The 11th Circuit Rejects Brekka and Provides Guidance on Pursuing Ex-Employees Who Steal from Company Computers

This week the 11th Circuit upheld the Computer Fraud and Abuse Act (“CFAA”) conviction and one-year prison sentence of a former Social Security Administration (“SSA”) employee who accessed the agency’s computer for non-business reasons. U.S. v. Rodriguez, 2010 WL 5253231 (11th Cir. Dec. 27, 2010). This case is significant for two reasons.

First, the court refused to adopt the 9th Circuit’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the poster child for not applying the CFAA to miscreant employees who steal their employer’s data. A critical element to prove a theft of data under the CFAA is that the defendant accessed the computer without authorization or exceeded authorized access. Brekka stands for the proposition that since an employee is permitted as part of his job to access the company computer, an employee cannot be found to have violated the CFAA. Rodriguez is the second of the Circuit Courts (in addition to the 5th Circuit) expressly to reject Brekka on an issue that ultimately will be decided by the U.S. Supreme Court.

Second, this case serves as a roadmap for employers who want to ensure that an employee who steals its data can be criminally or civilly prosecuted under the CFAA. While the CFAA is primarily the federal computer crime statute, it provides for civil remedies for anyone injured by a violation of the statute. Title 18, U.S.C. § 1030(g). Rodriguez illustrates the proactive steps a company can take to make it more likely that it can take advantage of the CFAA’s criminal and civil remedies.

Roberto Rodriguez had worked at the SSA as a TeleService representative. His job was to respond over the telephone to questions from the public about their social security benefits. “As a part of his duties, Rodriguez had access to Administration databases that contained sensitive personal information, including any person’s social security number, address, date of birth, father’s name, mother’s maiden name, amount and type of social security benefit received, and annual income.” Id. at *1.
The SSA policy on access to its computers was clear – employees are prohibited “from obtaining information from its databases without a business reason.” Id. The SSA “informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily” and “also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing.”  Id.

In addition, the SSA “warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases.” Id. Nonetheless, “Rodriguez refused to sign the acknowledgment forms, stating to one supervisor, ‘Why give the government rope to hang me?’” Id. The SSA also took steps “to monitor access and prevent unauthorized use” by issuing “unique personal identification numbers and passwords to each TeleService employee and review[ing] usage of the databases.” Id.

At trial the prosecution showed that Rodriguez “had accessed the personal records of 17 different individuals for nonbusiness reasons.” Id. All 17 of the individuals whose information he accessed were women — his former wife, former girlfriends, or women in whom he had a romantic interest. For example, Rodriguez accessed the SSA database “to determine how much . . . [his former wife] was earning,” accessed the personal information of a former girlfriend 62 times, and accessed the personal information of a number of women he met at a Universalist church study group. Id. at *2. One of these women testified at Rodriguez’ trial that “she received a letter from Rodriguez at her home address and was shocked because she had not given Rodriguez her address, she ordinarily receives all her mail at a post office box, and her middle initial was on the envelope although she had not used it since grade school.” Id. The SSA database records reflected that Rodriguez had accessed her personal information 45 times. At trial Rodriguez testified and “admitted that he did not access the victims’ records as a part of his duties as a TeleService representative.” Id. at *3. Rodriguez was convicted and sentenced to a year in prison.

On appeal Rodriguez relied on Brekka, arguing that “he did not violate . . . [the CFAA] because he accessed only databases that he was authorized to use as a TeleService representative.” Id. at *4. The court, however, rejected this argument and affirmed Rodriguez’ conviction. The court specifically found that, based on the SSA’s policy that “use of databases to obtain personal information is authorized only when done for business reasons” and the plain language of the CFAA, Rodriguez had exceeded his authorized access to the SSA’s database. Id. The court distinguished Brekka on its facts – Brekka’s employer “had no policy prohibiting employees from emailing company documents to personal email accounts, and there was no dispute that Brekka had been authorized to obtain the documents or to send the emails while he was employed;” whereas the SSA “told Rodriguez that he was not authorized to obtain personal information for nonbusiness reasons.” Id.

The lessons from this case for employers and their counsel who are drafting corporate computer policies are:

• First, it is critical to establish corporate computer policies setting forth the employee’s scope of authorization to access the company computers,

• Second, this policy should be reinforced on a periodic basis in a variety of ways that are designed for the particular circumstances and needs of the individual company, and

• Third, the company should actively monitor employee computer usage to ensure that its policies are being followed and take appropriate actions when its policies are violated.
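The third lesson is the one with an operational component: the SSA, as the opinion recounts, issued unique credentials to each employee and reviewed database usage, which is how the 62 and 45 lookups of individual records came to light. The following is an added illustration, not code from the article or from the SSA, of the kind of audit-log review an employer can run to find lookups that lack a recorded business reason or that repeatedly target the same record. The log format, the field names (user, record, ticket), the sample entries and the repeat threshold are all constructed assumptions; a real deployment would read the access logs of whatever database holds the sensitive data.

```python
"""Review of database-access audit logs for non-business lookups.

Added illustration (not from the article or the SSA): one way an employer
can act on the third lesson above, reviewing usage of a sensitive database
against a stated policy that records may be opened only for a business
reason. The log format, field names and threshold here are assumptions.
"""
from collections import Counter

# Constructed sample audit log. Each line records one lookup; "ticket" is the
# service request that justifies the lookup, and "-" means none was recorded.
SAMPLE_LOG = """\
2010-03-01T09:15:02 user=agent07 record=R-1001 ticket=T-55012
2010-03-01T09:18:40 user=agent07 record=R-1002 ticket=T-55013
2010-03-01T12:02:11 user=agent12 record=R-2201 ticket=-
2010-03-01T12:03:05 user=agent12 record=R-2201 ticket=-
2010-03-02T08:41:19 user=agent12 record=R-2201 ticket=-
2010-03-02T08:45:00 user=agent12 record=R-2202 ticket=-
2010-03-02T10:10:10 user=agent07 record=R-1003 ticket=T-55090
2010-03-03T16:20:33 user=agent12 record=R-2201 ticket=-
"""

REPEAT_THRESHOLD = 3  # assumed: same user opening the same record 3+ times


def parse_line(line):
    """Turn one 'key=value' audit line into a dict (timestamp under 'ts')."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def review_access(log_text, repeat_threshold=REPEAT_THRESHOLD):
    """Return findings for two policy checks:

    - 'no_ticket': lookups with no service request attached, i.e. no
      business reason was recorded for opening the record
    - 'repeated': (user, record) pairs opened at least repeat_threshold times
    """
    no_ticket = []
    pair_counts = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry.get("ticket", "-") == "-":
            no_ticket.append((entry["ts"], entry["user"], entry["record"]))
        pair_counts[(entry["user"], entry["record"])] += 1
    repeated = {pair: n for pair, n in pair_counts.items() if n >= repeat_threshold}
    return {"no_ticket": no_ticket, "repeated": repeated}


def users_to_escalate(findings):
    """Users appearing in either finding, for supervisor review under the policy."""
    users = {user for _, user, _ in findings["no_ticket"]}
    users |= {user for user, _ in findings["repeated"]}
    return sorted(users)


if __name__ == "__main__":
    found = review_access(SAMPLE_LOG)
    for ts, user, record in found["no_ticket"]:
        print(f"no ticket: {ts} {user} opened {record}")
    for (user, record), n in found["repeated"].items():
        print(f"repeated: {user} opened {record} {n} times")
    print("escalate:", users_to_escalate(found))
```

The two checks map onto the two facts the court relied on: the absence of a business reason (a lookup with no service request behind it) and the sheer repetition of access to one person's record. Keeping the findings as data rather than only printing them lets the review feed a ticketing or HR workflow, which is what turns monitoring into the “appropriate actions” the third lesson calls for.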

Can You Rely on Your Corporate Computer Policies to Sue Ex-Employees who Steal Company Data

Two recent district court opinions add to the caselaw providing judicial guidance on how employers might update their corporate computer policies to be able to sue ex-employees for stealing company data under the Computer Fraud and Abuse Act (“CFAA”), the federal computer crime statute. Title 18, U.S.C. § 1030. This is a particularly significant problem when employees leave their current jobs to join competitors and attempt to gain an unfair advantage by stealing data from the company computers prior to their departure. Four of the seven sections of the CFAA that are the basis for a civil cause of action require that the employer prove that the employee’s access to the company computer was “without authorization or exceeds authorized access.”

One way the courts permit an employer to establish lack of authorized access is by showing that the employee violated a company policy defining the scope of the employee’s permission to access the company computers. Courts have sanctioned the use of corporate computer policies to prove unauthorized access because the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden,” through employee agreements, policies and access-limiting technology.

For example, U.S. v. John, 597 F.3d 263, 269, 272 (5th Cir. 2010), upheld the CFAA conviction of Citigroup account manager Dimetriace Eva-Lavon John, who accessed Citigroup’s internal computer system to provide her brother with customer account information that he used to perpetrate fraudulent charges. The court found that John had exceeded authorized access based on “Citigroup’s official policy, which was reiterated in training programs that John attended, [that] prohibited misuse of the company’s internal computer systems and confidential customer information.” Id. at 272.

The two recent decisions — Sloan Financial Group, LLC v. Coe, 2010 WL 4668341 (D.S.C., Nov. 18, 2010) and Clark Street Wine And Spirits v. Emporos Systems Corp., 2010 WL 4878190 (Nov. 24, 2010) – directly address the issue of corporate computer policies in the context of the employer suing the employee for violating the CFAA. According to Sloan Financial Group LLC’s (“Sloan”) complaint, Marcus Coe had been an insurance agent employed by Sloan who left to set up a competing insurance agency. Sloan alleged that its former employee violated the CFAA by “(1) transmitting two spreadsheets of Sloan’s client information from his work email address to his home email address; (2) conducting searches on the Harleysville database [that contained confidential information on Sloan’s insurance clients] for his own benefit; and (3) at Sloan’s expense, ordering Choice Point reports on individuals who never became clients of Sloan’s, but later became clients of Coe’s new Agency.” Id. at *3.

Sloan claimed that Coe accessed its computers without authorization or in excess of authorized access based on its company policies. Those policies were set out in a memorandum circulated to its employees and in an employee handbook. The memorandum restricted “employees’ use of client information” and “stated, ‘[i]t is imperative that all office personnel understand that no client information be taken out of the office…. This information includes electronic data (laptops, CDs, disks, flash-drives, emails), files, paperwork, etc.’ . . . Coe acknowledged receipt of this policy.” Id. at *2. Thereafter, “Sloan established a more detailed confidentiality policy relating to client and proprietary information . . . when it issued a new employee handbook” that “provides, in pertinent part, that ‘[i]nformation concerning [Sloan’s] clients is confidential…. Confidential information may not be released by anyone without proper authority, nor may it be used for personal gain.’ . . . The handbook also includes a section on access to and use of Sloan’s computer systems, providing that ‘[a]ll computers, related equipment and computer accounts … are provided as tools to assist [employees] in performance of [their] job-related duties and responsibilities.’” Id.

Despite these policies, the court dismissed the CFAA claims and granted Coe summary judgment, finding “that Sloan has not proffered evidence that Coe exceeded authorized access by performing any of the alleged actions.” Id. at *5. The court’s dismissal was based on its conclusion that Sloan’s company policies only “limit an employee’s use of information” rather than limiting “an employee’s right to access or obtain information” from Sloan’s computers. Id.

Clark Street Wine And Spirits v. Emporos Systems Corp. also focused on the employee’s right to access the information in question. The complaint alleged “that the defendant and its employees breached plaintiffs’ electronic credit and sales system (supplied largely by defendant), resulting in the stealing of credit card information and losses to plaintiffs’ customers, and ultimately, to plaintiffs.” Id. at *1. The district court denied defendants’ motion to dismiss the CFAA claim because the case required factual development in discovery on the issue of authorized access — “[i]f Emporos employees had permission to access Plaintiffs’ computers, but not their customers’ credit card information, [the CFAA] Count . . . might survive even a strict interpretation” of the element of authorized access. Id. at *11.

However, not all courts make such a fine distinction between access and subsequent use. For example, U.S. v. Salum, 257 Fed. App’x 225, 230-31 (11th Cir. 2007), interpreted “without authorization” based on the defendant’s intended use of the data at the time he accessed his employer’s computer. In Salum, a police officer with the Montgomery, Alabama, Police Department was charged with a criminal violation of the CFAA for providing information from the FBI’s criminal record database to a private investigator. Although Salum, as an employee, “had authority to access the [National Crime Information Center] database,” the court held that there was sufficient evidence for the jury to conclude that Salum had accessed the computer “without authorization” because at the time he accessed the computer Salum knew that he was accessing the information “for an improper purpose.” Id. at 230.

Based on the current state of the law, employers are well advised to establish corporate computer policies specifically with the CFAA in mind, to ensure their ability to use the statute against an ex-employee who might steal valuable data from the company computers to use unfairly in a competing venture. The policies must address the scope of an employee’s permitted access to the company computers, including 1) what information the employee is permitted to access and 2) for what purposes. These policies need to be precisely drafted for the unique circumstances of each company.

Can Breaching a Contract Be Computer Fraud?

Court in ticket resale case says ‘yes,’ if it results in unauthorized access, an essential element of the crime.

The U.S. Department of Justice has brought a Computer Fraud and Abuse Act (CFAA) prosecution in New Jersey against the owners and operators of Wiseguy Tickets Inc., an online ticket seller for concerts and sports events. A critical element in proving most violations of the CFAA, the federal computer crime statute, is that the defendant’s access to the computer (interpreted broadly to include a Web site) that is the object of the criminal activity was “without authorization or exceeds authorized access.” 18 U.S.C. 1030. The defendants are charged with unauthorized access to the Web sites of online ticket vendors (OTVs) such as Ticketmaster and Telecharge for violating the OTVs’ Web site terms of service that prohibit the purchasing of tickets in large amounts for resale to the public.

The district court hearing the case recently denied the defendants’ motion to dismiss the indictment on the ground that it seeks “to criminalize what otherwise would be a breach of contract action for violating the terms of service for ticket sales on” these OTVs. U.S. v. Lowson, No. 10-114 (D.N.J. Oct. 12, 2010). The defendants argued that, “under the government’s theory, a teenager hypothetically could be prosecuted under the CFAA for violating the age requirement restrictions in the terms of service when using a search engine like Google.” Id., slip op. at 10.

The notion that this prosecution is seeking to criminalize a breach of contract will be examined in light of established court decisions interpreting the CFAA and its implications for Web site owners, whose legal remedy is not limited to reporting violations to the authorities for criminal prosecution. Web site owners are also entitled under the statute to bring a civil action for damages and injunctive relief. 18 U.S.C. 1030(g).

The contract upon which the defendants premised their motion to dismiss was the requirement on the OTVs’ Web sites that all Internet customers had “to accept” the rules in the terms of service “before buying Event tickets.” Indictment ¶ 1(f). These terms of service were designed “[t]o ensure fair access to Event tickets” to the general public. Thus, the OTVs “generally limited the number of seats that an online purchaser could obtain per event” and “prohibited the purchase of Event tickets on their website for commercial re-sale (i.e. purchase by ticket brokers).” Id.

The OTVs also “specifically prohibited computer programs that purchased tickets automatically, such as ‘bots,’ ‘worms,’ ‘spiders,’ and ‘crawlers’ from accessing their sites.” Id. “To enforce these restrictions and to protect their webpages from automated ticket purchasing software,” the OTVs “used computer code and software that was designed to detect and prohibit automated programs from accessing…[their] computer servers.” Id. ¶ 1(k).

In denying the Wiseguy defendants’ motion to dismiss, the court recognized that, as “the indictment makes clear, the unauthorized access charges at the heart of this indictment involve allegations of breaches of both contract- and code-based restrictions.” Lowson, slip op. at 10. As to the code-based restrictions, the defendants, assisted by “contract hackers,” are charged with employing sophisticated means to circumvent the OTVs’ computer code through “automated software,” “optical character recognition to defeat…difficult” security measures and “‘hacks’ and ‘backdoors’ to enable automated programs to purchase tickets” and make it appear that the tickets were bought by individual members of the public. Id. at 9. From 2002 through 2008, the defendants procured more than 1.5 million tickets by hacking into the OTVs and generated profits for themselves of nearly $30 million by selling event tickets to the public at prices above face value. Indictment ¶¶ 52-55.

Based on these facts, the U.S. courts of appeals for the 2d and 5th circuits would readily conclude that the defendants’ efforts to defeat the code-based restrictions on the Web sites were sufficient standing alone to prove the CFAA’s critical element of “unauthorized access.” In U.S. v. Morris, 928 F.2d 504, 505 (2d Cir. 1991), the defendant Robert Morris, a student in Cornell University’s computer science doctorate program, disseminated through e-mail “a computer program known as a ‘worm’ that spread and multiplied, eventually causing computers at various educational institutions and military sites to ‘crash’ or cease functioning.” In affirming his conviction, the court concluded that “Morris’s conduct here falls well within the area of unauthorized access” because he did “not use…[two standard computer programs] in any way related to their intended function,” but “instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.” Id. at 510. That is precisely what the Wiseguy Tickets defendants are charged with — circumventing through sophisticated hacks the intended function of the OTV Web sites to prevent mass purchases by ticket sellers.

U.S. v. Phillips, 477 F.3d 215 (5th Cir. 2007), followed Morris’ intended-use test in upholding the conviction of Christopher Phillips, a student in the computer sciences department at the University of Texas who hacked into UT’s secure server, which only allowed access to an authorized user through the user’s Social Security number. Phillips launched what is known as a “brute-force attack” program, which automatically transmitted to the server as many as six random Social Security numbers per second. During the course of 14 months, Phillips gained “access to a mother lode of data about more than 45,000 current and prospective students, donors, and alumni.” Id. at 218. Phillips had also signed a UT acceptable-use computer policy in which he agreed not to perform certain scans on his university computer account that would permit him to search for vulnerabilities to hack into and attack the network. The court found that Phillips’ brute-force attack program not only was unauthorized by his agreement with UT, but that it “was not an intended use of the UT network within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data that he was not permitted to view or use.” Id. at 220.

Similarly, other courts have emphasized the importance of employment contracts and policies to define unauthorized access. In EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577, 580-84 (1st Cir. 2001), the court, in affirming a preliminary injunction in a civil action brought under the CFAA, relied upon the defendants’ signed confidentiality agreement to find that the defendants’ access to EF’s Web site was unauthorized because they had used a scraper that had been built from their confidential knowledge about the topology of EF’s Web site for the purpose of automatically and accurately downloading EF’s 154,293 tour prices from the site.

U.S. v. John, 597 F.3d 263, 269, 272 (5th Cir. 2010), upheld the CFAA conviction of Citigroup account manager Dimetriace Eva-Lavon John, who accessed Citigroup’s internal computer system to provide her brother with customer account information that he used to perpetrate fraudulent charges. The court found that John had exceeded authorized access based on “Citigroup’s official policy, which was reiterated in training programs that John attended, [that] prohibited misuse of the company’s internal computer systems and confidential customer information.” Id. at 272.

As the above court decisions reflect, “authorization” is a “word…of common usage, without any technical or ambiguous meaning,” and is a question of fact to be decided by a jury based on all of the circumstances. Morris, 928 F.2d at 511. Criminal (or civil) liability for the CFAA only attaches if there is proof of the other essential elements of the crime, such as the theft or destruction of data. Thus, the risk raised by the Wiseguy defendants that a teenager would be prosecuted for a violation of the CFAA for simply lying about his age on Google is as well founded as a teenager being prosecuted for mail fraud for lying in a letter to his parents.

Given the Wiseguy Tickets prosecution and the case law underpinning it, there are several proactive steps every company can take to enhance the likelihood that violators of its Web site can be criminally prosecuted or sued in a civil action. This is because the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). Thus, a company “can easily spell out explicitly what is forbidden,” through employee agreements, policies and access-limiting technology.

Reprinted with permission from the November 29, 2010 edition of THE NATIONAL LAW JOURNAL © 2010 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, or visit www. #005-11-10-13