United States Chess Federation Embroiled in Computer Fraud Prosecution

Last week the federal district court in Northern California downgraded felony Computer Fraud and Abuse Act (“CFAA”) counts to misdemeanors against Gregory Alexander, who is charged with accessing “on thirty-four separate occasions . . . without authorization, the Yahoo! email account of Randall Hough, one of the board members of the United States Chess Federation (“USCF”).” U.S. v. Alexander, 2010 WL 3238961 *1 (N.D. Ca. Aug. 16, 2010). In opposing Alexander’s motion to dismiss the felony counts, the government’s papers described “how Alexander’s actions were part of an internal power struggle among the USCF members.”

In reviewing the indictment, the court observed that it was “as factually and legally deficient as any the court has seen in its experience.” Id. This deficiency stemmed from the fact that the indictment charged 34 felony counts under Title 18, U.S.C., § 1030(a)(2)(C) of the CFAA for intentionally accessing a computer without authorization or exceeding authorized access and obtaining information. However, a violation of this section of the CFAA is a misdemeanor unless the government establishes pursuant to § 1030(c)(2)(B) that

(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000

The felony/misdemeanor distinction is significant since a felony carries a maximum sentence of 5 years in prison as opposed to 1 year for a misdemeanor.

The court held that the indictment failed to invoke this felony provision by alleging the requisite tortious or criminal conduct. Id. The court viewed this failure as an obvious oversight “for which the government, at the hearing on the motion, had no explanation.” Id. Thus, the court concluded that the indictment filed against Gregory only alleged misdemeanors as opposed to felonies and gave the government 30 days to “inform defendant and the court whether it intends to seek a superseding indictment or proceed on the remaining thirty-four misdemeanor counts for violations of the CFAA.” Id. at *2.

Conn. District Court Refuses to Dismiss Computer Fraud and Abuse Claims Against Ex-Employee

Without referencing the conflicting positions between LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130-31 (9th Cir. 2009) and Int’l Airport Centers LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006), a Connecticut federal district court refused to dismiss Computer Fraud and Abuse claims brought by an employer against an ex-employee. In Monson v. The Whitby School, Inc., 2010 WL 3023873 (D. Conn. August 2, 2010), Dr. Michelle Monson, former head of the Whitby School, sued her prior employer, the Whitby School, for sex discrimination. The Whitby School counterclaimed against her for violations of the CFAA.

The Whitby School alleged “that during her employment with the school, Dr. Monson gained unauthorized access to the Whitby email server to unlawfully view and delete email messages contained in the email accounts of other Whitby employees,” that “[u]pon learning of her impending termination, . . . Dr. Monson used this unauthorized access to delete more than 1,500 email messages,” and “that after she was terminated, Dr. Monson intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.” Id. at *2.

Dr. Monson moved to dismiss the CFAA counterclaim on the ground that her accessing of the Whitby School’s computer was not “unauthorized.” Applying the Supreme Court’s pleading standard in Ashcroft v. Iqbal, 129 S.Ct. 1937, 1949 (2009) that the allegations in the complaint must be “plausible,” the court held that “[w]hile it may not be “plausible” that Dr. Monson was not authorized to delete emails from her own work-provided inbox while she was employed by Whitby, . . . there is nothing implausible about the allegations that she was not permitted to access her subordinate’s email accounts–much less to delete emails therein–or that she was not permitted to delete software programs, data, and even emails in her own email account once her employment was terminated.” Id. at *3.

As to her argument that “her authority in deleting emails is factually incorrect, based upon the authority she purportedly enjoyed as the Head of School,” the court held that it was based on evidence that had to be reserved for a motion for summary judgment, whereas on a motion to dismiss, “the Court must accept as true Whitby’s allegations, including that Dr. Monson’s actions in deleting data were in excess of her delegated authority.” Id. at *4.

In arriving at its decision, the court took the common-sense approach that unauthorized access to the computers means that the employee’s actions were “beyond the scope of whatever authorization . . . [the employee] had been granted” to access the employer’s computer. Id. at *4. This will be the factual issue on summary judgment or at trial. The Whitby School’s ultimate chances of success on its claims will obviously be enhanced if it had clearly delineated the scope of Dr. Monson’s authorization to access its computers in internal computer policies or in any agreement it might have had with Dr. Monson.

DC and Iowa District Courts Take Opposing Views as to Whether Employees Are Liable Under the Computer Fraud and Abuse Act

In American Family Mutual Insurance Co. v. Hollander, 2010 WL 2851639 *1 (N.D. Iowa, July 20, 2010), the court denied the defendant employee’s motion for summary judgment on the Computer Fraud and Abuse Act (“CFAA”) claim. The plaintiff claimed Hollander, “anticipating terminating his relationship with plaintiff, accessed and used plaintiff’s computer database to aid himself in competing with plaintiff.” Id. The court held “that a defendant may act “without authorization” or “exceed authorized access” even when he has permission to access the protected computer, but then uses that information in a manner inconsistent with the plaintiffs interests, where the defendant intended to use that information in that manner at the time of access.” Id.

About a week later, a District of Columbia federal district court in Lewis-Burke Associates LLC v. Widder, 2010 WL 2926161 *3-*5 (D.C. July 28, 2010) followed LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009) to hold that an employee who stole confidential and proprietary information from the company computer could not be sued for violating the CFAA because, as an employee, he had the right to access the company computer. The court stated that it was “persuaded by the Brekka line of cases, which have recently gained critical mass.” Id. This “critical mass” to which the court referred consisted of three reported cases. Only one of these cases, ReMedPar, Inc. v. AllParts Medical, LLC, 683 F.Supp.2d 605, 611 (M.D. Tenn. 2010), a district court opinion from the Sixth Circuit, stands on its own.

The second of these cases, Nat’l City Bank, N.A. v. Republic Mortgage Home Loans, LLC, 2010 WL 959925, *2 (W.D. Wash. Mar. 12, 2010), is in the 9th Circuit, and had no option but to follow the precedent of the 9th Circuit’s decision in Brekka. The third federal district court opinion, Bell Aerospace Servs., Inc. v. U.S. Aero Servs., Inc., 690 F. Supp.2d 1267, 1272 (M.D. Ala. 2010), is from the 11th Circuit. That opinion, however, ignores its own Circuit’s holding in U.S. v. Salum, 257 Fed. Appx. 225, 230-31 (11th Cir. 2007). Salum upheld a criminal conviction for a violation of the CFAA, finding that there was sufficient evidence for the jury to conclude that Salum, a Montgomery police officer, had accessed the Police Department’s computer “without authorization” because at the time he accessed the computer, he knew that he was accessing the computer “for an improper purpose,” i.e., to provide a private investigator with information from the FBI’s criminal record database.

In sum, these two recent district court decisions underscore the need for the Supreme Court to provide guidance on the CFAA’s meaning of lack of authorized access.