Proving a CFFA Claim

THE FEDERAL Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, et. seq., provides companies with a powerful legal tool to protect their computer data.  As its inclusion in Title 18 demonstrates, the CFAA was originally enacted as a criminal statute in 1984, but was amended in 1994 to provide victims of computer crime with a civil remedy for both damages and injunctive relief. ß 1030(g).  The CFAA contains seven potential causes of action based on theft and destruction of data, fraudulent use of passwords, hacking and schemes to defraud through unauthorized access to computers.
While damages are not to be minimized, the statute’s most useful civil remedy is injunctive relief, which permits a federal court to order the immediate return of stolen data and to direct a halt to their dissemination.  An injunction can be critically important to a company that is seeking to prevent its confidential and trade secret information from being used against it in the marketplace or trying to stop a data thief from perpetrating identity theft on its customers or employees.  The key to success under the CFAA is identifying and marshaling the evidence to prove a violation of the statute.
Advanced planning can lead to proof of theft
The recent decision by the 3d U.S. Circuit Court of Appeals in P.C. Yonkers Inc. v. Celebrations the Party and Seasonal Superstore LLC, 428 F.3d 504 (3d Cir. 2005), underscores just how important it is to be able to develop sufficient admissible evidence from the company’s computers to obtain a preliminary injunction.  Based on a failure of proof, the P.C. Yonkers plaintiffs lost their motion for a preliminary injunction.  This article will review that decision and its prime lesson: Advance planning and proactive steps before a theft occurs can facilitate a company’s ability to capture proof of a theft, which in turn maximizes the likelihood that a court will grant a preliminary injunction.
The P.C. Yonkers plaintiffs were all franchisees who each operated “a retail store selling discount party goods and related products.” Id. at 506.  The two defendants, a former officer and employee for the company that managed the various franchise locations, left the managing company to create a competing business, Celebrations.  The proof predicating the plaintiffs’ motion for a preliminary injunction, based on violations of the CFAA, focused on one employee, Andrew Hack.  Hack had accessed the franchisor’s computer shortly before and after resigning from the managing company.  The plaintiffs claimed that, of the 125 incursions into the computer system over seven days in October and November 2003, eight occurred after Hack was no longer an employee.
The plaintiffs also claimed that Hack accessed the computers two additional times after leaving the plaintiffs’ employ, once two months later “in December 2003 and a final time in April 2004.”  Id. at 507.  “The access in December 2003 lasted a total of 19.4 minutes,” and “[t]he April access was for a total of 5 minutes and 49 seconds.”  Id.  The plaintiffs claimed that the defendants obtained information from these computer incursions that resulted in Celebrations opening competing stores “in late July and August of 2004” in time to compete against the plaintiffs in their busiest and most profitable season “leading up to Halloween.”  Id. The information taken from the computers, according to the complaint, allowed the defendants to determine “where to locate their stores, where to focus marketing efforts and budgets, and to obtain valuable information as to sales during the Halloween season.”  Id.
The plaintiffs moved the court for a preliminary injunction “prohibiting Celebrations from operating the Celebrations stores and from using the PC plaintiffs’ trade secrets and confidential and proprietary information, and ordering the return of such information.”  Id.  The 3d Circuit, however, affirmed the district court’s denial of the preliminary injunction, finding that there was “absolutely no evidence as to what, if any, information was actually viewed, let alone taken” from the plaintiffs’ computers.  Id. at 508.  As a matter of law, to obtain a preliminary injunction the plaintiffs were required to demonstrate a likelihood of success on the CFAA claim.
Plaintiffs could not show that any data were taken
The court held that the plaintiffs failed to demonstrate a likelihood of success because “without a showing of some taking, or use, of information, it is difficult to prove intent to defraud,” a critical element of the CFAA violation alleged against the defendants.  Id. at 509.  Absent the plaintiffs’ speculation of thefts based solely on the incursions into the company computer, the court was left with no choice but to conclude that the defendants’ decisions about where to locate their stores and where to focus their marketing budgets were based on their “expertise gained through years of experience in the retail party goods business, unaided by any information obtained through access to the… plaintiffs’ computer system.”  Id. at 509-10.
The factual scenario alleged in P.C. Yonkers is not unique.  According to the plaintiffs, this is the classic “inside job,” where disloyal employees steal competitively sensitive computer data as part of their plan to resign and compete against their current employer.  Inside data thefts, as Judge Richard E. Posner observed in Int’l Airport Centers LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006), are both “easier to detect [than attacks by an outside hacker and] may also be easier to accomplish.”  Id.  There is no dispute that the inside incursions into the P.C. Yonkers Inc. computers were easy to accomplish.  The incursions were also easy to prove.
What the plaintiffs could not show was which, if any, of their data records were accessed and whether any of their data records had been downloaded, copied or printed.  The court faulted the plaintiffs for not providing noncomputer evidence from which Celebrations’ acquisition of the plaintiffs’ trade secrets could have been reasonably inferred.  For example, the court pointed out that “[p]erhaps they could have produced evidence…[that] vendors [had been] contacted by…[the defendants] in temporal proximity to the unauthorized access.”  Id.  While such proof might have saved the day for the preliminary injunction, there was no excuse for the plaintiffs not being able to provide sufficient proof from their own computers of what was accessed.
Companies need to capture proof of what was accessed
Current technology permits a company to capture proof from its computer network establishing the details of each document accessed.  P.C. Yonkers should be a wake-up call for companies, alerting them to employ that technology.  Access itself, as demonstrated by P.C. Yonkers, is usually not difficult to prove, since most companies use passwords that identify the date and the time a particular employee enters and leaves the network.  What many companies do not have is an auditing function that automatically records what specific document is accessed and what happens to a document each time it is accessed.
For example, commercially available software exists that automatically creates a record detailing the history of who accessed a predesignated sensitively competitive document and whether the document was physically retrieved.  In P.C. Yonkers, the software would have demonstrated what documents, if any, Hack viewed and what actions, if any, he took with respect to each document.
Such an audit trail would be admissible in court to support a motion for a preliminary injunction as a record maintained in the regular course of business under Fed. R. Evid. 803(6). Whatever software or method is used to create an audit trail for individual documents, it is important to keep in mind that for the audit trail to be admitted under the business-record exception to the hearsay rule, the company must be able to convince a court that the audit trail is reliably created and is “an accurate representation of the record that originally was created” each time the user accessed the document in question.  In re Vee Vinhnee, 336 B.R. 437, 444 (B.A.P. 9th Cir. 2005).
Inspection of home computers may be needed
Another aspect of the P.C. Yonkers case that underscores the importance of advance planning is that all of the incursions into the plaintiffs’ computer network were made from Hack’s home computer.  What is conspicuously absent from the reported case is any reference to the evidence that should have been available from Hack’s home computer that might have shown which of the plaintiffs’ documents were observed or downloaded.  Again, proper advance planning could have facilitated the obtaining of proof from the home computer in addition to the regular discovery that the plaintiffs were entitled to take in the lawsuit.  At the time that the company permitted Hack to work from his home computers, the company should have required him to sign an agreement allowing it to inspect his home computers at the time of his termination of employment and to remove data belonging to the company.
In sum, the two lessons for protecting computer data from P.C. Yonkers are obvious and compelling.  Addressing both will make it more likely that if data are stolen, evidence will be available to support a preliminary injunction.  First, company computer networks should be programmed to create an automatic audit trail of all sensitive documents that is admissible in a court of law as a regularly conducted business record.  Second, when the company allows employees to work at home on their own computers, protocols and policies should be established to ensure the return of all company data remaining on the home computers.

E-Discovery Under CFAA

The computer Fraud and Abuse Act, 18 U.S.C. 1030, a federal criminal statute outlawing various computer crimes, provides a civil remedy for companies victimized by a violation of the statute.  The CFAA expressly permits a private company to sue for compensatory damages and injunctive relief.  18 U.S.C. 1030(g).  In this new digital age, the CFAA is fast becoming recognized as a proactive tool that can be used by companies to retrieve stolen data, prevent its dissemination in the marketplace and obtain compensatory damages resulting from its theft, use and malicious destruction.
Court applied the new rules in ‘Ameriwood Industries’
By its nature, a CFAA civil action is almost exclusively dependent on electronic evidence.  For that reason, the newly enacted amendments to the Federal Rules of Civil Procedure governing electronic discovery, which became effective on Dec. 1, 2006, will undoubtedly define how discovery is conducted whenever CFAA claims are filed.  Indeed, it took less than a month after the effective date of the e-discovery rules for the first federal court in Ameriwood Industries Inc. v. Liberman, No. 4:06CV524, 2006 WL 3825291 (E.D. Mo. Dec. 27, 2006), to apply these new rules to a discovery dispute in a CFAA case.  The thrust of the complaint alleged that the “defendant former employees forwarded plaintiff’s customer information and other trade secrets from plaintiff’s computers to defendants’ personal email accounts.”  Id. at *3.
In the course of discovery, the plaintiff served upon the defendants a document request for all of the mirror images (exact bit-for-bit copies) of their entire business and personal hard drives.  When the defendants objected to producing their hard drives, claiming that the requests were “overbroad, vague, and burdensome and [called] for irrelevant information,” the plaintiffs moved to compel.  Id. at *2.  This article will review how the court decided that motion in the context of the new e-discovery rules and its implications for discovery under the CFAA.
Initially, the court cited to Fed. R. Civ. P. 34(a), which now expressly permits a party to request another party to produce “electronically stored information-including…data compilations stored in any medium from which information can be obtained.”  Id. at *2.  The court recognized that Rule 34(a) “does not give the requesting party the right to search through all of the responding party’s records,” citing to concerns “of confidentiality and privacy.”  Id.  In addition, the Ameriwood court was required under newly enacted Fed. R. Civ. P. 26(b)(2) to engage in a “burden-shifting analysis” to decide whether to order the production of the hard drives sought by the plaintiff.
Rule 26(b)(2) provides: “[T]he party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost.  If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause….The Court may specify conditions for discovery.”
The court concluded that the defendants met their burden of showing that the electronic evidence sought from the hard drives is not “reasonably accessible” because of undue cost.  The court relied upon affidavits submitted by the defendants “describing the significant costs of copying the hard drives, recovering deleted information, and translating the recovered data into searchable and reviewable formats.” Id. at *3.
Having found that the requested discovery was not reasonably accessible, the court still ordered the discovery because the plaintiff showed “good cause” for the production of the electronic evidence residing on the hard drives.  In reaching that conclusion, the court analyzed the factors enumerated in the advisory note to Fed. R. Civ. P. 26(b)(2): “(1) the specificity of the discovery request; (2) the quantity of information available from other and more easily accessed sources; (3) the failure to produce relevant information that seems likely to have existed but is no longer available on more easily accessed sources; (4) the likelihood of finding relevant, responsive information that cannot be obtained from other, more easily accessed sources; (5) predictions as to the importance and usefulness of the further information; (6) the importance of the issues at stake in the litigation; and (7) the parties’ resources.”
In essence, the court found that Rule 34(e) electronic discovery was justified based on “the close relationship between plaintiff’s claims and defendants’ computer equipment.” Id. at *1. These were the allegations in the complaint that the defendants had “used the computers, which are the subject of the discovery request, to secrete and distribute plaintiff’s confidential information,” creating a factual issue for discovery as to “[h]ow and whether defendants handled those documents and what defendants did with the documents.” Id. at *5.
The court also disposed of the defendants’ argument that “the requested information has already been disclosed” in paper documents with the recognition that data, unlike paper documents, contain metadata that describe “the history, tracking, or management of” the electronic file that “is usually not apparent to the reader viewing a hard copy or a screen image.” Id. at *3. Finally, the court emphasized the defendants’ failure to produce an e-mail created by a defendant that had only been produced by a third-party recipient of the e-mail, concluding “that other deleted or active versions of emails may yet exist on defendants’ computers.” Id. at *3.
Given that the type of wrongdoing upon which the CFAA is premised can best be proven through electronic evidence, “good cause” for electronic discovery in a CFAA case should almost always be a foregone conclusion. For example, in Physicians Interactive v. Lathian Systems Inc., No. CA 03-1193-A, 2003 WL 23018270, at *1 (E.D. Va. Dec. 5, 2003), a case decided three years before the effective date of the new rules, the plaintiff sued a competitor for violations of the CFAA, alleging that the defendants’ “information technology employee…secretly hacked Physicians Interactive’s website and stole their confidential customer lists and computer software code.” The court ordered discovery because the data sought were unquestionably relevant to the alleged computer attacks. Id. at *10.
Upon finding “good cause” for the production of the hard drives, the Ameriwood court directed a “three-step imaging, recovery, and disclosure process” to provide the “requesting party sufficient access to information that is not reasonably accessible and ensures the process does not place an undue burden on the responding party.” First, the court ordered that the plaintiff choose “a computer forensics expert of its choice…that has been trained in the area of data recovery” to obtain the mirror images of the defendants’ hard drives at their premises pursuant to a confidentiality agreement. Id. at. *5.
Second, the expert was charged with recovering “from the mirror images all available word-processing documents, incoming and outgoing e-mail messages, PowerPoint or similar presentations, spreadsheets, and other files included but not limited to those files that were ‘deleted.’ ” Id. at *6. A full report of the documents found “in a reasonably convenient and searchable form” was then to be provided to defendants’ counsel. Id.
Third, “[w]ithin twenty days of the receipt of the recovered documents and data, defendants’ counsel” was required to “review the records for privilege and responsiveness, appropriately supplement defendants’ responses to discovery requests, and send to plaintiff’s counsel all responsive and non-privileged documents and information.” Id. at *6. The defendants were also ordered to supply the plaintiff’s counsel with a privilege log.
The court ordered the plaintiff to pay for the imaging of the computers, recovering the data from the computers and preparing it in readable format for the defendants. While the plaintiff did not object to incurring these costs, it is highly likely that in the balancing process, courts will be strongly influenced by the parties’ resources in deciding who pays for the production of the electronic discovery. It is a fair assumption that in most situations the courts will order a large plaintiff company to bear the cost over an individual defendant.
‘Ameriwood’ three-step process could be a model
The three-step process established in Ameriwood can be used as a model in the early stages of a CFAA case. Newly amended Fed. R. Civ. P. 26(f) requires the parties to confer as soon as practicable after the case is filed, and certainly prior to the first scheduling conference, about “preserving discoverable information,” “any issues relating to disclosure or discovery of electronically stored information, including the form or forms in which it should be produced” and “any issues relating to claims of privilege or of protection as trial-preparation material” including “a procedure to assert such claims after production.”
Thus, a plaintiff filing a CFAA case is well advised at the Rule 26(f) conference to propose some variation of the three-step Ameriwood process as the basis for a proposal for conducting electronic discovery. Prior to the conference, it is important for the plaintiff’s counsel to identify an appropriate computer forensic expert to be assigned the task of reviewing the defendant’s computers and the type and sources of data the plaintiff’s counsel will need to prove his or her case. A big company suing individuals should be prepared to offer to pay the cost of the forensic expert. Because electronic discovery can involve the production of a huge volume of data, particularly e-mail, this is also the juncture at which a procedure should be agreed upon pursuant to new Rule 26(b)(5)(B) to return inadvertently produced privileged documents.