Plaintiff is a lawyer who represented defendant in defendant’s divorce proceedings. During those proceedings, defendant terminated the representation and clawed back money he had paid plaintiff, which plaintiff claimed was properly paid. Plaintiff alleged this was a fraudulent act that resulted in a violation of the Computer Fraud and Abuse Act (“CFAA”) as well as several state law claims.
Plaintiff sued under the CFAA. Defendant moved to dismiss the claim. The court granted the motion.
The CFAA if the federal “anti-hacking” statute. It creates criminal and civil liability, among other things, for whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.
The court held that plaintiff’s complaint did not plausibly allege facts showing that in his attempt to get the credit card company and bank to return the money he previously paid to plaintiff, defendant accessed a protected computer without authorization or while exceeding his authorized access in violation of the statute.
If found that plaintiff accused defendant of filing fraudulent complaints and refund requests with Chase Bank and American Express through their websites. However, there were no allegations saying he did anything than access publicly available websites. In line with the holding of hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022), this did not constitute “access without authorization” since no special permission was needed to access these areas. Using the language of hiQ, it noted that publicly available webpages have “erected no gates to lift or lower in the first place”.
Even if defendant had used password-protected sections, the court found there were no assertions that defendant did so without authorization or exceeded his authorized access, such as using false credentials or accessing restricted information.
The court also examined plaintiff’s allegations that defendant violated AmEx’s terms of service by using the website for fraudulent purposes. It found that these allegations alone did not establish liability under the CFAA. Since there were no facts indicating that defendant’s actions were analogous to computer misconduct like “breaking and entering,” which the CFAA aims to combat, the court granted the motion to dismiss.
Watters v. Breja, 2024 WL 201356 (N.D. Cal. January 18, 2024)
See also:
- Is it unlawful to access someone else’s Google Drive content that is not password protected?
- Can you violate the CFAA by deleting data on your own computer?
- Click fraud might violate CFAA