The CFAA Requires Access of a Computer — Not Just Access to Information

To have a valid CFAA claim, there must be an access to a computer.

The Computer Fraud and Abuse Act is often referred to as an “access crime” because the act that is prohibited is accessing a computer. Misusing information that someone else obtained from a computer is not accessing a computer. Doing so may be wrong for other reasons, but it is not a CFAA violation because it does not entail accessing a computer.

The court in New Show Studios LLC v. Needle, 2014 WL 2988271 (C.D. Cal. June 30, 2014) addressed this issue where a former employee continued to use his former employer’s information after his employment terminated by having people who still worked for the company access information and supply it to him. The court dismissed the CFAA claim because the plaintiff did not plead any access to a computer:

To prevail on a CFAA claim, plaintiffs must establish, among other things, that defendants “intentionally accessed a computer.” LVRC Holdings LLC, 581 F.3d at 1132. But the FAC is devoid of any allegation that the defendants accessed any computer. Instead, the FAC only alleges that Needle “gained access to confidential and sensitive information.” FAC ¶ 37. Accessing plaintiffs’ information, however, is not the same thing as accessing plaintiffs’ computer systems, even if that information was at some point stored on those computers. The Ninth Circuit has specifically cautioned against reading the CFAA as an “expansive misappropriation statute.” Nosal, 676 F.3d at 857; see also id. at 863 (explaining that the “general purpose” of the CFAA “is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets”). If plaintiffs wish to assert a claim under the CFAA, they must plainly allege that defendants’ accessed their computer systems, and explain the basis for those allegations.

Posted in United States District Court Cases | Tagged access

Using Single Individual Password to Access News Site to Share Info With Others is Not CFAA Interruption of Service

A person’s use of his single individual-use password to access a news site and obtain content that he then shared with over 100 other people did not cause any impairment to the integrity or availability of data, or any loss due to interruption of service, as required to bring a civil claim under the Computer Fraud and Abuse Act.

Capitol Audio Access, Inc. v. Umemoto, 980 F. Supp.2d 1154 (E.D. Cal. 2013).

Posted in Ninth Circuit, United States District Court Cases | Tagged damage, interruption of service

Employers Receive Friendly Computer-Fraud-And-Abuse-Act Ruling From Louisiana Court

The U.S. Eastern District of Louisiana recently sided with employers in the on-going judicial debate over interpreting the Computer Fraud and Abuse Act (“CFAA”). See Associated Pump & Supply Co., LLC v. Dupre, et al., No. 14-0009 (E.D. La.). Associated Pump sued its former employee Kevin Dupre for violating CFAA during his alleged scheme to steal Associated Pump’s trade secrets. The complaint sets forth a now familiar scenario: shortly before resigning, Dupre used his work computer to violate a confidentiality agreement and known company policies by improperly accessing and obtaining Associated Pump’s confidential information to use while employed by Associated Pump’s competitor. These allegations, the Court held, state a viable CFAA claim.

via Employers Receive Friendly Computer-Fraud-And-Abuse-Act Ruling From Louisiana Court | Silicon Bayou News.

Posted in United States District Court Cases

US v. Nosal Court Orders Restitution of $827,983.25

On April 24, 2013, a jury convicted Defendant David Nosal of three counts of computer fraud in violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(4), two counts of unauthorized downloading, copying, and duplicating of trade secrets without authorization, in violation of the Economic Espionage Act (“EEA”), 18 U.S.C. § 1832(a)(2), and one count of conspiring to violate the EEA. During sentencing, the Court ordered Defendant to pay restitution to his victim and indicated that the amount of restitution would be determined at a subsequent hearing. Having considered the parties’ arguments, the Court orders that Defendant pay $827,983.25 in restitution to Korn/Ferry.

via US v. Nosal, Dist. Court, ND California 2014.

Posted in Ninth Circuit, United States District Court Cases | Tagged Restitution

Lack of $5k Loss Leads to Dismissal of CFAA Claim Against Ex-Spouse for Surreptitious Computer Monitoring

In Morgan v. Preston, 2013 WL 5963563 (M.D. Tenn. Nov. 7, 2013), the U.S. District Court for the Middle District of Tennessee dismissed a Computer Fraud and Abuse Act claim brought by one ex-spouse against the other.

The basis for the CFAA claim was that, following their separation and filing for divorce, one spouse had installed Spector Pro monitoring software, which was designed to capture all user activity on the computer without the user knowing, including all passwords typed, all emails sent and received, and all other activity, and which then automatically uploaded that information to a designated website or email address.

The court dismissed the CFAA claim because the plaintiff failed to establish a $5,000 loss, which is the jurisdictional threshold for a civil claim.

Posted in Sixth Circuit, United States District Court Cases | Tagged civil claim, divorce, family law, loss

Using Photos from Facebook Page Without Express Permission Does Not Violate CFAA

In Miranda Tan and Hassan Miah v. John Doe, 14-CV-2663 (S.D.N.Y. May 5, 2014), the court held that defendant’s use of photographs from the plaintiff’s Facebook page, without express permission, did not violate the Computer Fraud and Abuse Act. The court gave three reasons: plaintiffs did not allege (1) what “protected computer” was allegedly accessed or damaged; (2) what damage to data allegedly occurred; or (3) that the $5,000 loss requirement, which is a jurisdictional threshold for a civil claim, was satisfied.

Posted in Second Circuit | Tagged access, damage, loss, social media

Court’s dicta reaffirms that use of spyware can violate the CFAA and ECPA

In footnote 34 of Tharpe v. Lawidjaja, 2014 WL 1268820 (W.D. Va. Mar. 26, 2014), the court cites an unpublished opinion of the Fourth Circuit and states:

“As Defendant acknowledges, the installation and use of spyware is potentially a criminal act. See, e.g., United States v. Trout, 369 F. App’x 493 (4th Cir. 2010) (unpublished) (affirming admission of spyware evidence under Fed. R. Evid. 404(b) where county councilman was convicted under the Computer Fraud and Abuse Act, 18 U.S.C.A. § 1030, and the Electronic Communications Privacy Act, 18 U.S.C.A. § 2511, related to the use of spyware; the Court held ‘that the evidence pertaining to Trout’s history with the other council members … and other county staff is intertwined with and provided context to Trout’s conduct underlying the charges’).”

About the author

Shawn Tuma is a lawyer who is experienced in advising clients on complex digital information law and intellectual property issues. These issues include things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the border of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.

Posted in Fourth Circuit, United States District Court Cases | Tagged access, spyware

Federal court abstains from hearing CFAA case in favor of parallel state court proceeding

Pinnacle Ins. Solutions, LLC v. Kolbe, 2014 WL 1272212 (D. N.J. Mar. 27, 2014)

Company insider is accused of passing sensitive information to competitor, directing potential clients away from employer and impugning employer’s reputation. Insider resigns.

Former employer sued in state court on several state law claims and then subsequently sued in federal court for violating the Computer Fraud and Abuse Act along with additional state law and federal law claims.

Defendants moved for dismissal of the federal case, requesting that the federal court abstain from considering the complaint under the Colorado River doctrine. After determining that the cases were parallel proceedings, the court examined the Colorado River factors, determined that the state court could appropriately adjudicate all of the claims at issue while protecting the plaintiff’s interests, and granted the motion to dismiss.

Posted in Third Circuit | Tagged Abstention, Colorado River Abstention, motion to dismiss

When is “damage” an essential element of a Computer Fraud and Abuse Act violation?

“Damage” to a computer is an essential element of any Computer Fraud and Abuse Act claim made pursuant to 18 U.S.C. § 1030(a)(5):

(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) intentionally accesses a protected computer without authorization and as a result of such conduct, recklessly causes damage; or

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

Posted in United States District Court Cases | Tagged damage, damages, loss

Disputed issue of whether access was authorized for CFAA claim cannot be decided on motion to dismiss.

Case: Absolute Energy Solutions, LLC v. Trosclair, 2014 WL 360503 (S.D. Tex. Feb. 3, 2014)

Access Principles

A motion to dismiss a Computer Fraud and Abuse Act claim, which argued that the plaintiff’s allegations that the defendants were not authorized to access the plaintiff’s computers were wrong and that the defendants actually were authorized to access the computers, raised a factual dispute that could not be decided on a motion to dismiss.

The elements of a Section 1030(a)(2) claim require a plaintiff to show that a defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, and that he (3) thereby obtained information, (4) from any protected computer, and that (5) there was loss to one or more persons during any one-year period aggregating at least $5,000 in value.

The elements of a Section 1030(a)(4) claim require a plaintiff to show that a defendant: (1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted, (3) knowingly and with intent to defraud, and thereby (4) furthered the intended fraud and obtained anything of value, causing (5) a loss to one or more persons during any one-year period aggregating at least $5,000 in value.

Intended Use Theory: The Fifth Circuit stated that “[a]ccess to a computer and data that can be obtained from that access may be exceeded if the purposes for which access has been given are exceeded” (quoting United States v. John, 597 F.3d 263, 272 (5th Cir. 2010)).

Loss Principles

To satisfy the loss requirement and state a civil claim under the CFAA, a plaintiff is not required to allege details or the exact nature of the loss. Rather, the plaintiff must simply allege sufficient damages to establish that the elements of an 18 U.S.C. § 1030(g) claim have been met.

Posted in Fifth Circuit | Tagged access, civil claim, elements, exceeding authorized access, Intended Use Theory, loss, motion to dismiss
