Little did William the Conqueror know that when he won the Battle of Hastings in 1066, his victory would have ramifications for protecting computer data. The Norman Conquest established a system for addressing the theft of chattels that evolved to the present-day cause of action for conversion. This ancient common law civil remedy has recently emerged as a potential key legal theory in the fight against computer crime. Conversion “is the civil analog of the criminal actions of robbery and larceny,” which has long provided victims redress against the “unlawful taking or retention of tangible personal property” as opposed to intangible computer data. In re Robert R. Fox, 370 B.R. 104, 121 (B. A.P. 6th Cir. 2007). Since computer data have been viewed as intangible property, their theft has not been traditionally viewed as conversion. See e.g. Slim CD Inc. v. Heartland Payment Systems Inc., No. 06-2256, 2007 WL 2459349, at *12 (D.N.J. Aug. 24, 2007).
When company data are stolen or maliciously destroyed, the modern cause of action is the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, a criminal statute that expressly provides for a civil action for damages and injunctive relief for anyone “who suffers damage or loss by reason of a violation of” the statute. 18 U.S.C. 1030(g). The CFAA was intended to provide law enforcement and private litigants with updated tools to combat criminal activity directed at computers. Pacific Aerospace & Electronics Inc. v. Taylor, 295 F. Supp. 2d 1188, 1194-95 (E.D. Wash. 2003). Based on the CFAA, a company is empowered to file a federal suit to recover its stolen computer data, seek an injunction to prevent their use and dissemination, and recover damages for stolen and destroyed data.
‘Thyroff’ opened another route to remedy data theft
The CFAA’s monopoly on the protection of computer data changed dramatically early this year with a decision from New York’s highest court in Thyroff v. Nationwide Mutual Insurance Co., 8 N.Y.3d 283 (N.Y. 2007). The court abandoned the tangible/intangible property distinction and held that conversion applies to computer data. This article examines the holding in Thyroff, how it extended the law of conversion that has been developing in other state jurisdictions and the practical differences between conversion and a cause of action based on the CFAA.
Louis E. Thyroff, an insurance agent, was simultaneously discharged from Nationwide and denied access to “his customer information and other personal information that was stored on the [company] computers.” Id. at 285. As a result, Thyroff sued Nationwide in federal court for, among other things, “the conversion of his business and personal information.” Id. The district court dismissed Thyroff’s claim on the ground that conversion does not apply to intangible computer data. On appeal, the 2d U.S. Circuit Court of Appeals determined that New York law was not clear as to whether a claim for conversion could be based on computer data, and certified the following question of law to the New York Court of Appeals, the state’s highest court: “Is a claim for the conversion of electronic data cognizable under New York law?” Id. at 285-86.
The court responded affirmatively, holding that electronic records maintained on a computer are “subject to a claim of conversion in New York.” Id. at 293. In doing so, the court reviewed the evolution of the tort of conversion in accordance “with emerging societal values” beginning with “the Norman Conquest of England in 1066” when a thief was either summarily executed or “rightful ownership of the property was usually determined by a ‘wager of battle’-a physical altercation or duel between the victim and thief…with the victor taking title to the goods.” Id at. 286-88.
These medieval practices were eventually replaced by legal actions for trespass, trover and ultimately conversion. New York later modified conversion’s strict requirement for tangible property, holding “that an intangible property right can be united with a tangible object for conversion purposes.” Id at 286-89. This required connection between the intangible property and a tangible object is known as the “merger doctrine,” and was adopted by the Restatement (Second) of Torts ß 242 (1965). Thus, intangible shares of stock in a company were considered to be the proper subject of a conversion claim because the shares are represented by a tangible stock certificate.
Thyroff abandoned the merger doctrine for two reasons. First, it recognized that “[a] document stored on a computer hard drive has the same value as a paper document kept in a file cabinet.” Id. at 292. Second, the court relied on the pervasive use of computer data to replace paper documents and determined that “the tort of conversion must keep pace with the contemporary realities of widespread computer use.” Id. at 292. As the court stated, “society’s reliance on computers and electronic data is substantial, if not essential,” and “[c]omputers and digital information are ubiquitous and pervade all aspects of business, financial and personal communication activities.” Id. at 291-92.
Thyroff undoubtedly is the future direction of the law in this country. While there are still jurisdictions that strictly apply the merger doctrine (see, e.g., Northeast Coating Technologies Inc. v. Vacuum Metallurgical Co. Ltd., 684 A.2d 1322, 1324 (Maine 1996)), the trend is with Thyroff. For example, in Kremen v. Cohen, 337 F.3d 1024, 1031 (9th Cir. 2003), the 9th Circuit held that California “does not follow the Restatement’s strict merger requirement” in upholding a conversion claim for the intangible property right in the domain name, “sex.com,” a profitable porn site. Courts in other cases, such as Perk v. Vector Resources Group Ltd., 253 Va. 310, 315 (Va. 1997) (conversion of “computer programs, data, and software”) and Mundy v. Decker, No. A-97-882, 1999 WL 14479, at *4-*5 (Neb. Ct. App. Jan. 5, 1999) (conversion by the plaintiff’s former secretary who had permanently “deleted the entire contents of the WordPerfect directory” from the company computer), have assumed that computer data are subject to a claim for conversion without reference to the tangible/ intangible property distinction.
The message in Thyroff is clear: Any company deciding to pursue self help through the courts to protect and retrieve its computer data or seek damages after a theft or destruction of its data would be well advised to base its complaint not only on violations of the CFAA, but also on conversion. Even if the state in which a suit is contemplated is one that currently adopts the merger doctrine or applies conversion only to tangible property, Thyroff is a well reasoned and powerful precedent to argue for a change in the law. While both causes of action provide for compensatory damages and injunctive relief to obtain the return of data and prevent their dissemination, there may be clear advantages to using conversion over the CFAA.
Depending on the state jurisdiction, a plaintiff is usually permitted to seek punitive damages for conversion. For example, Cole v. Control Data Corp., 947 F.2d 313, 319-20 (8th Cir. 1991), held that punitive damages could be awarded for the conversion of a software program when the plaintiff demonstrated under Missouri law that the defendants’ “conduct was outrageous.” Damages under the CFAA, however, are limited to compensatory damages “by the plain language of the statute.” Garland-Sash v. Lewis, No. 05 Civ. 6827, 2007 WL 935013, at *2 (S.D.N.Y. March 26, 2007).
Conversion action requires no minimum amount of loss
Conversion, unlike the CFAA, does not require proof of a jurisdictional amount of damage. As a predicate to obtaining the federal question jurisdiction under the CFAA, the plaintiff must prove $5,000 in “loss,” which is defined by statute to include various costs caused by the theft or destruction of computer data. See ß 1030(e)(11). Failure to allege and prove $5,000 in loss automatically results in dismissal of the claim. See, e.g., Nexans Wires S.A. v. Sark- USA Inc., 166 Fed. Appx. 559, 562-63 (2d Cir. 2006). No such loss need be alleged or proven for conversion. Conversion, of course, is a state cause of action, and, as such, does not confer federal question jurisdiction, as does the CFAA.
Finally, conversion provides a backstop for federal courts that may be hostile to the use of the CFAA against company insiders who have stolen data from their employer’s computers for use in competition against their employer at a new job. Four of the seven causes of action available in the CFAA are based on “unauthorized access” to the computers. There are several federal district courts that have held that an employee with access to the company computers does not have unauthorized access since an employee, as a part of the job, is authorized to access the company computers. See, e.g., Brett Senior & Associates v. Fitzgerald, No. 06- 1412, 2007 WL 2043377, at *3 -*5 (E.D. Pa. July 13, 2007).
To date, the law in the federal circuit courts, and the other federal district courts, runs counter to these few decisions. International Airport Centers LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006), held that an employee’s authorization to the company computers is governed by the law of agency, which is terminated when the employee enters the company computers to take data to compete against his employer. There are also courts that allow employers to define authorization to its computers though company rules. See, e.g., Doe v. Dartmouth- Hitchcock Medical Center, No. CIV. 00-100- M, 2001 WL 873063, at *2 (D.N.H. July 19, 2001). See also U.S. v. Phillips, 477 F.3d 215, 221 (5th Cir. 2007) (summarizing the various ways “unauthorized access” can be proven under the CFAA). Nonetheless, while the law interpreting the CFAA continues to develop, it is important not to ignore the ancient law handed down to us by the Norman Conquest. Conversion provides a plaintiff company with an alternative means to achieve many of the same remedies available under the CFAA.