California Court Grants Summary Judgment to Cisco Systems on Computer Fraud and Abuse Claim, Holding that Brekka Does Not Apply to Ex-Employees

Last week a federal district court in California granted Cisco Systems, Inc. summary judgment on its Computer Fraud and Abuse Act (“CFAA”) claim against an ex-employee who “on multiple occasions and without authorization, . . . used a Cisco employee’s password to gain access to Cisco’s computer systems and download Cisco’s proprietary and copyrighted software.” Multiven, Inc. v. Cisco Systems, Inc., 2010 WL 2889262 *2 (July 20, 2010). This decision underscores the importance of instituting proper corporate computer policies as a predicate to using the CFAA as a tool to protect company data.

Peter Alfred-Adekeye (“Adekeye”), the ex-employee, had founded Multiven, Inc. after he left his employment at Cisco. Multiven “purports to provide service and maintenance support for router and networking systems, including those placed in the market by Cisco.” Id. at *1. The court held that Adekeye accessed Cisco’s computer system without authorization, a key element to finding that Adekeye had violated the CFAA, and that his ex-employment status provided an exception to the Ninth Circuit’s rule in LRVC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009), that an employee cannot access the company computer without authorization because an employee, as part of his responsibilities, is authorized to use the company computers.

The court quoted Brekka’s holding that “’a person uses a computer ‘without authorization’ … when the person has not received permission to use the computer for any purpose … or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.’” Id. at 3, Brekka, 581 F.3d at 1135. The court found that “there is no evidence that any privileges . . . [Adekeye] had as an employee to access secure areas of the Cisco website extended beyond his employment” and that Cisco had “presented unrebutted evidence that upon leaving Cisco’s employ, neither Adekeye nor Multiven had Cisco’s permission or authorization to access Cisco’s network.” Id. at 3.

The court rejected Adekeye’s defense that he was authorized to access Cisco’s computer network by a current Cisco employee who had supplied him with his login and password. The court held that the Cisco employee’s actions “did not constitute a valid authorization” because it was “undisputed that an employee’s giving his login and password to Adekeye was a violation of Cisco’s policies.” Id.

In light of this case the obvious question to be asked is does your company computer policy prohibit employees from providing their user names and passwords to others? In another case decided this month in Connecticut, Westbrook Technologies, Inc. v. Wesler, 2010 WL 2826280 *7 (D. Conn. July 15, 2010 the court, in applying Brekka, found that a current employee “had authority to grant . . . [an ex-employee] direct access to the [company] database.” This is clearly a situation every company should avoid and can avoid with proper computer policies.

Two District Courts in the Second Circuit Follow Brekka To Dismiss Computer Fraud and Abuse Claims against Employees

Last week two federal district courts, one in Connecticut and the other in Manhattan, followed LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009) in dismissing Computer Fraud and Abuse Act (“CFAA”) claims brought against employees who stole company data. In neither case did the plaintiff company employer rely on company computer policies or agreements limiting or defining the scope of an employee’s access to the company computers.

In University Sports Publications Co. v. Playmakers Media Co., 2010 WL 2802322 (S.D.N.Y. July 14, 2010) University Sports Publications (“USP”) alleged that both a current employee and a former employee stole confidential and proprietary data from its database containing “customer leads and historical sales data,” and that the data was stolen for the benefit of a competitor, Playmakers Media. The court relied upon Brekka to find that the current employee could not have violated the CFAA because he “was entitled to access all information on the database,” and there was no “evidence that . . . [the employee’s] authority to copy, download or otherwise gather information from the database was limited.” Id. at *5. As to the former employee, the court found that there was a genuine issue of fact as to whether that employee personally accessed the database after he left USP’s employ as opposed to receiving the stolen data from USP’s current employee.

The second case is Westbrook Technologies, Inc. v. Wesler, 2010 WL 2826280 (D. Conn. July 15, 2010). Brent Wesler was employed by Westbrook Technologies, Inc. (“WTI”) “as its Vice President of Promotional Services. In that capacity he had “full and unique access to WTI’s software source codes and software proprietary to WTI and also had access to other confidential and proprietary customer lists, customer information and marketing plans and other information and material.” Id. at *2.

After Wesler left WTI to join a competitor, “WTI discovered that, while still employed at WTI, Wesler forwarded electronic communications to IBS [his new employer] containing sets of programming code developed and owned by WTI.” Id. The court relied upon Brekka for the proposition “that the CFAA’s prohibition of improper “access” does not encompass an employee’s misuse or misappropriation of information that the employee lawfully accessed.” Id. at *3.

The lesson for companies from both cases is to institute proper computer policies to limit the scope of their employee’s access to the company computers.

Dismissal of CFAA Claim for Lack of Jurisdiction

The National Law Journal
July 5, 2010
An ALM publication
Daily updates at NLJ.COM

Under Computer Fraud and Abuse Act, plaintiff must properly specify a $5,000 loss or case will be tossed.

BY NICK AKERMAN

The Computer Fraud and Abuse Act (CFAA) is the omnibus federal computer crime statute outlawing theft and destruction of data, hacking, use of viruses, theft of passwords and extortionate threats to damage computers. 18 U.S.C. 1030. Any business or individual “who suffers damage or loss by reason of a violation of the” CFAA is entitled to sue for “compensatory damages and injunctive relief.” However, for there to be subject matter jurisdiction over most CFAA civil suits, the plaintiff must prove that the violation caused “loss to 1 or more persons during any 1-year period…aggregating at least $5,000 in value.” § 1030(c)(4)(A)(i)(I).

THE PRACTICE
Commentary and advice on developments in the law

The $5,000 in loss is not general damages but specific categories of costs to the CFAA victim. Failure to allege and prove these specific categories is fatal to the court’s jurisdiction, resulting in dismissal. This article will survey the current state of the law on what “loss” means and will highlight the pitfalls to avoid in drafting and prosecuting a CFAA action. “Loss” is defined in the statute as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 1030(e)(11). The $5,000 loss requirement reflects “Congress’ general intent to limit federal jurisdiction to cases of substantial computer crimes.” In re Doubleclick, Inc. Privacy Litigation, 154 F. Supp. 2d 497, 522 (S.D.N.Y. 2001).

As an initial matter, “to establish a viable CFAA claim,” the plaintiff must show the costs associated with the “loss” “were reasonable” and “directly causally linked to…the alleged CFAA violation.” A.V. v. iParadigms LLC, 562 F.3d 630, 646 (4th Cir. 2009). The causation requirement has been interpreted “to incorporate traditional principles of tort causation.” Global Policy Partners LLC v. Yessin, 686 F. Supp. 2d 642, 647 (E.D. Va. 2010). Thus, in determining whether a plaintiff has proven “loss,” a jury can “consider only those costs that were a ‘natural and foreseeable result’ of Defendants’ conduct.” U.S. v. Middleton, 231 F.3d 1207, 1213 (9th Cir. 2000).

The first category of “loss” set out in the statute is “responding to an offense” by “conducting a damage assessment” and “restoring” the computer system “to its condition prior to the offense.” The classic example of this type of loss was upheld in Middleton, in which Nicholas Middleton, a disgruntled former computer administrator for an Internet service provider, entered the company’s computer network and “changed all the administrative passwords, altered the computer’s registry, deleted the entire billing system (including programs that ran the billing software) and deleted two internal databases.” Id. at 1209.

At trial, the government offered proof of $10,092 in loss, required to support a five-year felony, based on the “hourly rates (calculated using their annual salaries)” of the victim company’s employees to respond to Middleton’s offense by investigating and repairing the damage caused to the company computer network. That amount also included the cost of recreating the destroyed databases and the cost of a consultant and new software. Id. at 1214. In addition, lost revenue to the business caused by an employee having to respond to an offense instead of conducting the operations of the business “may qualify as losses under the CFAA.” iParadigms, 562 F.3d at 651.

FORENSIC COMPUTER EXAMINATIONS

The cost of an outside forensic examiner to determine whether a Web site had been “compromised” as a result of a CFAA violation may also constitute “loss.” EF Cultural Travel B.V. v. Explorica Inc, 274 F.3d 577, 584, n.17 (1st Cir. 2001). The court in EF Cultural Travel rejected the defendants’ argument that “such diagnostic measures” do not constitute “loss” when there is no “physical damage” to the plaintiff’s Web site. Id. at 585. While EF Cultural Travel represents the prevailing law adopted by most federal courts, there are several district courts that have recently refused to find loss based on a forensic computer investigation when the plaintiff presented no evidence of “damage to its computers or that it suffered any service interruptions.” von Holdt v. A-1 Tool Corp., 2010 WL 1980101, at *12 (N.D. Ill. May 17, 2010). These cases ignore the plain language of the CFAA’s definition of “loss,” which clearly differentiates between costs of responding to an offense and costs related to interruption of service.

Nonetheless, simply paying for a forensic investigator to conduct an investigation without a focus on the CFAA’s requirements of “loss” is insufficient. In Chas. S. Winner Inc, v. Polistina, 2007 WL 1652292, at *4 (D.N.J. June 4, 2007) the court dismissed the CFAA claim because the plaintiff alleged no facts showing that the amount paid to the investigator “was related to investigating or remedying damage to the computer, or due to interruption of the computer’s service.” Absent such evidence, the court was left to assume that the investigation simply related to the “recovery” of evidence to prove the CFAA violation rather than responding to or remediating the offense.

Nor can “loss” be proved by “costs incurred investigating business losses, unrelated to actual computers or computer services.” Nexans Wires S.A. v. Sark-USA Inc.,166 Fed. Appx. 559, 563 (2d Cir. 2006). In Nexans Wires, the plaintiff argued that it satisfied the CFAA’s “$5,000 loss requirement because it spent approximately $8,000 to send its executives from Germany to New York to investigate the misappropriations of its stored data.” The court found that the plaintiff failed to prove “loss” because there was no connection between the travel costs incurred by its executives in visiting New York City and ” ‘any type of computer investigation or repair,’ or any preventative security measures or inspections.” Id.

Also, the investigation must relate to the computer that was the subject of the CFAA violation. In Doyle v. Taylor, 2010 WL 2163521 (E.D. Wash. May 24, 2010), Aaron Doyle, claimed that the defendant stole his thumb drive and disseminated copies of the documents on the thumb drive via the Internet. To prove the requisite $5,000 in “loss,” Doyle submitted affidavits from a computer forensic examiner “detailing the work he anticipates would be required to determine what files were copied from the thumb drive and stored on other computers.” Id. at *2. The court found that “examining others’ computer systems and deleting misappropriated files” from those other computers is “outside the intended scope of the” CFAA. Id. at *3.

The second independent category of “loss” is lost revenue, costs “or other consequential damages incurred because of interruption of service.” In Nexans Wires, the plaintiff, in addition to its executives’ travel expenses, claimed that the “defendants’ misappropriation of its confidential data caused it to lose ‘profits of at least $10 million.’ ” 166 Fed. Appx. at 562. The court held that “the plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption of service.'” Because there was no interruption of service, the plaintiff’s “asserted loss of $10 million is not a cognizable loss under the CFAA.” Id. at 563.

A motion to dismiss based on a failure to plead proper “loss” is a challenge to the court’s jurisdiction, and therefore the plaintiff must respond “with rebuttal evidence.” Polistina, 2007 WL 1652292, at *4. Given that procedural posture, it is critical that, before filing a CFAA action, a plaintiff carefully formulate its theory of “loss” in conformance with the holdings of the above-described judicial opinions detailing the types of factual circumstances that properly constitute “loss.” In doing so, the complaint must allege:

• “[S]pecific details from which a factfinder could calculate an amount of loss,” Taylor, 2010 WL 2163521, at *3, which can neither be speculative nor conclusory and are reasonable and not overreaching.

• Losses that are linked directly to the CFAA violation and the computer that was the object of the violation.

In Yessin, the court refused to consider plaintiffs’ proper categories of loss- “expenses incurred in…establishing, configuring, and designing a new web site and e-mail addresses” because the plaintiff failed “to provide evidence that may properly be considered on summary judgment” and failed to prove “that certain of these expenditures were a reasonably necessary response to the alleged CFAA violations, as required to prove a causal link.” 686 F. Supp. 2d at 648. Yessin underscores the need for carefully developing the factual basis for loss before filing the CFAA action.

Reprinted with permission from the July 5, 2010 edition of THE NATIONAL LAW JOURNAL (c) 2010 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, reprints@alm.com or visit www.almreprints.com. #005-07-10-12