended Opinion issued on December 9, 2016 in Facebook, Inc. v. Power Ventures, Inc.

1.  A violation of the CFAA can occur when someone “has no permission to access a computer or when such permission has been revoked explicitly.”

First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability.

*   *   *

The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway. . . . Power admitted that, after receiving notice that its use of or access to Facebook was forbidden by Facebook, it “took, copied, or made use of data from the Facebook website without Facebook’s permission to do so.”

*   *   *

In sum, as it admitted, Power deliberately disregarded the cease and desist letter and accessed Facebook’s computers without authorization to do so. It circumvented IP barriers that further demonstrated that Facebook had rescinded permission for Power to access Facebook’s computers. We therefore hold that, after receiving written notification from Facebook on December 1, 2008, Power accessed Facebook’s computers “without authorization” within the meaning of the CFAA and is liable under that statute. (Opinion, p. 15-19).

2.  “[A] violation of the terms of use of a website — without more — cannot establish liability under the CFAA.” (Opinion, p. 15-16).

The foregoing statement was followed with this footnote:

“One can imagine situations in which those two principles might be in tension–situations in which, for example, an automatic boilerplate revocation follows a violation of a website’s terms of use–but we need not address or resolve such questions on the stark facts before us.”

One of the most fundamental principles of law is that people be afforded notice of situations placing them in legal jeopardy. Over and over, the Court emphasizes that Power Ventures received actual notice and was subjectively aware that Facebook revoked its authorization to access the site. In looking at how courts handle “browse wrap” versus “click wrap” online agreements, they consistently look for some objective manifestation that the user was subjectively aware of the existence of the agreement and subjectively assented to it — whether actually reading it or understanding it or not.

In future terms of use cases claiming violations of the CFAA, it is likely that the courts will look to see if there was a manifestation of actual notice of the restrictions, prior to the restricted act, which was then consciously disregarded by engaging in the restricted act.

3.  Employee time spent investigating and responding to an incident can be used to calculate the $5,000 “Loss” that is a prerequisite for a civil CFAA claim.

First, we hold that Facebook suffered a loss within the meaning of the CFAA. The statute permits a private right of action when a party has suffered a loss of at least $5,000 during a one-year period. Id. § 1030(c)(4)(A)(i)(I). The statute defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the consequential damages incurred because of interruption of service.” Id. § 1030(e)(11). It is undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power’s actions. Accordingly, Facebook suffered a loss under the CFAA. (Opinion, p. 13-14).

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Dang! “Loss” of Opportunity to Decide Interesting CFAA Issue, But “Loss” Analysis is Good Too

Plaintiff had interesting claim under the CFAA but couldn’t get there due to that pesky “loss” requirement

Does an employer violate the Computer Fraud and Abuse Act by remotely wiping an employee’s personal mobile device that was connected to the employer’s server and contained its data?

Yes, Texas is a good state for plaintiffs to bring a CFAA claim.

©2011 Braydon Fuller

Is Texas a good state for a plaintiff to bring a Computer Fraud and Abuse Act (CFAA) claim?

Yes it is, and a recent case reaffirms that the Federal District Courts in Texas are generally favorable jurisdictions for plaintiffs with CFAA claims because of two key issues, access and loss jurisprudence.

Will Sprint’s Multiple Computer Fraud and Abuse Act Lawsuits Highlight the District Court Split on Loss Jurisprudence?

Much has been written about the circuit split with regard to Computer Fraud and Abuse Act access jurisprudence. While this has been the primary focus of attention, there has been a similar divide among the district courts with regard to the loss jurisprudence. Given that the $5,000 loss requirement is the jurisdictional threshold that must be met in order to bring a civil CFAA claim — that is, the gatekeeper — the loss issue could prove to be more important than the access issue when it comes to expanding or limiting the often criticized use of the Computer Fraud and Abuse Act in civil cases.

Sprint’s CFAA Lawsuits In Multiple Jurisdictions

Sprint has gone to war against unauthorized resellers of Sprint telephones who allegedly unlock those phones so that they will operate on a network other than Sprint’s.  For this battle, the Computer Fraud and Abuse Act is one of Sprint’s weapons of choice. Since January 1, 2014, Sprint has filed lawsuits in several different jurisdictions throughout the country in which it asserts claims under the CFAA, including one right next door to me in the Northern District of Texas. Here are 3 that I found rather quickly:

  1. Sprint Solutions, Inc., and Sprint Communications Company L.P. v. Alain Martinez, Sr., Cause No. 2:14-cv-00224 in the United States District Court of New Jersey (Complaint filed Jan. 13, 2014);
  2. Sprint Solutions, Inc. and Sprint Communications Company L.P. v. Liang Jin Shao, individually and d/b/a Leo’s Computer Repair and Liberty Laundromat, Cause No. 2:14-cv-00545 in the United States District Court, Eastern District of Pennsylvania (Complaint filed Jan. 17, 2014); and
  3. Sprint Solutions, Inc. and Sprint Communications Company L.P. v. Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi, Cause No. 4:14-cv-00053 in the United States District Court, Northern District of Texas, Fort Worth Division (Complaint filed Jan. 27, 2014).

The complaints in these three cases are very similar, though tailored as necessary to fit the unique facts of each case. Because they are in three different jurisdictions, it will be interesting to see how the cases fare insofar as the CFAA claims are concerned, especially how the “loss” analysis will play out for each. There is still quite a bit of evolution going on with regard to the loss jurisprudence in the various districts and quite a few conflicts between them.

The District Court Split in CFAA Loss Jurisprudence

For example, on one end of the spectrum, in the Northern District of Texas we have seen a case allow the value of the trade secret information taken to be used in calculating the $5,000 loss even though there was no allegation of interruption of service. (see post) For the reasons stated in the post, I believe that particular case is an aberration and the other loss cases in the Northern District of Texas bear that out. Nonetheless, the case is still on the books and will need to be addressed by defendants Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi should they decide to file a Motion to Dismiss based on whether the $5,000 loss was adequately pleaded.

At the other end of the spectrum, the courts in the Eastern District of Pennsylvania are extremely strict when it comes to calculating the loss. Last year I handled the defense of a CFAA case in the Eastern District of Pennsylvania (yes, “that” case) and thoroughly briefed two motions to dismiss that were heavily premised on the EDPA’s strict loss jurisprudence. (Motion to Dismiss and Motion to Dismiss Amended Complaint) I convinced the plaintiff to dismiss the claims against my client with prejudice before the plaintiff filed a response or the court ruled on the motions; however, I remain very confident that the positions asserted in the motions were consistent with the EDPA’s standards on this issue and would have been successful.

In many of the cases I see, the plaintiff clearly does not have a clue about the requirements of the $5,000 loss for CFAA claims and how to plead that loss, and the courts usually dismiss those claims early on. That is not the case here with Sprint and its lawyers. You can tell from their pleading that they know the standard they need to meet and they do a nice job of trying to put together enough of the required points to get there — do they get there? That’s a tough question that could be broken down into a few others:

  1. Do they get there under the standards of the EDPA cases (and many New Jersey cases)?
  2. Do they get there under the standards of most of the NDTX cases?
  3. Do they get there under the standard of the NDTX Meats by Linz case?
  4. And, perhaps most importantly, do they get there under a correct reading of Section 1030(g) — that is, my understanding of the section?

Let’s see what happens here.

What does this mean?

I have written extensively about the CFAA’s loss jurisprudence (here) and I find it to be one of the more challenging aspects of any civil CFAA claim as well as an important feature of the CFAA to keep it from being used in civil cases that do not justify “having a federal case made out of it.” What we now see with the multiple CFAA lawsuits that Sprint has filed are:

  1. the same plaintiff,
  2. with the same lawyer (James B. Baldinger as actual lead counsel),
  3. asserting what are essentially the same claims,
  4. under the same law,
  5. but in different jurisdictions.

This is a great scenario to highlight the district court split on loss jurisprudence under the Computer Fraud and Abuse Act that just may help lead to some clarity and unity on this relatively unnoticed yet crucial issue.

Fortunately for us, defendants Liang Jin Shao, individually and d/b/a Leo’s Computer Repair and Liberty Laundromat, Zoubi Imports and Exports Inc., Mohammad Abdel Halawani, Ashraf Zoubi and Mohammad Zoubi a/k/a Mohammad Zebi, and of course plaintiff Sprint, will bear the expense of fleshing this issue out but we can sit back and learn from their experiences! And, in reading the complaints, I do need to add that I not only see significant issues on both sides with the loss issue, but with the access issue as well (hint: see my post about policies) — these will be fun cases to watch.

US v. Nosal Court Provides Guidance on Calculation of “Loss” Under the Computer Fraud and Abuse Act (CFAA)

On January 13, 2014, the District Court in United States v. Nosal issued an Order Regarding the Calculation of Loss for Purposes of the Guidelines which, while aimed primarily at addressing the criminal sentencing guidelines, also provided some helpful principles for calculating a “loss” for purposes of 18 U.S.C. § 1030(g) of the Computer Fraud and Abuse Act (CFAA).

One of the things that makes this analysis of the loss issue so helpful is that it is being done after so much activity in the case (including trial and appeal) on multiple issues, so the record of the case is very well developed. Most of the loss cases out there are rulings on motions to dismiss or motions for summary judgment, both of which usually have a less developed record. In this case the court had already seen all of the evidence there was to see and then, looking backwards, was able to analyze whether the loss requirement had been satisfied.

Here are the principles the court looked to and provided in its analysis.

Principles from Case Law Broadly Construing the CFAA’s Definition of Loss

    • District courts have split on whether a victim’s internal investigations may be included within the definition of “loss” in § 1030(e)(11).
    • Where the offense involves unauthorized access and the use of protected information, discovering who has that information and what information he or she has is essential to remedying the harm.
    • The “cost of discovering the identity of the offender or the method by which the offender accessed the protected information” would be deemed to be “part of the loss for purposes of the CFAA.”
    • Costs associated with “identifying and ascertaining the extent” of defendant’s unauthorized access could satisfy the CFAA’s definition of loss.
    • It is not necessary for data to be physically changed or erased to constitute a loss or damage under the CFAA.
    • It is sufficient to show that there has been an impairment to the integrity of data, as when an intruder retrieves password information from a computer and the rightful computer owner must take corrective measures ‘to prevent the infiltration and gathering of confidential information.’ Costs associated with investigating intrusions into a computer network and taking subsequent remedial measures are losses within the meaning of the statute.

Principles from Case Law Narrowly Construing the CFAA’s Definition of Loss

    • Expending resources to analyze the system so as to discover how information was accessed is not considered.
    • The CFAA loss requirement was limited to “actual computer impairment” and where the plaintiff did not provide any evidence that its computer system was impaired or that its service was interrupted, it had failed to demonstrate a CFAA loss.
    • To state a claim based on loss, the loss must relate to the impairment or unavailability of data on a computer, and that loss does not include the cost of responding to a security breach.

Nosal Court’s Reasoning Adopting the Broad Construction of the CFAA’s Definition of Loss

    • Actual loss includes those costs incurred as part of an internal investigation reasonably necessary to respond to the offense, for example by identifying the perpetrator or the method by which the offender accessed the protected information.
    • The definition of loss includes, in part, costs reasonably necessary to resecure the data, program, system, or information from further damage.
    • The plain language of § 1030 includes in the definition of loss the cost of generally “responding to an offense.” In addition to this general statement, both provisions then expressly state that (1) conducting a damage assessment; (2) restoring data or a system to its prior condition; or (3) lost revenue resulting from any interruption of service all qualify as “loss.” If, as the cases which narrowly construe loss suggest, “loss” required some actual damage to a computer system or data, the phrase “responding to an offense” would be rendered superfluous by the more specific provisions.
    • In situations where the CFAA violation constitutes covert, unauthorized access into a computer system, taking corrective actions or otherwise “responding to an offense” will often be difficult (if not impossible) until the victim knows (1) who perpetrated the offense; (2) how the offense was perpetrated, and (3) the scope of any resulting damage or the degree to which the integrity of its data has been compromised. Individuals who access a computer without authorization and with an intent to defraud are unlikely to announce their presence, inform the victim what information they have accessed, and advise the victim on how it could protect itself in the future. Rather, an internal investigation will often be necessary to determine these critical facts. The very purpose of the “loss” enhancement to a Guideline offense level is that the reasonably foreseeable loss caused by an offender’s actions represents a proxy for that offender’s culpability.
    • Determining who breached the system security and the manner and extent of the intrusion is a reasonable and foreseeable step a victim is expected to take in response to a CFAA violation; it may well inform what remedial steps need be taken, steps which are clearly cognizable as losses under the CFAA.
    • Costs in resecuring data, program, system or information from further damage constitute loss under the CFAA.
    • There may be instances where a victim has the information necessary to take corrective action without the need of an extensive investigation.
    • Costs incurred for the purpose of building or supporting the victim’s civil case should not be considered “loss” for purposes of the Guidelines calculation.