A recent federal district court decision refusing to grant summary judgment to a defendant in a Computer Fraud and Abuse Act (“CFAA”) case highlights the importance of clearly delineating one’s rights in accessing a database that contains data owned by more than one party. In Snap-On Business Solutions Inc. v. O’Neil & Associates, Inc. 2010 WL 1539958 (N.D. Ohio April 16, 2010) Snap-On sued O’Neil under the CFAA for unlawfully accessing its servers and copying an electronic parts automotive database Snap-On had created for Mitsubishi Caterpillar Forklift.
Snap-On and Mitsubishi entered into a license agreement whereby Snap-On licensed to Mitsubishi use of its proprietary software and Mitsubishi supplied Snap-On with Mitsubishi’s electronic automotive catalog data to upload into the software. Both parties contributed proprietary and competitively sensitive data to create the system. Once the data was incorporated into the software, Snap-On licensed the database to Mitsubishi which in turn permitted its Dealers to access the database. Snap-On and Mitsubishi also entered into a Web Hosting Agreement whereby Snap-On hosted the database on its software. Mitsubishi had access to the system through a website.
Two years into this contract Mitsubishi approached O’Neil to create an electronics parts catalogue to replace the one created by Snap-On. To build a new system O’Neil used a scraper tool to retrieve automatically all of the data from the Mitsubishi/Snap-On system. “This automated tool, designed by O’Neil, would access Snap-On’s database, copy information stored on the system, and save it onto O’Neil’s database where O’Neil could then analyze and manipulate it.” Id. at *3. To avoid detection O’Neil accessed the system using passwords that had been assigned to “several of Mitsubishi’s dealers.”
In pressing for summary judgment to be granted on the CFAA claim O’Neil contended Mitsubishi had authorized it to access the web site containing the data. Snap-On, however, argued that its license agreement with Mitsubishi prohibited it “from giving a third party authorization to log into the system.” Id. at *7. The court denied summary judgment to O’Neil finding that “a genuine dispute of material fact exists as to Mitsubishi’s actual ability to authorize O’Neil’s activities as well as to the reasonableness of O’Neil’s belief that Mitsubishi could authorize it.”
The lessons here are obvious. If you are a business using an outside vendor to create a database or you are the outside vendor who creates the database, it is critical to spell out in an agreement precisely who is authorized to access the system and the scope of that authorized access. This is particularly important if both parties are contributing to the database with what each considers to be their own trade secret or proprietary information that they do not want to fall into the hands of a competitor.