computer fraud and abuse act – Page 4

June 24, 2008 Anonymity

Anonymous defendants to be unmasked in Computer Fraud and Abuse Act case

Kimberlite Corp. v. Does 1-20, No. 08-2147, 2008 WL 2264485 (N.D. Cal. June 2, 2008)

Plaintiff Kimberlite sued a number of anonymous John Doe defendants after it learned that its network and email system had been unlawfully accessed. A few days after filing suit for violation of the Computer Fraud and Abuse Act (CFAA) and trespass to chattels under state law, Kimberlite served a subpoena on AT&T, the owner of the IP address from which the unauthorized access originated, seeking to discover who was responsible.

One of the John Doe defendants, pro se, wrote a letter to the court which the court treated as a motion to quash the subpoena. The court denied the motion.

Doe argued that Kimberlite had failed to state a claim under the CFAA. The court rejected that argument, observing that Kimberlite had adequately alleged and had provided preliminary evidence of a CFAA violation. (Doe had not challenged the sufficiency of the trespass to chattels claim.) Kimberlite’s computers were “protected” computers under the CFAA because they were used in interstate and foreign commerce. They were password protected and accessed without authorization by someone from the subject IP address. Kimberlite succeeded in alleging the threshold amount of CFAA damages ($5,000) through an employee declaration describing over 100 hours of investigation and repair following the intrusions.

Doe also argued that Kimberlite had not demonstrated a need to obtain the information that outweighed Doe’s privacy rights under the Cable Communication Policy Act (CCPA). That act prohibits cable operators from disclosing subscriber information unless certain criteria are met.

The court rejected the CCPA argument first by expressing serious doubt that AT&T, as an Internet service provider was a “cable operator” and thus subject to the CCPA. Even if the CCPA did apply, the court found Kimberlite had demonstrated a compelling need for the information sought. It had adequately set forth a cause of action, so discovery of the anonymous parties was proper.

June 14, 2008 Computer Crime

Company may be liable under Computer Fraud and Abuse Act for targeting and directing competitor’s employee to violate the Act

Binary Semantics Limited v. Minitab, Inc., No. 07-1750, 2008 WL 763575 (M.D. Pa. March 20, 2008)

Plaintiff Binary Semantics Limited is a company with expertise in promoting and selling software in India. Defendant Minitab, Inc. is a software development company that for several years had an agreement with Binary whereby Binary would promote and sell Minitab’s software in India. Minitab eventually decided that it would eliminate Binary’s services and sell directly in the Indian market.

Minitab allegedly contacted several of Binary’s employees and induced them to turn over some of Binary’s trade secrets and other information that would help Minitab hold its own in India. One of these Binary employees was a woman named Asha.

Asha

After Asha turned over the information to Minitab, Binary filed suit against Minitab, some of Minitab’s employees, and Asha, alleging, among many other things, violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 (“CFAA”). Minitab moved to dismiss the CFAA claim pursuant to FRCP 12(b)(6), arguing that none of its employees had violated the Act, but that Binary’s own employee, Asha, had. The court denied the motion to dismiss as to the CFAA claim.

Binary was required to plead four elements under the CFAA: (1) that Minitab accessed a protected computer, (2) without authorization or by exceeding such authorization as was granted, (3) knowingly and with intent to defraud, and (4) as a result furthered the intended fraud and obtained something of value.

In denying the motion to dismiss, the court found that Binary’s allegations were sufficient to state a claim against Minitab, even though it was actually Asha’s conduct that allegedly brought about the offense. Specifically, the complaint alleged that Minitab targeted Asha and that Asha did indeed access a protected computer. Further, the information retrieved eventually made its way to Minitab.

It was not a situation where Minitab merely received the information from a protected computer. Rather, the complaint sufficiently alleged that the unauthorized access was an action undertaken at the direction of Minitab. Therefore, Minitab could be held liable for the conduct.

March 19, 2008 Computer Crime

CD-ROM is not a computer

GWR Medical, Inc. v. Baez, No. 07-1103, 2008 WL 698995 (E.D.Pa. March 13, 2008)

Now there’s a revelation in that headline.

Plaintiff GWR Medical terminated defendant Baez’s position with the company. Baez took with him a CD-ROM containing training materials and, the company alleged, trade secrets. When Baez wouldn’t return the CD, GWR sued him in federal court for violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. (“CFAA”).

Baez moved to dismiss the CFAA claim, and the court granted the motion. It held that a CD-ROM did not meet the definition of “computer” under the CFAA, and thus the claim could not stand.

The CFAA provides, among other things, that “whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information” violates the law. GWR asserted that Baez’s violation occurred when he kept the CD-ROM after he was terminated, thereby exceeding the authorization previously given to him.

A “computer” is defined in the CFAA [at 18 U.S.C. § 1030(e)(1)] as follows:

An electronic, magnetic, optical, electrochemical, or other high speed data processing device that performs logical, arithmetic or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but does not include an automated typewriter or typesetter, a portable hand held calculator, or similar device.

Electrochemical? Say what? And thank goodness we don’t have to hear about CFAA lawsuits brought for sneaking in late at night to use the automated typewriter. Hey man, come back with my calculator!

In any event, the parties each presented expert testimony on the question of whether a CD-ROM constitutes a computer. The court parsed the definition into three requirements: (1) “[a]n electronic, magnetic, optical, electrochemical, or other high speed data processing device;” (2) “performing logical, arithmetic, or storage functions;” which (3) “includes any data storage facility or communications facility directly related to or operating in conjunction with such device.” If at least one of these requirements were not met, then the CD-ROM fell outside the definition.

Central to the court’s conclusion was the requirement that a computer process information. It found that the lack of the capacity to process information was fatal to GWR’s assertion that the CD-ROM met the statutory definition. Instead, the disc was analogous to a compilation of documents and training materials. Accordingly, the court dismissed the CFAA claim.

January 28, 2008 Computer Crime, Litigation

Damage under CFAA must involve some diminution of the system to be actionable

Garelli Wong & Assoc. v. Nichols, No. 07-6227, 2008 WL 161790 (N.D. Ill. January 16, 2008)

A recent decision from the U.S. District Court for the Northern District of Illinois presents a pretty typical fact pattern (employee leaves with sensitive data to work for a competitor), but also gives some useful guidance on the scope of the Computer Fraud and Abuse Act, 18 U.S.C. 1030 et seq. (CFAA).

Plaintiff Garelli Wong and Associates provides temporary placement for accounting professionals. When defendant Nichols worked for Garelli, he signed an NDA and learned a lot about the company’s clients, employees and strategy.

So when Garelli learned that Nichols allegedly copied a bunch of information before jumping ship, it sued. In addition to breach of contract, Garelli claimed Nichols violated the CFAA.

Nichols moved to dismiss the CFAA claim pursuant to Fed. R. Civ. P. 12(b)(6). The court granted the motion. It held that the CFAA requires a plaintiff to plead both damage and loss, and that Garelli failed to sufficiently plead both.

The CFAA defines “damage” as “impairment to the integrity or availability of data, a program, a system, or information.” Citing approvingly to the unpublished case of ResDev v. Lot Builders, 2005 WL 1924743 (M.D. Fla. August 10, 2005), which held that the word “integrity” required “some diminution in the completeness or useability of data or information on a computer system,” the court sided with Nichols. He had contended that CFAA liability does not arise merely by copying data. A violation of the CFAA requires more — some adverse effect on the system.

Garelli’s loss allegation essentially got Twomblied. The court found that Garelli’s allegations of loss — essentially a formulaic recitation of the CFAA’s $5,000 threshold language — did not provide the grounds of the entitlement to relief with more than labels and conclusions.