Money for pain and suffering because your email was hacked?


Plaintiff and defendant worked together doing real estate appraisals. Defendant accessed plaintiff’s email account without authorization and was later found liable for violating the federal Stored Communications Act. When it came time to assess damages, plaintiff asked for $150,000 for the pain and suffering he endured because of the email access. He alleged that he suffered mental decline, began drinking a lot and had troubles with his marriage.

The court was sympathetic to plaintiff’s “very real difficulties” but found that the amount he was seeking bore “an outsized relationship to the actual offense.” From the court’s opinion:

[Defendant], on one occasion, committed a targeted SCA offense. [Defendant] searched solely for emails related to [plaintiff’s] disparagement of [defendant] and printed four of them. Immediately, [plaintiff] learned of the breach and quickly put security measures in place to prevent further unauthorized access. Because the offense was objectively narrow in scope, the Court credits that [plaintiff] suffered a brief period of emotional harm related to the offense. The original intrusion was startling and, no doubt, produced some anxiety during the time it took [plaintiff] to protect his privacy by installing computer security software, changing passwords, and contacting his internet service provider who assured him they had taken “care of everything.”

The court ended up awarding plaintiff $1,000 for his pain and suffering tied to the breach.

Skapinetz v. CoesterVMS, Inc., 2021 WL 1634712 (D.Md. April 27, 2021)

Former employee committed vandalism by deleting company’s YouTube videos


Of all the things that can go wrong when deleting your former employer’s YouTube videos, being liable for vandalism may not be the first thing that comes to mind. But it happened to the former employee of an Ohio company.

Defendant worked for plaintiff as vice president of sales and left the company in 2017. During that time plaintiff authorized defendant to access the company’s two YouTube channels and to upload content. Two years after defendant left, however, all the videos on both channels disappeared. Through detailed forensic work, plaintiff showed that defendant deleted the videos using his iPhone.

So plaintiff sued defendant for violating the Computer Fraud and Abuse Act, “vandalism” under Ohio law, and breach of a confidentiality provision in defendant’s employment contract. Plaintiff sought summary judgment on these claims, and the court granted plaintiff’s motion, finding there was no reasonable dispute the defendant deleted the YouTube videos.

The vandalism claim is particularly interesting. Under the applicable Ohio law, one is liable if he or she knowingly causes physical harm to the property of another. The decision does not indicate that defendant argued the deletion of YouTube videos would not meet this criterion. Instead, the decision indicates that defendant essentially stipulated he would be liable if plaintiff proved he deleted the videos. The court believed the so-called “mountain” of evidence plaintiff produced showing that defendant was the one who did the deletion.

Kaivac, Inc. v. Stillwagon, 2021 WL 184593 (S.D. Ohio, January 19, 2021)

About the author: Evan Brown is a technology and intellectual property attorney in Chicago. This post originally appeared on http://evan.law.

Can you violate the CFAA by deleting data on your own computer?

The Computer Fraud and Abuse Act (CFAA) has a provision that makes it unlawful to “knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” Can a person violate that provision of the CFAA by deleting data on his or her own computer? A recent federal case answered that question.

Plaintiff sued its former chief technology officer under the CFAA after it learned that the former executive wiped the hard drive of his personal laptop he had used for company business. Defendant moved to dismiss, arguing primarily that the purpose of the CFAA is to target hackers. And he argued that there is a circuit split over what it means for an employee to access a computer without authorization or in excess of authorization.

The court denied the motion to dismiss. It acknowledged there is a circuit split on what it means for an employee to access a computer without authorization or in excess of authorization. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) and LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) exemplify this split. But the court noted that this case did not present the question of authorization to access a computer. Instead, the relevant CFAA provision discusses unauthorized damage.

Looking at the plain language of the CFAA, the court found no basis to dismiss the complaint. So the court in effect said that a person can violate the CFAA by deleting data on his or her computer. The factual question of whether the particular defendant in this case did that will proceed to trial.

New Touch Digital Inc. v. Cabral, 2020 WL 5946067 (D.D.C. October 7, 2020)

See also:

Damages available under Computer Fraud and Abuse Act, even though no “interruption of service”


Click fraud might violate CFAA

Click fraud is a problem in online advertising and in situations where companies and advertisers use publishers to promote their content. A federal court in Delaware recently addressed this problem. 

Plaintiff job search engine sued one of its former “publishing partners” and its owners. Defendants sent out email messages with links to job search results. Plaintiff paid defendants on a “pay-per-click” basis – a certain amount each time someone clicked on one of the links.

The Alleged Click Fraud

Eventually plaintiff noted that “conversions” were low from defendants’ activities. That means there were a lot of clicks on links but not many actual job applicants. Plaintiff began to suspect defendants were artificially inflating the number of clicks – that is, committing click fraud. The contract between plaintiff and defendants prohibited this conduct.

After investigating, plaintiff learned one of its employees was allegedly working with defendants to engage in the click fraud scheme. Plaintiff sued defendants, asserting a number of claims, including one under the federal Computer Fraud and Abuse Act, 18 USC 1030 (“CFAA”).

Defendants moved to dismiss. The court denied the motion.

CFAA and Click Fraud

The CFAA imposes liability when a plaintiff pleads and proves that a defendant:

  • has accessed a protected computer (defined in the statute);
  • did so without authorization or by exceeding such authorization as was granted;
  • has done so knowingly and with intent to defraud; and
  • as a result has furthered the intended fraud and obtained anything of value.

Defendant argued that CFAA liability should not apply because there were no allegations of “hacking” in this case. The court rejected that argument.

The court looked to the case of CollegeSource, Inc. v. AcademyOne, Inc., 597 F. App’x 116 (3d Cir. 2015) to hold that if a defendant accesses the plaintiff’s computers and uses information in violation of a contractual agreement with the plaintiff, that could be enough to impose CFAA liability. And the court believed that is essentially what is alleged to have happened in this case: that defendants violated the terms of contractual agreements with plaintiff by causing illegitimate clicks to be directed to plaintiff’s computer servers.

Juju, Inc. v. Native Media, LLC, 2020 WL 3208800 (D. Del., June 15, 2020)

See also: Facebook hacking that causes emotional distress – does the CFAA provide recovery?

How companies can use their trademarks to combat COVID-19-related phishing

Straightforward out-of-court domain name proceeding can provide efficient relief against fraudulent websites and email.

Google has seen a steep rise amid the Coronavirus pandemic in new websites set up to engage in phishing (i.e. fraudulent attempts to obtain sensitive information such as usernames, passwords and financial details). Companies in all industries – not just the financial sector – are at risk from this nefarious practice. But one relatively simple out-of-court proceeding may provide relief.

Varieties of Phish Species

Phishing schemes can take a variety of forms. A fraudster may register a domain name similar to the company’s legitimate domain name and use it to send email messages to the company’s customers, requesting payment and providing wire instructions. Distracted or untrained customers who receive the email may unwittingly wire funds as instructed in the fraudulent email to an account owned by the criminal. Or the phishing party may set up a legitimate looking but fake website at a domain name similar to the company’s legitimate domain name, and direct users there to purportedly log in, thereby disclosing their usernames, passwords, and perhaps additional sensitive information.

Taking Sites Down with the UDRP

Everyone who registers a domain has to agree, by contract, to have disputes over the domain name’s ownership resolved through an administrative proceeding (similar to arbitration). The Uniform Domain Name Dispute Resolution Policy (UDRP) governs disputes over .com, .net, .org and many other domain name registrations. The World Intellectual Property Organization (WIPO) provides administrative panels who decide disputes under the UDRP. These are decided “on the papers” with each party having the opportunity to submit arguments and supporting documentation. The time and expense of a UDRP proceeding is a small fraction of what one sees in typical litigation – UDRP cases usually conclude within weeks, and generally cost a few thousand dollars.

The UDRP Frowns Upon Phishing

To be successful in bringing a UDRP proceeding, a party has to prove (1) that it owns a trademark that is identical or confusingly similar to the disputed domain name, (2) that the party that registered the disputed domain name has no rights or legitimate interests in the disputed domain name, and (3) that the disputed domain name was registered and has been used in bad faith.

UDRP panels typically show little tolerance for blatant phishing efforts. Companies bringing UDRP actions against registrants of domain names registered for phishing purposes enjoy a high rate of success. A good phishing effort (that is, “good” in the sense that the fake domain name succeeds in deceiving) will require using words similar to the company’s mark. So the first element is usually a low hurdle. On the second and third elements, UDRP panels are readily persuaded that a party using a disputed domain name for phishing gains no rights or legitimate interests, and demonstrates clear bad faith. “Using the disputed domain name to send fraudulent email is a strong example of bad faith under the [UDRP].” Samaritan’s Purse v. Domains By Proxy, LLC / Christopher Orientale NA, WIPO Case No. D2019-2403 

Facebook hacking that causes emotional distress – does the CFAA provide recovery?

A recent federal case from Virginia provides information on the types of “losses” that are actionable under the federal anti-hacking statute, the Computer Fraud and Abuse Act (“CFAA”).

Unauthorized Access Under the Computer Fraud and Abuse Act

Underlying facts

Plaintiff worked as a campaign manager, communications director and private sector employee of a Virginia state legislator. While plaintiff was in the hospital, defendant allegedly, without authorization, accessed plaintiff’s Facebook, Gmail and Google Docs accounts, and tried to access her Wells Fargo online account.

Plaintiff’s lawsuit

Plaintiff sued, alleging a number of claims, among them a claim for violation of the CFAA. Defendant moved to dismiss. Although the court denied the motion to dismiss on other grounds, it held that plaintiff’s alleged emotional distress was not the type of “loss” that is actionable under the CFAA.

Loss under the CFAA

One can bring a civil action under the CFAA if the defendant’s alleged conduct involves certain factors. One of those factors, set out at 18 U.S.C. § 1030(c)(4)(A)(i)(II), provides recovery if there is “the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals”.

Plaintiff alleged that defendant’s unauthorized access and attempted access to her accounts caused her to sustain a “loss” under this definition because it caused her to suffer emotional distress for which she needed to seek counseling.

The court disagreed with plaintiff’s assertions. Essentially, the court held, the modification or impairment of a plaintiff’s treatment must be based on impairment due to the inability to access or use deleted or corrupted medical records. As an example – this was not in the court’s opinion but is provided by the author of this post – one might be able to state a claim if medical records were modified by a hacker to change prescription information. Further, the court held, to recover under the relevant provision of the CFAA, a defendant’s violation must modify or impair an individual’s medical treatment as it already exists, not merely cause the plaintiff mental pain and suffering that requires additional care.

Hains v. Adams, 2019 WL 5929259 (E.D. Virginia, November 12, 2019)

Can a person bring a Computer Fraud and Abuse Act claim over unauthorized access to someone else’s computer?

Federal agents served a search warrant on plaintiff’s doctor’s office and thereby obtained access to plaintiff’s medical records, which were shared with a number of other parties involved in the criminal investigation of plaintiff’s doctor. Plaintiff sued under the Computer Fraud and Abuse Act (CFAA). Defendants moved to dismiss that claim. The court granted the motion. The CFAA prohibits unauthorized access to a “protected computer”. In dismissing the case, the court found, among other things, that there were no specific allegations that defendants accessed plaintiff’s computer.

Micks-Harm v. Nichols, No. 18-12634, 2019 WL 4781342 (E.D. Michigan, September 30, 2019)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Case shows the surprising narrowness of a key hacking statute definition

Plaintiff sued defendant for violation of the Computer Fraud and Abuse Act (“CFAA”). For almost 20 years, defendant had worked for a company that developed plaintiff’s proprietary software system. In this capacity, defendant had access to plaintiff’s customer database, accounting system and other confidential information. After leaving the work he was performing for plaintiff, defendant founded his own competing venture. 

Defendant moved to dismiss the CFAA claim. The court granted the motion to dismiss. The court held that defendant did not exceed the scope of his authorized access by accessing certain of plaintiff’s documents, files or drives for the benefit of his own venture. Citing to United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the court observed that the Ninth Circuit has defined “exceeds authorized access” narrowly to include only someone who is authorized to access only certain data or files but accesses unauthorized data or files – or to put it simply: hacking.

In this case, defendant was authorized to access plaintiff’s systems by virtue of the work he was hired to do in connection with plaintiff’s proprietary software systems. Plaintiff had attempted to draw a distinction between the work defendant was doing for his former employer and the actions defendant was undertaking to benefit his new venture (even though those actions were one and the same conduct). The court rejected this reasoning: “[E]ven if defendant accessed [plaintiff’s] information for the eventual benefit of [defendant’s new venture], that does not mean he could not have also accessed it for [his former employer’s] authorized purpose of building software.”

It is worth noting that the contours of “exceeding authorized access” under the CFAA give rise to a circuit split. It is fruitful to consider whether the outcome of this case may have been different, for example, in the Seventh Circuit, under the doctrines set out in Int’l Airport Ctr., L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006).

Regal West Corporation v. Nguyen, No. 19-5374, 2019 WL 4748393 (W.D.Washington, September 30, 2019)

Sony’s EULA did not protect it from liability under CFAA and for trespass to chattel

Plaintiff filed a class action lawsuit against Sony after Sony issued a software update that bricked plaintiff’s Sony Dash. Sony moved to dismiss for failure to state a claim. The court granted the motion on a number of claims but allowed the Computer Fraud and Abuse Act (CFAA) and trespass to chattel claims to move forward.

CFAA Claim

Sony had argued that the CFAA claim should fail because plaintiff had not alleged the software update was “without authorization,” given the language of the end user license agreement, which read:

From time to time, Sony … may automatically update or otherwise modify the Software, for example, but not limited to for purposes of error correction, improvement of features, and enhancement of security features. Such updates or modifications may change or delete the nature of features or other aspects of the Software, including but not limited to features you may rely upon. You hereby agree that such updates and modifications may occur at Sony’s sole discretion, and that Sony may condition continued use of the Software upon your complete installation or acceptance of such updates or modifications.

Specifically, Sony argued that the EULA authorized Sony to “modify” the software at any time, and warned that such modifications may change or delete the nature of features or other aspects of the software, including features the consumer may rely upon. A court addressed a similar argument in In re Apple, 596 F.Supp.2d 1288 (N.D. Cal. 2008). In that case, Apple, as defendant, relied on the following language to argue that it acted “with authorization” for purposes of the CFAA when bricking iPhones that had been unlocked to access third-party applications:

IF YOU HAVE MODIFIED YOUR IPHONE’S SOFTWARE, APPLYING THIS SOFTWARE UPDATE MAY RESULT IN YOUR IPHONE BECOMING PERMANENTLY INOPERABLE

In that case, the court concluded that usage of the term “may” (as in “may result” in damage) created too much ambiguity surrounding Apple’s warning and found plaintiff’s allegations as to its CFAA claim sufficient to defeat Apple’s motion to dismiss.

Here, Sony had used the same ambiguous “may” (as in “may change or delete the nature of features”) and even more uncertain language than in In re Apple. Unlike in In re Apple, Sony did not explicitly warn that a subsequent software update could render the Dash “permanently inoperable.” The EULA did not say that Sony could delete all features. Instead, it vaguely warned consumers that Sony “may change or delete the nature of features” that a consumer “may rely upon.” This sentence was also prefaced by the following: “From time to time, Sony … may automatically update or otherwise modify the Software, for example, but not limited to for purposes of error correction, improvement of features, and enhancement of security features.”

The court found that this preface implied that automatic software updates would improve or enhance the Dash – not destroy its functionality. The court could not say at this stage that by using the Dash and thus implicitly agreeing to the EULA, plaintiff authorized Sony to render his device inoperable. Accordingly, the court found that plaintiff plausibly pled that Sony acted “without authorization” in bricking the Dash.

Trespass to Chattel

Under New Jersey law, “[a] cognizable claim for trespass to chattel occurs ‘when personal property, in the actual use of the owner, is injured or taken by a trespasser, so that the owner is deprived of the use of it.’” Arcand v. Brother Int’l Corp., 673 F. Supp. 2d 282, 312 (D.N.J. 2009) (quoting Luse v. Jones, 39 N.J.L. 707, 709 (N.J. 1877)). “[P]hysical contact with the chattel, for instance, where a person kicks another’s car bumper, is not required.” Id. “All that is required … is interference with the chattel as a direct or indirect result of an act done by the actor.” Id.

In this case, Sony’s software update bricked plaintiff’s Dash. The court found that contrary to Sony’s assertions, plaintiff had not consented to Sony rendering his device wholly nonfunctional by agreeing to the EULA.

Sony had also argued that plaintiff never owned the software used by the Dash (in accordance with the EULA) and therefore Sony could not be liable for altering that software in the update. But the court saw it otherwise — whether plaintiff owned the software, Sony, at a minimum, indirectly injured plaintiff’s physical Dash by rendering it completely nonfunctional through the software update. The court again looked to In re Apple wherein that court found that the plaintiffs plausibly pled trespass to chattel by alleging that Apple released a software update that rendered the plaintiffs’ iPhones permanently inoperable. On these facts, the court found that plaintiff had plausibly pled his trespass to chattel claim.

Grisafi v. Sony Electronics Inc., 2019 WL 1930756 (D.N.J. April 30, 2019)

Police not required to publicly disclose how they monitor social media accounts in investigations

In the same week that news has broken about how Amazon is assisting police departments with facial recognition technology, here is a decision from a Pennsylvania court that held police do not have to turn over details to the public about how they monitor social media accounts in investigations.

The ACLU sought a copy under Pennsylvania’s Right-to-Know Law of the policies and procedures of the Pennsylvania State Police (PSP) for personnel when using social media monitoring software. The PSP produced a redacted copy, and after the ACLU challenged the redaction, the state’s Office of Open Records ordered the full document be provided. The PSP sought review in state court, and that court reversed the Office of Open Records order. The court found that disclosure of the record would be reasonably likely to threaten public safety or a public protection activity.

The court found in particular that disclosure would: (i) allow individuals to know when the PSP can monitor their activities using “open sources” and allow them to conceal their activities; (ii) expose the specific investigative method used; (iii) provide criminals with tactics the PSP uses when conducting undercover investigations; (iv) reveal how the PSP conducts its investigations; and (v) provide insight into how the PSP conducts an investigation and what sources and methods it would use. Additionally, the court credited the PSP’s affidavit which explained that disclosure would jeopardize the PSP’s ability to hire suitable candidates – troopers in particular – because disclosure would reveal the specific information that may be reviewed as part of a background check to determine whether candidates are suitable for employment.

Pennsylvania State Police v. American Civil Liberties Union of Pennsylvania, 2018 WL 2272597 (Commonwealth Court of Pennsylvania, May 18, 2018)
