The 6th Circuit affirms the Computer Fraud and Abuse conviction of an IT Employee

Last week the Sixth Circuit Court of Appeals upheld the criminal conviction under the Computer Fraud and Abuse Act (“CFAA”) of an employee who stole confidential data from his employer’s computers. U.S. v. Batti, 2011 WL 111745 (6th Cir. Jan. 14, 2011). The issues on appeal were limited to whether the government had offered sufficient proof that the value of the data stolen exceeded $5,000 to qualify as a 5-year felony, 18 U.S.C. § 1030 (a)(2)(C)(c)(B)(iii), and whether the district court had abused its discretion in ordering restitution in the amount of $47,565.

These limited issues precluded the Sixth Circuit from addressing the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 (9th Cir. 2009). Brekka stands for the proposition that because an employee has permission to use the company computers, he or she cannot violate the CFAA because an employee’s access to the computers is never “without authorization,” a critical element of the CFAA. However, the facts in Batti and the language in the decision provide clues as to how the 6th Circuit might ultimately rule on this issue.

The defendant, Luay Batti, had been employed as an information technology employee at Campbell-Ewald, a Michigan advertising firm. The government’s proof of his intrusions into the company computers occurred both during his time as an employee and after his employment had been terminated. While he was still employed, the trial evidence showed that

Batti accessed Campbell-Ewald’s computer server and copied confidential computer files belonging to Campbell-Ewald’s CEO without authorization. Although these files were normally stored on the CEO’s desktop computer, they had been moved by the company to the company’s server while the CEO’s computer was being replaced. Within these files were “confidential pieces of information … including executive compensation, financial statements of the firm, goals and objectives for senior executives of the company reporting to the chairman, and some strategic plans.”

Id. at *1.

The court’s statement that Batti “accessed” his employer’s computer server and files “without authorization,” would tend to suggest that the court would not agree with the underlying assumption of Brekka that just because an employee has permission to use the company computers, he can never access the company computers “without authorization.” Batti, an IT employee, likely had permission to access Campbell-Ewald’s computers as part of his duties.

The court’s statement about Batti accessing the computer without authorization is only dicta, and Batti’s conviction was based on the additional proof that after he had been discharged “[t]he FBI determined that Batti had accessed Campbell-Ewald’s confidential files no fewer than twenty-one times . . . , twice through a Campbell-Ewald server and nineteen times through the email account of another Campbell-Ewald employee.” Id. Thus, this proof would comport with Brekka’s holding that once employment had been terminated, the employee would no longer have permission to access the company computers, thereby making his access “without authorization.” Brekka, 581 F.3d at 1136.

Moreover, from the facts recited in the opinion, it is unclear whether Batti obtained information from the company computers during or after his employment. An additional element of the CFAA violation upon which he was convicted is the obtaining of information from the company computers that he had accessed without authorization. See 18 U.S.C. § 1030(a)(2)(C) (one who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information” commits a crime). There is also no way to know precisely whether the 6th Circuit will join other Circuit Courts in rejecting Brekka, but the direction taken on Batti would seem to suggest it will.

The 11th Circuit Rejects Brekka and Provides Guidance on Pursuing Ex-Employees Who Steal from Company Computers

This week the 11th Circuit upheld the Computer Fraud and Abuse Act (“CFAA”) conviction and one-year prison sentence of a former Social Security Administration (“SSA”) employee who accessed the agency’s computer for non-business reasons. U.S. v. Rodriguez, 2010 WL 5253231 (11th Cir. Dec. 27, 2010). This case is significant for two reasons.

First, the court refused to adopt the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the poster child for not applying the CFAA to miscreant employees who steal their employer’s data. A critical element to prove a theft of data under the CFAA is that the defendant accessed the computer without authorization or exceeded authorized access. Brekka stands for the proposition that since an employee is permitted as part of his job to access the company computer, an employee cannot be found to have violated the CFAA. Rodriguez is the second of the Circuit Courts (in addition to the 5th Circuit) expressly to reject Brekka on an issue that ultimately will be decided by the U.S. Supreme Court.

Second, this case serves as a roadmap for employers who want to ensure that an employee who steals its data can be criminally or civilly prosecuted under the CFAA. While the CFAA is primarily the federal computer crime statute, it provides for civil remedies for anyone injured by a violation of the statute. Title 18, U.S.C. § 1030(g). Rodriguez illustrates the proactive steps a company can take to make it more likely that it can take advantage of the CFAA’s criminal and civil remedies.

Roberto Rodriguez had worked at the SSA as a TeleService representative. His job was to respond over the telephone to questions from the public about their social security benefits. “As a part of his duties, Rodriguez had access to Administration databases that contained sensitive personal information, including any person’s social security number, address, date of birth, father’s name, mother’s maiden name, amount and type of social security benefit received, and annual income.” Id. at *1.

The SSA policy on access to its computers was clear – employees are prohibited “from obtaining information from its databases without a business reason.” Id. The SSA “informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily” and “also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing.” Id.

In addition, the SSA “warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases.” Id. Nonetheless, “Rodriguez refused to sign the acknowledgment forms, stating to one supervisor, ‘Why give the government rope to hang me?’” The SSA also took steps “to monitor access and prevent unauthorized use” by issuing “unique personal identification numbers and passwords to each TeleService employee and review[ing] usage of the databases.” Id.

At trial the prosecution showed that Rodriguez “had accessed the personal records of 17 different individuals for nonbusiness reasons.” Id. All 17 of the individuals for whom he accessed information were women — his former wife, former girlfriends or women for whom he had a romantic interest. For example, Rodriguez accessed the SSA database “to determine how much . . . [his former wife] was earning,” accessed the personal information of a former girlfriend 62 times, and accessed the personal information of a number of women he met at a Universalist church study group. Id. at *2. One of these women testified at Rodriguez’ trial that “she received a letter from Rodriguez at her home address and was shocked because she had not given Rodriguez her address, she ordinarily receives all her mail at a post office box, and her middle initial was on the envelope although she had not used it since grade school.” Id. The SSA database records reflected that Rodriguez had accessed her personal information 45 times. At trial Rodriguez testified and “admitted that he did not access the victims’ records as a part of his duties as a TeleService representative.” Id. at 3. Rodriguez was convicted and sentenced to a year in prison.

On appeal Rodriguez relied on Brekka arguing that “he did not violate . . . [the CFAA] because he accessed only databases that he was authorized to use as a TeleService representative.” Id. at *4. The court, however, rejected this argument and affirmed Rodriguez’ conviction. The court specifically found that based on SSA’s policy that “use of databases to obtain personal information is authorized only when done for business reasons” and the plain language of the CFAA, Rodriguez had exceeded his authorized access to the SSA’s database. Id. The court distinguished Brekka on its facts – Brekka’s employer “had no policy prohibiting employees from emailing company documents to personal email accounts, and there was no dispute that Brekka had been authorized to obtain the documents or to send the emails while he was employed;” whereas the SSA “told Rodriguez that he was not authorized to obtain personal information for nonbusiness reasons.” Id.

The lessons from this case to employers and their counsel who are drafting corporate computer policies are

• First, it is critical to establish corporate computer policies setting forth the employee’s scope of authorization to access the company computers,

• Second, this policy should be re-enforced on a periodic basis in a variety of ways that are designed for the particular circumstances and needs of the individual company, and

• Third, the company should actively monitor employee computer usage to ensure that its policies are being followed and take appropriate actions when its policies are violated.

CAN YOU RELY ON YOUR CORPORATE COMPUTER POLICIES TO SUE EX-EMPLOYEES WHO STEAL COMPANY DATA?

Two recent district court opinions add to the caselaw providing judicial guidance on how employers might update their corporate computer policies to be able to sue ex-employees for stealing company data based on the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute. Title 18, U.S.C. §1030. This is a particularly significant problem when employees leave their current jobs to join competitors and attempt to gain an unfair advantage by stealing data from the company computers prior to their departure. 4 of the 7 sections of the CFAA that are the basis for a civil cause of action require that the employer prove that the employee’s access to the company computer was “without authorization or exceeds authorized access.”

One way the courts permit an employer to establish lack of authorized access is by showing that the employee violated a company policy defining the scope of the employee’s permission to access the company computers. Courts have sanctioned the use of corporate computer policies to prove unauthorized access because the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden,” through employee agreements, policies and access-limiting technology.

For example, U.S. v. John, 597 F.3d 263, 269, 272 (5th Cir. 2010), upheld the CFAA conviction of Citigroup account manager Dimetriace Eva-Lavon John, who accessed Citigroup’s internal computer system to provide her brother with customer account information that he used to perpetrate fraudulent charges. The court found that John had exceeded authorized access based on “Citigroup’s official policy, which was reiterated in training programs that John attended, [that] prohibited misuse of the company’s internal computer systems and confidential customer information.” Id. at 272.

The two recent decisions — Sloan Financial Group, LLC v. Coe, 2010 WL 4668341 (D.S.C., Nov. 18, 2010) and Clark Street Wine And Spirits v. Emporos Systems Corp., 2010 WL 4878190 (Nov. 24, 2010) – directly address the issue of corporate computer policies in the context of the employer suing the employee for violating the CFAA. According to Sloan Financial Group LLC’s (“Sloan”) complaint, Marcus Coe had been an insurance agent employed by Sloan who left to set up a competing insurance agency. Sloan alleged that its former employee violated the CFAA by “(1) transmitting two spreadsheets of Sloan’s client information from his work email address to his home email address; (2) conducting searches on the Harleysville database [that contained confidential information on Sloan’s insurance clients] for his own benefit; and (3) at Sloan’s expense, ordering Choice Point reports on individuals who never became clients of Sloan’s, but later became clients of Coe’s new Agency.” Id. at *3.

Sloan claimed that Coe accessed its computers without authorization or in excess of authorized access based on its company policies. Those policies were in a memorandum circulated to its employees and in an employee handbook. The memorandum restricted “employees’ use of client information” and “stated, “[i]t is imperative that all office personnel understand that no client information be taken out of the office…. This information includes electronic data (laptops, CDs, disks, flash-drives, emails), files, paperwork, etc.” . . . Coe acknowledged receipt of this policy.” Id. at *2. Thereafter, “Sloan established a more detailed confidentiality policy relating to client and proprietary information . . . when it issued a new employee handbook” that “provides, in pertinent part, that “[i]nformation concerning [Sloan's] clients is confidential…. Confidential information may not be released by anyone without proper authority, nor may it be used for personal gain.” . . . The handbook also includes a section on access to and use of Sloan’s computer systems, providing that “[a]ll computers, related equipment and computer accounts … are provided as tools to assist [employees] in performance of [their] job-related duties and responsibilities.” Id.

Despite these policies, the court dismissed the CFAA claims and granted Coe summary judgment, finding “that Sloan has not proffered evidence that Coe exceeded authorized access by performing any of the alleged actions.” Id. at *5. The court’s dismissal was based on its conclusion that Sloan’s company policies only “limit an employee’s use of information” rather than limiting “an employee’s right to access or obtain information” from Sloan’s computers. Id.

Clark Street Wine And Spirits v. Emporos Systems Corp. also focused on the employee’s right to access the information in question. The complaint alleged “that the defendant and its employees breached plaintiffs’ electronic credit and sales system (supplied largely by defendant), resulting in the stealing of credit card information and losses to plaintiffs’ customers, and ultimately, to plaintiffs.” Id. at *1. The district court denied defendants’ motion to dismiss the CFAA claim because the case required factual development in discovery on the issue of authorized access — “[i]f Emporos employees had permission to access Plaintiffs’ computers, but not their customers’ credit card information, [the CFAA] Count . . . might survive even a strict interpretation” of the element of authorized access. Id. at *11.

However, not all courts make such a fine distinction between access and subsequent use. For example, U.S. v. Salum, 257 Fed. App’x 225, 230-31 (11th Cir. 2007), interpreted “without authorization” based on the defendant’s intended use of the data at the time he accessed his employer’s computer. In Salum, a police officer with the Montgomery, Alabama, Police Department was charged with a criminal violation of the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that there was sufficient evidence for the jury to conclude that Salum had accessed the computer “without authorization” because at the time he accessed the computer Salum knew that he was accessing the information “for an improper purpose.” Id. at 230.

Based on the current state of the law, employers are well advised to establish corporate computer policies specifically for the CFAA to ensure their ability to use the statute against an ex-employee who might steal valuable data from the company computers to use unfairly in a competing venture. The policies must address the scope of the employee’s permitted access to the company computers, including 1) what information the employee is permitted to access and 2) for what purposes. These policies need to be precisely drafted to the unique circumstances of each company.

Can Breaching a Contract Be Computer Fraud?

Court in ticket resale case says ‘yes,’ if it results in unauthorized access, an essential element of the crime.

The U.S. Department of Justice has brought a Computer Fraud and Abuse Act (CFAA) prosecution in New Jersey against the owners and operators of Wiseguy Tickets Inc., an online ticket seller for concerts and sports events. A critical element in proving most violations of the CFAA, the federal computer crime statute, is that the defendant’s access to the computer (interpreted broadly to include a Web site) that is the object of the criminal activity was “without authorization or exceeds authorized access.” 18 U.S.C. 1030. The defendants are charged with unauthorized access to the Web sites of online ticket vendors (OTVs) such as Ticketmaster and Telecharge for violating the OTVs’ Web site terms of service that prohibit the purchasing of tickets in large amounts for resale to the public.

The district court hearing the case recently denied the defendants’ motion to dismiss the indictment on the ground that it seeks “to criminalize what otherwise would be a breach of contract action for violating the terms of service for ticket sales on” these OTVs. U.S. v. Lowson, No. 10-114 (D.N.J. Oct. 12, 2010). The defendants argued that, “under the government’s theory, a teenager hypothetically could be prosecuted under the CFAA for violating the age requirement restrictions in the terms of service when using a search engine like Google.” Id., slip op. at 10.

The notion that this prosecution is seeking to criminalize a breach of contract will be examined in light of established court decisions interpreting the CFAA and its implications for Web site owners whose legal remedy is not limited to reporting violations to the authorities for criminal prosecution. Web site owners are also entitled under the statute to bring a civil action for damages and injunctive relief. 18 U.S.C. 1030(g).

The contract upon which the defendants premised their motion to dismiss was the requirement on the OTVs’ Web sites that all Internet customers had “to accept” the rules in the terms of service “before buying Event tickets.” Indictment ¶ 1(f). These terms of service were designed “[t]o ensure fair access to Event tickets” to the general public. Thus, the OTVs “generally limited the number of seats that an online purchaser could obtain per event” and “prohibited the purchase of Event tickets on their website for commercial re-sale (i.e. purchase by ticket brokers).” Id.

The OTVs also “specifically prohibited computer programs that purchased tickets automatically, such as ‘bots,’ ‘worms,’ ‘spiders,’ and ‘crawlers’ from accessing their sites.” Id. “To enforce these restrictions and to protect their webpages from automated ticket purchasing software,” the OTVs “used computer code and software that was designed to detect and prohibit automated programs from accessing…[their] computer servers.” Id. ¶ 1(k).

In denying the Wiseguy defendants’ motion to dismiss, the court recognized that, as “the indictment makes clear, the unauthorized access charges at the heart of this indictment involve allegations of breaches of both contract- and code-based restrictions.” Lowson, slip op. at 10. As to the code-based restrictions, the defendants, assisted by “contract hackers,” are charged with employing sophisticated means to circumvent the OTVs’ computer code through “automated software,” “optical character recognition to defeat…difficult” security measures and “ ‘hacks’ and ‘backdoors’ to enable automated programs to purchase tickets” and make it appear that the tickets were bought by individual members of the public. Id. at 9. From 2002 through 2008, the defendants procured more than 1.5 million tickets by hacking into the OTVs and generated profits for themselves of nearly $30 million by selling event tickets at prices more than the face value to the public. Indictment ¶¶ 52-55.

Based on these facts, the U.S. courts of appeals for the 2d and 5th circuits would readily conclude that the defendants’ efforts to defeat the code-based restrictions on the Web sites were sufficient standing alone to prove the CFAA’s critical element of “unauthorized access.” In U.S. v. Morris, 928 F.2d 504, 505 (2d Cir. 1991), the defendant Robert Morris, a student in Cornell University’s computer science doctorate program, disseminated through e-mail “a computer program known as a ‘worm’ that spread and multiplied, eventually causing computers at various educational institutions and military sites to ‘crash’ or cease functioning.” In affirming his conviction, the court concluded that “Morris’s conduct here falls well within the area of unauthorized access” because he did “not use…[two standard computer programs] in any way related to their intended function,” but “instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.” Id. at 510. That is precisely what the Wiseguy Tickets defendants are charged with — circumventing through sophisticated hacks the intended function of the OTV Web sites to prevent mass purchases by ticket sellers.

U.S. v. Phillips, 477 F.3d 215 (5th Cir. 2007), followed Morris’ intended-use test in upholding the conviction of Christopher Phillips, a student in the computer sciences department at the University of Texas who hacked into UT’s secure server, which only allowed access to an authorized user through the user’s Social Security number. Phillips launched what is known as a “brute-force attack” program, which automatically transmitted to the server as many as six random Social Security numbers per second. During the course of 14 months, Phillips gained “access to a mother lode of data about more than 45,000 current and prospective students, donors, and alumni.” Id. at 218. Phillips had also signed a UT acceptable-use computer policy in which he agreed not to perform certain scans on his university computer account that would permit him to search for vulnerabilities to hack into and attack the network. The court found that Phillips’ brute-force attack program not only was unauthorized by his agreement with UT, but that it “was not an intended use of the UT network within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data that he was not permitted to view or use.” Id. at 220.

Similarly, other courts have emphasized the importance of employment contracts and policies to define unauthorized access. In EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577, 580-84 (1st Cir. 2001), the court, in affirming a preliminary injunction in a civil action brought under the CFAA, relied upon the defendants’ signed confidentiality agreement to find that the defendants’ access to EF’s Web site was unauthorized because they had used a scraper that had been built from their confidential knowledge about the topology of EF’s Web site for the purpose of automatically and accurately downloading EF’s 154,293 tour prices from the site.

U.S. v. John, 597 F.3d 263, 269, 272 (5th Cir. 2010), upheld the CFAA conviction of Citigroup account manager Dimetriace Eva-Lavon John, who accessed Citigroup’s internal computer system to provide her brother with customer account information that he used to perpetrate fraudulent charges. The court found that John had exceeded authorized access based on “Citigroup’s official policy, which was reiterated in training programs that John attended, [that] prohibited misuse of the company’s internal computer systems and confidential customer information.” Id. at 272.

As the above court decisions reflect, “authorization” is a “word…of common usage, without any technical or ambiguous meaning,” and is a question of fact to be decided by a jury based on all of the circumstances. Morris, 928 F.2d at 511. Criminal (or civil) liability for the CFAA only attaches if there is proof of the other essential elements of the crime, such as the theft or destruction of data. Thus, the risk raised by the Wiseguy defendants that a teenager would be prosecuted for a violation of the CFAA for simply lying about his age on Google is as well founded as a teenager being prosecuted for mail fraud for lying in a letter to his parents.

Given the Wiseguy Tickets prosecution and the case law underpinning it, there are several proactive steps every company can take to enhance the likelihood that violators of its Web site can be criminally prosecuted or sued in a civil action. This is because the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden,” through employee agreements, policies and access-limiting technology.

Reprinted with permission from the November 29, 2010 edition of THE NATIONAL LAW JOURNAL © 2010 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, reprints@alm.com or visit www.almreprints.com. #005-11-10-13

Palin Hacker Sentenced to a Year and a Day

I recently reported that the federal court in Tennessee refused to overturn the Computer Fraud and Abuse Act conviction of David Kernell, the 22-year-old college student who had hacked into the Yahoo! email account of then Vice Presidential candidate Sarah Palin. Kernell had been convicted after a jury trial last April. Today the Judge sentenced Kernell to a year and a day and recommended to the Bureau of Prisons that he serve his time in a halfway house. Given that then Governor Palin had released to the world all of the information that Kernell used to identify the password of her Yahoo! email account, there seems to have been a lost opportunity in this case to have argued that what Kernell did was not unauthorized access, a critical element for a CFAA conviction.

Disgruntled Employee Lacked Criminal Intent to Be Sued for a Civil Violation of the Computer Fraud and Abuse Act

While the federal Computer Fraud and Abuse Act (“CFAA”) permits seven causes of action to be brought by individuals or companies who have been victims of violations of the statute, practitioners lose sight of the fact that the CFAA is at its core a criminal statute. Nyack Hospital v. Moran, 2010 WL 4118355 (S.D.N.Y. June 1, 2010) neatly illustrates the importance of being able to prove the criminal elements of the statute in order to obtain a civil remedy – damages or injunctive relief.

The defendant, Kevin Moran, had been employed by Nyack Hospital as its Manager of Organizational Development. After Nyack Hospital terminated Moran’s employment, Moran allegedly “sent e-mails, including a 17-page attachment, to over ‘100 Hospital senior managers and employees’ and others and misrepresented the source of the e-mails as David Freed, the president of the hospital.” The complaint asserted that the “emails ‘leaked certain aspects of an internal confidential employee survey, defamed the Hospital’s reputation and the reputations of the several Hospital employees … and urged the … recipients to report the alleged wrongdoings to the Hospital’s Board of Trustees and the Rockland Journal New News.’” Id. at *1.

The Hospital sued Moran under, among other things, that section of the CFAA which makes it a crime to “knowingly caus[e] the transmission of … information … and as a result of such conduct intentionally caus[e] damage without authorization [ ] to a protected computer [.]” 18 U.S.C. § 1030(a)(5)(A). The fatal defect with the Hospital’s complaint was that it did not allege that Moran had “intentionally caused any damage to the hospital’s computers, but rather that . . . [Moran] knew that the sending of bulk e-mail ‘could result in a ‘denial of service’ or ‘spamming’ attack against the Hospital’s information system.’” Id. at 6.

The best the Hospital could say was that “Moran accessed the Hospital’s e-mail system and server by creating a fake Yahoo account … to trick Hospital employees into reading [the e-mail].” Id. The court dismissed the CFAA claim on the ground that the Hospital failed to allege that Moran “acted with the specific criminal intent required to establish a violation of” the CFAA. Id. The court also found the Hospital’s failure to allege damage resulting from Moran’s alleged conduct with specificity rather than as a possibility was “inadequate to support a cause of action for a violation of the CFAA.” Id. at 7.

This decision drives home the principle that the only difference between a criminal violation of the CFAA and a civil violation is the standard of proof – the government must prove the criminal violation beyond a reasonable doubt and the civil litigant must prove the violation by a preponderance of the evidence. In both instances there must be proof of the same criminal elements of the CFAA.

Sarah Palin Hacker’s Conviction Stands for Accessing Her Yahoo Email Account

The college student David C. Kernell who was convicted by a Chattanooga, Tennessee jury of various federal crimes including a violation of the Computer Fraud and Abuse Act (“CFAA”) for accessing Alaska Governor Sarah Palin’s Yahoo email account will be sentenced on October 29, 2010. What Kernell did was to decipher the password for Alaska Governor Sarah Palin’s Yahoo email account and distribute her emails over the Internet during the 2008 Presidential campaign. Kernell moved post-verdict pursuant to Rule 29, Fed.R.Cr.P. for a judgment of acquittal on the ground that the evidence was insufficient to support his conviction. The trial court just last month denied Kernell’s motion finding that there was sufficient evidence to convict. U.S. v. Kernell, 2010 WL 3937421 *4-5 (E.D. Tenn. Sept. 23, 2010). What is interesting about the court’s opinion is not what it says but what it does not say.

The motion directed at the CFAA was made on a very narrow ground challenging only whether Kernell had accessed a “protected computer.” This is an extremely weak defense since the Eighth Circuit has recognized that “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.” U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005).

The section of the CFAA upon which Kernell was convicted is 18 U.S.C. §1030(a)(2)(C) which makes it a crime for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” In pressing his motion to overturn the jury verdict Kernell claimed that the government had “failed to prove the ‘protected computer’ element . . . of [the crime]. . . because Yahoo! either would or could not identify the computer or computers on which the account and its attachments resided.” U.S. v. Kernell at *5.

In rejecting Kernell’s motion the court relied on the trial evidence of the “Yahoo! records [that] revealed that the computers managing the Account on the date of the offense were located in Quincy, Washington.” Id. The court emphasized that Kernell “does not dispute that a Yahoo! computer located in Quincy, Washington was managing the Account at that time.” Id. In addition, “[t]he records also showed that Defendant accessed the Account by using Internet Protocol address ‘66.253.190.21.’” Id.

The court concluded that “[i]t was not necessary for the Government to identify the specific Yahoo! computer that managed the Account because: (1) the location of the Yahoo! computer was verified; and (2) the IP address used by the Defendant to access the Account was verified.” Based on that evidence, the court held “that a rational trier of fact, when viewing the evidence in the light most favorable to the Government, could have found the essential elements of the” CFAA count. Id.

What is absent from this opinion is any defense that Kernell could have raised before the jury based on unauthorized access, a critical element of the CFAA. According to the press reports, Kernell was able to determine Palin’s Yahoo email address from publicly available information disseminated by Governor Palin about her background. Given her creation of a password based on facts provided to the entire world, a factual defense could have been raised that she gave everyone constructive access to her account. There is no mention in the opinion of any such defense having been advanced.

Would You Trade Your Tax Returns and Bank Statements for Free Music Downloads?

LimeWire sounds innocent enough – a file sharing program that allows individual users to download music, video and other files over the Internet directly from the hard drive of another LimeWire user. LimeWire and other similar software, described as peer-to-peer software, is a popular way to avoid paying for music and movies. There is, however, a catch. These free downloads pose enormous risks. An anonymous LimeWire user who can download a song or a movie from your computer can also download your highly sensitive personal information that can be used to steal your identity and, in turn, your bank accounts and credit cards.

Because “users of some versions of LimeWire risk inadvertently sharing sensitive information stored on their computers,” the Federal Trade Commission (“FTC”), Bureau of Consumer Protection, conducted an investigation into the LimeWire program as reported in a publicly released letter, dated August 19, 2010, from the FTC to the CEO of Lime Wire LLC. http://www.ftc.gov/os/closings/100919limewireletter.pdf. The FTC was concerned that “LimeWire might expose . . . [a user’s] tax returns, credit reports, and college loan applications to millions of people” because “[i]dentity thieves have used LimeWire to retrieve this information and injure consumers.”

This was not a theoretical concern. In 2009 Frederick Eugene Wood was prosecuted by the Seattle, Washington U.S. Attorney’s Office for using the LimeWire program to steal personal information from the computers of 120 people across the United States. The stolen personal information included tax returns and bank statements. Armed with this personal information, Wood assumed the individuals’ identities and created forged checks that he used to buy high-end electronic equipment that he sold through Craigslist. Wood pleaded guilty to, among other things, a violation of the Computer Fraud and Abuse Act, Title 18, U.S.C. §1030(a)(4) and was sentenced to 39 months in prison. http://www.justice.gov/usao/waw/press/2009/aug/wood.html

The FTC, as its letter to Lime Wire reflects, did not recommend any enforcement action against Lime Wire because it had incorporated “safeguards against the inadvertent sharing of sensitive, personal documents into the user interface of more recent versions of its software.” Other reasons the FTC gave for not pursuing action against Lime Wire were “that the attrition rate for legacy versions is substantial, the apparent inability of Lime Wire to force users to upgrade legacy versions of the software to more recent versions; and the possibility that users of some of the older versions of LimeWire may have been able to avoid disclosure of sensitive information.”

Despite efforts by Lime Wire to rectify this issue, the FTC warned that consumers “who are still using insecure legacy versions” are still at “risk of inadvertent sharing of sensitive, personal information.” Moreover, LimeWire, as the FTC recognized, is not the only peer-to-peer software that is available to consumers. All computer users must be aware of the risks posed by software programs like LimeWire. This risk is increased if multiple people are using the same computer. For example, if your children are using the home computer that you use to prepare your income tax returns and conduct personal banking, you need to be extra vigilant that they are not using peer-to-peer software to create their music libraries.

Time to Check Whether Your Insurance Policies Cover Lawsuits Alleging Misuse of Advertising Software and Cookies

In the past six months approximately 6 class action lawsuits have been filed in Los Angeles federal district court against various companies for, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18 U.S.C. § 1030, based on advertising technology that tracks a computer user’s web surfing practices. Unlike traditional cookies, the type of technology alleged in these complaints supposedly cannot be deleted from a computer. The corporate defendants in these cases, including CNN, Fox News, News Corp. and the Wall Street Journal, are certain to be checking whether their insurance policies cover the attorney’s costs to defend these lawsuits.

Having defended a number of similar cases myself, I know that a legal defense can be costly. A recent case decided by the 8th Circuit Court of Appeals, Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797 (2010), addressed whether two insurance policies covered defense costs for a lawsuit based on on-line advertising practices and held that an insurer improperly refused to provide defense cost coverage. This is an important case for companies that advertise on the Internet.

The insured Eyeblaster, as described by the court, “is a worldwide online marketing campaign management company that advertisers, advertising agencies, and publishers use to run campaigns across the Internet and other digital channels.” Id. at 799. Eyeblaster creates interactive ads and tracks the performance and effectiveness of these ads through cookies placed on consumer computers. It does not, however, “use spyware or introduce malicious contact such as spam, viruses, or malware.” Id.

A consumer sued Eyeblaster alleging, among other things, violations of the CFAA claiming that “his computer was infected with a spyware program from Eyeblaster . . . [that] caused his computer to immediately freeze up,” and that “he lost all data on a tax return on which he was working and that he incurred many thousands of dollars of loss.” Id. at 800. Once “his computer became operational again,” after supposedly being fixed by a computer technician, he still experienced “numerous pop-up ads; a hijacked browser that communicates with websites other than those directed by the operator; random error messages; slowed computer performance that sometimes results in crashes and ads oriented toward his past web viewing habits.” Id.

Eyeblaster requested its insurer, Federal Insurance Co., to provide it with a defense of the lawsuit, as set forth under its General Liability and Network Technology Errors or Omissions policies. Federal denied coverage, claiming that the lawsuit in question did not obligate the insurer under either policy to provide a legal defense. Eyeblaster sued, but the district court agreed with Federal.

On appeal Eyeblaster challenged two principal findings of the district court – 1) that the lawsuit did not involve damage to physical property as required by the General Liability policy, and 2) that the lawsuit “had not alleged that Eyeblaster committed a wrongful act (as defined by the [Information and Network Technology Errors or Omissions] policy) in connection with a product failure or in performing or failing to perform its services.” Id.

The Circuit court reversed the district court and held that the policies obligated Federal to defend the lawsuit. The court rejected the district court’s finding on the General Liability policy that “the complaint does not allege damage to tangible property because it only claims damage to software, which is by definition excluded.” While the policy does not define tangible property, the court relied on its plain meaning to include the computer, which the Plaintiff “repeatedly” alleged in the complaint he had lost the ability to use. Id. at 801-02.

The court also found that Federal did not meet its burden in showing that the exclusion, entitled, “Damage to Impaired Property or Property Not Physically Injured” applied. The court held that the computer at issue in the lawsuit “cannot be considered ‘impaired property’ because no evidence exists that the computer can be restored to use by removing Eyeblaster’s product or work from it.” Id. at 802. Thus, the court found that “[i]t is not clear that an Eyeblaster product or Eyeblaster’s work ever existed on . . . [the] computer, and thus it is equally unclear that such product or work could be removed from the computer.” Id.

As to the Information and Network Technology Errors or Omissions policy, which “specifically covers intangible property, such as software, data, and other electronic information,” the court found that “Federal cannot [meet its burden to prove it has no duty to defend] and demonstrate that each claim in the . . . complaint falls outside the coverage of the policy.” Id. at 804. The court emphasized that while the complaint “alleges that Eyeblaster installed tracking cookies, Flash technology and JavaScript on . . . [the] computer, all of which are intentional acts,” Federal “can point to no evidence that doing so is intentionally wrongful.” Id. The court relied on an Eyeblaster Affidavit that “Federal’s parent company utilizes JavaScript, Flash technology, and cookies on its own website” and Federal’s failure to produce any “evidence that the allegation concerning tracking cookies, etc. spoke of intentional acts that were either negligent or wrongful.” Id.

Given the recent filings of CFAA civil suits based on advertising tracking software, any business that uses technology in its advertising campaign or as a means to track its customers should carefully check its insurance policies to be certain that it is covered for defense costs if it finds itself swept up in this recent rash of lawsuits directed at on-line advertising practices.

Is It Permissible for a Lawyer to Befriend a Witness on Facebook In Order to Gather Information for a Lawsuit?

Ever worry that what you do on a social networking site could be used against you in a court of law? While no one is recommending that Facebook provide users with its own version of the Miranda rights, two Bar Associations have recently considered this issue in the context of lawyers using information from social networking sites to gather impeachment material to use against witnesses in civil lawsuits.

On September 10, 2010, the New York State Bar Association, Committee on Professional Ethics, followed the March 2009 opinion of the Philadelphia Professional Guidance Committee in ruling that it is improper for a lawyer to befriend an adverse witness on Facebook for the purpose of obtaining potential impeachment material to use at a deposition. Both legal ethical bodies “determined that the proposed ‘friending’ by a third party would constitute deception in violation of Rules [of Professional Conduct] 8.4 and 4.1, and would constitute a supervisory violation under Rule 5.3 because the third party would omit a material fact (i.e. that the third party would be seeking access to the witness’s social networking pages solely to obtain information for the lawyer to use in the pending lawsuit).” New York State Bar Assoc. Op. 843 (9/10/10).

The New York State Committee, however, dealt with the additional issue of whether a lawyer may simply view and access the publicly available Facebook and MySpace pages of a party in a pending litigation in order to gather possible impeachment material for use in litigation. The Committee concluded “that the lawyer may ethically view and access the Facebook and MySpace profiles of a party other than the lawyer’s client in litigation as long as the party’s profile is available to all members in the network and the lawyer neither ‘friends’ the other party nor directs someone else to do so.”

The Committee explained that New York’s “Rule 8.4 [of Professional Conduct prohibiting deceptive conduct by a lawyer] would not be implicated because the lawyer is not engaging in deception by accessing a public website that is available to anyone in the network, provided that the lawyer does not employ deception in another way (including, for example, employing deception to become a member of the network).” Thus, “[o]btaining information about a party available in the Facebook or MySpace profile is similar to obtaining information that is available in publicly accessible online or print media, or through a subscription research service such as Nexis or Factiva.” These ethical opinions notwithstanding, the lesson to the public is to be aware that whatever you post on a social networking site can come back to haunt you in unexpected ways.
