No New iPhone 4 for Convicted CFAA Felon Randall Craig

One person you will not see waiting in line to buy the new iPhone 4 at the Apple Store is Randall Craig, who pleaded guilty to violations of the Computer Fraud and Abuse Act (“CFAA”). Craig, a subcontractor at the Marine Corps Reserve Center, communicated by email with an undercover FBI agent posing as a Chinese agent. In the course of their dealings Craig provided the FBI agent with the names and Social Security numbers of approximately 17,000 Marine employees from a private Marine database in exchange for $500.

During their email correspondence, Craig told the agent that he had tried to sell the data to other countries and said, “I’m a hacker. Even if I was caught, I’d get out of jail and keep hacking.” U.S. v. Craig, 2010 WL 2546082 *1 (5th Cir. June 23, 2010). After Craig was arrested and indicted, he pled guilty to exceeding authorized computer access in violation of the CFAA, 18 U.S.C. § 1030(a)(2)(B) and (c)(2)(B)(i).

Despite his claim to be able to get out of jail, the court sentenced him to 6 years in prison. But the court did not stop there. So that he would not “keep hacking,” the court “also imposed three years of supervised release, during which Craig would be ‘prohibited from access to computers of any type or access to any device that can interface with the Internet, including cell phones and any other electronic devices.’”

Craig appealed to the Fifth Circuit Court of Appeals the restriction on his use of a cell phone. He argued “that the effects of the restriction on his ability to communicate with others and to obtain employment call for reversal,” claiming that “the burden imposed by the cell-phone ban is quite high.” The court found that the district court’s prohibition on the use of a cell phone was not plain error justifying reversal because “the district court was reasonably concerned about potential access to the Internet and the condition reaches only cell phones that can access the Internet.” Recognizing that there was no precedent for this ban on cell phones in the 5th Circuit, the court pointed out that “other courts have allowed bans on all cell phones or placed the decision in the probation officer’s discretion.” Id.

Sorry, Craig, no iPhone for you.

Investigating Ways to Make Website More Secure Constitutes Loss Under the Computer Fraud and Abuse Act

A federal court in Ohio last week held that the cost of investigating ways to make a website more secure after an unauthorized access to the website in violation of the Computer Fraud and Abuse Act (“CFAA”) constitutes “loss” for purposes of meeting the $5,000 jurisdictional amount for loss under the CFAA. Jedson Engineering, Inc. v. Spirit Construction Services, Inc., 2010 WL 2541619 *19 (S.D. Ohio June 18, 2010).

The court rejected the defendant’s motion for summary judgment on Jedson’s CFAA claim, which had argued that Jedson had not met the $5,000 jurisdictional amount for loss required by the CFAA. Jedson relied on the affidavit of the person “who was involved in the set-up and management of the . . . website” and who attested “that as a result of the unauthorized access of the website by Baisch, he was asked to investigate ways to make the website more secure.” Id. Baisch, however, asserted “that Jedson cannot recover for costs associated with investigating ways to make the website more secure” and “that the statute only allows recovery for costs associated with investigating and remedying damage to a computer, or a cost incurred because the computer’s service was interrupted.” Id.

In rejecting Baisch’s argument, the court held that “Jedson can recover for costs associated with investigating ways to make the website more secure” because “the statute itself provides that losses comprise costs incurred in ‘responding to an offense’ and ‘restoring the data, program, system or information to its condition prior to the offense.’” 18 U.S.C. § 1030(e)(11); Id.

Next week, in my column in the National Law Journal, I will provide a comprehensive, up-to-date summary of where the courts stand in interpreting the CFAA’s jurisdictional loss requirement, and I will post that article on this site.

New York Court: CFAA Does Not Apply to Company Executives

A New York court held that the Computer Fraud and Abuse Act’s (“CFAA”) prohibition against unauthorized access does not apply to corporate executives who stole confidential and proprietary information from the company computers because, as company executives, they had been “granted unfettered access to . . . [the company’s] computer system and information residing on it.” Orbit One Communications, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 386 (S.D.N.Y. 2010). While recognizing that “Courts have interpreted the CFAA’s prohibitions of ‘access without authorization’ and ‘exceed[ing] authorized access’ in two different ways,” and that the “Second Circuit has not addressed the issue squarely,” id. at 385, the court opted for the narrow interpretation for three reasons.

First, the court relied on the language of the statute, which “does not prohibit misuse or misappropriation.” Id. at 385. Thus, the court held that “reading the phrases ‘access without authorization’ and ‘exceeds authorized access’ to encompass an employee’s misuse or misappropriation of information to which the employee freely was given access and which the employee lawfully obtained would depart from the plain meaning of the statute.” Id. In rejecting Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006), the court does not explain why the statute should not be interpreted in the context of the law of agency, i.e., once the employee decides to access the computers for a purpose that violates his fiduciary duty to his employer, the agency relationship, and therefore the authorization to access the company computers, terminates.

Neither this case nor any of the cases rejecting Citrin mention Carpenter v. United States, 484 U.S. 19, 27 (1987), in which the Supreme Court employed the Restatement (Second) of Agency, relied upon by Citrin, to interpret the scope of the mail and wire fraud statutes and to affirm the convictions of a Wall Street Journal reporter who, prior to publication, had provided his upcoming financial columns to his confederates, who bought or sold stock “based on the probable impact of the column on the market.” Id. at 23. Relying on the Restatement, the Court held that “an employee has a fiduciary obligation to protect confidential information obtained during the course of his employment” and that intentionally exploiting that information for his own personal benefit was a scheme to defraud his employer of confidential information outlawed by the mail and wire fraud statutes. Id. Just as the Restatement prescribes the duty of an employee, in the context of the mail and wire fraud statutes, to safeguard his employer’s confidential information, there is no valid reason why it does not also prescribe the scope of an employee’s authority to access his employer’s computer in the context of the CFAA.

Second, the court found that “the statute as a whole indicates Congress’s intent to prohibit access of a computer without authorization, not an employee’s misuse of information that he or she was entitled to access or obtain.” Id. Thus, the court specifically read the CFAA’s definitions of “damage” and “loss” to conclude that the statute was aimed at hacking and not the misuse or misappropriation of computer data. Id. at 385-86. The CFAA’s definitions of “damage” and “loss,” however, do not purport to limit the CFAA to hacking as opposed to misuse or misappropriation of information. The CFAA’s $5,000 loss requirement simply reflects “Congress’ general intent to limit federal jurisdiction to cases of substantial computer crimes.” In re Doubleclick, Inc. Privacy Litigation, 154 F.Supp.2d 497, 522 (S.D.N.Y. 2001). The definition of “damage” relates to certain provisions of the CFAA which require proof of damage to the computer and do not differentiate between damage caused by a hacker and damage caused by a company insider. 18 U.S.C. § 1030(e)(8).

Third, the court relied on the rule of lenity, under which a criminal statute is interpreted narrowly so as to provide fair warning of the conduct it clearly covers. Thus, the court concluded that “[i]t would be imprudent to interpret the CFAA, in a manner inconsistent with its plain meaning, to transform the common law civil tort of misappropriation of confidential information into a criminal offense.” Id. at 386. In short, Orbit One Communications is simply expressing what many district courts do not like about the CFAA – the statute is federalizing the theft of trade secrets, an area of law that has traditionally been the province of state law remedies.

California Court Holds that an Employee Can Be Sued Under the CFAA for Deleting Company Files

Without referring to its Circuit’s controlling decision of LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), a federal district court in San Jose, California permitted a Computer Fraud and Abuse Act (“CFAA”) claim to proceed against an ex-employee for deleting files from her former employer’s computer. KLA-Tencor Corp. v. Murphy, 2010 WL 1912029 *6-*7 (N.D. Cal. May 11, 2010). This case is significant because it allows a CFAA claim for unauthorized access to be predicated on an employee agreement requiring an employee to return company records at the time of termination from the company. This decision is contrary to another district court decision in the same federal judicial district — U.S. v. Nosal, 2010 WL 934257 *7 (N.D. Cal. Jan. 6, 2010) — leaving open the question of whether, in the 9th Circuit, employer policies can be used to define an employee’s authorization to access the company computers.

Brekka held that an employee’s authorization to access the company computer cannot be based on the law of agency. Instead, the court held that the Computer Fraud and Abuse Act does not apply to employee theft from the company computers because an employee has permission from his employer to use the company computers and therefore cannot access the company computers “without authorization,” a critical element of most CFAA violations. Id. at 1133. The earlier case, Nosal, 2010 WL 934257 at *7, recognized that “Brekka provides some indication, in dicta, that an employer might be able to define the scope of an employee’s access in terms of how the employee uses the information obtained from the computer system.” Nosal, however, held that despite this dicta, the underlying rationale in Brekka, which forbids consideration of the employee’s motive for accessing the computer, does not allow lack of authorization to be based on “corporate policies governing use of information.” Id.

KLA-Tencor does not acknowledge Nosal but interprets Brekka to allow authorization to be established by company policies. The plaintiff KLA-Tencor (“KT”) is a high-tech company that offers solutions for the semiconductor and related microelectronics industries. Ruixia Chen, a KT employee, left KT to join a newly created competitor company, Inspecstar, LLC, which was also named as a defendant. A computer forensic investigator who examined Chen’s company computer found that prior to leaving KT, Chen had used a software cleaning/wiping program called Evidence Eliminator to delete all of her emails, documents and internet history files.

The forensic examination also revealed that on her last day of work Chen “had accessed a number of files . . . including product and customer service analyses that KT considers confidential” and that “after the files were accessed and after . . . Evidence Eliminator had been deleted from the computer, an external 500 gigabyte storage device had been connected to the computer.” Id. at *4. “The [computer forensic] examiner concluded that ‘files were probably copied over to a removable storage device.’” Id. A subsequent review of Chen’s personal home hard drive revealed that it “contained files belonging to KT, some labeled ‘confidential.’” Id. Chen claimed that she had only deleted personal files and had “only copied photographs and other personal information” to the hard drive. Id.

In arguing that Chen’s access to the computer was not authorized, KT relied on its employee agreement with Chen “requiring surrender of all proprietary information upon termination of employment [to] mean that KT employees are not authorized to delete confidential KT information residing on their computers.” Id. at *7. Based on the evidence presented by KT and Chen, the court denied KT’s motion for summary judgment on the CFAA claim, finding that there “remains a genuine issue of material fact” for a jury. Id.

Alabama District Court: CFAA Does Not Apply to Employees

Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F.Supp.2d 1267 (M.D. Ala. 2010) recently followed the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009). The case alleges a classic employee theft of competitively sensitive data from the company computers for use at a competing business. Bell Aerospace Services fired one of its officers, who two months later founded a competing company, U.S. Aero Services, and then recruited seven Bell Aerospace Services employees to join him at the new company.

While the seven employees were still employed by Bell Aerospace Services, they were alleged to have stolen intellectual property from the company computers. Bell Aerospace Services sued U.S. Aero, two of its officers, and the seven former employees for, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”) for accessing the company computers without authorization or in excess of their authorizations.

The court granted summary judgment to the defendants on the CFAA claims on the basis of Brekka. Thus, the court found that “[t]he seven former Bell Aerospace [employees] accused of accessing the company computers without authorization were each employed at the company while accessing its computers and each had permission to do so; therefore, each had ‘authorization’ to access the computers and the materials found on its server” and had not exceeded their authorized access. 690 F.Supp.2d at 1272-73. The court expressly rejected the holding in International Airport Centers, LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) that an employee’s authorization to access the company computer is governed by the law of agency. Citrin holds that once an employee, the agent, decides to access the company computer for a purpose that breaches his duty of loyalty to his principal, the employer, the employee thereby voids the agency relationship and his authorization to access the company computers.

In adopting Brekka the court approved Brekka’s reasoning that even if the phrase “without authorization” is ambiguous, it should be read narrowly because the CFAA is a criminal statute:

It is imperative when dealing with a criminal statute that “defendants are on notice as to which acts are criminal.” Brekka, 581 F.3d at 1135.  Thus, “ambiguity concerning the ambit of criminal statutes should be resolved in favor of lenity,” Rewis v. United States, 401 U.S. 808, 812, 91 S.Ct. 1056, 28 L.Ed.2d 493 (1971), which “requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government,” Brekka, 581 F.3d at 1135. While the plain language of the CFAA dictates reading “without authorization” to mean “without permission or access,” a finding of ambiguity would necessarily lead to the same result.

What is remarkable about the Bell Aerospace Services decision is that the court ignored controlling precedent in its own Circuit at odds with Brekka — U.S. v. Salum, 257 Fed. Appx. 225, 230-31 (11th Cir. 2007) — which upheld the criminal conviction of an employee under the CFAA for stealing information from the employer’s computer. Specifically, Salum held that there was sufficient evidence for the jury to convict a police officer with the Montgomery, Alabama Police Department of violating the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that “there was sufficient evidence to establish that he knew [that he was providing the information to a private investigator who was not supposed to receive it] and that by providing information from the NCIC database, Salum exceeded his authority by accessing it for an improper purpose.” Id. at 230.

The evidence in Salum on exceeding authorized access was strikingly similar to the evidence in Bell Aerospace Services. In Salum the Montgomery Police Department had rules expressly limiting the dissemination of the database information to law enforcement employees, and all Montgomery Police Department employees, including Salum, were provided with specific training and certification on these rules. 257 Fed. Appx. at 227. In Bell Aerospace Services each of the seven employees had signed confidentiality agreements promising not to remove any company records used in the performance of their work. 690 F.Supp.2d at 1271. The court nonetheless ignored this evidence in deciding that these seven employees had not exceeded their authorized access to the Bell Aerospace Services’ computers.

Another District Court Dismisses a CFAA Claim for Failure to Allege Jurisdictional Loss

Failure to allege proper “loss” under the Computer Fraud and Abuse Act (“CFAA”) continues to bedevil plaintiffs filing CFAA civil actions. The latest case, decided this week, Devine v. Kapasi, 2010 WL 2293461 *4 (N.D. Ill. June 7, 2010), dismissed a CFAA claim on the ground that it did not allege that the Defendants’ actions “caused … loss to 1 or more persons during any 1-year period … aggregating at least $5,000 in value.” 18 U.S.C. § 1030(c)(4)(A)(i)(I).

One of the Plaintiffs, Jeff Devine, and one of the Defendants, Sabir Kapasi, each owned 50% of a computer-services company called Geus Technology, Inc. After Devine bought out Kapasi’s interest in the company, Kapasi, without authorization, entered the server that belonged to Devine as a result of their buyout agreement and “deleted or otherwise transferred from the Devine Solutions network” “more than 2000 files and 350 file folders containing electronically stored information and communications.” Id. at *2.

The Defendants claimed that “Plaintiffs could not possibly have sustained at least $5,000 in losses as a result of the actions alleged in the complaint” because, as “a technology company, . . . it [Devine Solutions] would have an information back-up system to ensure that the costs associated with any data loss remained minimal–indeed, it would not be acting reasonably if it did not,” and “[t]hus, $5,000 could not be a ‘reasonable cost.’” Id. at *5. The court held that the defendants’ claim “is premature” and dismissed the CFAA claim without prejudice, allowing the plaintiffs to amend their complaint to “attempt to cure the defects in their allegations of loss under the CFAA.” Id.

This is just another of the many recent court decisions that have dismissed CFAA claims for failure to allege or prove the $5,000 in loss required to provide subject matter jurisdiction for a CFAA claim. In my next National Law Journal column, which is due out at the end of this month, I will survey the law on “loss” and provide guidance on the pitfalls to avoid in drafting and prosecuting a civil CFAA action.

New Washington Privacy Law Effective July 1, 2010

Washington is the third state to enact an encryption law and a payment card law.[1] Massachusetts and Nevada enacted encryption laws, and Minnesota and Nevada enacted payment card laws. Since this law takes effect July 1, 2010, any entity that could be subject to it should begin assessing whether it is subject to, and in compliance with, this law.

Applies to Business, Processor and Vendor

This law applies to a business that (i) processes more than six million credit card and debit card transactions annually and (ii) provides, offers or sells goods or services to Washington residents. These typically are merchants that have the highest level of compliance obligations among businesses that process credit cards.

This law also applies to a processor that directly processes or transmits account information for or on behalf of another person as part of a payment processing service, and to a vendor that (i) manufactures and sells software or equipment designed to process, transmit or store account information or (ii) maintains account information that it does not own.

Account information means: (i) the full, unencrypted magnetic stripe of a credit card or debit card; (ii) the full, unencrypted account information contained on an identification device; or (iii) the unencrypted primary account number on a credit card or debit card or identification device, plus cardholder name, expiration date or service code, if not encrypted.

Encrypted means enciphered or encoded using standards reasonable for the breached business or processor, taking into account the business or processor’s size and the number of transactions processed annually.

Liability for Data Breach

A business or processor is liable to a financial institution for reimbursement of reasonable actual costs related to the reissuance of credit cards and debit cards incurred by the financial institution to mitigate potential current or future damages to its credit card and debit card holders resulting from a data breach (even if the financial institution has not suffered a physical injury) if: (i) the business or processor fails to take reasonable care to guard against unauthorized access to account information in its possession or under its control and (ii) this failure is found to be the proximate cause of a data breach. The prevailing party is entitled to reasonable attorneys’ fees and costs incurred in connection with the legal action.

A vendor is liable to a financial institution for the foregoing damages: (i) to the extent that the damages were proximately caused by the vendor’s negligence and (ii) if the claim is not limited or foreclosed by another provision of law or by a contract to which the financial institution is a party.

A data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by a business.[2] Personal information means an individual’s name together with any of the following elements, when both the name and element are not encrypted: (i) Social Security Number, (ii) Washington driver’s license number or identification card number or (iii) account number, credit card number or debit card number, together with any required security code, access code or password permitting access to their financial account.[3]

Encryption

A business, processor or vendor is not liable if: (i) the account information was encrypted at the time of the data breach or (ii) the business, processor or vendor was certified compliant with the payment card industry data security standards, as adopted by the payment card industry security standards council (including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.) and in force at the time of the data breach. The payment card industry data security standards include requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, and are intended to help organizations proactively protect consumer account data.

A business, processor or vendor will be considered compliant if its payment card industry data security compliance was validated by an annual security assessment and this assessment took place no more than one year before the time of the data breach (for this purpose, this security assessment of compliance is nonrevocable).

By: Melissa J. Krasnow and Brett Atwood

[1] Wash. H.B. 1149.
[2] RCW § 19.255.10(4).
[3] RCW § 19.255.10(5).

Courts Adopt Tort Standard to Define CFAA “Loss”

The jurisdictional $5,000 “loss” requirement continues to be one of the most hotly contested issues arising out of civil actions filed under the federal Computer Fraud and Abuse Act (“CFAA”). A Washington State federal court last week entered summary judgment for a defendant on a CFAA claim on the ground that the plaintiff failed to produce evidence showing the $5,000 jurisdictional “loss.” Doyle v. Taylor, 2010 WL 2163521 (E.D. Wash. May 24, 2010). The plaintiff, Aaron Doyle, claimed that the defendant stole his thumb drive and disseminated copies of the documents on the thumb drive over the Internet.

The CFAA defines “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). The CFAA requires a Plaintiff to show that any such loss exceeded $5,000 in a one-year period. 18 U.S.C. § 1030(c)(4)(A)(i)(I). Without a showing of the $5,000 “loss” in the one-year period, the CFAA civil action will be dismissed.

To prove the requisite $5,000 in “loss,” the plaintiff Doyle submitted affidavits from a computer forensic examiner “detailing the work he anticipates would be required to determine what files were copied from the thumb drive and stored on other computers.” Id. at *2. The court found that this claim of “loss” for “examining others’ computer systems and deleting misappropriated files” is “outside the intended scope of the” CFAA. Id. at *3. In effect, the district court appears to be saying that the claimed “loss” of spending money to examine “every computer onto which such information might have been copied” was not proximately caused by the CFAA violation. Id. In other words, the costs of examining third-party computers to find and remove stolen files are too far removed from the violation perpetrated on the computer that was the object of the CFAA violation to be considered “loss” under the statute.

This is the precise standard that had been enunciated earlier this year by a Virginia federal district court in Global Policy Partners, LLC v. Yessin, 686 F.Supp.2d 642, 647 (E.D. Va. 2010), when it adopted the tort standard of causation to decide whether certain costs incurred by the plaintiffs constituted “loss” under the CFAA. Yessin held that the “plaintiffs in this case must show that the losses they claim were the reasonably foreseeable result of the alleged CFAA violations.” Id.