Previously, I discussed the Computer Fraud and Abuse Act (“CFAA”). As reported in the Legal Intelligencer, a law firm recently invoked the CFAA against one of its former partners and associates who abruptly departed and allegedly used the “Dropbox” software to continue accessing the plaintiff law firm’s computer systems for the benefit of the law firm that the departing defendants joined. Elliott Greenleaf & Siedzikowski sued its former partner and Harrisburg office managing shareholder, two former associates, and others not only for barring plaintiff’s access to files located in the former attorneys’ locked offices, but also for accessing, modifying, and deleting those files, in violation of the CFAA. In its complaint filed in the U.S. District Court for the Eastern District of Pennsylvania, plaintiff estimated that defendants deleted approximately five percent of plaintiff’s backup tapes and misappropriated approximately 78,000 proprietary files. While this case is illustrative of ownership of trade secrets, it also demonstrates how the CFAA can be applied to matters involving computers and former business associates and employees.
In 1984 Congress enacted the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, to protect against hacking into U.S. government and financial institution computers. With the expansion of computer use, the explosion of the Internet and the adaptation of crime to these expanding technologies, Congress broadened the CFAA to include almost any computer. Moreover, a 1994 amendment added a civil cause of action to the criminal statute.
The CFAA prohibits seven acts briefly summarized as:
- trespassing a computer to commit espionage;
- trespassing a computer and obtaining specified financial, credit, governmental or commercial information;
- trespassing a government computer;
- trespassing a computer to commit fraud;
- damaging a computer;
- trafficking in computer passwords; and
- threatening to damage a computer.
The CFAA contains several definitions that apply the statute broadly. For example, the CFAA applies to “protected computers.” This includes computers owned by the U.S. government, financial institutions and those “used in or affecting interstate or foreign commerce or communication.” Thus, the CFAA applies to virtually all computers.
As abbreviated above, trespassing includes accessing a computer “without authorization” or “exceeding authorized access.” A Computer Fraud and Abuse Act violator could have authorized computer access such as a log-in ID and password, but later access data that was not within that user’s authorized scope. By way of example, a bank employee may have authorization to access and modify data in the ordinary course of business, but if the bank employee violates computer use policies by viewing an acquaintance’s account records with no business need to do so, the CFAA is violated by exceeding authorized access.
Federal courts have creatively interpreted the terms “without authorization” and “exceeding authorized access.” In Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), a federal court in Seattle held that a former employee lost “authorized access” when he became an agent of a competitor by e-mailing the competitor trade secrets and proprietary information belonging to the former employer while still employed there. The court did not rely on a non-disclosure agreement, but rather on an agency common law principle under which the employee’s authority terminates when the employee “acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty” to the employer. While some courts have disagreed with this ruling, see, e.g., Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008), others have followed this line of reasoning.
In another case involving a former employee who used confidential information obtained from the former employer to benefit a new competitor, the court focused on the use of “Confidential or Proprietary Information” and the existence of a confidentiality agreement. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001). There, the plaintiff was in the business of providing global tours for high school students. A former executive had confidential information about the former employer’s tour codes and the data structure of its proprietary information, and was bound by a confidentiality agreement (“NDA”). The former executive assisted the competitor’s Internet consultant in designing a “scraper” program to extract pricing information from the former employer’s Web site. The competitor then used this data to undercut the former employer’s prices. The First Circuit Court of Appeals did not reach the question of whether the competitor was authorized to navigate plaintiff’s Web site to obtain competitive data. Rather, the court held that the defendant former executive exceeded that authorization “by providing proprietary information and know-how” to the Internet consultant to create the scraper program for the competitor.
The CFAA has also been invoked by Web site operators where the user had violated the Web site’s Terms of Service (“TOS”). America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998), involved an AOL member who harvested AOL members’ e-mail addresses for sending unsolicited bulk e-mails (“spam”) via AOL’s network in breach of AOL’s Unsolicited Bulk E-Mail Policy and its TOS. While the case involved other serious issues such as trademark violations for “spoofing” the spam e-mail messages as being from the “aol.com” domain, the trial court held that the TOS violations rendered defendants’ access unauthorized and in violation of the CFAA for computer trespassing and gaining commercial information.
While the AOL case involved a member TOS agreement, Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435 (N.D. Tex. 2004), involved the TOS of Southwest Airlines’ Web site and a direct warning to defendants about prohibited activities on that Web site. The defendant software company created and licensed software that could “scrape” Southwest’s Web site to obtain data by “sending out a robot, spider, or other automated scraping device across the Internet.” Another defendant licensed the software to use in a product for corporate travelers to search airline fare information. Southwest sued under various theories, including violation of the CFAA. Defendants argued that Southwest’s Use Agreement (“TOS”) was an unenforceable contract. The court reserved that fact question as inappropriate for resolution on a motion to dismiss. Rather, the court relied on Southwest’s direct communication to one of the defendants that Southwest prohibited the use of “any deep-link, page-scrape, robot, spider or other automatic device, program, algorithm or methodology which does the same things.” Thus, Southwest directly informed one defendant that its access was unauthorized, giving the court grounds to deny defendants’ motion to dismiss this claim.
While the CFAA is a criminal statute, there is a private right of action. Generally, the prospective plaintiff needs to prove damage to the computer, or “loss” exceeding $5,000. Losses are defined as “any reasonable costs to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or consequential damages incurred because of interruption of service.” The statutory minimum loss required to institute a civil lawsuit for injunctive relief and/or monetary damages can be easily met with the costs of investigation and plugging security holes. The fair value of in-house IT staff time has been allowed in the calculation of “loss.”
The CFAA will likely be increasingly used in employment, trade secret and unfair competition cases. The key takeaways with respect to the CFAA include:
- Maintain network security;
- For employees and other “insiders,” require non-disclosure agreements (“NDAs”) and provide clear limits on data access, modification and deletion through a comprehensive IT or computer use policy; and
IT Digital Device Border Searches Cover More Than Just Laptop Contents. Those who travel frequently are used to TSA security searches that have become more extensive, time consuming and invasive. International travelers have likewise faced increased scrutiny from U.S. Customs and Border Protection (CBP) when returning to the United States. While many realize that enforcement of the customs mission involves inspection for contraband and collection of duties, anecdotal evidence indicates that there is an increased focus on inspecting for information that may be related to cybercrimes and the war on terror. Information may also relate to violations of intellectual property laws, child pornography and other obscene materials, and violations of national security and export control laws. Information that once took volumes of books, photographs, CDs/DVDs, etc. can now be stored in digital form on a small USB flash drive, smart phone, iPod, or laptop. Thus, these digital storage devices, while light and portable, have become targets of CBP inspecting officers.
Right to Search Digital Devices. Legally, CBP inspecting officers have the authority to search digital devices incidental to a search at the border. One exception to the U.S. Constitution’s Fourth Amendment prohibition against unreasonable searches and seizures relates to searches incident to border entries. United States v. Montoya de Hernandez, 473 U.S. 531 (1985). The Ninth Circuit Court of Appeals recently ruled that the CBP’s search of digital files does not require any level of suspicion or probable cause prior to the warrantless search. United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008). While the inspecting officer may have the authority and the international traveler may have nothing to hide, an inspection of digital devices can be more invasive than a search through one’s underwear. The inspection may lead to delays and possible impounding of the digital devices for further forensic analysis.
Traveler Responses to Digital Device Search Possibility. If the traveler wishes to minimize the invasiveness of digital device inspection, or if the traveler believes that they may be a likely target due to the nature of their business, the foreign countries visited or perceived profiling (of which the author provides no opinion as to whether CBP uses profiling), there are some steps that the traveler can take to minimize the chances or extent of searches. First, the traveler can carry no digital device that the traveler does not want inspected or potentially impounded, even if the digital device is later timely released. Alternately, the traveler can securely delete or “wipe” any data contained on the digital devices to minimize the effects of an inspection.
A second alternative is to use the power of “cloud computing” and work with all data through the Internet. This method is easy given the widespread use of Web access for mail servers and online data storage solutions. This also assumes that appropriate security procedures are in place such as VPN connections or use of SSL encryption protocols.
A third alternative is to use whole or partial hard drive encryption on laptops used while traveling internationally. This alternative is a no-brainer, as any laptop containing proprietary business data, including personally identifiable information subject to data breach notification laws, should already be encrypted. This raises the question of what the traveler should do if asked by a CBP official for the password. Not having the data in the first place avoids this issue, but traveling without the data or applications may not be an option. While travelers are expected to, and should, cooperate with the inspection process, one trial court recently held that an inspected traveler had no duty to provide CBP with a password, consistent with the privilege against self-incrimination under the Fifth Amendment of the U.S. Constitution. In re Boucher, 2007 WL 4246473 (Nov. 29, 2009).
While this post only discussed the issue of returning to the United States after international travel, the CBP can also inspect an international traveler prior to departing the U.S. for foreign countries. Likewise, this post did not discuss the issue of foreign customs searches, where foreign laws may be less predictable and not as protective. Indeed, the option presented regarding data encryption may be unavailable in certain jurisdictions which also restrict or prohibit importation of strong encryption technology. U.S. export control laws may also restrict the “exportation” of strong encryption technology. Know before you fly.