New York District Court Permits CFAA Case Against Ex-Employee

In Marketing Technology Solutions, Inc. v. Medizine LLC, 2010 WL 2034404 *6-7 (S.D.N.Y. May 18, 2010) the court denied the defendant’s motion to dismiss the CFAA claim for stealing trade secrets from the company computer. Medizine, the employee’s new employer, argued that the employee, Daniel Brandt, could not have accessed his former employer’s computer without authorization or in excess of authorization “because of the broad access Brandt had as an employee.” Id. at *7. Relying on the First Circuit’s decision in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 581-84 (1st Cir. 2001), the court held that “[i]n light of the Employment Agreement between Brandt and MTS [the former employer], and its broad confidentiality section . . ., Brandt’s access to MTS’ computer(s) exceeded his authorized use.” Id.

Narrow Interpretation of CFAA’s Jurisdictional “Loss” Requirement

A district court in Illinois last week granted summary judgment to a defendant on a Computer Fraud and Abuse Act (“CFAA”) claim by narrowly interpreting the jurisdictional “loss” prerequisite under the CFAA to require a showing that the computer was “impaired” or “suffered an interruption of service.” Von Holdt v. A-1 Tool Corp., 2010 WL 1980101 *12 (N.D. Ill. May 17, 2010). The CFAA is the federal computer crime statute that provides for a private right of action for someone “who suffers damage or loss” as a result of a violation of the statute. Title 18, U.S.C. § 1030(g). Von Holdt and at least one other recent case requiring an actual showing of impairment or interruption of service to prove “loss” are contrary to established law interpreting the CFAA and the CFAA’s legislative history.

As a predicate for filing most CFAA civil actions, it is necessary to show that the offense caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Title 18, U.S.C. § 1030(c)(4)(A)(i)(I). “Loss” is defined by the CFAA to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Title 18, U.S.C. § 1030(e)(11).

The prevailing interpretation of “loss” is found in the First Circuit Court of Appeals’ decision in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584-85 (1st Cir. 2001). In that case the plaintiff “paid $20,944.92 [to a computer forensic expert] to assess whether their website had been compromised.” Id. at n.17. The court rejected the defendants’ claim “that such diagnostic measures cannot be included in the $5,000 threshold because their actions neither caused any physical damage nor placed any stress on EF’s website.” Id. The court held “[t]hat the physical components were not damaged is fortunate, but it does not lessen the loss represented by consultant fees.” Id. at 585. The court explained that:

To parse the words in any other way would not only impair Congress’s intended scope of the Act, but would also serve to reward sophisticated intruders. As we move into an increasingly electronic world, the instances of physical damage will likely be fewer while the value to the victim of what has been stolen and the victim’s costs in shoring up its security features undoubtedly will loom ever-larger. If we were to restrict the statute as appellants urge, we would flout Congress’s intent by effectively permitting the CFAA to languish in the twentieth century, as violators of the Act move into the twenty-first century and beyond.

Id. at 585.

At the time of the EF Cultural decision the CFAA did not define “loss.” Shortly after EF Cultural was handed down the CFAA was amended to include, among other things, the definition of “loss” set forth above. The legislative history, however, is clear that this and other amendments to the CFAA were not intended to change the scope of the protections of the CFAA afforded to a civil plaintiff. United States Representative Jerrold Nadler in speaking about the amendment on the floor of the House of Representatives specifically clarified that this amendment was not designed to change the current law supporting the CFAA. Representative Nadler stated as follows:

Mr. Speaker, I rise to make a clarification to ensure that the legislative language of the bill reflects the reality of technology today and will not affect the status of pending civil actions brought under Section 1030. We need to encourage our businesses to protect their information and computer systems with redundant systems, and we must be careful not to limit legal protection to only one computer when an entire network may be affected.

As I understand the bill, the parenthetical in 1030(a)(5)(B)(i) is not meant to change current law or inhibit the ability of a corporate Section 1030 plaintiff to base a claim upon loss incurred in connection with a database that is run from more than one server or other computer. In light of the interest in greater Internet security that is demonstrated by this legislation, and the need for data and server redundancy, which minimize potential risks to data integrity, such system redundancy is very important. The section amending 18 U.S.C. 1030 should not be read to undermine the current state of the law or the goals behind data and system redundancy.

Von Holdt does not address EF Cultural or this legislative history. Instead, it simply followed another district court decision, Mintel v. Neergheen, 2010 WL 145786, at *10 (N.D. Ill. Jan. 12, 2010), which held that “[t]he alleged loss must relate to the investigation or repair of a computer or computer system following a violation that caused impairment or unavailability of data or interruption of service” (emphasis in original). Von Holdt at *11. As the First Circuit pointed out, there is no good reason why there has to be actual impairment or interruption of service to prove “loss.”

Indeed, just last week another district court in Manhattan correctly stated what a plaintiff must establish to prove “loss,” when it recognized that “[t]he term ‘loss’ has been construed to mean a ‘cost of investigating or remedying damage to a computer, or a cost incurred because the computer’s service was interrupted,’” Marketing Technology Solutions, Inc. v. Medizine LLC, 2010 WL 2034404, *7 (S.D.N.Y. May 18, 2010), quoting Nexan Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468, 475 (S.D.N.Y. 2004) (emphasis added).

Von Holdt and Mintel can only be explained as part of a growing trend among a number of federal district courts that are hostile to employers using the CFAA to sue employees who steal trade secret protected data from the company computers. This lower court effort to limit the CFAA is similar to what happened with the Racketeer Influenced and Corrupt Organizations Act (“RICO”), which various district courts repeatedly attempted to limit, only to be pushed back by the U.S. Supreme Court. The Supreme Court, of course, has yet to interpret the CFAA.

How Do You Sue an Unknown Hacker?

The question was answered this week by a federal district court in Connecticut in the case of GWA, LLC v. Cox Communications, Inc. and John Doe, 2010 WL 1957864 (D.Conn. May 17, 2010). When the company computer is hacked, the only evidence that is usually available on the hacked computer to identify the hacker is the Internet Protocol (“IP”) address left behind by the hacker. The IP address is a unique number assigned to every computer connected to the Internet by an Internet Service Provider (“ISP”) through which the computer connects to the Internet.

Armed with the identity of the owner of the hacker’s IP address, the computer owner is able to file a federal lawsuit against the hacker under the federal Computer Fraud and Abuse Act (“CFAA”), Title 18, U.S.C. § 1030(g). The CFAA is the federal computer crime statute which provides for civil relief for any victim who “suffers damage or loss by reason of a violation of” the statute. In GWA the district court granted a petition by a corporate plaintiff to obtain pre-action discovery from Cox Communications, the ISP that owns the address, to identify the ISP account associated with the IP address. The court relied upon Fed.R.Civ.P. 27, which permits discovery before the filing of a federal action to perpetuate testimony to “prevent a failure or delay of justice.” Rule 27(a)(3).

To obtain such pre-action discovery it is necessary under Rule 27(a)(1) to file a petition showing:

(A) that the petitioner expects to be a party to an action cognizable in a United States court but cannot presently bring it or cause it to be brought;
(B) the subject matter of the expected action and the petitioner’s interest;
(C) the facts that the petitioner wants to establish by the proposed testimony and the reasons to perpetuate it;
(D) the names or a description of the persons whom the petitioner expects to be adverse parties and their addresses, so far as known; and
(E) the name, address, and expected substance of the testimony of each deponent.

The court also held that the “petitioner must show that absent prompt discovery, the testimony might be lost to a prospective litigant without immediate action.” GWA at *1.

The court found that the Petitioner made a proper showing under Rule 27 including “that it expects to be a plaintiff in an action against respondent John Doe related to Doe’s alleged unauthorized access into its computer systems,” that it “described the expected adverse party, respondent John Doe, even if it is currently unable to identify that party,” and that the ISP “Cox Communications will not maintain the requested testimony as needed by petitioner and the information will be lost or destroyed.” Id.

In short, Rule 27 and the recently decided GWA case provide an aggressive road map companies can follow to identify and sue hackers who gain access to their computers to steal or destroy data. The key to using this procedural device to gather sufficient evidence to file a federal lawsuit against the hacker for violating the CFAA is the universally recognized fact that “[e]lectronic evidence can easily be erased and manipulated” and thus is likely to be lost or destroyed unless immediate action is taken to preserve it. Physicians Interactive v. Lathian Systems, Inc., 2003 WL 23018270 *10 (E.D. Va. Dec. 5, 2003).

Pennsylvania District Court adopts Brekka

The Magistrate Judge in Consulting Professional Resources, Inc. v. Concise Technologies LLC, 2010 WL 1337723 (W.D. Pa. March 9, 2010) held that the CFAA does not apply to an employee who removed trade secret protected data from the company computer and provided it to a competitor immediately prior to leaving her employer to become employed by that competitor. The court recognized that “[t]he Court of Appeals for the Third Circuit has not taken a position on the ‘unauthorized access’ debate, but it has recognized the trend among employers to employ the ‘CFAA’s civil remedies to sue former employees and their new companies who seek a competitive edge through wrongful use of information from the former employer’s computer system.’ P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, 428 F.3d 504, 510 (3d Cir. 2005).” Id. at *6. The court pointed out that “[t]he district courts throughout the Third Circuit, however, have grappled with the issue and have reached divergent results.” Id.

U.S. Companies Misrepresenting EU Data Protection Directive Safe Harbor Compliance Risk Federal Trade Commission Enforcement Action

U.S. companies that transfer personal data from the European Economic Area (EEA) (i.e., the 27 Member States of the European Union (EU) and Iceland, Liechtenstein and Norway) to the United States, and misrepresent that they have self-certified under the Safe Harbor framework, risk Federal Trade Commission (FTC) enforcement action under Section 5 of the Federal Trade Commission Act.

EU Data Protection Directive

By way of background, a company that transfers personal data from the EEA to the United States must comply with the EU Data Protection Directive (95/46/EC). Personal data means information about any identified or identifiable natural person (e.g., a person’s address, credit card number and bank statements). Transfers include sending paper documents via post or electronic documents via e-mail. In general, transfers of personal data from the EEA to the U.S. are prohibited unless they qualify for one of the following exceptions: (i) the data subject freely and unambiguously provides specific consent, (ii) the transfer is necessary on various grounds (i.e., performance or conclusion of a contract, legally required for the public interest or legal claims, or protection of the vital interests of the data subject) or (iii) the transfer is made from a register intended to provide information to the public in accordance with law. If no exception is available, a company may utilize one of the following methods to comply with the Directive: (A) use a model contract signed by both the EU data exporter and U.S. data importer, (B) adopt binding corporate rules approved by the EU countries from which personal data is to be transferred or (C) self-certify to the U.S. Department of Commerce under the Safe Harbor framework initially and thereafter self-certify on an annual basis. The FTC serves as a backstop enforcement authority for the Safe Harbor framework.

Self-Certification under the Safe Harbor Framework

To self-certify under the Safe Harbor framework, a company agrees to develop and publicly disclose a privacy policy that entails complying with seven Safe Harbor principles (i.e., notice, choice, onward transfer, access, security, data integrity and enforcement). In addition, a company must establish and implement an independent recourse mechanism (i.e., cooperate and comply with EU Data Protection Authorities or utilize a private sector dispute resolution program). A company also must accept the jurisdiction of the FTC (or the U.S. Department of Transportation in the case of air carriers and ticket agents). Finally, a company must submit a self-certification to the U.S. Department of Commerce. Not less than annually, Safe Harbor compliance must be monitored and verified (including reviewing policies and procedures) and a new self-certification must be submitted to the U.S. Department of Commerce.

FTC Enforcement Actions

In July 2009, the FTC brought its first enforcement action, obtaining a temporary restraining order against a U.S. company – Balls of Kryptonite – that advertised on its websites that it had self-certified, where there was no record of its participation in the Safe Harbor, in violation of Section 5 of the Federal Trade Commission Act. The order prohibited this company from misrepresenting the extent to which it was a member of, adhered to, complied with, was certified by, was endorsed by or otherwise participated in any privacy, security or other compliance program sponsored by any government or third party. According to the FTC, the company ultimately stipulated to a preliminary injunction.

The FTC subsequently brought enforcement actions against six other U.S. companies – World Innovators, ExpatEdge Partners (a Minnesota company), Onyx Graphics, Directors Desk, Collectify and Progressive Gaitways. The FTC issued consent orders in November 2009 and in January 2010 settling charges that these companies falsely claimed to have complied with the Safe Harbor framework in violation of Section 5 of the Federal Trade Commission Act. Each company previously had self-certified under the Safe Harbor framework. However, each company had failed to self-certify annually as required by the Safe Harbor framework, yet represented through privacy policies and statements on its website that it was a current participant in the Safe Harbor. These orders, which are in effect for approximately 20 years, require that the companies in question (i) not misrepresent expressly or by implication the extent to which they are a member of, adhere to, comply with, are certified by, are endorsed by or otherwise participate in any privacy, security or other compliance program sponsored by the government or any other third party; (ii) file with the FTC written reports regarding the manner and form of their compliance with the orders; and (iii) maintain and upon request make available to the FTC copies of all documents relating to compliance with the orders for 5 years. The companies also could be subject to civil penalties if they engage in any such misrepresentations going forward.

Conclusion

U.S. companies need to be careful with the language they use in their privacy statements and other public documents regarding their self-certification status or compliance with the Safe Harbor or the seven Safe Harbor principles. Before representing that they adhere to the Safe Harbor framework, U.S. companies should ensure that they have in fact self-certified with the U.S. Department of Commerce and formally renewed their Safe Harbor compliance registration each year.

By: Melissa Krasnow, Partner, Dorsey Minneapolis Office; Barry D. Glazer, Partner and Co-head of Dorsey London Office; and Harriet Bildsten, Associate, Minneapolis Office