Computer Policies and the 9th Circuit

Last month I posted my article from the National Law Journal, entitled, “Time to Review Computer Policies,” discussing three recent cases, including LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009). I cited Brekka for the proposition that it is important to delineate the scope of an employee’s permissible access to the company computers. Since then, two new district court decisions from California and Washington have called into question whether such a strategy will work in the 9th Circuit. Both decisions narrow the meaning of exceeding authorized access under the federal Computer Fraud and Abuse Act (“CFAA”) and underscore how the 9th Circuit is taking a much more restrictive view of the CFAA than the other federal Circuits which have considered the breadth of this statute.

The first of these cases is U.S. v. Nosal, 2010 WL 934257 (N.D. Ca. Jan. 6, 2010), a criminal prosecution of Korn/Ferry employees who stole confidential data from the company computers prior to joining a competitor. The court had originally upheld the CFAA counts against the defendants based on precedent in other Circuits but changed its decision and dismissed the counts after the Brekka decision.

Brekka refused to apply the CFAA to employee data theft, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer. Brekka at 1133. The Ninth Circuit recognized that its decision was contrary to Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), which held that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer, such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers is terminated. Id. at 420.

Nosal stated that “Brekka provides some indication, in dicta, that an employer might be able to define the scope of an employee’s access in terms of how the employee uses the information obtained from the computer system. See Brekka, 581 F.3d at 1133 (“An individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has ‘exceed[ed] authorized access.’”) (emphasis added). And Brekka is quite clear that it is the employer who determines whether or not an employee has access. Id. at 1133, 1135.”

This dicta is consistent with the First Circuit’s view that the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Under this view of the CFAA, a company “can easily spell out explicitly what is forbidden,” Id. at 63, through a compliance code or an Employee Handbook, see e.g. Cont’l Group Inc. v. KW Property Mgmt., 622 F. Supp.2d 1357, 1372 (S.D. Fla. 2009), or through employee agreements. See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001).

The government argued that Nosal was distinguishable from Brekka and that the “court could still hold that Nosal ‘exceed[ed] authorized access.’” The argument was predicated on the existence of company policies violated by the defendants:

They contend that whereas in Brekka, there was an absence of any employment agreement or express company policy limiting the scope of his authorization to access the company’s computer system, here there were a number of policies regulating the manner in which Nosal, Christian, J.F and M.J. could access and use the Korn/Ferry system. The superseding indictment alleges that “Korn/Ferry required all of its employees–including the defendants David Nosal and Becky Christian–to enter into agreements that both explained the proprietary nature of information disclosed or made available to Korn/Ferry employees (including the information contained in the Searcher database) and restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.” Superseding Indictment ¶ 10. Korn/Ferry also allegedly “declared the confidentiality of information in the Searcher database by placing the phrase ‘Korn/Ferry Proprietary and Confidential’ on every Custom Report generated from the Searcher database.” Id. ¶ 11. Finally, each time an individual logged in to a Korn/Ferry computer, a notice would appear explaining “[t]his computer system and information it stores and processes are the property of Korn/Ferry. You need specific authority to access any Korn/Ferry system or information and to do so without relevant authority can lead to disciplinary action or criminal prosecution.” Id. 

Id. at 7. Thus, “[t]he government argue[d] that these notices and agreements defined the extent of a Korn/Ferry employee’s access to the computer network . . . [and that] when Nosal and his confederates violated these provisions, they ‘exceed[ed] authorized access.’”

The district court, however, rejected the government’s position and held that “[a]n individual only ‘exceeds authorized access’ if he has permission to access a portion of the computer system but uses that access to ‘obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter.’” 18 U.S.C. § 1030(e)(6) (emphasis in original). The court concluded that “[t]here is simply no way to read that definition to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate.” Id. at 7.

Based on Brekka, which held that “access and intent are separate elements,” the court found that “the government’s proposed interpretation of ‘exceeds authorized access’ would create an uncomfortable dissonance within section 1030(a)(4).” Id. Thus, under the interpretation advanced by the government “an individual’s intent would be irrelevant in determining whether that person accessed a computer ‘without authorization,’ but as long as the company had policies governing the use of the information stored in its computer system, that same individual’s intent could be dispositive in determining whether they ‘exceed[ed] authorized access.’” Id.

That “access” and “intent” are separate and distinct elements of the CFAA does not mean that proof of the two elements cannot overlap. This is one of the fatal flaws with the Brekka reasoning. There are many instances in the criminal law where the proof on the element of intent and another element of the crime can overlap. For example, in the mail fraud statute a jury can rely on the deceptive nature of the content of the mailing to determine whether the defendant acted with fraudulent intent to perpetrate a scheme to defraud.

The Eleventh Circuit resolved this issue correctly in U.S. v. Salum, 257 Fed. Appx. 225, 230-31 (11th Cir. 2007) which interpreted “without authorization” based on the defendant’s change of mental state. Brekka totally ignores this decision. In Salum, a police officer with the Montgomery, Alabama Police Department was charged with a criminal violation of the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that there was sufficient evidence for the jury to conclude that Salum had accessed the computer “without authorization” because at the time he accessed the computer Salum knew that he was accessing the information “for an improper purpose.” Id. at 230.

The one Circuit which has directly addressed Brekka in the context of corporate computer policies, U.S. v. John, 2010 WL 432405, *2-*4 (5th Cir., Feb. 9, 2010), also got it right. John affirmed the criminal conviction of a Citigroup account manager, Dimetriace Eva-Lavon John, for violations of the CFAA for accessing customer account information contained in Citigroup’s internal computer system. John provided that Citigroup customer information to her half-brother, who used it to incur fraudulent charges on four different customer accounts.

On appeal John, citing Brekka, argued that as a Citigroup employee, she was authorized to access the company computers for customer account information and that her mental state or motive in accessing the customer account information cannot be the basis for a violation of the CFAA. She argued “that the statute does not prohibit unlawful use of material that she was authorized to access through authorized use of a computer. The statute only prohibits using authorized access to obtain information that she is not entitled to obtain.” Id. at *2. The court rejected John’s argument based, in part, on Citigroup’s corporate computer policies that “prohibited misuse of the company’s internal computer systems and confidential customer information.” Id. at *4. The court pointed out that John was aware of these policies and attended corporate training programs where these policies were reiterated.

By virtue of her violation of Citigroup’s computer policies, the court held that the jury could have properly found that John exceeded her authorized access to Citigroup’s computer because she “was not authorized to access that information for any and all purposes but for limited purposes.” Id. at *3. She was certainly “not authorized to access data or information in furtherance of a criminally fraudulent scheme.” Id. at *4. In reference to Brekka, the court held that the “Ninth Circuit’s reasoning at least implies that when an employee knows that the purpose for which she is accessing information in a computer is both in violation of an employer’s policies and is part of an illegal scheme, it would be ‘proper’ to conclude that such conduct ‘exceeds authorized access’ within the meaning of section 1030(a)(2).” Id.

The second case, which interprets Brekka the same way as Nosal, is National City Bank, N.A. v. Republic Mortgage Home Loans, LLC, 2010 WL 959925 (W.D. Wash. March 12, 2010), a civil CFAA action. The court read Brekka to mean that “[a]n employee who has permission to access a range of documents and stays within the confines of his authorization would have no reason to suspect that he could be charged with hacking, i.e., exceeding his authorized access, simply because he uses those documents in a way that violates company policies regarding confidentiality or document retention.” Id. at *4.

The Court, however, did state that “there is a clear split in authority on this point.” Id. This issue ultimately will be decided by the U.S. Supreme Court. See my previous posting, “Will the Justices Rule on the CFAA?,” as to why I believe Brekka will ultimately be reversed.

Default judgment entered for Craigslist on the CFAA

Craigslist, Inc. v. Naturemarket, Inc., 2010 WL 807446, *12 (N.D. Ca., March 5, 2010) entered a default judgment in favor of Craigslist for, among other things, a violation of the Computer Fraud and Abuse Act.

The court held that the defendants’ access to the Craigslist Web site was unauthorized under the CFAA because the defendants violated the Web site’s Terms of Use (“TOU”). Specifically, the Craigslist TOU “expressly prohibits users from engaging in repeated postings of similar content, posting ads on behalf of others, gaining unauthorized access to Plaintiff’s computer systems, and using automated posting devices or computer programs that enable the submission of postings on craigslist.com without each posting being manually entered by the author thereof, including the use of any such automated posting device to submit postings in bulk for automatic submission of postings at regular intervals.” Id. at *3.

In violation of that TOU the “Defendants developed, advertised, and sold software to automate posting ads on craigslist.com, services to post ads for customers, programs to gather craigslist user email addresses from the craigslist website, and systems to circumvent Plaintiff’s security measures.” This software “allows users to post ads automatically to the craigslist website in whatever quantity, frequency, and location the user wishes, in direct violation of the TOUs.” Id. at *4.

The court granted Craigslist a permanent injunction enjoining the defendants from “manufacturing, developing, creating, adapting, modifying, exchanging, offering, distributing, selling, providing, importing, trafficking in” the software and $840,000 in liquidated damages under the Terms of Use Agreements.

The full opinion of the Magistrate Judge relating to the CFAA which was adopted by the federal district court judge is as follows:

Plaintiff’s third claim is for violation of the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030. [FN2] To state a claim under § 1030(a)(5)(B) and (C), Plaintiff must allege that Defendants intentionally accessed a protected computer without authorization, and as a result of such conduct, caused damage or recklessly caused damage or loss. [FN3]

FN2. Public Law 110-326, § 204(a)(1), § 1030(a)(5)(A)(ii) and (iii), which Plaintiff cites to in its First Amended Complaint and Proposed Findings of Fact and Conclusions of Law, was amended to eliminate the subsections as well as the $5,000 damages requirement.

FN3. Under the CFAA, a computer used in interstate commerce is defined as a “protected computer.” 18 U.S.C. § 1030(e)(2)(B).

Here, Plaintiff adequately pled a claim for violation of the CFAA. First, Plaintiff established that its computers were used in interstate commerce, and therefore qualify as protected computers under the CFAA. (Compl. ¶ 144; FAC ¶ 145.) Second, Plaintiff alleged that Defendants accessed its computers in violation of the TOUs, and therefore without authorization, for the purpose of employing, implementing and updating their AutoPoster Professional software. (Compl. ¶¶ 143-50; FAC ¶¶ 144-51.) Finally, Plaintiff sufficiently pled that the Defendants’ actions caused it to incur losses and damages. (Compl. ¶¶ 114, 115, 148; FAC ¶¶ 115, 116, 149.) Thus, the undersigned finds Plaintiff has sufficiently established its claim under the CFAA.

How To Prove “Loss” for Computer Fraud and Abuse Act

To bring a civil action based on the federal Computer Fraud and Abuse Act (“CFAA”) a plaintiff must show that the alleged violation “caused . . . loss . . . aggregating at least $5,000 in value.” 18 U.S.C. Section 1030(c)(4)(A)(i). “Loss” is defined by the CFAA as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. Section 1030(e)(11). The recent Virginia District Court opinion set forth below dismissed CFAA claims on the ground that plaintiffs could not meet the $5,000 “loss” threshold. This case is highly instructive on how a plaintiff must prove “loss” to bring a viable CFAA claim.

2010 WL 675241 (E.D.Va.)
United States District Court,
E.D. Virginia.
GLOBAL POLICY PARTNERS, LLC, et al., Plaintiffs,
v.
Brent YESSIN, Defendant.
No. 1:09cv859.

Feb. 18, 2010.

MEMORANDUM OPINION
T.S. ELLIS, III, District Judge.

*1 At issue on summary judgment in this case alleging unauthorized access to e-mail accounts are the following questions:
(i) whether the summary judgment record reflects that plaintiffs can meet the jurisdictional $5,000 “loss” requirement of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and
(ii) whether the summary judgment record reflects that plaintiffs can prove “actual damages” as required to recover actual and statutory damages under the Stored Communications Act, 18 U.S.C. § 2701 et seq. (“SCA”).
Mr. Yessin requests full summary judgment on the two CFAA counts and partial summary judgment on the two SCA counts. For the reasons that follow, the motion is granted with respect to the CFAA counts and denied with respect to the SCA counts.

I.
The facts material to defendant’s motion are largely undisputed. Mr. Yessin was a founding manager of Global Policy Partners, LLC (“GPP”), a limited liability corporation organized under Florida law that is in the business of lobbying and government relations. He remained a manager until at least August 18, 2009. One of his business partners in GPP was also his partner in marriage–Katherine Friess Yessin (“Ms. Friess”), who, along with GPP, is a plaintiff in this case. Mr. Yessin and Ms. Friess are in the process of terminating both their marriage and their business relationships. In 2007, at a time the parties’ marriage and business relationships were still intact, Mr. Yessin directed Jon Hageman, an information technology consultant, to reserve and acquire the domain name “gppwashington.com.” Mr. Hageman did so, registering the domain name with GoDaddy.com, a domain name registrar and web site host. Although Mr. Hageman initially registered the domain name in his own name, he thereafter transferred the domain name registration to Mr. Yessin. Mr. Hageman also set up e-mail accounts through GoDaddy.com, including Ms. Friess’s “Katherine@gppwashington.com” e-mail address.

Mr. Yessin and Ms. Friess were separated in May 2009. During May and June 2009, Mr. Yessin, by his own admission, repeatedly accessed Ms. Friess’s e-mail accounts without her knowledge through a password that was apparently–and perhaps inadvertently–stored on his computer. In doing so, Mr. Yessin read Ms. Friess’s e-mail communications with attorneys concerning a potential divorce action and settlement strategy. Mr. Yessin shared some of those communications with his own divorce lawyer.

In June 2009, Ms. Friess became suspicious that Mr. Yessin was accessing her “Katherine@gppwashington.com” e-mail account without her permission. Accordingly, on or about June 25, 2009, Ms. Friess asked Mr. Hageman to change the password to the “Katherine@gppwashington.com” e-mail account, and Mr. Hageman did so. Thereafter, Mr. Yessin contacted Mr. Hageman and asked to be given Ms. Friess’s e-mail account password, or alternatively, to have Ms. Friess’s e-mails forwarded to Mr. Yessin. Mr. Hageman declined both requests. When Mr. Yessin persisted, Mr. Hageman reiterated his refusal and referred Mr. Yessin to Mr. Hageman’s attorney and alerted Ms. Friess to Mr. Yessin’s request. Additionally, on or about July 9, 2009, Mr. Hageman informed Ms. Friess that the domain name “gppwashington.com” was owned by Mr. Yessin, and that Mr. Yessin could therefore redirect the domain name away from GoDaddy’s web and e-mail server. Mr. Hageman further informed Ms. Friess that unless renewed, the domain name would soon expire, and that Ms. Friess could renew the domain name even though it was registered in Mr. Yessin’s name.

*2 In the end, Ms. Friess chose not to do so, electing instead to use the services of Shawn Hilbig, a web designer, to purchase a new domain name–globalpolicypartnersllc.com–and to establish a new GPP website complete with new e-mail addresses. It appears that Mr. Hilbig sent Ms. Friess an invoice billing her for the following services:

Service                                               Amount Billed
“New Website purchase assistance”                     $90
“Email Address setup and support”                     $900
“Domain Auction support”                              $180
“Search Engine criteria”                              $90
“Business Requirements/Content & Images for site”     $1,800
“Creating, updating, and uploading content”           $900
“Modifying Images and Creating Slideshow”             $90
“Support Calls (Q and A)”                             $450
TOTAL                                                 $4,500

Ex. 9 at 1. [FN1] In connection with establishing the new web site, plaintiffs also appear to have incurred (i) $500 “to register to purchase” the globalpolicypartnersllc.com domain name from Network Solutions, Inc., (ii) $926 “in establishing” that domain name with Network Solutions, Inc., and (iii) $499 “in establishing” the domain name of globalpolicypartners.com with Network Solutions, Inc. Opp. at 6; see Opp. Exs. 12-14. Ms. Friess instructed Mr. Hageman to shut down the web site located at gppwashington.com on or about July 27, 2009.

FN1. Importantly, Mr. Hilbig did not provide an affidavit or otherwise certify or authenticate this invoice. Mr. Yessin’s counsel further notes that he “has made repeated attempts to serve Mr. Hilbig with a subpoena, but to no avail, as Mr. Hilbig continues to avoid service.” Rep. Br. at 6. The total amount that Ms. Friess paid Mr. Hilbig–$4,500–is corroborated by Opp. Ex. 10, the check from Ms. Friess, but there is no evidence to explain or corroborate the invoice’s line items. Plaintiffs state only that “Mr. Hilbig’s invoice speaks for itself.” Opp. at 6.

Earlier in the summer of 2009, GPP submitted or was in the process of submitting six “confidential business proposals for the government of India.” Ex. 8 at 47-49. It is undisputed that although Ms. Friess had made Mr. Yessin aware of these so-called “India Project” proposals, she did not share with him the specific details of the proposals. On July 10, 2009, in response to a “cease and desist” e-mail message from plaintiffs’ counsel, Mr. Yessin threatened to disclose to the government of India plaintiffs’ allegations that he was accessing their e-mail, stating that the Indian government would find it “unnerving” that GPP “thought so little of their own security capabilities as to make these rash allegations.” Opp. Ex. 18 at 3. The following day, in reply to an e-mail from plaintiffs’ counsel threatening a lawsuit under the CFAA and SCA, Mr. Yessin further stated that, barring a resolution of the matter, he would “feel obligated” to inform the Indian government that GPP “cannot safeguard the confidential material” being transmitted via its e-mail accounts and that it is not “qualified to do such sensitive work.” Id. at 1.

Thereafter, on September 8, 2009, Mr. Yessin sent an e-mail message to Lalit and Rohini Mattu, two partners in the India Project, to which he attached the complaints in two civil actions he filed in Florida against Ms. Friess and Mr. Weiss to establish his ownership of GPP. There is no allegation that Mr. Yessin provided the Mattus with confidential documents or other materials that he obtained by accessing Ms. Friess’s e-mail accounts. Plaintiffs have not heard from the Indian government on the status of the India Project proposals. Plaintiffs contend therefore that the government of India did not select or accept GPP’s proposals.

*3 In this action, filed on July 31, 2009, plaintiffs contend that Mr. Yessin is liable under the CFAA and the SCA for accessing Ms. Friess’s e-mail account without authorization. On December 15, 2009, Mr. Yessin filed his motion for summary judgment, in which he contends (i) that both CFAA counts should be dismissed because plaintiffs have not met the $5,000 “loss” threshold required to maintain a CFAA action, (ii) that the second CFAA count should be dismissed because plaintiffs have failed to show that he acted with the requisite “intent to defraud,” and (iii) that plaintiffs are not entitled to actual or statutory damages on their SCA claims because they have not shown actual damages, which he claims is a prerequisite to recovering statutory damages. The motion was fully briefed and argued, and is now ripe for disposition.

II.
The summary judgment standard is too well-settled to require elaboration here. In essence, summary judgment is appropriate under Rule 56, Fed.R.Civ.P., only where, on the basis of undisputed material facts, the moving party is entitled to judgment as a matter of law. Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986). Importantly, to defeat summary judgment the non-moving party may not rest upon a “mere scintilla” of evidence, but must set forth specific facts showing a genuine issue for trial. Id. at 324; Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 252 (1986). Thus, the party with the burden of proof on an issue cannot survive summary judgment on that issue unless he or she adduces evidence that would be sufficient, if believed, to carry the burden of proof on that issue at trial. See Celotex, 477 U.S. at 322.

III.
To maintain a civil action under the CFAA, plaintiffs must show that the alleged violation “caused … loss … aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i). [FN2] On summary judgment, a CFAA plaintiff must therefore show that there are triable issues as to (i) whether a CFAA-qualifying “loss” aggregating at least $5,000 occurred, and (ii) whether this loss was “caused” by a CFAA violation.

FN2. Claims alleging (i) impairment of a medical diagnosis, (ii) physical injury to a person, (iii) a threat to public health or safety, or (iv) damage affecting a computer used by the United States Government in furtherance of the administration of justice, national defense, or national security are exempted from the $5,000 requirement. See 18 U.S.C. § 1030(c)(4)(A)(i), (g). None of these exemptions apply here.

The CFAA specifies that a qualifying “loss” under the statute
means any reasonable cost to any victim, including [i] the cost of responding to an offense, [ii] conducting a damage assessment, and [iii] restoring the data, program, system, or information to its condition prior to the offense, and [iv] any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service[.]
18 U.S.C. § 1030(e)(11). Plaintiffs’ alleged damages must fall within this definition in order to qualify as a “loss” under the CFAA and therefore satisfy the $5,000 jurisdictional minimum.

With respect to § 1030(e)(11), the Fourth Circuit has recently held that “[t]his broadly worded provision plainly contemplates … costs incurred as part of the response to a CFAA violation, including the investigation of an offense.” A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir.2009). At issue on appeal in iParadigms was an allegation under the CFAA that the counterclaim defendant, A.V., had accessed iParadigms’s website without authorization by using a password assigned to certain authorized users. iParadigms offered evidence that it assigned several employees to investigate the breach and to “determine what happened.” Id. at 645. The district court granted summary judgment for A.V. on the ground that the expenditures incurred in assigning employees to investigate the intrusion were not “economic damages” cognizable under the CFAA. The Fourth Circuit reversed, defining loss to include economic damages resulting from the “‘cost of responding to an offense.’” Id. at 646 (quoting § 1030(e)(11) (defining “loss”)). Accordingly, the court of appeals reversed the district court’s grant of summary judgment.

*4 It is, of course, necessary, but not sufficient, for a CFAA plaintiff to show that qualifying costs were incurred; additionally, a CFAA plaintiff must also show, as iParadigms teaches, that the costs are “reasonable” and that they were “caused” by a CFAA violation. See id. Although the Fourth Circuit in iParadigms did not elucidate the causal requirement, [FN3] the Supreme Court has construed federal statutes containing similar requirements to incorporate traditional principles of tort causation, and such a reading is consistent with iParadigms. [FN4] It follows, therefore, that plaintiffs in this case must show that the losses they claim were the reasonably foreseeable result of the alleged CFAA violations, and that any costs incurred as a result of measures undertaken to restore and resecure the e-mail system were reasonably necessary in the circumstances. See United States v. Middleton, 231 F.3d 1207, 1213 (9th Cir.2000) (holding that jury instructions in CFAA criminal prosecution “correctly stated the applicable law” in requiring (i) that losses were “natural and foreseeable result” of any damage, and (ii) that losses included only cost of “what measures were reasonably necessary” to restore and resecure system). Accordingly, on summary judgment, plaintiffs here must show there is a triable issue of fact as to whether (i) alleged losses were reasonably foreseeable at the time of the alleged CFAA violations, and (ii) alleged losses resulting from measures undertaken in response to the alleged violations were reasonably necessary at the time.

FN3. See iParadigms, 562 F.3d at 646 (reserving judgment on whether alleged losses were “reasonable, sufficiently proven, [and] directly causally linked”).

FN4. See Jerome B. Grubart, Inc. v. Great Lakes Dredge & Dock Co., 513 U.S. 527, 541 (1995) (interpreting “caused by” language of Extension of Admiralty Jurisdiction Act, 46 U.S.C.App. § 740 to require causation in fact and proximate causation); Holmes v. Securities Investor Protection Corp., 503 U.S. 258, 268 (1992) (interpreting “injured … by reason of a violation” language of Racketeering Influenced Corrupt Organizations Act, 18 U.S.C. § 1964(c), to require causation in fact and proximate causation); Assoc. Gen. Contractors of Cal., Inc. v. Cal. State Council of Carpenters, 459 U.S. 519, 532 (1983) (requiring causation in fact and proximate causation to satisfy “injured … by reason of” antitrust violation jurisdictional requirement of Clayton Act, 15 U.S.C. § 15).

Plaintiffs allege that they have suffered three types of “loss” as a result of Mr. Yessin’s alleged CFAA violations: (i) costs incurred in the form of fees paid to the web designer Mr. Hilbig ($4,500) and to Internet service providers ($1,925) in order to register, configure, and design new web sites and e-mail accounts; (ii) over 50 hours of “lost” billable time by Ms. Friess that she spent investigating and responding to the offense, billed at a rate of $500 per hour ($27,500); and (iii) lost revenue from failing to win the India Project (“millions of dollars”). [FN5] Each of these alleged losses is addressed in turn.

FN5. Ms. Friess also claims that she is entitled to damages for the alleged impairment of her confidential communications with her attorney, but she does not claim that this alleged injury constitutes a CFAA-qualifying loss. Indeed, this injury, if proven, would not fall within even the broadest reading of iParadigms and § 1030(e)(11). See Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 562-63 (2d Cir.2006) (holding that lost revenue resulting from misappropriation of confidential data is not a CFAA-qualifying “loss”).

A. Costs Incurred in Creating New Web Sites and E-Mail Accounts

First, plaintiffs contend that the expenses incurred in the course of establishing, configuring, and designing a new web site and e-mail addresses are “costs of responding to and addressing an offense and costs of restoring the system to its condition prior to the offense” and that they therefore satisfy the CFAA’s definition of “loss.” Opp. at 23. To be sure, these expenses, if properly proved and causally related to the alleged CFAA violations, are CFAA-qualifying losses. See iParadigms, 562 F.3d at 646. Yet, in this instance, plaintiffs fail to meet these requirements with respect to most of these expenditures because (i) they have failed to provide evidence that may properly be considered on summary judgment, and (ii) even assuming this evidence can be considered, plaintiffs nonetheless have made no showing that certain of these expenditures were a reasonably necessary response to the alleged CFAA violations, as required to prove a causal link.

*5 It is clear that evidence not in a form admissible at trial may nonetheless be considered on summary judgment. See Celotex, 477 U.S. at 324. [FN6] Nonetheless, it is also clear that to be considered on summary judgment, evidence must be in one of the forms specified by Rule 56(e). [FN7] See id. In this respect, the Fourth Circuit has held that “[t]o be admissible at the summary judgment stage, ‘documents must be authenticated by and attached to an affidavit that meets” Rule 56(e)’s requirements.’ ” Orsi v. Kirkwood, 999 F.2d 86, 92 (4th Cir.1993) (quoting 10A Charles Alan Wright et al., Federal Practice and Procedure § 2722). Yet, in this case, the document on which plaintiffs primarily rely to prove the nature of the expenses incurred–Mr. Hilbig’s invoice–does not meet these requirements. The invoice is offered to prove that plaintiffs incurred expenses in the amounts and for the purposes described therein, and yet there is no affidavit or certification by Mr. Hilbig to this effect. Indeed, plaintiffs do not offer an affidavit from Mr. Hilbig at all. Moreover, Mr. Yessin’s counsel noted that plaintiffs failed to identify Mr. Hilbig in their Rule 26(a) disclosures, plaintiffs initially declined to disclose Mr. Hilbig’s whereabouts, and that Mr. Yessin’s counsel “has made repeated attempts to serve Mr. Hilbig with a subpoena, but to no avail, as Mr. Hilbig continues to avoid service.” Rep. Br. at 6. It is clear, therefore, that Mr. Hilbig’s invoice is unreliable, unauthenticated, uncertified, and inadmissible. Accordingly, it cannot be considered on a motion for summary judgment. See Orsi, 999 F.2d at 92. [FN8] Only the total amount billed, $4,500, is corroborated by the check from Ms. Friess to Mr. Hilbig. But no reasonable jury could conclude merely from the fact that this payment occurred that the expense was causally related to any CFAA violation.

FN6. Of course, affidavits must, as always, be based upon personal knowledge. See Rule 56(c), Fed.R.Civ.P.

FN7. Specifically, Rule 56(e) specifies that affidavits, depositions, and answers to interrogatories may be considered on summary judgment. As Celotex and Orsi v. Kirkwood, 999 F.2d 86, 92 (4th Cir.1993), make clear, this list is exclusive.

FN8. Contrary to the suggestion of Mr. Yessin’s counsel, that evidence is hearsay inadmissible at trial is, without more, insufficient to warrant exclusion from consideration on summary judgment. See Celotex, 477 U.S. at 324. Instead, Mr. Hilbig’s invoice cannot be considered on summary judgment because it is not accompanied by an affidavit and therefore does not conform with the requirements of Rule 56. See id; Orsi, 999 F.2d at 92.

Moreover, even if one accepts the content of Mr. Hilbig’s invoice on its face and assumes that a causal link exists between the alleged CFAA violations and the costs necessary to set up a new web site and e-mail addresses at a new domain name, [FN9] the invoice, by itself, does not provide a sufficient basis for a reasonable trier of fact to conclude that various of the stated charges were reasonably necessary to respond to the alleged violations. For example, by far Mr. Hilbig’s largest line item is $1,800 for “Business Requirements/Content & Images for site.” Ex. 9 at 1. The new GPP website did not require new content and images–Ms. Friess simply could have transferred the content and images from the old site, which had not yet been taken down. [FN10] Mr. Hilbig further billed $900 for “Creating, updating, and uploading content,” a task that, in addition to being seemingly redundant with the “Content & Images” line item, would have been largely unnecessary had plaintiffs simply chosen to use the content and images that already existed on the old site. Mr. Hilbig also bills $450 for 4.5 hours of “Support Calls (Q and A),” without any elaboration about the nature of the calls and whether they concerned establishing the new domain and e-mail accounts, or whether they instead involved the content, images, and other “business requirements.” At most, the only invoice items that are plausibly causally related to the alleged CFAA violations are the first four listed, for (i) website purchase assistance ($90), (ii) e-mail address setup and support ($900), (iii) domain name auction support ($180), and (iv) search engine criteria ($90). Together, these four items total $1,260.

FN9. It is worth noting that it is far from clear that any of the charges incurred in setting up a web site and e-mail accounts at a new domain name are causally related to any CFAA violations. Indeed, the evidence appears to suggest that Ms. Friess’s decision to establish a web site on a new domain and through a different web hosting service provider was not caused by Mr. Yessin’s alleged CFAA violations but rather because of his threats to shut down the GPPwashington.com domain, and those threats were not themselves CFAA violations. Indeed, Ms. Friess’s first responsive act–changing her password–was the only act necessary to ensure that Mr. Yessin would not be able to access her e-mail account, and the record suggests that Ms. Friess probably knew as much. Thus, it would not have appeared to be reasonably necessary to incur any of the expenses necessary to migrate to a new domain name and to set up a new web site and e-mail addresses. Nonetheless, the summary judgment record is sufficiently disputed to create a triable issue of fact as to whether migrating from the gppwashington.com site to a new site and domain name was reasonably necessary to respond to, and therefore causally related to, the alleged CFAA violations.

FN10. It is not at all clear, and plaintiffs do not endeavor to explain, what else “Business Requirements” may have entailed.

*6 Plaintiffs provide three printouts that state additional expenses in connection with the migration to the new domain in an effort to clear the CFAA’s $5,000 “loss” hurdle. The first, Opposition Exhibit 12, is a grainy facsimile of a printout from a website called “Namejet.” [FN11] While the figure in the “Winning Bid” column is not legible, plaintiffs state that it says $499 and that this expense was required to secure the globalpolicypartners.com domain name, which was used to replace the gppwashington.com domain. Assuming the authenticity and reliability of this document–because Mr. Yessin does not dispute them–there is a triable issue of fact concerning whether this expense is causally related to the alleged CFAA violations because a reasonable jury could conclude that migrating to a new domain name was reasonably necessary in order to resecure the system following Mr. Yessin’s alleged violations. The second and third printouts are e-mail messages from “support@networksolutions.com” confirming purchases of $926.40 and $499.95–$1127.85 of which is for five years of web server hosting services and $298.50 of which is for one year of “MessageGuard” services, which plaintiffs suggest is an e-mail encryption service. Opp. Ex. 13 at 1-2. For the same reason that there is a triable issue of fact with respect to whether the domain name auction expenses were reasonably necessary restorative measures, there is a triable issue with respect to these expenses as well. Nonetheless, these expenses clearly overstate any CFAA-qualifying loss because they include five years of web hosting service that replaced continued service to the gppwashington.com domain. Accordingly, the proper calculation of loss would include these expenses, less any amount saved by canceling support for gppwashington.com. 
Plaintiffs have failed to produce any evidence of the amount saved through cancellation of the gppwashington.com domain, and, indeed, it may be that the expenses “cancel out” in their entirety. Nonetheless, construing the record in the light most favorably to plaintiffs, it is assumed for purposes of ruling on Mr. Yessin’s motion that there is a triable issue of fact that one year of the Network Solutions services constitutes a CFAA-qualifying loss. Accordingly, for summary judgment purposes, it is appropriate to consider that plaintiffs have adequately shown $524.07 in losses in connection with the payments to Network Solutions. [FN12]

FN11. Mr. Yessin does not object to the admissibility of Opposition Exhibits 12, 13, and 14.

FN12. This total is arrived at by adding the full expense of the MessageGuard service ($298.50) to one-fifth of the five years of web hosting costs ($225.57).

In summary, construing the record evidence in the light most favorable to plaintiffs, there exists a triable issue of fact as to whether plaintiffs incurred $2,283.07 in costs reasonably necessary to “respond to the offense” under the CFAA, and these costs, if proven, are CFAA-qualifying losses.

B. Lost Revenue From Time Spent Responding to the Alleged Offenses

Plaintiffs allege that they
lost $27,500 in loss [sic] income/revenue by spending more than 50 hours of Ms. [Yessin’s] time, for which she billed $500 an hour, investigating Defendant’s unauthorized access, changing her password and email domain name, changing her email accounts, encrypting emails, securing the website and transferring the website and emails, [and] obtaining a new information and technology specialist.
*7 Opp. at 9-10. Distilled to its essence, plaintiffs’ contention is that they lost $27,500 because Ms. Friess was occupied with investigating or responding to the alleged CFAA violations instead of working on GPP matters and this lost time qualifies as a “loss” within the meaning of § 1030(e)(11).

As a general matter, lost revenue damages may qualify as losses under the CFAA when they result from time spent responding to an offense. In iParadigms, the Fourth Circuit quoted with approval a district court’s holding that the value of ” ‘many hours of valuable time away from day-to-day responsibilities’ ” are the type of damages that fall within the § 1030(e)(11) definition of “loss.” 562 F.3d at 646 (quoting SuccessFactors, Inc. v. Softscape, Inc., 544 F.Supp.2d 975, 980-81 (N.D.Cal.2008). Indeed, time spent “responding to an offense” appears plainly to fall within the CFAA’s understanding of “loss.” Thus, if plaintiffs adequately prove that Ms. Friess spent time away from her GPP responsibilities and that this lost time was reasonably foreseeable and reasonably necessary in the circumstances, then it is a CFAA-qualifying loss. Yet, because plaintiffs do not adduce evidence to prove (i) that this loss occurred and (ii) that its occurrence was a reasonably necessary consequence of the alleged CFAA violations, these alleged losses do not count toward the $5,000 CFAA threshold.

First, Ms. Friess’s assertion that she spent 50 hours investigating and responding to Mr. Yessin’s alleged CFAA violations is unsupported and indeed contradicted by other evidence. Ms. Friess testified in her deposition that she did not record or document that time in any way. Opp. Ex. 1 at 148. Instead, she stated that she reached the calculation by “look[ing] back” at the time that she had “spent with the IT guy, with Network Solutions, and [she] calculated it based on the time [she] knew [she] spent.” Opp. Ex. 1 at 148-49. She was unable to describe the specific tasks accomplished during those 50 hours except to state that “[s]etting up the new Web site and e-mail system was probably 80 percent, of the time, 85.” Opp. Ex. 1 at 149. The remaining 15 to 20 percent, she stated, was spent “investigating the intrusions.” Opp. Ex. 1 at 150. In this time, Ms. Friess claims, “I talked to GoDaddy [the gppwashington.com web hosting service provider], or tried to talk to GoDaddy, talked to our IT guy.” Id. She did not actually perform any analysis or investigation of any computer systems, nor did she instruct anyone else to do so. Opp. Ex. 1 at 151-53. Ms. Friess’s claim therefore appears to be that she spent 50 hours speaking with the two information technology specialists, Mr. Hilbig and Mr. Hageman, and speaking with or attempting to speak with someone who works at GoDaddy. Ms. Friess only identifies three of these telephone calls: one with Mr. Hageman on or about June 24, 2009, to change her e-mail account password, one on July 9, 2009, to discuss Mr. Yessin’s control of the gppwashington.com server and his failed attempt to obtain Ms. Friess’s password from Mr. Hageman, and one on or about July 27, 2009, to instruct Mr. Hageman to shut down the gppwashington.com domain. Indeed, Mr. Hageman only recalls having had at most these three brief telephone calls with Ms. Friess. Ex. 6 at 81-84. Moreover, Mr. 
Hilbig’s invoice only bills 4.5 hours for telephone calls, and thus this evidence contradicts Ms. Friess’s claim. Thus, there is simply no evidence–apart from her own vague, conclusory testimony that is contradicted by Mr. Hageman’s testimony and by Mr. Hilbig’s invoice–that Ms. Friess actually spent 50 hours investigating and responding to Mr. Yessin’s alleged CFAA violations. [FN13] Accordingly, no reasonable jury could conclude that this alleged lost time was a CFAA-qualifying loss.

FN13. Alternatively, this time is not a qualifying “cost of responding to an offense” because (i) there is no evidence that Ms. Friess would otherwise have been working on GPP matters and (ii) there is insufficient evidence that Ms. Friess’s lost time was worth $500 per hour. Ms. Friess candidly admitted in her deposition testimony that GPP ordinarily billed clients on a flat retainer basis, rather than by the hour. Ex. 6 at 141. Thus, even though Ms. Friess seeks to recover $500 per hour for her time, there was no one-to-one correspondence between her time and the amount of revenue she would normally generate. Additionally, Ms. Friess acknowledged that GPP only had one paying client during the summer of 2009, the International Council of Shopping Centers, and that client ended its contract with GPP in July 2009 for reasons unrelated to Mr. Yessin’s alleged CFAA violations. Ex. 6 at 138. On this record, a reasonable factfinder could not conclude that Ms. Friess’s alleged lost time was a “cost of responding to the offense” under the CFAA.

*8 Additionally, assuming, arguendo, that this lost time is sufficiently proven, the description of the tasks performed during these fifty hours is so vague that no reasonable jury could conclude that the expended time was reasonably necessary to restore or resecure the system. Indeed, Ms. Friess claims that she essentially spent the entire 50 hours asking questions of and giving directions to her two information technology consultants. By her own admission, she did not herself perform any analysis or investigation, nor did she direct her consultants to do so. Thus, 50 hours to perform these vaguely defined supervisory tasks is plainly excessive under the circumstances and no reasonable factfinder could conclude that this expenditure of time was reasonably necessary to respond to the alleged CFAA violations. Because plaintiffs have not adequately shown that they actually incurred any loss as a result of time spent responding to the alleged violations, and because the amount of time allegedly spent was clearly unreasonable and not causally related to any alleged CFAA violations, plaintiffs have not shown a triable issue of fact as to whether the alleged “lost time” is a loss under the CFAA. [FN14]

FN14. On very similar facts, a district court in New York granted summary judgment for defendants in B. U.S.A. Corp. v. Ecogloves, Inc., 2009 WL 3076042, at *8-*9 (S.D.N.Y. Sept. 28, 2009). There, the plaintiffs’ information technology consultant stated, in an affidavit, that he spent twelve hours investigating and remedying an alleged CFAA violation, and that he billed this time as part of the $16,000 annual fee that he charged plaintiffs. The district court rejected this alleged loss because, under an annual billing structure, “the amount attributable to any given item cannot really be calculated or is effectively zero.” Id. at *8. Moreover, a declaration asserting that plaintiffs’ employees “expended hundreds of hours” responding to an alleged offense did not create a triable issue as to the existence of qualifying losses because the claim was otherwise unsupported and it contradicted earlier deposition testimony. Id. at * 8-*9.

C. Lost Revenue from the India Project

Finally, plaintiffs claim that they lost “millions of dollars” in revenue because GPP was not awarded a consulting contract with the government of India that they believed that they would win. They allege that they were not awarded the India Project because Mr. Yessin sent an e-mail message to the Mattus, GPP’s business partners, containing copies of civil complaints filed in Florida court concerning an ongoing fight over control of GPP. This lost revenue claim does not qualify as a CFAA loss for two reasons. First, the undisputed facts show that GPP’s failure to win the India Project award was not caused by Mr. Yessin’s alleged CFAA violations. Second, even if adequately proven and causally linked, lost revenue claims such as those alleged here qualify as losses under the CFAA only when they result from an interruption of service, and no such interruption is alleged here.

There is no causal connection between the alleged CFAA violations and GPP’s failure to win the India Project contract. Plaintiffs allege that GPP did not win the India Project because in September 2009, Mr. Yessin sent an e-mail to the Mattus, GPP’s project partner, informing them of the ongoing dispute over control of GPP. But there is not even a scintilla of evidence to suggest (i) that this e-mail message was causally related to the alleged CFAA violations, or (ii) that its transmission caused GPP not to win the contract. Ms. Friess acknowledged in her deposition testimony that she had discussed the India Project with Mr. Yessin, and she sent him e-mails listing the project principals and containing draft teaming agreements with project partners. Ex. 8 at 308, 314; Ex. 13; Ex. 15. Thus, Mr. Yessin did not learn about the project’s existence, nor did he learn the identities of the principals, through any alleged CFAA violations. His e-mail to the Mattus, which plaintiffs contend caused GPP to “lose” the India Project contract, did not contain any confidential material or other information that he could have acquired through unauthorized access to Ms. Friess’s e-mail system. The e-mail message therefore had nothing whatever to do with the alleged CFAA violations. Moreover, plaintiffs have not adduced any evidence to suggest that the Indian government even received Mr. Yessin’s e-mail message, let alone that the message had anything to do with the apparent decision of the Indian government not to award the contract to GPP. Thus, no reasonable jury could find that any CFAA violations caused this alleged loss.

*9 Additionally, the CFAA does not recognize lost revenue damages as “loss” unless it was “incurred because of interruption of service.” § 1030(e)(11); see Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App’x 559, 562 (2d Cir.2006) (“[T]he plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption in service.’ “). Plaintiffs misread iParadigms to hold that interruption in service is not required to prove lost revenue. The loss alleged in iParadigms involved the “cost of responding to an offense,” which implicates a separate provision of § 1030(e)(11) that does not require interruption of service. Where, as here, the revenue is alleged to have been lost as a consequence of misappropriation of information obtained through a CFAA violation, it is clear that an interruption of service is required. See Nexans Wires, 166 F. App’x at 562-63 (holding that loss of $10 million in revenue resulting from misappropriation of confidential data was not a CFAA-qualifying loss because it did not result from interruption in service). Because no interruption of service is alleged here, it is clear that plaintiffs’ claim for lost revenue from the India Project is not a loss under the CFAA.

It is therefore clear that no reasonable trier of fact could find that plaintiffs have met the CFAA’s $5,000 jurisdictional “loss” threshold. At most, they have adduced evidence that supports a claim of $2,283.07 in qualifying losses. Accordingly, their two CFAA claims, Counts 1 and 2, must be dismissed pursuant to § 1030(c)(4)(A)(I). Mr. Yessin’s additional argument that Count 2 must be dismissed because plaintiffs have failed to prove that he intended to defraud them is therefore neither reached nor decided.

IV.
Mr. Yessin also seeks partial summary judgment on the two counts arising under the SCA. Specifically, he argues that plaintiffs cannot prove actual damages and thus may not recover actual or statutory damages. The SCA authorizes as damages
the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $ 1,000.
18 U.S.C. § 2707(c). The Fourth Circuit, relying on the Supreme Court’s construction of a virtually identical Privacy Act provision in Doe v. Chao, 540 U.S. 614, 621 (2004), recently explained that proving actual damages or violator profits is a “prerequisite to recovering statutory damages” under the SCA. Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199, 205 (4th Cir.2009). Thus, if plaintiffs cannot prove actual damages or profits by the violator, then they cannot recover statutory damages on their SCA claims.

The analysis requires a definition of “actual damages.” In its Doe v. Chao opinion, the Fourth Circuit held that the “actual damages” requirement is “more rigorous” than requiring an “injury in fact” or an “adverse effect”; indeed, the court of appeals found that requiring “actual damages” serves a “gatekeeping function of avoiding tremendous overcompensation of plaintiffs whose damages evidence fails to establish any meaningful injury at all.” Doe v. Chao, 306 F.3d 170, 181 n. 6 (4th Cir.2002), aff’d, 540 U.S. 614 (2004). Thus, while there is no identifiable fixed point at which nominal damages become actual damages, plaintiffs must show that they have suffered some concrete, compensable harm as a result of Mr. Yessin’s alleged SCA violations. Importantly, in construing the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”), the Fourth Circuit has repeatedly held that “actual damages” as understood by the FCRA “may include economic damages.” Robinson v. Equifax Info. Servs., LLC, 560 F.3d 235, 239 (4th Cir.2009) (citing Shane v. Equifax Info. Servs., LLC, 510 F.3d 495, 500 (4th Cir.2007). Moreover, consequential economic damages qualify as actual damages under the FCRA. Id. at 241 (upholding damages judgment for missed work time spent investigating and responding to FCRA violations). There is no reason in principle or in the statutory language that the definition of “actual damages” under the FCRA should be different from that under the SCA. Cf. Van Alstyne, 560 F.3d at 205 (construing SCA “actual damages” provision identically to Privacy Act “actual damages” provision).

*10 As discussed supra, plaintiffs have adequately shown that there is a triable issue as to $2,283.07 in consequential economic damages resulting from Mr. Yessin’s allegedly unauthorized access to Ms. Friess’s e-mail account. Because these are “actual damages” under the SCA, summary judgment with respect to whether plaintiffs are entitled to recover actual and statutory damages is not appropriate.

V.
In summary, Mr. Yessin is entitled to summary judgment on Counts 1 and 2 because plaintiffs have not adduced evidence from which a reasonable jury could conclude that they have suffered jurisdictional CFAA-qualifying losses of $5,000 or more. Yet, defendant’s motion is properly denied with respect to Counts 6 and 7 because the summary judgment record warrants the conclusion that plaintiffs may recover actual or statutory damages under the SCA.

An appropriate Order will issue.

Time to Review Corporate Computer Policies

THE PRACTICE
Commentary on developments in the law

Three recent court decisions make it important for companies to begin the new year with a thorough review of their computer-use policies with a focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the scope of the employee’s permissible access to the company computers. This article will discuss these three decisions and their implications for creating effective corporate computer policies that protect the company against the theft of its data.

Two of these recent decisions—Quon v. Arch Wireless Operating Co. Inc., 529 F.3d 892 (9th Cir. 2008), cert. granted, 2009 WL 1146443 (2009), and Stengart v. Loving Care Agency Inc., 408 N.J. Super. 54 (N.J. App. Div. 2009)—affect a company’s ability to gather evidence from its own computers. Both cases found company computer policies insufficient to defeat the employee’s expectation of privacy in using the company computers for personal reasons. Whether an employee has an expectation of privacy on the company computers can become a critical issue when it is suspected that an employee may have stolen corporate data.

In Quon, the U.S. Court of Appeals for the 9th Circuit held that a review of text messages on pagers provided to municipal police officers violated the Fourth Amendment as an unreasonable search. Although the city had no express policy “directed to text messaging by use of the pagers,” it did have a general “Computer Usage, Internet and E-Mail Policy” applicable to all employees that limited the “use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computer” to city business.

The policy warned that “[t]he use of these tools for personal benefit is a significant violation of” city policy, that “[a]ccess to all sites on the Internet is recorded and will be periodically reviewed by the City,” that the city “reserves the right to monitor…all network activity, including email and Internet use,” and that “[u]sers should have no expectation of privacy or confidentiality when using these resources.” The policy also warned against using “these systems…for personal or confidential communications” because the information produced on the system “is considered City property.” This policy was acknowledged in writing by each city employee, and it was announced orally that this policy applied to pagers.

The 9th Circuit affirmed the district court’s finding that Jeff Quon had a reasonable expectation of privacy with respect to the text messages because the policy did not reflect the “operational reality” at the police department where the staff were told that the department “would not audit their pagers so long as they agreed to pay for any overages” that exceeded a “25,000 character limit.” Id. Consistent with that informal policy, Quon had exceeded that limit “ ‘three or four times’ and had paid for the overages every time without anyone reviewing the text of the messages,” demonstrating that the police department “followed its ‘informal policy’ and that Quon reasonably relied on it.”

In Stengart, the issue of the computer policies arose in the context of the attorney-client privilege. Marina Stengart used her employer’s laptop computer to communicate with her attorney about an anticipated lawsuit against her employer “through her personal, web-based, password-protected Yahoo email account.” After Stengart filed a discrimination suit, her then-ex-employer found numerous e-mails on the company computer between Stengart and her attorney. The employer’s computer policy was nearly identical to the policy addressed in Quon with one significant exception. Unlike the written policy in Quon, which limited use of the computers to the employer’s business, the policy in Stengart provided that “[o]ccasional personal use is permitted.”

The court found two specific “ambiguities” with the computer policy that “cast doubt over the legitimacy of the company’s attempt to seize and retain personal e-mails sent through the company’s computer via the employee’s personal email account.” First, the “policy neither defines nor suggests what is meant by ‘the company’s media systems and services,’ nor do those words alone convey a clear and unambiguous understanding about their scope.” Second, the court found that one could reasonably conclude “that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Given these ambiguities, Stengart could have assumed her e-mails with her attorney would be confidential.

The third decision relates to a company’s ability to use evidence found on its own computers to bring a viable court action against the disloyal employee under the federal Computer Fraud and Abuse Act (CFAA) to retrieve the stolen data and prevent its dissemination in the marketplace. The CFAA, the federal computer crime statute, provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the CFAA. 18 U.S.C. 1030(g). A critical element in proving most CFAA claims is that the violator accessed the computer “without authorization” or “exceeding authorized access.”

THE ISSUE OF PERMISSIBLE ACCESS

That case, LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), has made it more important than ever for corporate computer policies to address what is not permissible access to the company computer system. Until Brekka, no other circuit court had disagreed with the 7th Circuit’s holding in Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates. Brekka refused to apply the CFAA to a theft of employer data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer.

Although this division in the circuit courts will ultimately have to be resolved by the U.S. Supreme Court, from an employer’s standpoint it is important to emphasize that the agency relationship with the employee is not the only way to prove that an employee’s access to the company computer was unauthorized or exceeded authorization. Employers can proactively establish the predicate for unauthorized access by promulgating the rules of access through company policies. The “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden” through a compliance code or an employee handbook or through employee agreements. See Cont’l Group Inc. v. KW Property Mgmt., 622 F. Supp. 2d 1357 (S.D. Fla. 2009); EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).

In designing corporate computer policies and employee agreements, it is important not to lose sight of the well-established operating principle that company computers are company property, and, as such, the company can “attach whatever conditions to their use it wanted to,” even if these conditions are not “reasonable.” Muick v. Glenarye Electronics, 280 F.3d 741, 743 (7th Cir. 2002). Nonetheless, in light of Quon, Stengart and Brekka, a company should review its computer policies to ensure that they do the following:

  • Clearly define the computer systems covered by the policy; expressly encompass whatever technology is used, such as text messaging or instant messaging; and address not only the servers but removable media such as thumb drives and disks.
  • Make clear that all data created in furtherance of any personal use belongs to the company—including use of the company systems to access personal Web-based e-mail accounts—and may be monitored by the company and will not be confidential.
  • Reflect operational reality and are audited at least annually to ensure they reflect operational reality.
  • Spell out precisely the scope of an employee’s permissible authorization to the company computers, particularly what they are not permitted to do, e.g., access the company computers to retrieve company data for a competitor.

The time to get this right is now before the company finds itself the victim of a data theft.

Will the Justices Rule on the CFAA?

Nick Akerman

September 28, 2009

Two cases decided in the past month — LVRC Holdings LLC v. Brekka, No. 07-17116, 2009 WL 2928952, (9th Cir. Sept. 15, 2009) and U.S. v. Drew, No. CR 08-0582, 2009 WL 2872855 (C.D. Calif. Aug. 28, 2009) — raise the prospect that the federal Computer Fraud and Abuse Act (CFAA), U.S.C. 1030, will for the first time in its 25-year history be interpreted by the U.S. Supreme Court.  This article will review Brekka and Drew, their likely outcomes on appeal and what businesses should do in response to these decisions.

The CFAA, the federal computer crime statute, enumerates 12 separate violations of federal criminal law relating to computers. Eight of these violations require proof that the violator accessed the computer “without authorization” or “exceeding authorized access.” Brekka’s and Drew’s interpretations of “without authorization” in different factual and legal contexts raise significant conflicts with other federal decisions that will likely only be resolved by the Supreme Court. The meaning of “without authorization” has significant implications for the protection of competitively sensitive business data and the control and protection of public Web sites. Both criminal and civil cases are implicated since the CFAA is a criminal statute that provides a civil remedy for damages and injunctive relief for a company that “suffers damage or loss” by reason of a violation of the CFAA. 18 U.S.C. 1030(g).

EMPLOYEE THEFT OF DATA

Brekka, a civil case that affirmed summary judgment for the defendant employee, is the first circuit court opinion to hold that an employee’s authorization to access the company computer is not based on the law of agency. Brekka involves the classic employee theft of data whereby employees, before they leave to compete, e-mail to themselves competitively sensitive company data. The Brekka court refused to apply the CFAA to this theft of data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer. Brekka, 2009 WL 2928952, at *4. The court acknowledged that its holding directly conflicts with the U.S. Court of Appeals for the 7th Circuit’s decision in Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). In Citrin, the employee stole data from the company laptop and then destroyed the remaining data. Based on the Restatement (Second) of Agency § 112 (1958), the court held that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer and that, when the employee violates “his duty of loyalty,” i.e., when Jacob Citrin stole data and “resolved to destroy files that incriminated himself and other files that were also the property of his employer,” his authorization to access the company computers terminated. Id. at 420.

While the 9th Circuit rejected Citrin’s premise that “[Christopher] Brekka would have acted ‘without authorization’…once his mental state changed from loyal employee to disloyal competitor,” Brekka at *6, it ignored the 11th Circuit’s contrary decision in U.S. v. Salum, 257 Fed. App’x 225, 230-31 (11th Cir. 2007), which interpreted “without authorization” based on the defendant’s change of mental state. In Salum, a police officer with the Montgomery, Ala., Police Department was charged with a criminal violation of the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that there was sufficient evidence for the jury to conclude that Salum had accessed the computer “without authorization” because at the time he accessed the computer Salum knew that he was accessing the information “for an improper purpose.” Id. at 230.

Brekka’s principal criticism of Citrin is that “[n]othing in the CFAA suggests that a defendant’s liability for accessing a computer without authorization turns on whether the defendant breached a state law duty of loyalty to an employer.” Brekka, 2009 WL 2928952, at *6. The court stated that an employee “would have no reason to know that making personal use of the company computer in breach of a state law fiduciary duty to an employer would constitute a criminal violation of the CFAA.” Id. For that reason, the court found that Citrin’s interpretation of authorization “does not comport with the plain language of the CFAA.” Id. at *7. Brekka’s reasoning, however, ignores the Supreme Court’s reliance in Carpenter v. U.S., 484 U.S. 19 (1987) on this same state law cited by Citrin to interpret the plain language of “scheme to defraud” in the mail and wire fraud statutes. Carpenter affirmed the convictions of a Wall Street Journal reporter who, prior to publication, had provided his upcoming financial columns to confederates, who bought or sold stock “based on the probable impact of the column on the market.” Id. at 23. The Court held that “an employee has a fiduciary obligation to protect confidential information obtained during the course of his employment” and intentionally exploiting that information for his own personal benefit constituted a scheme to defraud his employer of confidential information. Id. at 29.

‘WITHOUT AUTHORIZATION’

In contrast to Brekka, Drew has implications for the CFAA beyond the workplace. It is a criminal prosecution in which the federal district court overturned a jury conviction on the ground that the CFAA’s element of “without authorization” makes the statute unconstitutionally vague. The jury found 49-year-old Lori Drew guilty of violating the CFAA for using a MySpace account to harass and torment a 13-year-old girl, who, as a result, committed suicide. Drew perpetrated what has been referred to as cyberbullying by posing as a fictitious 16-year-old boy in violation of MySpace’s terms of service (TOS) that required her, among other things, to provide truthful information on MySpace and not use MySpace to harass, abuse or harm other people or solicit personal information from anyone younger than 18. Drew’s violation of MySpace’s TOS provided the proof that Drew accessed MySpace “without authorization.”

While recognizing that “most courts that have considered the issue have held that a conscious violation of a website’s terms of service/use will render the access unauthorized,” the court held that, as a matter of law, the CFAA is unconstitutionally vague. Drew, 2009 WL 2872855, at *10. The principal reasons it enumerated are that the CFAA “criminalizes breaches of contract” between the Web site owner and users; there is a lack of clarity as to which violation of a particular term of service amounts to a criminal violation; the CFAA permits the Web site owner to define the “criminal conduct” through its terms of service; and “a violation of a website’s terms of service, without more” would transform the CFAA “into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals.” Id. at *14-*16.

The court provided a number of hypothetical examples of absurd uses of the CFAA, including one that would permit the government to prosecute “the exasperated parent who sends out a group message to neighborhood friends entreating them to purchase his or her daughter’s girl scout cookies, which transgresses” MySpace’s TOS against advertising and solicitation on its site. Id. at *16.

THE VAGUENESS ARGUMENT

In a different context, the 7th Circuit rejected the argument that the CFAA is unconstitutionally vague and held that “[t]here is no constitutional obstacle to enforcing broad but clear statutes” and that “[t]he statute itself gives all the notice that the Constitution requires.” U.S. v. Mitra, 405 F.3d 492, 496 (7th Cir. 2005). Lori Drew indisputably violated the letter of the statute by intentionally accessing MySpace “without authorization” and obtaining information from the juvenile girl. Similarly, although Mitra did not involve cyberbullying, it did address a new computer technology, trunking communications systems, that did not exist when the CFAA was enacted. The court explained that the reason why Congress “write[s] general statutes rather than enacting a list of particular forbidden acts” is because “complexity is endemic in the modern world and that each passing year sees new developments.” Id. at 495.

Similarly, the Drew court assumed that, because the statute is worded so broadly, a simple transgression of a Web site’s term of use could constitute a violation of the CFAA because the CFAA’s element of “obtaining information” can be proved through “mere observation” of data.  Drew, 2009 WL 2872855, at *6.  That is not the correct legal standard, according to at least one other circuit.  U.S. v. Czubinski, 106 F.3d 1069, 1078 (1st Cir. 1997), held that there was insufficient proof to affirm a CFAA conviction when Richard Czubinski, an Internal Revenue Service employee, had exceeded his authorized access to the IRS computer but “merely” viewed restricted tax information relating to “friends, acquaintances, and political rivals.”  There must be a “showing of some additional end — to which the unauthorized access is a means.”  Id.

The Drew court’s view that the CFAA is unconstitutionally vague because it criminalizes a breach of contract overlooks the well-established fact that a breach of contract can in certain instances also constitute a crime. For example, an employee who steals his employer’s trade secrets in breach of a confidentiality agreement can also be guilty of violating the Economic Espionage Act. See, e.g., U.S. v. Chung, 622 F. Supp. 2d 971, 975 (C.D. Calif. 2009). Moreover, that the CFAA permits Web site owners to “spell out explicitly what is forbidden” on their Web sites, EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003), does not make it any more unconstitutionally vague than a “No Trespass” sign that can form the predicate for criminal trespass in some jurisdictions.

Finally, that the CFAA is subject to abuse by prosecutors applying it to technical, insubstantial violations does not make it unconstitutional. The wire fraud statute, for example, could equally be applied to a student who calls home interstate from college asking his parents for money for books, when he intentionally lied, planning to use the money to buy beer. No one has ever seriously argued that this potential misuse of prosecutorial discretion makes the statute unconstitutional.

Assuming Brekka and Drew are appealed, it will be a long time before both cases are resolved. In the meantime, businesses should continue to publish Web site terms of use that can be used as predicates for the CFAA by establishing the scope of authorized access with the goals of protecting their customers or users, such as MySpace does, and protecting their business data. See, e.g., Register.com v. Verio Inc., 126 F. Supp. 2d 238, 245 (S.D.N.Y. 2004). To meet the risk of employee computer theft, businesses should not rely solely on the agency theory to support a CFAA civil action. “Unauthorized access” can also properly be established through written company policies delineating the scope of an employee’s authorization to access the company computers, whether through a compliance code or an employee handbook, or through employee agreements. See, e.g., Cont’l Group Inc. v. KW Property Mgmt., No. 09-60202, 2009 WL 1098461, at *12 (S.D. Fla. 2009); EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577, 583-84 (1st Cir. 2001). Incorporating such policies and agreements into the workplace is now a must.