Can a Labor Union Be Sued Under the Computer Fraud and Abuse Act for Spamming an Employer’s Voice and Email Systems?

The answer is yes. The Sixth Circuit Court of Appeals last week reversed a district court and reinstated a Computer Fraud and Abuse Act (“CFAA”) claim brought by an employer against a labor union for “bombarding” the computer systems of its sales and executive offices with emails and voicemails making it impossible for the company to communicate with its customers and vendors. Pulte Homes, Inc v. Laborers’ International Union of North America, 2011 WL 3274014 (6th Cir. Aug 2, 2011). This case is a good example of how the federal Circuit Courts of Appeal are taking control of the interpretation of the scope of the CFAA away from the district courts and applying it expansively to protect computer technology.

“To generate a high volume of calls, . . . [the Union] both hired an auto-dialing service and requested its members to call Pulte [Homes, a homebuilder]. It also encouraged its members, through postings on its website, to “fight back” by using . . . [the Union’s] server to send e-mails to specific Pulte executives. Most of the calls and e-mails concerned Pulte’s purported unfair labor practices, though some communications included threats and obscene language.” Id. at *1.
 
As the court pointed out, “it was the volume of the communications, and not their content, that injured Pulte. The calls clogged access to Pulte’s voicemail system, prevented its customers from reaching its sales offices and representatives, and even forced one Pulte employee to turn off her business cell phone. The e-mails wreaked more havoc: they overloaded Pulte’s system, which limits the number of e-mails in an inbox; and this, in turn, stalled normal business operations because Pulte’s employees could not access business-related e-mails or send e-mails to customers and vendors.” Id.
 
“Four days” into the onslaught, “Pulte’s general counsel contacted” the union and requested that they “stop the attack because it prevented Pulte’s employees from doing their jobs.” Id. When the Union ignored his request, the company filed suit for, among other things, a violation of the CFAA for “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A). The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. § 1030(e)(8).

The court, relying on the plain meaning of the terms “impairment,” “integrity,” and “availability,” concluded “that a transmission that weakens a sound computer system–or, similarly, one that diminishes a plaintiff’s ability to use data or a system–causes damage.” Id. at *4. Here, the court found that the complaint alleged “just that” – “the transmissions diminished Pulte’s ability to use its systems and data because they prevented Pulte from receiving at least some calls and accessing or sending at least some e-mails.” Id.

The court also found that the complaint alleged that the Union acted with the requisite intent under the statute to intentionally cause damage. The court summed up the allegations in the complaint that showed that the Union acted “with the conscious purpose of causing damage (in a statutory sense) to Pulte’s computer system”:

(1) The union “instructed its members to send thousands of e-mails to three specific Pulte executives; (2) many of these e-mails came from . . . [the union’s] server; (3) . . . [the Union] encouraged its members to “fight back” after Pulte terminated several employees; (4) . . . [the union] used an auto-dialing service to generate a high volume of calls; and (5) some of the messages included threats and obscenity. And although Pulte appears to use an idiosyncratic e-mail system, it is plausible . . . [the union] understood the likely effects of its actions–that sending transmissions at such an incredible volume would slow down Pulte’s computer operations. . . . [The Union’s] rhetoric of “fighting back,” in particular, suggests that such a slow-down was at least one of its objectives.
Id. at *6.

This case is reflective of the pattern that has emerged over the past few years in the judicial interpretation of the CFAA. The district courts have interpreted the CFAA narrowly, sometimes limiting it only to outside computer hacking, while the appeals courts have continued to interpret the statute broadly as a true federal omnibus computer crime statute outlawing all criminal activity directed at computers and computer systems.

Legal Minds Interview with Nick Akerman

LegalMinds® Digital Magazine, Summer 2011, vol. 2, no. 1: LegalMinds® Interviews Nick Akerman

“In this exclusive LegalMinds® interview, Akerman discusses recent developments related to data security, identity theft, workplace and customer privacy issues, disclosure obligations and compliance with state laws and federal statutes, as well as several recent Supreme Court decisions that can have a significant impact on your internal policies and procedures.”

Starts on Page 17.


Legal Minds Video: View the Video: The Legal Challenges of Privacy, Computer Fraud and Data Security

While an old adage has been that companies’ greatest assets walk out the door at the end of each day, now in the Digital Age they can easily take other vital and proprietary assets in their pocket with them. Read the blog post at LegalMinds TV


Will News Corp. Executives and Reporters Be Charged with Criminal Violations of the Computer Fraud and Abuse Act?

The New York Times recently reported that the UK telephone hacking scandal could result in News Corp. and its executives being charged in the United States with criminal violations of the Foreign Corrupt Practices Act, Title 15, U.S.C. § 78m, the Electronic Communications Privacy Act, 18 U.S.C. § 2511, and the Telephone Records and Privacy Protection Act, 18 U.S.C. § 1039. See NYT, “News Corp. Braces for Legal Trouble in the U.S.,” July 18, 2011. What the New York Times, as well as all of the politicians and pundits who have commented on this issue, failed to mention is that the federal Computer Fraud and Abuse Act (“CFAA”) is the federal criminal statute that most neatly fits the alleged crimes of hacking into voice mails and telephone records. Title 18, U.S.C. §1030.

The CFAA is the omnibus federal computer crime statute that, among other things, makes it a crime for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” §1030(a)(2)(C). There is little doubt that the information News Corp.’s reporters allegedly obtained, the voice mails and telephone records, were data files from computers, and there is also no question that the access to the computers through which the News Corp. reporters allegedly obtained the voice mails and telephone information was not authorized.

The CFAA’s definition of a “computer” covers every conceivable type of computer. §1030(e)(1). As the defendant correctly claimed in U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005), “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.” Thus, whatever type of device News Corp.’s reporters used to retrieve the voice mails and other personal information, it almost certainly qualifies as a computer under the CFAA.

As stated above, to be guilty of the crime the reporter must not only have accessed a computer; the information must also have been obtained from a “protected computer,” defined by the CFAA as a computer “used in interstate or foreign commerce or communication.” §1030(a)(2)(B). But what is of particular relevance to the News Corp. situation is that this definition extends to any computer “located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.” In other words, any computer anywhere in the world that communicates with the United States through email is subject to the CFAA and can form the basis for a criminal prosecution in the United States.

While it is theoretically possible that a News Corp. reporter could be charged with criminal violations of the CFAA for accessing a computer in the UK, it is highly unlikely that the Department of Justice would prosecute a case that thus far appears to be solely a UK crime. However, to the extent the current FBI investigation uncovers evidence of any U.S. connection, such as the alleged retrieval of voice mails from 9/11 victims, the CFAA is likely to be the Justice Department’s criminal statute of choice for the News Corp. reporters and executives who initiated the hacking.


Largest Expansion of Domain Name System in History: New Domain Name Plan Approved by ICANN on June 20, 2011

By Jamie M. Nafziger, partner Dorsey & Whitney

Yesterday, ICANN approved the launch of its new generic top level domain name (gTLD) plan.  It will accept applications for new gTLDs from January 12, 2012, to April 12, 2012.  Under ICANN’s plan, anyone can apply to own and manage a gTLD, the part after the dot.  However, the expense for doing so is expected to exceed $500,000 over the first eighteen to twenty-four months, with significant yearly expenses thereafter.

This move follows years of ICANN wrangling with brand owners and governments over opposition to the plan.  It is expected that the new gTLDs will not be functioning until 2013.  Even if brand owners do not want to acquire their own gTLD, there will be several relevant periods for defensively protecting their brands.  The first will be protecting their brands from being registered as gTLDs by others.  The second will involve defensively protecting their brands as second level domain names in the new gTLDs. The final ICANN plan includes a trademark clearinghouse, a uniform rapid suspension system (URS) and a post-delegation dispute resolution procedure (PDDRP), all of which can be used by brand owners to help protect their brands. One controversial aspect of the draft plan that would require brand owners to prove use of their trademarks before they could be included in the trademark clearinghouse was maintained in the final plan approved by the ICANN Board.

Dorsey & Whitney’s Trademark, Copyright and Brand Management Group would be pleased to assist your company in planning for the new gTLD launch. If you have questions, please contact Jamie M. Nafziger at nafziger.jamie@dorsey.com.

Practical Steps in Responding to a Data Breach

By Nick Akerman and Melissa Krasnow.
Melissa Krasnow is a corporate partner in the Minneapolis office of Dorsey & Whitney LLP who also is a Certified Information Privacy Professional and a member of the International Association of Privacy Professionals Publication Advisory Board.

What does a company do if it is faced with a possible or actual breach of customer, employee or shareholder personal data? California enacted the first state data breach notification law in 2003, obligating companies to notify individuals whose personal data had been compromised in a data breach. Since then, 45 more states have followed California’s lead in responding to the national epidemic of identity theft. This article provides an overview of these laws, describes some best practices that have developed in response to them and addresses the calls for a federal data-breach law.

The 46 state laws generally require companies to notify individuals if there is a reasonable basis to believe that there has been a compromise of their personal data. See, e.g., Calif. Civ. Code §1798.82. Some states also necessitate determining whether there is a “risk of harm” from the breach to such individuals. See, e.g., Conn. Gen. Stat. §36a-701b(b). These state laws typically cover such nonpublic personal information as name, together with a social security number, driver’s license number or account, credit or debit card number information that would permit access to an individual’s financial account. A handful of states also cover name plus medical information. See, e.g., Calif. Civ. Code §1798.82(e)-(f). When medical information is involved, companies should also review the federal Health Information Technology for Economic and Clinical Health (HITECH) Act data breach rule, which covers protected health information. 45 CFR Parts 160 and 164, Subpart D. The state laws require that affected individuals be provided with adequate timely notice so they can take steps to protect their personal information and prevent identity theft.

Enforcement of these state laws varies. The California law provides for lawsuits by private individuals who have been injured by virtue of not being notified. Calif. Civ. Code §1798.84(b). A number of states like New York and Minnesota charge the State Attorney General with enforcement. N.Y. Gen. Bus. Law §899-aa6(a); M.S.A. §325E.61. Finally, some state laws provide for fines of varying amounts. N.Y. Gen. Bus. Law §899-aa6(a); Fla. Stat. Ann §817.5681(1)(b).

There is no foolproof way to guard against computer hackers or the theft of an employee laptop. One preventative measure to minimize the risk of a data breach is to establish a data compliance program, which a recent Massachusetts privacy regulation requires. 201 CMR 17.00 et seq. Such a program mandates appointing a security coordinator, establishing security policies, minimizing the risks posed by employees and third parties that have contact with the company’s personal data, training the workforce, regularly auditing the program, and enforcing the policies and protocols for responding to data incidents and breaches.

A key component of this proactive approach is encrypting personal data so if it is compromised, it is not automatically exposed and cannot be easily deciphered. The state laws generally do not apply when the personal data involved in a breach are encrypted. Also, the Massachusetts privacy regulation requires all personal data to be encrypted if transmitted via the Internet or wirelessly or stored on laptops or portable devices. 201 CMR 17.04.

A company must stand ready to respond once aware or informed of a possible or actual data incident or breach. There should be a mechanism for reporting a possible or actual data incident or breach, and employees should be sensitized to its importance. Time is of the essence in determining whether a data breach has occurred or is likely to occur and whether notification is required or advisable. If notification is required or advisable, then providing it must also be done quickly. Although a number of states, such as California, provide leeway by requiring that notice be provided in the “most expedient time possible and without unreasonable delay,” other states, such as Wisconsin, define a more precise time period. Calif. Civ. Code §1789.82(a); Wis. Stat. §134.98.

Suspicion that a data breach may have occurred and having a “reasonable basis” to believe a data breach actually occurred requiring notification is a distinction with practical consequences. For example, the fact that two Web site customers complain within 24 hours that someone used their credit card information to buy merchandise on other Web sites does not mean that your company’s Web site was necessarily breached. It is suspicious and should cause your company to investigate whether the site was breached or whether it was simply a coincidence having nothing to do with the integrity of the company’s Web site.

For that reason, it is critical your company be investigative-ready before the issue arises. Investigative-ready means selecting in advance a person or firm who will conduct the investigation of a company’s computer network and equipment. That computer investigator should be forensically trained and experienced in testifying in court and have credibility with the government agencies the company may ultimately have to convince that it acted properly and reasonably, particularly if it is determined that there is no factual basis to conclude that a data breach occurred.

State laws generally permit notification to “be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.” See, e.g., Calif. Civ. Code §1798.82(c). Notifying law enforcement of a data breach has three practical effects: it may delay when notification must be made; it is a common element of notifications to state attorneys general, regulators and affected individuals; and it sends a message to affected individuals that your company is taking an important step to protect them.

If a data breach is determined to have occurred and it is determined that notification of affected individuals is required or advisable, the different state law requirements for notification must be considered. One notable example is that the Massachusetts law does not permit notification of affected individuals of “the nature of the breach.” Instead, the notification must advise about “the consumer’s right to obtain a police report, how a consumer requests a security freeze and the necessary information to be provided when requesting the security freeze, and any fees required to be paid to any of the consumer reporting agencies.” Mass. Gen. Laws, Ch. 93H, §3(a). For a breach involving medical information that also is determined to be a breach of protected health information under the HITECH Act, those requirements also must be addressed.

In addition to notifying affected individuals, a company must also notify state attorneys general, state regulators or consumer reporting agencies under some state laws. New York and North Carolina each requires a particular notification to the State AG, and New York also requires a particular notification to the New York Consumer Protection Board and Office of Cyber Security. N.C. Gen. Stat. § 75-65(f); N.Y. Gen. Bus. Law §899-aa8(a). New Jersey requires notification to the state police. N.J. Stat. §56:8-163(12.c.).

Because these notifications are likely to be publicized in the press and via the Internet, they should be drafted accordingly. For example, notifications sent to the New Hampshire Attorney General are automatically posted on the state attorney general’s Web site (http://doj.nh.gov/consumer/breaches.html). Although not required by law, it is common to include an offer in the notifications for free identity-theft services. Public companies should also consider whether disclosure should be made in their filings with the U.S. Securities and Exchange Commission.

Finally, a company’s responsive actions to the data incident or breach should be carefully documented. If asked by any regulator or sued, a company must be able to credibly explain the cause of the incident or breach and the basis for determining whether notification be made. The Massachusetts regulation and best practices also dictate that a company conduct a post-incident review to analyze lessons learned to prevent future incidents and breaches and to make any changes to the company’s practices for protecting personal data, including becoming aware of and responding to a data incident or breach.

There have been calls for data-breach notification to be more uniform and the subject of a federal law. Recently, the U.S. Department of Commerce issued a green paper on privacy recommending consideration of a comprehensive commercial data-breach framework for electronic records that includes notification provisions; encourages companies to implement strict data-security protocols; and allows states to build upon the existing framework in limited ways, tracking the effective protections from state laws. Department of Commerce Internet Policy Task Force, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework (Dec. 16, 2010). But until a federal data-breach law that pre-empts the state laws is enacted, the state laws must continue to be followed.

9th Circuit Clarifies Brekka: Employees Can Be Criminally Prosecuted for Violating Their Employer’s Computer Policies

In California, Washington, Oregon, Alaska, Montana, Arizona, Nevada and Idaho – states covered by the 9th Circuit Court of Appeals — the answer as of yesterday is an emphatic “YES.” In U.S. v. Nosal, 2011 WL 1585600 (9th Cir. April 28, 2011) the court clarified its decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009) which up until now was considered to be a bar to using the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute, against employees who stole their employer’s computer data. This case places the 9th Circuit in sync with the other Circuit Courts that permit the CFAA to be used against employees who steal data from the company computers.

The CFAA, while primarily a criminal statute, permits victims of computer crime, including companies, to bring civil actions for damages and injunctive relief based on violations of the statute. Title 18, U.S.C. §1030. A key element in proving either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed [ed] authorized access.” Brekka has been cited for the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization.

David Nosal, a Korn/Ferry executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.” Id. at *2. According to the Indictment, these employees, “using their user accounts to access the Korn/Ferry computer system” “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database – a ‘highly confidential and proprietary database of executives and companies’ – which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” Id.

The district court had originally upheld the CFAA counts against Nosal based on precedent in other Circuits but changed its decision and dismissed the counts after the Brekka decision. The government appealed, relying on Korn/Ferry’s computer policies that restricted the scope of employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.” Id. The government argued that based on these policies, Nosal had exceeded authorized access.

The court agreed with the government, citing the statutory definition of “exceeds authorized access,” which means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court held that the word “so” in the statutory definition “refers to an accesser who is not entitled to access information in a certain manner.” Id. at *4. Thus, the court held that “an employee ‘exceeds authorized access’ under §1030 when he or she violates the employer’s computer access restrictions – including use restrictions.” Id.

Nosal distinguished its prior decision in Brekka on the facts — “[b]ecause LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether – or when – his access would have become unauthorized.” Id. at *6. The key difference was the Korn/Ferry computer policies. The court concluded “as long as an employee has some permission to use the computer for some purpose, that employee accesses the computer with authorization even if the employee acts with a fraudulent intent.” Id. Thus, “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” The court emphasized, “[i]t is as simple as that.” Id.

Finally, the court directly responded to Nosal’s argument that its decision “will make criminals out of millions of employees who might use their work computers for personal use, for example to access their personal email accounts or to check the latest college basketball scores.” Id. at *7. The court pointed out that the CFAA “does not criminalize the mere violation of an employer’s use restrictions.” Id. Rather, the employee must evince an intent to defraud and take something of value. Thus, there must be more than “[s]imply using a work computer in a manner that violates an employer’s use restrictions.” Id.

This case is all about instituting clear and conspicuous computer use policies. (“Korn/Ferry employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employee’s access to the system in general and to the Searcher database in particular” Id). The major take away from the Nosal decision is that every company that is serious about protecting its computer data should have comprehensive computer policies that clearly spell out the scope of their employees’ authorization to access the company computers. It is no longer a viable option to do nothing.

How Not to Investigate a Suspected Data Theft

There are few reported cases that reflect the problems that can result from computer investigations being inexpertly performed. U.S. v. Koo, 2011 WL 777965 (D. Or. March 1, 2011), decided this month by an Oregon federal district court, illustrates what can go wrong when a novice directs a computer investigation.

The underlying facts of the case are not atypical. Lawrence Hoffman, the owner of a manufacturer and distributor of after-market auto parts known as the Hoffman Group, discovered on eBay that JES Suppliers, LLC was offering to sell one of his products. A corporate records check revealed that JES Suppliers had been incorporated by a former Hoffman employee and two current employees, including Shegbao Wu who worked for a Hoffman Group subsidiary in China where he managed the design and manufacture of products. Id. at * 1.

As part of his investigation, Hoffman asked Wu to return from China to company headquarters in the U.S. under the pretext of discussing company business. While Wu was at the company office, Hoffman asked Wu to leave his company-owned laptop computer in order to replace it with an upgraded computer. The individual who took possession of Wu’s computer was an outside computer analyst hired to examine Wu’s computer. In examining the computer, “the computer analyst opened a folder named ‘private’ [in Wu’s laptop containing documents allegedly relating to JES Suppliers, LLC] and moved it to the laptop desktop” from which he “copied selected parts of the ‘private’ folder onto a USB external hard drive device using” regular business software that was not one of the standard forensic tools. Id. at *2.

Thereafter, “Hoffman took the laptop home and, over the course of two days, periodically booted it up and looked around.” Id. Hoffman later “testified he ‘could have’ moved files, but did not delete files and did not run the defragmentation utility” and “made ‘screen shots’ of a chat program contact list, which he saved to a subfolder in the ‘private’ folder he named ‘QQ.’” Id.

Hoffman provided both the laptop and the software backup of the private file to the FBI. As a result, Wu and the other two incorporators of JES Suppliers were indicted for various federal crimes including conspiracy, wire fraud, theft of trade secrets and computer fraud. As part of their pretrial motions, the defendants moved to exclude the backup of the personal file and the laptop from evidence to be offered by the government at their criminal trial. The court held a pre-trial evidentiary hearing on the motion.

The defendants attacked the software backup of the private files copied from Wu’s computer on two grounds. First, they claimed “that computer data can be changed or deleted, and a savvy computer user can cover up such work.” Id. at *5. From that premise the defendants asserted that the computer analyst “and Hoffman could have uploaded incriminating information onto Wu’s computer, altered the dates associated with that information’s uploading, installed . . . [the business software] to overwrite the data associated with that change, and then made a selective digital image of the hard drive to turn over to the FBI.” Id. The court found no evidence to support the defendants’ position and held that “[t]he mere possibility that the logs may have been altered goes only to the weight of the evidence not its admissibility.” Id.

Second, the defendants attacked the software backup of the private file on the ground that the software used to make the backup was not forensic software and thus “failed to capture all of the data on the laptop.” Id. The defendants correctly argued that the business software backup was not “a bit-for-bit copy known as a ‘forensic image,’” did not contain the hash values of the files, known as digital fingerprints, and did not capture the computer’s unallocated space where deleted files reside. Id. at *6. The court, however, found that the government met its burden under Fed. R. Evid. 901 of showing authenticity and relevancy, but also held that the lack of completeness of the evidence relates to the government’s burden of proof and is a point which the defense was free to argue to the jury.

While admitting the evidence of the software backup of the personal file, the court took a totally contrary view on the admissibility of the Wu laptop. The court granted the defendants’ motion to exclude the laptop because the government could not “make a prima facie showing that the Laptop image was in ‘substantially the same condition’ as the laptop seized from Wu.” Id. at *7. The court relied on the hearing evidence showing Hoffman’s personal animus against Wu (he had filed a civil lawsuit against Wu) and found, “[m]ost importantly,” that “the evidence adduced at the hearing supports the notion that Hoffman tampered with the laptop, which resulted in the FBI imaging ‘bad stuff.’” Id. at *8.

The court relied on the hearing evidence that “Hoffman himself admitted to booting the computer up and perusing its content over the course of two days” and the defendants’ expert who testified “from his forensic examination of the two Images, between the time the . . . [software backup] was made and the time the FBI took possession of the laptop, over 1,000 files or folders were accessed, altered, or deleted” and his findings of “285 files on the . . . [software backup] Image that were absent from the Laptop Image.” Id.

This case provides two clear lessons to any company that suspects one of its employees of stealing data. First, as a general rule it is usually not a good idea for someone in the organization, particularly a small organization, to conduct the investigation into the suspected theft when the employer could be accused of bias against the employee. The court found that Hoffman was biased because he had filed a civil action against Wu and the other defendants “the day before he obtained Wu’s laptop.” Id. at *7. Any issues of bias could have been eliminated if the investigation had been conducted at the direction of outside counsel with expertise in computers and criminal investigations. Hoffman should never have been directing the computer analyst or personally reviewing the computer.

Second, it is critical to hire a qualified computer forensic examiner to conduct the computer examination. What is striking about this case is that the computer examiner hired by Hoffman neither used forensic software to copy the private file nor imaged the entire computer. Instead, he used business software that was not capable of capturing the complete file, let alone the entire computer, and so could not preserve it in the exact condition it was in when retrieved from Wu. Worse, Hoffman kept the laptop and reviewed it himself, thereby leaving himself open to charges of manipulating, deleting and changing the laptop data.

Indeed, without attributing any bad motive to Hoffman, his opening of Wu’s computer would necessarily and unwittingly have destroyed files and date and time stamps that could have provided valuable evidence. There is more to computer investigations than simply hiring an investigator. What is critical is that the investigation be coordinated by an attorney with expertise in computer crime, to ensure that the necessary computer evidence is gathered and preserved, that proper procedures are followed, including the use of state-of-the-art forensic techniques and software, and that a chain of custody on the computer evidence is maintained to rebut any claim that the computer evidence is not in the same condition as when it was initially retrieved in the investigation.
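As an added illustration, not part of the original post or the case record, of the kind of comparison the defendants’ expert performed between the two images, the following Python compares hashed file manifests from an earlier and a later image to report files that are absent, altered or merely touched (timestamp changed, content intact), and verifies an image against the hash recorded at acquisition, the core of a chain-of-custody check. The paths, contents and timestamps are constructed sample data.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Hash file or image contents; hashes, not timestamps, show whether content changed."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample manifests (hypothetical paths and contents, not from the case record).
# A manifest maps each path in an image to (content hash, last-modified time in epoch seconds).
EARLIER_IMAGE = {
    "Documents/customers.xlsx": (sha256_hex(b"customer list v1"), 1254000000),
    "Documents/pricing.doc": (sha256_hex(b"pricing"), 1254000100),
    "Documents/notes.txt": (sha256_hex(b"notes"), 1254000200),
}
LATER_IMAGE = {
    "Documents/customers.xlsx": (sha256_hex(b"customer list v2"), 1254100000),
    "Documents/pricing.doc": (sha256_hex(b"pricing"), 1254100100),  # same bytes, new timestamp
    "Documents/newfile.txt": (sha256_hex(b"new"), 1254100300),
}

def compare_images(earlier: dict, later: dict) -> dict:
    """Classify each path as absent, altered, touched (timestamp only), added or unchanged."""
    report = {"absent": [], "altered": [], "touched": [], "added": [], "unchanged": []}
    for path, (old_hash, old_mtime) in earlier.items():
        if path not in later:
            report["absent"].append(path)          # present before, gone now (deleted)
            continue
        new_hash, new_mtime = later[path]
        if old_hash != new_hash:
            report["altered"].append(path)         # content changed
        elif old_mtime != new_mtime:
            report["touched"].append(path)         # content intact, metadata changed
        else:
            report["unchanged"].append(path)
    report["added"] = [p for p in later if p not in earlier]  # created after the first snapshot
    return report

def verify_image_hash(image_bytes: bytes, acquisition_hash: str) -> bool:
    """Chain-of-custody check: the image must still hash to the value recorded when acquired."""
    return hmac.compare_digest(sha256_hex(image_bytes), acquisition_hash)
```

Booting and browsing a machine between the two snapshots shows up here as "touched" and "altered" entries even when no file was deliberately changed, which is why examiners image first and review only the image.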

Sex Crimes, Cell Phones and the Computer Fraud and Abuse Act

If anyone deserves a longer sentence, it is a sex offender who victimizes minors. But no one would ever have anticipated that a sex offender would receive extra prison time for using a basic cell phone in the furtherance of his crime. Last week the Eighth Circuit Court of Appeals upheld the enhanced sentence of the defendant Neil Kramer, who pleaded guilty to transporting a female minor in interstate commerce with the intent to engage in criminal sexual activity, Title 18, U.S.C. § 2423(a). Kramer’s prison sentence was increased by an extra 2 1/3 years because he had used his cell phone to make calls and send text messages to the victim for a six-month period leading up to the offense. U.S. v. Kramer, 2011 WL 383710 (8th Cir. Feb. 8, 2011). In total Kramer was sentenced to over 13 years in prison.

Under the Federal Sentencing Guidelines, the sentencing judge is permitted to increase the sentence for the crime to which Kramer pled guilty if a computer, as that term is defined by Title 18, U.S.C. § 1030(e)(1) of the Computer Fraud and Abuse Act (“CFAA”), is used to facilitate the offense. Based on its finding that the cell phone is a computer, the court increased Kramer’s sentence by 28 months.

This case illustrates the breadth with which the federal courts are interpreting the definition of a computer. Indeed, the Circuit Court quoted Steve Wozniak, the founder of Apple Computer, for the proposition that “Everything has a computer in it nowadays.” Id. at *1. This case not only has ramifications for increasing the length of prison sentences for federal crimes, but it also expands the reach of the CFAA, the federal computer crime statute, to ordinary cell phones.

Kramer appealed his sentence claiming “(1) that application of the enhancement was procedural error because a cellular telephone, when used only to make voice calls and send text messages, cannot be a ‘computer’ as defined in 18 U.S.C. § 1030(e)(1), and (2) that even if a phone could be a computer, the government’s evidence was insufficient to show that his phone met that definition.” Id. The Appeals Court, however, disagreed and affirmed Kramer’s sentence.

First, the court rejected Kramer’s argument that a basic cell phone that was only used to make calls and send text messages could not be a computer because it did not access the Internet. The court relied on the “exceedingly broad language” of § 1030(e)(1): “[i]f a device is ‘an electronic . . . or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer.” Id. at *2. The court also held that “there is nothing in the statutory definition that purports to exclude devices because they lack a connection to the Internet.” Id.

Second, the court found that the government provided sufficient evidence that the cell phone was a computer. That proof consisted of “the phone’s user’s manual and a printout from Motorola’s website describing the phone’s features.” Id. at *3. Thus, the court found that the evidence showed that in making calls the phone’s “processor performs arithmetic, logical, and storage functions.” Id. The court also found that “the phone keeps track of the ‘Network connection time,’ which is ‘the elapsed time from the moment [the user] connect[s] to [the] service provider’s network to the moment [the user] end[s] the call by pressing [the end key]’” and that “[t]his counting function alone is sufficient to support a finding that the phone is performing logical and arithmetic operations when used to place calls.” Id.

As to the phone’s texting function, the court further found that the phone performed the following computer functions: (1) “the phone stores sets of characters that are available to a user when typing a message” and “[a]s the user types, the phone keeps track of the user’s past inputs and displays the ‘entered text,’ . . . i.e., the message being composed,” (2) “[t]he user may also delete characters previously entered, either ‘one letter at a time’ or all at once,” and (3) “the phone allows the users to ‘set different primary and secondary text entry modes, and easily switch between modes as needed when [they] enter data or compose a message,’ including ‘iTAP’ mode which uses ‘software’ to ‘predict[ ] each word’ as it is entered.” Id.

It is hard to argue with the logic of this decision in light of the broad definition of a “computer” set forth in the CFAA, and the decision is thus likely to be followed by other courts.

How Do You Sue an Unknown Hacker Who Steals Data through the Company Web Site?

In Liberty Media Holdings, LLC v. Does 1-59, 2011 WL 292128 *3 (S.D. Cal. Jan. 25, 2011), unknown individuals hacked into Liberty Media Holdings’ web servers and obtained “certain motion pictures” that they “reproduced and distributed . . . onto their local hard drives and other storage devices.” Not knowing the identity of these hackers, Liberty Media Holdings filed a “John Doe” lawsuit alleging violations of three federal statutes: the Electronic Stored Communications Privacy Act, 18 U.S.C. §§ 2701 and 2702; the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030; and copyright infringement in violation of 17 U.S.C. § 501.

What the case describes is a fairly typical scenario – unknown individuals hack into the company web site and steal valuable data. There is no indication of the identity of the hackers. The only traces left behind are Internet Protocol (“IP”) addresses assigned to the hackers, the Internet Service Providers (“ISP”) that provided the hackers with Internet access and the dates and times of the intrusions.

Rather than wait for law enforcement to investigate and prosecute, something that may or may not happen, a company can take the aggressive approach outlined by this case, which can have the same remedial impact as a criminal prosecution in stopping the illegal activity. It also does not preclude the matter from being referred at any time to law enforcement. What Liberty Media Holdings did can be adopted as a template by any company victimized by a computer hacker. It filed a lawsuit against the unknown hackers as John Doe defendants and then moved for immediate discovery to subpoena the ISPs “to identify the users of the IP addresses during the dates and times” found on its web site. Id. at *1.

In analyzing Liberty Media Holdings’ request, the court relied on Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573, 577 (N.D. Cal. 1999), which had “recognized that ‘[s]ervice of process can pose a special dilemma for plaintiffs in cases . . . in which the tortious activity occurred entirely on-line. The dilemma arises because the defendant may have used a fictitious name and address in the commission of the tortious acts.’” In deciding “[w]hether discovery to uncover the identity of a defendant is warranted,” Columbia Ins. Co. required the plaintiff to meet the following three standards:

First, . . . identify the missing party with sufficient specificity such that the Court can determine that (the) defendant is a real person or entity that could be sued in federal court.

Second, . . . identify all previous steps taken to locate the elusive defendant.

Third, . . . establish to the Court’s satisfaction that plaintiff’s suit against (the) defendant could withstand a motion to dismiss . . . Plaintiff must make some showing that an act giving rise to civil liability actually occurred and that the discovery is aimed at revealing specific identifying features of the person or entity who committed the act.
Id. at 578-580.

Here, the court found that Liberty Media Holdings met all three criteria. First, the court found that it had sufficiently identified the defendants through the unique IP addresses and the ISPs that had provided the unknown defendants with their Internet access. The court also found that “the requested discovery is necessary for Plaintiff to determine the names and addresses of each Defendant who performed the allegedly illegal and infringing acts.” Id. at *2.

Second, the court found that other than the IP addresses and their ISPs “there are no other measures Plaintiff could take to identify the Defendants.” Id.

Third, the court found that Liberty Media Holdings had three viable claims against the unknown hacker defendants for violations of the Electronic Stored Communications Privacy Act, the CFAA and copyright infringement. Thus, the court granted Liberty Media Holdings’ motion to take immediate discovery by issuing subpoenas to the ISPs and various cable operators for the identities associated with the IP addresses.

In short, any company that is victimized by an unknown hacker can provide these exact same justifications for immediate discovery to identify the hacker through an IP address by subpoenaing the ISP associated with the IP address.

Facebook’s Lawsuit Protects Its Users Against a Massive Spamming Scheme

On January 26, 2011, the federal district court in the Northern District of California granted Facebook a default judgment against Philip Porembski and PP Web Services LLC for obtaining “login credentials for at least 116,000 Facebook accounts without authorization” and for sending “more than 7.2 million spam messages to Facebook users.” Facebook, Inc. v. Fisher, 2011 WL 250395 *1 (N.D. Cal. Jan. 26, 2011).

This case is a textbook example of how a company can use self-help and available federal law to protect itself and its customers. Not only did Facebook bring a halt to the spam that was plaguing its users, but it also extracted from the perpetrators a significant monetary punishment without the assistance of law enforcement. What is noteworthy is that Facebook was able to achieve this result because it had strong policies in place that prohibited the misuse of its site, and it then took affirmative steps to enforce those policies through an aggressive federal court action based on two federal statutes designed to protect it and the public against computer crime.

In its complaint Facebook alleged that the spam emails asked the “recipients to click on a link to a ‘phishing’ site designed to trick users into divulging their Facebook login information” and that “[o]nce users divulge[d] the information, Defendants use[d] it to send spam messages to the users’ friends, repeating the cycle.” The complaint further alleged that “certain spam messages allegedly redirect[ed] users to websites that pay Defendants for each user visit.” Id. The court granted Facebook a permanent injunction directing the defendants to refrain from their illegal activity and awarded Facebook $360,500,000 in damages. Id. at *3.

The lawsuit alleged violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C., Section 1030 et seq., and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM Act”), 15 U.S.C. § 7701 et seq. The CFAA, primarily a criminal statute, provides civil remedies to a company injured by a violation of the statute, Title 18, U.S.C. Section 1030(g), and the CAN-SPAM Act permits a civil action to be brought by a “provider of Internet access service adversely affected by a violation of” specified sections of the Act. 15 U.S.C. § 7706(g)(4).

The CFAA count was predicated on unauthorized access to Facebook’s site through a violation of Facebook’s Statement of Rights and Responsibilities (“SRR”). The SRR prohibits users from “any activity . . . that would impair the operation of Facebook’s website, including the use of data mining ‘bots’ to gain access to users’ login information, the posting of unsolicited advertising on the website or circulation of such advertising via e-mail, or any commercial use of the Facebook website without Facebook’s prior authorization.” Id. at *1. The defendant was a Facebook user who was bound by the terms of the SRR. Users are also bound by Facebook’s “strict policies against spam or any other form of unsolicited advertising.” Id. The court granted the permanent injunction based on the following factual findings:

Facebook has received more than 8,000 user complaints, and more than 4,500 Facebook users have deactivated their accounts. Additionally, Facebook has expended large financial and professional resources to upgrade its security measures. Defendants have demonstrated a willingness to continue their activities without regard for Facebook’s security measures or cease and desist requests.
Id. at *3.

If the defendant violates the court’s injunction, he can be fined, imprisoned or both.
