Monthly Archives: June 2010
No New i-Phone 4 for Convicted CFAA Felon Randal Craig
One person you will not see waiting in line to buy the new i-Phone 4 at the Apple Store is Randall Craig who pleaded guilty to violations of the Computer Fraud and Abuse Act. (“CFAA”). Craig, a subcontractor at the Marine Corps Reserve Center, communicated by email with an undercover FBI agent posing as a Chinese agent. In the course of their dealings Craig provided the FBI agent with the names and social security numbers of approximately 17,000 Marine employees from a private Marine database in exchange for $500. During their email correspondence, Craig told the agent that he had … [ Continue reading ]
Investigating Ways to Make Website More Secure Constitutes Loss Under the Computer Fraud and Abuse Act
A federal court in Ohio last week held that the cost of investigating ways to make a website more secure after an authorized access into the website in violation of the Computer Fraud and Abuse Act (“CFAA”) constitutes “loss” to meet the $5,000 jurisdictional amount for loss under the CFAA. Jedson Engineering, Inc. v. Spirit Construction Services, Inc., 2010 WL 2541619 *19 (S.D. Ohio June 18, 2010) The court rejected the defendant’s motion for summary judgment on Jedson’s CFAA claim on the ground that Jedson had not met the $5,000 jurisdictional amount for loss required by the CFAA. Jedson relied … [ Continue reading ]
New York Court: CFAA Does Not Apply to Company Executives
A New York court held that the Computer Fraud and Abuse Act’s (“CFAA”) prohibition against unauthorized access does not apply to corporate executives who stole confidential and proprietary information from the company computers because, as company executives, they had been “granted unfettered access to . . . [the company’s] computer system and information residing on it.” Orbit One Communications, Inc. v. Numerex Corp., 692 F.Supp2d 373, 386 (S.D.N.Y. 2010). While recognizing that the “Courts have interpreted the CFAA’s prohibitions of ‘access without authorization’ and ‘exceed[ing] authorized access’ in two different ways,” and that the “Second Circuit has not addressed the … [ Continue reading ]
California Court Holds that an Employee Can Be Sued Under the CFAA for Deleting Company Files
Without referring to its Circuit’s controlling decision of LVRC Holdings LLC v. Brekka, 581 F.3d 1127, (9th Cir. 2009) , a federal district court in San Jose, California permitted a Computer Fraud and Abuse (“CFAA”) claim to proceed against an ex-employee for deleting files from her former employer’s computer. Kal-Tencor Corp. v. Murphy, 2010 WL 1912029 *6-*7 (N.D. Cal. May 11, 2010). This case is significant because it allows a CFAA claim for unauthorized access to be predicated on an employee agreement requiring an employee to return company records at the time of termination from the company. This decision is contrary to another district court decision in the same federal judicial district — U.S. v. Nosal, 2010 WL 934257 *7 (N.D. Ca. Jan. 6, 2010) — leaving open the question of whether in the 9th Circuit employer policies can be used to define employee authorization to the company computers . [ Continue reading ]
Alabama District Court: CFAA Does Not Apply to Employees
Bell Aerospace Services, Inc. v. US. Aero Services, Inc., 690 F.Supp.2d 1267 (M.D. Ala. 2010) recently followed the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009). The case alleges a classic employee theft of competitively sensitive data from the company computers for use at a competing business. Bell Aerospace Services fired one of its officers who two months later founded a competing company, U.S. Aero Services, and then recruited seven Bell Aerospace Services employees to join him at the new company. [ Continue reading ]
Another District Court Dismisses a CFAA Claim for Failure to Allege Jurisdictional Loss
ailure to allege proper “loss” under the Computer Fraud and Abuse Act (“CFAA”) continues to bedevil plaintiffs filing CFAA civil actions. The latest case decided this week, Devine v. Kapasi, 2010 WL 2293461 *4 (N.D. Ill. June 7, 2010), dismissed a CFAA claim on the ground that it did not allege that the Defendants’ actions “”caused … loss to 1 or more persons during any 1-year period … aggregating at least $5,000 in value.” § 1030(c)(4)(A)(i)(I). [ Continue reading ]
New Washington Privacy Law Effective July 1, 2010
Washington is the third state to enact an encryption law and a payment card law.1 Massachusetts and Nevada enacted encryption laws and Minnesota and Nevada enacted payment card laws. Since this law takes effect July 1, 2010, any entity that could be subject to this law should begin assessing whether they are subject to and in compliance with this law. [ Continue reading ]
Courts Adopt Tort Standard to Define CFAA “Loss”
The jurisdictional $5,000 “loss” requirement continues to be one of the most hotly contested issues arising out of civil actions filed under the federal Computer Fraud and Abuse Act (“CFAA”). [ Continue reading ]
