Hacking and Trading

In October 2007, Oleksandr Dorozhko, a Ukrainian national operating from Ukraine, “hacked into the computer network of Thomson Financial” and “gained access to IMS Health’s soonto- be-released negative earnings announcement.”  Securities and Exchange Commission v. Dorozhko, No. 07 Civ. 9606, 2008 WL 126612, at *1 (S.D.N.Y. Jan. 8, 2008).  Armed with this nonpublic knowledge of the negative earnings announcement, Dorozhko used his newly opened Internet trading account at Interactive Brokers in Greenwich, Conn., to purchase put options in IMS Health stock prior to the release of the negative earnings announcement.
Dorozhko sold the options the next day after the negative earnings were announced “for $328,571.00, a return overnight of 697 percent.”  Id. On Oct. 29, U.S. District Judge Naomi Reice Buchwald of the Southern District of New York granted a U.S. Securities and Exchange Commission (SEC) motion for a temporary restraining order (TRO) “freezing the proceeds of Dorozhko’s trades.”  Id.

However, on Jan. 7, Buchwald denied the SEC’s motion for a preliminary injunction, finding that the SEC could not show a likelihood of success on the merits of its assertion of a violation of ß 10(b) of the Securities Exchange Act of 1934.  Based on well-established U.S. Supreme Court precedent, Buchwald held that Dorozhko’s ” ‘hacking and trading’…does not amount to a violation of ß10 (b) of the Exchange Act” because it was impossible for the SEC to prove an essential element of the statute: that Dorozhko, as a corporate outsider, breached a fiduciary duty or similar duty of candid disclosure.  Id.
Dorozhko, an outsider to both IMS Health and Thomson Financial, did not owe either company a duty of disclosure.  As the court correctly observed, “in the 74 years since Congress passed the Exchange Act, no federal court has ever held that the theft of material non-public information by a corporate outsider and subsequent trading on that information violates ß 10(b).”  Id.  Recognizing that the lifting of the TRO could “result in the release of the restrained trading proceeds,” the court reiterated its suggestion to the SEC from the preliminary injunction hearing that the matter be referred to “the United States Attorney’s Office for criminal investigation.”  Id. at *2.
Corporate victims could pursue CFAA civil options
From the evidence presented at the preliminary injunction hearing, Buchwald opined that the hacking and trading appeared to violate several federal criminal statutes, including ß 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030 et. seq., and that the U.S. attorney’s office could seek “to seize Dorozhko’s trading proceeds under 18 U.S.C. ß 981(b).”  Id.  The court, however, did not address the civil options for self help under the CFAA available to the corporate victims of Dorozhko’s scheme.  Indeed, that might be the most viable option here if the U.S. attorney’s office views a case against an Ukrainian national as a waste of resources where it is difficult, if not impossible, to extradite the defendant to the United States.
While the CFAA is primarily a criminal statute, it also provides that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”  18 U.S.C. 1030(g).  From a civil perspective, there are two questions not addressed in Buchwald’s decision.  First, were CFAA civil remedies available to IMS Health, whose data were stolen, and Thomson Financial, whose Web site was hacked? Second, can the CFAA be used against a corporate insider (as opposed to an outside hacker) who steals company information that is used to trade in the company’s stock? The answers to both of these issues is yes.
Section 1030(a)(4) is one of seven sections of the CFAA that can form the basis for a civil action.  To succeed on a civil claim pursuant to it, a plaintiff must prove the jurisdictional prerequisite that it suffered $5,000 in “loss” within a one-year period, and that the defendant, knowingly and with intent to defraud, accessed a protected computer; the defendant did so either without authorization or by exceeding authorized access; and by means of such conduct the defendant furthered the intended fraud and obtained anything of value.  18 U.S.C. 1030(a)(5)(B)(i), (g); Physicians Interactive v. Lathian Systems Inc., No. CA 03- 1193-A, 2003 WL 23018270, at *6 (E.D. Va. Dec. 5, 2003).
The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its [prior condition], and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. 1030(e)(11).  While none of the entities in question experienced an interruption in service, “federal courts have sustained actions based on allegations of costs to investigate and take remedial steps in response to a defendant’s misappropriation of data.”  Modis Inc. v. Bardelli, No. 3:07cv1638, 2008 WL 191204, at *4 (D. Conn. Jan. 22, 2008).  To the extent either Thomson Financial or IMS Health incurred at least $5,000 to investigate the hacking and secure its network, each is entitled to file a CFAA civil action. Interactive Brokers, which had no ownership interest in the Thomson Financial Web site or the data contained on it, could not have conducted such an investigation or have taken remedial steps.  Thus, Interactive Brokers likely could not meet the jurisdictional loss prerequisite and is not entitled to sue Dorozhko for CFAA violations.
That IMS Health did not own the computer network that was the object of the hacking would not preclude it from filing a CFAA claim against Dorozhko.  The 9th U.S. Circuit Court of Appeals held that there is “[n]othing in the provision’s language” to support an “ownership or control requirement.”  Theofel v. Farey-Jones, 359 F.3d 1066, 1078 (9th Cir. 2004).  Theofel explained that the CFAA’s civil remedy “extends to ‘[a]ny person who suffers damage or loss by reason of a violation of this section’ ” and that the “word ‘any’ has an expansive meaning.”  Id. As to the elements necessary to prove a violation of ß 1030(a)(4), the Thompson Financial computer network is indisputably a “protected computer” within the meaning of the CFAA.  A “protected computer” is defined in ß 1030(e)(2)(B) as one “which is used in interstate or foreign commerce or communication,” and includes “a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.”  There can be little doubt that this computer network conducts business and communicates with its offices and customers in interstate and foreign commerce.  Also, if the computer had been located in Ukraine, it would still be a “protected computer” since it would still affect interstate and foreign commerce and communicate with the United States.
There is also no question that Dorozhko acted with intent to defraud.  The proof of fraud required by the CFAA simply requires proof of wrongdoing and not proof of the common law elements of fraud.  Thompson Financial and IMS Health would need only prove that the “defendant participated in dishonest methods to obtain” the data from the computer.  Shurgard Storage Ctrs. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121, 1125- 26 (W.D. Wash. 2000).
On the element of unauthorized access, all federal courts that have ever considered this issue agree that hacking into a computer by a corporate outsider constitutes unauthorized access.  By definition “hacking” is done “to gain unauthorized access.”  Physicians Interactive, 2003 WL 23018270, at *1.  Finally, Dorozhko unquestionably obtained something of value in furtherance of the fraud: the information that permitted him to obtain the hugely inflated proceeds from the sale of the IMS Health options.
A preliminary injunction is also possible under CFAA
Physicians Interactive, cited by Judge Buchwald, illustrates the type of injunctive relief a civil litigant can obtain on facts similar to Dorozhko.  In that case, the district court upheld a preliminary injunction based, in part, on violations of the CFAA when a competitor “secretly hacked Physicians Interactive’s website and stole their confidential customer lists and computer software code.”  Id. at *1.  The defendant was enjoined from, among other things, “engaging in any activity beyond the scope of normal user or guest to Plaintiff’s website” and not “using or disclosing any information” obtained through the hacking of the Web site.  Id. at *11.  Similarly, there is no reason why a court could not have enjoined Dorozhko in a civil CFAA action from continuing to enter Thompson Financial’s computer network and directed a freeze of his ill-gotten gains from the sale of the IMS Health options, pending the resolution of the lawsuit.
Finally, with the exception of a few federal district court judges who are hostile to applying the statute against company insiders, the CFAA can be used against employees who access sensitive nonpublic information from a company’s computers for the purpose of trading in its stock.  Unauthorized access by insiders can be established when the insider employee exceeds “expected norms of intended use” for the computer; terminates his agency relationship with his employer by entering its computer for a purpose adverse to his employer; violates company rules and policies on computer use; or violates a contractual duty such as a confidentiality agreement to access the company computer.  U.S. v. Phillips, 477 F.3d 215 (5th Cir. 2007); Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); Doe v. Dartmouth-Hitchcock Medical Center, No. CIV. 00-100-M, 2001 WL 873063 (D.N.H. July 19, 2001); EF Cultural Travel B.V. v. Explorica, 274 F.3d 577 (1st Cir. 2001).
The lesson here is simple: Any company that finds itself victimized by insider trading as a result of information obtained from its computers should consider the option of self help by pursuing a civil action under the CFAA.

When workers steal data to use at new jobs

In response to the economic crisis, companies have downsized, resulting in some terminated employees’ stealing vital data to improve their job opportunities with a new employer.  In addition to traditional state remedies such as misappropriation of trade secrets, employers have been “increasingly taking advantage of…[the federal Computer Fraud and Abuse Act’s] civil remedies to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.”  Pacific Aerospace & Electronics Inc. v. Taylor, 295 F. Supp. 2d 1188, 1196 (E.D. Wash. 2003).

The Computer Fraud and Abuse Act, a federal criminal statute outlawing the theft of data, permits a company that”suffers damage or loss” by reason of a violation of the CFAA to “maintain a civil action against the violator” for damages and injunctive relief.  18 U.S.C. 1030(g).  Since Taylor, there has developed a body of district court opinions that refuse to apply the CFAA against employees who steal their employers’ data.  This article will explain why these opinions are not likely to survive appellate review; it will also provide a strategy to avoid the application of these decisions.

CITRIN’ IS LEADING AUTHORITY

Four of the seven violations of the CFAA that provide a basis for a civil action require the employer to show that the employee’s access to the company computers was “without authorization” or “exceeds authorized access.”  The leading authority for using the CFAA against employees who steal their employers’ data is Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).  Based on the Restatement (Second) of Agency ß 112 (1958), the U.S. Court of Appeals for the 7th Circuit held that an employee’s authorization to use the company computers is predicated on his agency relationship with his employer and that, when the employee violates “his duty of loyalty,” i.e., accesses his employer’s computer to steal its data, he voids this relationship and thereby terminates his authority to access the computer.

There are now 11 reported district court decisions that disagree with Citrin and refuse to apply the CFAA to employee data thieves.  These courts hold that the intent of the employee in accessing the computer is irrelevant to the question of authorization because employees do have permission to access the company computers.  See, e.g., Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008).  These cases conclude that the CFAA is “generally aimed towards outside, third parties or other ‘high-tech’ criminals, rather than the rogue employee.”  Lasco Foods Inc. v. Hall And Shaw Sales, Marketing, & Consulting LLC, 600 F. Supp. 2d 1045, 1049 (E.D. Mo. 2009).

Nine of the 11 opinions rely on Lockheed Martin Corp. v. Speed, 2006 WL 2683058 (M.D. Fla. 2006), which, along with Diamond Power Int’l Inc. v. Davidson, 540 F. Supp. 2d 1322, 1341 (N.D. Ga. 2007), is within the 11th Circuit and has been effectively overruled by U.S. v. Salum, 257 Fed. Appx. 225, 230-31 (11th Cir. 2007).  In Salum, a police officer with the Montgomery, Ala., Police Department was charged with a criminal violation of the CFAA for providing information from the FBI’s criminal record database to a private investigator.  Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the circuit court held, without citing the lower court opinions of Lockheed Martin or Davidson, that there was sufficient evidence to convict on the element of lack of authorization because Salum knew that the information he accessed was to be used “for an improper purpose.”  The five district courts that adopted the holding in Lockheed Martin and were decided after Salum ignore Salum.  See, e.g., US Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1191-96 (D. Kan. 2009).

Lockheed Martin faulted Citrin for relying “heavily on…the Second Restatement of Agency…to derive the meaning of ‘without authorization.’ ”  2006 WL 2683058, at *4.  The court complained that “the breadth of the statute given under the Citrin reading is especially disconcerting, given that the CFAA is a criminal statute with a civil cause of action.”  Id at *7.

In Carpentar v. U.S., 484 U.S. 19 (1987), however, the U.S. Supreme Court, employed the Restatement (Second) of Agency to affirm the mail and wire fraud convictions of a Wall Street Journal reporter who, prior to publication, had provided his upcoming financial columns to confederates, who bought or sold stock “based on the probable impact of the column on the market.”  Relying on the Restatement, the Court held that “an employee has a fiduciary obligation to protect confidential information obtained during the course of his employment” and that intentionally exploiting that information for his own personal benefit was a scheme to defraud his employer of confidential information outlawed by the mail and wire fraud statutes.  Just as the Restatement prescribes the duty of an employee in the context of these fraud statutes to safeguard his employer’s confidential information, it also prescribes the scope of an employee’s authority to access his employer’s computer in the context of the CFAA.

IN THE CRIMINAL CONTEXT

The first criminal case to deal with the CFAA in the employment context, U.S. v. Nosal, 2009 WL 981336, at *7 (N.D. Calif. 2009), refused to dismiss CFAA charges against a former “high level executive at an international executive search firm” who quit his position “with plans to start a competing executive search firm.”  Prior to leaving the firm, he stole competitively sensitive data from his employer’s computer.  The court rejected the defendant’s argument that “the CFAA was aimed primarily at computer hackers and that the statute does not cover employees who misappropriate information.”

The court adopted Citrin, finding that “ample authority exists to permit criminal actions to proceed based on violations of [ß 1030(a)(4)] by employees, as interpreted by civil cases, and there is simply no statutory basis to suggest otherwise.”  The court also emphasized that the defendant was wrong in “focusing exclusively on the later misuse of information by an employee against an employer’s interests,” when the “gravamen of the charge” is that the employee accessed the computer “with the intent to defraud.”  Thus, the critical element is that, at the time the employee accessed the company computer, he intended to use it in a fraudulent way.

Finally, Citrin is not the only circuit court decision sanctioning use of the CFAA against employees.  The 3d Circuit recognized that its reach includes actions against employees who steal data from their employers’ computers. P.C. Yonkers Inc. v. Celebrations The Party and Seasonal Superstore LLC, 428 F.3d 504, 510 (3d Cir. 2005).  The 5th Circuit, citing Citrin, has recognized that “authorized access typically arises…out of a[n]…agency relationship,” U.S. v. Phillips, 477 F.3d 215, 221, n. 5 (5th Cir. 2007). In short, although there are 11 district courts that preclude CFAA civil actions against employees, four circuit courts and Supreme Court law strongly suggest that these 11 opinions will ultimately lack precedential value.

Until this issue is resolved by the circuit courts or the Supreme Court, a simple strategy to avoid relying solely on the agency theory in filing a civil CFAA action is to establish unauthorized access through company polices and employee agreements.  An employer “clearly has a right to control and define authorization to access its own computer systems” through its company policies.  Cont’l Group Inc. v. KW Property Mgmt., 2009 WL 1098461, at *12 (S.D. Fla. 2009).  Thus, “written computer access policies maintained by…[the employer] in its Employee Handbook” can “determine whether” the employee “exceeded her authority to access.”

Unauthorized access can also be established through employee agreements.  In EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001), the court upheld a preliminary injunction based on a violation of the CFAA because the defendants, all former employees of the plaintiff, had accessed and downloaded pricing data on EF Cultural’s Web site by violating their confidentiality agreements with EF Cultural.  It is therefore critical for employers to review and amend company rules and agreements to maximize their ability to use the CFAA.