CD-ROM is not a computer

GWR Medical, Inc. v. Baez, No. 07-1103, 2008 WL 698995 (E.D.Pa. March 13, 2008)

Now there’s a revelation in that headline.

Plaintiff GWR Medical terminated defendant Baez’s position with the company. Baez took with him a CD-ROM containing training materials and, the company alleged, trade secrets. When Baez wouldn’t return the CD, GWR sued him in federal court for violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. (“CFAA”).

Baez moved to dismiss the CFAA claim, and the court granted the motion. It held that a CD-ROM did not meet the definition of “computer” under the CFAA, and thus the claim could not stand.

The CFAA provides, among other things, that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information” violates the law. GWR asserted that Baez’s violation occurred when he kept the CD-ROM after he was terminated, thereby exceeding the authorization previously given to him.

A “computer” is defined in the CFAA [at 18 U.S.C. § 1030(e)(1)] as follows:

An electronic, magnetic, optical, electrochemical, or other high speed data processing device that performs logical, arithmetic or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but does not include an automated typewriter or typesetter, a portable hand held calculator, or similar device.

Electrochemical? Say what? And thank goodness we don’t have to hear about CFAA lawsuits brought for sneaking in late at night to use the automated typewriter. Hey man, come back with my calculator!

In any event, the parties each presented expert testimony on the question of whether a CD-ROM constitutes a computer. The court parsed the definition into three requirements: (1) “[a]n electronic, magnetic, optical, electrochemical, or other high speed data processing device;” (2) “performing logical, arithmetic, or storage functions;” which (3) “includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” If at least one of these requirements were not met, then the CD-ROM fell outside the definition.

Central to the court’s conclusion was the requirement that a computer process information. It found that the lack of the capacity to process information was fatal to GWR’s assertion that the CD-ROM met the statutory definition. Instead, the disc was analogous to a compilation of documents and training materials. Accordingly, the court dismissed the CFAA claim.

Damage under CFAA must involve some diminution of the system to be actionable

Garelli Wong & Assoc. v. Nichols, No. 07-6227, 2008 WL 161790 (N.D. Ill. January 16, 2008)

A recent decision from the U.S. District Court for the Northern District of Illinois presents a pretty typical fact pattern (employee leaves with sensitive data to work for a competitor), but also gives some useful guidance on the scope of the Computer Fraud and Abuse Act, 18 U.S.C. 1030 et seq. (CFAA).

Plaintiff Garelli Wong and Associates provides temporary placement for accounting professionals. When defendant Nichols worked for Garelli, he signed an NDA and learned a lot about the company’s clients, employees and strategy.

So when Garelli learned that Nichols allegedly copied a bunch of information before jumping ship, it sued. In addition to breach of contract, Garelli claimed Nichols violated the CFAA.

Nichols moved to dismiss the CFAA claim pursuant to Fed. R. Civ. P. 12(b)(6). The court granted the motion. It held that the CFAA requires a plaintiff to plead both damage and loss, and that Garelli failed to sufficiently plead both.

The CFAA defines “damage” as “impairment to the integrity or availability of data, a program, a system, or information.” Citing approvingly to the unpublished case of ResDev v. Lot Builders, 2005 WL 1924743 (M.D. Fla. August 10, 2005), which held that the word “integrity” required “some diminution in the completeness or useability of data or information on a computer system,” the court sided with Nichols. He had contended that CFAA liability does not arise merely by copying data. A violation of the CFAA requires more — some adverse effect on the system.

Garelli’s loss allegation essentially got Twomblied. The court found that Garelli’s allegations of loss — essentially a formulaic recitation of the CFAA’s $5,000 threshold language — did not provide the grounds of the entitlement to relief with more than labels and conclusions.

Scroll to top