Update on CFAA Circuit Split: District Courts in 8th Circuit Adopt Minority View, Permitting Claims Where Defendant Exceeds His Authority to Access Computer

We have been watching closely the development of a Circuit split over whether Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, claims can be brought against persons who have been given authority to access a computer, but then exceed the scope of this authority. The 7th Circuit holds that an employee has accessed his employer’s computer “without authorization,” and can be sued under CFAA, if he uses legitimately-acquired access rights to advance an interest that is adverse to his employer. A recent ruling by a District Court in the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, confirms that courts in the 8th Circuit are lining up behind this minority viewpoint.

The Lasco Foods case involves a common litigation scenario in which an executive has left a company to start a competing business. The defendants, Shaw and Hall, were long-time Lasco sales executives. Both were allegedly provided Lasco-owned laptops for use in company business. According to the complaint, in 2008, Shaw and Hall decided to start a competing business. Both before and after Lasco became aware of this new business, but while they were still Lasco employees, the defendants allegedly “accessed, printed, copied and/or downloaded” a substantial amount of data from their laptops, as well as Lasco’s network. Among this data allegedly was customer contact information stored in Shaw’s Outlook “Contacts” file. Shaw allegedly deleted the Contacts file from his laptop before returning it to Lasco, thus depriving the company of customer information that it had paid to develop. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D. Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).

Several state law remedies address what we will call the “absconding executive” situation, including interference with business relations, conversion, and trespass to chattels causes of action. However, companies have often attempted to sue absconding executives under CFAA, as well.

CFAA Section (a)(5) contains three provisions that permit suits against persons who knowingly access a “protected computer” and intentionally or recklessly cause damage. (A protected computer includes any computer which is used in interstate or foreign communication. 18 U.S.C. § 1030(e)(2). In today’s internet age, it includes just about every computer in the country.) However, each of these three provisions requires that the defendant have accessed the computer “without authorization.” Therein lies the rub. As discussed in our September 24 and October 1 posts, the federal courts are divided on when an employee’s access to a computer is “without authorization.” The majority position, which was recently adopted by the 9th Circuit, is that “without authorization” only refers to persons who do not have permission to access the company’s computer in the first place. LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). Under this interpretation, Shaw and Hall could not be sued under CFAA, because they had originally received permission from Lasco to access its computers.

Court Split Widens over Whether DMCA Rules against Removal of Copyright

Among the anti-circumvention rules in the Digital Millennium Copyright Act (DMCA) are prohibitions against the removal or alteration of “copyright management information.” (17 USC §1202). While the popular understanding of the DMCA is that its provisions are specifically targeted to digital media, the definition of “copyright management information” appears very broad and includes:

• The title and other information identifying a work, including the information set forth in a notice of copyright.
• The name(s) and other identifying information of the author, owner and/or performer of the work.
• Terms and conditions for use of the work, and
• Identifying numbers or symbols referring to such information or links to such information.

At face value, nothing about these definitions appears to limit “copyright management information” to digital or other electronic information. However, the earliest District Court cases decided that Congress had intended to limit this provision to “automated copyright management systems functioning within a computer network environment.” IQ Group, Ltd. v. Wiesner Publishing, LLC, 409 F.Supp.2d 587, 596 (D. New Jersey 2006); Textile Secrets International, Inc. v. Ya-Ya Brand Inc., 524 F.Supp.2d 1184 (C.D. Cal. 2007). Among technological measures that these decisions indicated would qualify under this standard were electronic envelopes and digital watermarks. This interpretation was followed, without significant comment, in another recent Southern District of New York decision. See Silver v. Lavandeira, Southern District of New York, 08 Civ. 6522 (JSR) (January 7, 2009 Magistrate’s Report and Recommendation).

That early trend is meeting some resistance. In March 2007, a court in the Western District of Pennsylvania held that Section 1202(c) defines “copyright management information” broadly to include “any” of the information set forth in its defined categories, whether digital or not. McClatchey v. Associated Press, 2007 WL 776103 (W.D. Pa. 2007). This meant that cropping the title, author’s name and copyright notice on printouts of photographs could violate this provision of the DMCA. In February 2009, directly rejecting the IQ Group and Textile Secrets rulings, a court in the Southern District of New York stated that the phrase “the technological measures of automated systems” is not found in the statute. As such, it found that the statute could cover manual removal of copyright information. See Associated Press v. All Headline News Corp., Southern District of New York, 08 Civ. 323 (PKC) (February 17, 2009 Memorandum and Order).

It is too early to tell how this split will be resolved. If the broader view of the statute is accepted, it could substantially change the requirements even for fair use of copyrighted information. Under the statute, removal or alteration of copyright information is prohibited “without the authority of the copyright owner or law,” without exception. Section 1202(b).