Disgruntled Employee Lacked Criminal Intent to Be Sued for a Civil Violation of the Computer Fraud and Abuse Act

While the federal Computer Fraud and Abuse Act (“CFAA”) permits seven causes of action to be brought by individuals or companies who have been victims of violations of the statute, practitioners lose sight of the fact that the CFAA is at its core a criminal statute. Nyack Hospital v. Moran, 2010 WL 4118355 (S.D.N.Y. June 1, 2010) neatly illustrates the importance of being able to prove the criminal elements of the statute in order to obtain a civil remedy – damages or injunctive relief.

The defendant, Kevin Moran, had been employed by Nyack Hospital as its Manager of Organizational Development. After Nyack Hospital terminated Moran’s employment, Moran allegedly “sent e-mails, including a 17-page attachment, to over ‘100 Hospital senior managers and employees’ and others and misrepresented the source of the e-mails as David Freed, the president of the hospital.” The complaint asserted that the “emails ‘leaked certain aspects of an internal confidential employee survey, defamed the Hospital’s reputation and the reputations of the several Hospital employees … and urged the … recipients to report the alleged wrongdoings to the Hospital’s Board of Trustees and the Rockland Journal New News.’” Id. at *1.

The Hospital sued Moran for, among other things, violating the section of the CFAA that makes it a crime to “knowingly caus[e] the transmission of … information … and as a result of such conduct intentionally caus[e] damage without authorization [ ] to a protected computer [.]” 18 U.S.C. § 1030(a)(5)(A). The fatal defect with the Hospital’s complaint was that it did not allege that Moran had “intentionally caused any damage to the hospital’s computers, but rather that . . . [Moran] knew that the sending of bulk e-mail ‘could result in a ‘denial of service’ or ‘spamming’ attack against the Hospital’s information system.’” Id. at 6.

The best the Hospital could say was that “Moran accessed the Hospital’s e-mail system and server by creating a fake Yahoo account … to trick Hospital employees into reading [the e-mail].” Id. The court dismissed the CFAA claim on the ground that the Hospital failed to allege that Moran “acted with the specific criminal intent required to establish a violation of” the CFAA. Id. The court also found the Hospital’s failure to allege damage resulting from Moran’s alleged conduct with specificity rather than as a possibility was “inadequate to support a cause of action for a violation of the CFAA.” Id. at 7.

This decision drives home the principle that the only difference between a criminal violation of the CFAA and a civil violation is the standard of proof – the government must prove the criminal violation beyond a reasonable doubt and the civil litigant must prove the violation by a preponderance of the evidence. In both instances there must be proof of the same criminal elements of the CFAA.

Sarah Palin Hacker’s Conviction Stands for Accessing Her Yahoo Email Account

The college student David C. Kernell who was convicted by a Chattanooga, Tennessee jury of various federal crimes including a violation of the Computer Fraud and Abuse Act (“CFAA”) for accessing Alaska Governor Sarah Palin’s Yahoo email account will be sentenced on October 29, 2010. What Kernell did was to decipher the password for Alaska Governor Sarah Palin’s Yahoo email account and distribute her emails over the Internet during the 2008 Presidential campaign. Kernell moved post-verdict pursuant to Rule 29, Fed.R.Cr.P. for a judgment of acquittal on the ground that the evidence was insufficient to support his conviction. The trial court just last month denied Kernell’s motion finding that there was sufficient evidence to convict. U.S. v. Kernell, 2010 WL 3937421 *4-5 (E.D. Tenn. Sept. 23, 2010). What is interesting about the court’s opinion is not what it says but what it does not say.

The motion directed at the CFAA was made on a very narrow ground challenging only whether Kernell had accessed a “protected computer.” This is an extremely weak defense since the Eighth Circuit has recognized that “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.” U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005).

The section of the CFAA upon which Kernell was convicted is 18 U.S.C. §1030(a)(2)(C) which makes it a crime for anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” In pressing his motion to overturn the jury verdict Kernell claimed that the government had “failed to prove the ‘protected computer’ element . . . of [the crime]. . . because Yahoo! either would or could not identify the computer or computers on which the account and its attachments resided.” U.S. v. Kernell at *5.

In rejecting Kernell’s motion the court relied on the trial evidence of the “Yahoo! records [that] revealed that the computers managing the Account on the date of the offense were located in Quincy, Washington.” Id. The court emphasized that Kernell “does not dispute that a Yahoo! computer located in Quincy, Washington was managing the Account at that time.” Id. In addition, “[t]he records also showed that Defendant accessed the Account by using Internet Protocol address ‘66.253.190.21.’” Id.

The court concluded that “[i]t was not necessary for the Government to identify the specific Yahoo! computer that managed the Account because: (1) the location of the Yahoo! computer was verified; and (2) the IP address used by the Defendant to access the Account was verified.” Based on that evidence, the court held “that a rational trier of fact, when viewing the evidence in the light most favorable to the Government, could have found the essential elements of the” CFAA count. Id.

What is absent from this opinion is any defense that Kernell could have raised before the jury based on unauthorized access, a critical element of the CFAA. According to the press reports, Kernell was able to determine Palin’s Yahoo email address from publicly available information disseminated by Governor Palin about her background. Given her creation of a password based on facts provided to the entire world, a factual defense could have been raised that she gave everyone constructive access to her account. There is no mention in the opinion of any such defense having been advanced.

Would You Trade Your Tax Returns and Bank Statements for Free Music Downloads?

LimeWire sounds innocent enough – a file sharing program that allows individual users to download music, video and other files over the Internet directly from the hard drive of another LimeWire user. LimeWire and other similar software, described as peer-to-peer software, is a popular way to avoid paying for music and movies. There is, however, a catch. These free downloads pose enormous risks. An anonymous LimeWire user who can download a song or a movie from your computer can also download your highly sensitive personal information that can be used to steal your identity and, in turn, your bank accounts and credit cards.

Because “users of some versions of LimeWire risk inadvertently sharing sensitive information stored on their computers,” the Federal Trade Commission (“FTC”), Bureau of Consumer Protection, conducted an investigation into the LimeWire program as reported in a publicly released letter, dated August 19, 2010, from the FTC to the CEO of Lime Wire LLC. http://www.ftc.gov/os/closings/100919limewireletter.pdf. The FTC was concerned that “LimeWire might expose . . . [a user’s] tax returns, credit reports, and college loan applications to millions of people” because “[i]dentity thieves have used LimeWire to retrieve this information and injure consumers.”

This was not a theoretical concern. In 2009 Frederick Eugene Wood was prosecuted by the Seattle, Washington U.S. Attorney’s Office for using the LimeWire program to steal personal information from the computers of 120 people across the United States. The stolen personal information included tax returns and bank statements. Armed with this personal information, Wood assumed the individuals’ identity and created forged checks that he used to buy high-end electronic equipment that he sold through Craigslist. Wood pleaded guilty to, among other things, a violation of the Computer Fraud and Abuse Act, Title 18, U.S.C. § 1030(a)(4) and was sentenced to 39 months in prison. http://www.justice.gov/usao/waw/press/2009/aug/wood.html

The FTC, as its letter to Lime Wire reflects, did not recommend any enforcement action against Lime Wire because it had incorporated “safeguards against the inadvertent sharing of sensitive, personal documents into the user interface of more recent versions of its software.” Other reasons the FTC gave for not pursuing action against Lime Wire were “that the attrition rate for legacy versions is substantial, the apparent inability of Lime Wire to force users to upgrade legacy versions of the software to more recent versions; and the possibility that users of some of the older versions of LimeWire may have been able to avoid disclosure of sensitive information.”

Despite efforts by Lime Wire to rectify this issue, the FTC warned that consumers “who are still using insecure legacy versions” are still at “risk of inadvertent sharing of sensitive, personal information.” Moreover, LimeWire, as the FTC recognized, is not the only peer to peer software that is available to consumers. All computer users must be aware of the risks posed by software programs like LimeWire. This risk is increased if multiple people are using the same computer. For example, if your children are using the home computer that you use to prepare your income tax returns and conduct personal banking, you need to be extra vigilant that they are not using peer-to-peer software to create their music libraries.

Time to Check Whether Your Insurance Policies Cover Lawsuits Alleging Misuse of Advertising Software and Cookies

In the past six months approximately 6 class action lawsuits have been filed in Los Angeles federal district court against various companies for, among other things, violations of the Computer Fraud and Abuse Act (“CFAA”), Title 18 U.S.C. § 1030, based on advertising technology that tracks a computer’s web surfing practices. Unlike traditional cookies, the type of technology alleged in these complaints supposedly cannot be deleted from a computer. The corporate defendants in these cases, including CNN, Fox News, News Corp. and the Wall Street Journal, are certain to be checking whether their insurance policies cover the attorney’s costs to defend these lawsuits.

Having defended a number of similar cases myself, I know that a legal defense can be costly. A recent case decided by the 8th Circuit Court of Appeals, Eyeblaster, Inc. v. Federal Insurance Co., 613 F.3d 797 (2010), addressed whether two insurance policies covered defense costs for a lawsuit based on on-line advertising practices and held that an insurer improperly refused to provide defense cost coverage. This is an important case for companies that advertise on the Internet.

The insured Eyeblaster, as described by the court, “is a worldwide online marketing campaign management company that advertisers, advertising agencies, and publishers use to run campaigns across the Internet and other digital channels.” Id. at 799. Eyeblaster creates interactive ads and tracks the performance and effectiveness of these ads through cookies placed on consumer computers. It does not, however, “use spyware or introduce malicious contact such as spam, viruses, or malware.” Id.

A consumer sued Eyeblaster alleging, among other things, violations of the CFAA claiming that “his computer was infected with a spyware program from Eyeblaster . . . [that] caused his computer to immediately freeze up,” and that “he lost all data on a tax return on which he was working and that he incurred many thousands of dollars of loss.” Id. at 800. Once “his computer became operational again,” after supposedly being fixed by a computer technician, he still experienced “numerous pop-up ads; a hijacked browser that communicates with websites other than those directed by the operator; random error messages; slowed computer performance that sometimes results in crashes and ads oriented toward his past web viewing habits.” Id.

Eyeblaster requested its insurer, Federal Insurance Co., to provide it with a defense of the lawsuit, as set forth under its General Liability and Network Technology Errors or Omissions policies. Federal denied coverage claiming that the lawsuit in question did not obligate the insured under either policy to provide a legal defense. Eyeblaster sued, but the district court agreed with Federal.

On appeal Eyeblaster challenged two principal findings of the district court – 1) that the lawsuit did not involve damage to physical property as required by the General Liability policy, and 2) that the lawsuit “had not alleged that Eyeblaster committed a wrongful act (as defined by the [Information and Network Technology Errors or Omissions] policy) in connection with a product failure or in performing or failing to perform its services.” Id.

The Circuit court reversed the district court and held that the policies obligated Federal to defend the lawsuit. The court rejected the district court’s finding on the General Liability policy that “the complaint does not allege damage to tangible property because it only claims damage to software, which is by definition excluded.” While the policy does not define tangible property, the court relied on its plain meaning to include the computer that the Plaintiff alleged “repeatedly” in the complaint that he lost the ability to use. Id. at 801-02.

The court also found that Federal did not meet its burden in showing that the exclusion, entitled, “Damage to Impaired Property or Property Not Physically Injured” applied. The court held that the computer at issue in the lawsuit “cannot be considered ‘impaired property’ because no evidence exists that the computer can be restored to use by removing Eyeblaster’s product or work from it.” Id. at 802. Thus, the court found that “[i]t is not clear that an Eyeblaster product or Eyeblaster’s work ever existed on . . . [the] computer, and thus it is equally unclear that such product or work could be removed from the computer.” Id.

As to the Information and Network Technology Errors or Omissions policy which “specifically covers intangible property, such as software, data, and other electronic information,” the court found that “Federal cannot [meet its burden to prove it has no duty to defend] and demonstrate that each claim in the . . . complaint falls outside the coverage of the policy.” Id. at 804. The court emphasized that while the complaint “alleges that Eyeblaster installed tracking cookies, Flash technology and JavaScript on . . . [the] computer, all of which are intentional acts” that Federal “can point to no evidence that doing so is intentionally wrongful.” Id. The court relied on an Eyeblaster Affidavit that “Federal’s parent company utilizes JavaScript, Flash technology, and cookies on its own website” and Federal’s failure to produce any “evidence that the allegation concerning tracking cookies, etc. spoke of intentional acts that were either negligent or wrongful.” Id.

Given the recent filings of CFAA civil suits based on advertising tracking software, any business that uses technology in its advertising campaign or as a means to track its customers should carefully check its insurance policies to be certain that it is covered for defense costs if it finds itself swept up in this recent rash of lawsuits directed at on-line advertising practices.