In International Airport Centers, L.L.C. v. Citrin,1 decided in March, the Seventh Circuit Court of Appeals examined the difference between "without authorization" and "exceeding authorized access" under the Computer Fraud and Abuse Act ("CFAA") and held that, while it is "paper thin," it is "not quite invisible."
Citrin worked for International Airport Centers, L.L.C. ("IAC"), a real estate business, which lent him a laptop to use to identify potential acquisition targets. Citrin decided to leave IAC, in violation of his employment agreement, and go into business for himself. In preparation for doing so, he deleted all of the data on his laptop, which included data that would have revealed that he had engaged in improper conduct before deciding to quit. Moreover, Citrin had not simply pressed the "delete" button; rather, he had loaded a secure erasure program, which wrote over the files, making them unrecoverable.
IAC sued under 18 U.S.C. 1030(a)(5). Citrin moved to dismiss, arguing that he had authority to do what he did because his employment contract authorized him to "return or destroy" data on the laptop when his employment was ending. The Court of Appeals rejected his argument. As an initial matter, it held that "his authorization to access the laptop terminated when, having already engaged in misconduct and [having] decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee." In addition, it held that it was "unlikely, to say the least, that the provision [authorizing him to destroy data on the laptop] was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have - if only to nail Citrin for misconduct."
Citrin's other argument, that simply erasing files is not a "transmission" within the meaning of the CFAA, met with a similar result. The Court of Appeals agreed that treating the simple pressing of a "delete" key as a transmission, just because it transmits a command to a computer, would be stretching the definition. Here, however, Citrin did not merely press a button; he transmitted a secure-erasure program to the computer. It made no difference whether it was done manually by virtue of physical access or remotely. "Congress was concerned with both types of attacks: attacks which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer's data system on the way out (or threaten to do so in order to extort payments), on the other."
Available Remedies
In addition to injunctive relief, the CFAA provides for recovery in the event of "loss" or "damage." "Loss" is defined as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." "Damage" is "any impairment to the integrity or availability of data, a system, or information."
Prior to 2001, there were few decisions construing the parameters of "damage" and "loss" under the CFAA. The district courts in Shurgard and In re Doubleclick Inc. Privacy Litig.2 both held, as did the First Circuit Court of Appeals in Explorica (all discussed in Part I of this article) and the Seventh Circuit Court of Appeals in Citrin, that in addition to losses caused directly by the unauthorized access - like actual physical damage to a computer hard drive - other associated costs are recoverable. For example, costs to assess whether Safeguard's actions compromised the integrity of Shurgard's computers and costs to assess whether EF's website was compromised to make its computer database "hacker-proof" were recoverable. On the other hand, plaintiff's emotional distress due to DoubleClick's "invasion of their privacy, [] trespass to their personal property, and [] misappropriation of confidential data" was not, because it was not economic loss.
The parameters for defining "loss" and "damages" under the CFAA were addressed in I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc.3 I.M.S. Inquiry Management Systems ("IMS") provided a web-based service called "e-Basket," which was used by its clients to track magazine advertising. Berkshire Information Systems, Inc. ("Berkshire"), which operated a competing service called "Marketshareinfo.com," used a user identification and password belonging to a third party to access e-Basket and copied approximately 85 percent of its report formats. IMS sued, claiming that Berkshire violated the CFAA. Berkshire moved to dismiss, asserting, among other things, that IMS had pled neither "damages" nor "loss" as required in the CFAA. The Court disagreed.
It held that the data available through the e-Basket was intended to be used exclusively by IMS customers, not for appropriation by its competitors. Copying 85 percent of IMS's report formats to assist in the development of a competing system impaired the integrity of IMS's data and system and was, therefore, damage as defined by the CFAA.4 In addition, IMS's claim that it incurred costs in damage assessment and remedial measures in excess of the $5,000 required by the CFAA was sufficient to constitute a loss under the statute.5
In United States v. Middleton,6 the Ninth Circuit Court of Appeals considered how the $5,000 minimum may be calculated. Middleton worked as a personal computer administrator for Slip.net, an Internet service provider. After quitting his job, he began writing threatening emails to the company. Thereafter, he gained access to the company computer, "changed all the administrative passwords, altered the computer's registry, deleted the entire billing system (including programs that ran the billing software), and deleted two internal databases." In addition to the cost of replacing the software Middleton had deleted, and of hiring an outside consultant, Slip.net employees spent over 150 hours investigating the source and extent of the damage and repairing it. Middleton was arrested, charged, tried and convicted of a criminal violation of the CFAA.
Among his grounds of appeal, Middleton argued that since Slip.net paid its employees fixed salaries and there was no evidence that they were diverted from other responsibilities, Slip.net suffered no financial loss. In other words, he argued "unless Slip.net paid its salaried employees an extra $5,000 for the time spent fixing the computer system, or unless the company was prevented from making $5,000 that it otherwise would have made because of the employees' diversion, Slip.net has not suffered 'damage' as defined in the statute." The Court of Appeals disagreed, holding "[t]here is no basis to believe that Congress intended the element of 'damage' to depend on a victim's choice of whether to use hourly employees, outside contractors, or salaried employees to repair the same level of harm to a protected computer. Rather, whether the amount of time spent by the employees and their imputed hourly rates were reasonable for the repair tasks are questions to be answered by the trier of fact."
In Creative Computing v. Getloaded.com LLC,7 the Ninth Circuit Court of Appeals considered whether a plaintiff's own negligence barred its claim for damages. It held that it did not. Creative Computing ("CC") developed an Internet site called truckstop.com through which truckers could find available loads within a given radius of their location that could fill vacant space on their trucks. The site dominated the load-board industry. Getloaded.com ("Getloaded"), in its efforts to compete, hacked into CC's website through a "back door" that would have been locked if CC had installed an available patch. In addition, to get CC's customer list, Getloaded hired a CC employee who, while still employed by CC, downloaded and sent information to his home email account which enabled him to access the CC server from home and retrieve customer lists.
CC sued and was granted a temporary restraining order. Getloaded violated it and destroyed evidence which showed that it had copied CC's source code during the pendency of the injunction. At trial, the jury found that Getloaded had violated the CFAA and awarded damages exceeding $500,000 and a permanent injunction. Getloaded appealed.
Among its grounds, Getloaded argued that if truckstop.com had installed the free patch, Getloaded would have been prevented from hacking into the site. The court disagreed, holding that "Getloaded's argument that truckstop.com could have prevented some of the harm by installing the patch is analogous to a thief arguing that 'I would not have been able to steal your television if you had installed deadbolts instead of that silly lock I could open with a credit card.' A causal claim from the thief to the victim is not broken by a vulnerability that the victim negligently leaves open to the thief."8
Conclusion
The CFAA can be a powerful deterrent. In addition to criminal penalties including fines and imprisonment, violation of the CFAA carries substantial civil liability as well, since it can encompass a broad range of damages for economic loss. This includes not only actual damage to an employer's computer hardware and software; costs to assess damage and to institute remedial measures are also recoverable. This may include the costs of hiring outside consultants or even the time billed by salaried employees. As the cases show, such damages can be very substantial and can present a potent deterrent to a disloyal departing employee bent on causing mischief or gaining an unfair competitive advantage. The CFAA can only act as a disincentive, however, if employees know of its existence. Therefore, in the section of an employee handbook addressing the use of company-owned computers, employers should include a description of the CFAA and the penalties it carries.
In addition, the CFAA is a substantial weapon in the employer's arsenal after wrongful conduct has occurred. As such, computers used by departing employees should be examined promptly to determine whether they or the information they store have been tampered with. Even before an employee leaves, his or her email and Internet usage should be checked to ascertain whether valuable information has been pilfered. When it has, a claim under the CFAA provides a robust array of civil and, in the appropriate case, criminal remedies.
1 2006 U.S. App. LEXIS 5772 (7th Cir. March 8, 2006).
2 154 F.Supp.2d 497 (S.D.N.Y. 2001).
3 307 F.Supp.2d 521 (S.D.N.Y. 2004).
4 See also Credentials Plus, LLC v. Calderone, 230 F.Supp.2d 890 (N.D. Ind. 2002) (accessing plaintiff's computer and altering plaintiff's website to redirect its email from clients and potential clients throughout the country to defendant's email address actionable under CFAA); but see Civic Center Motors, Ltd. v. Mason Street Import Cars, Ltd., 387 F.Supp.2d 378 (S.D.N.Y. 2005) (holding that lost profits due to defendant's unfair competitive edge and wasted costs for development of hacked database were "costs not related to computer impairment or computer damages are not compensable under the CFAA").
5 "Courts have held that a loss under the CFAA includes remedial and investigative expenses incurred by the plaintiff." Physicians Interactive, 2003 U.S. Dist. LEXIS 22868 *19 (citations omitted).
6 231 F.3d 1207 (9th Cir. 2000).
7 386 F.3d 930 (9th Cir. 2004).
8 In addition, the Ninth Circuit ruled that loss of business and business goodwill constituted economic damages for which CC could recover. In contrast, courts in the Southern District of New York have not recognized such claims as compensable losses as defined by the CFAA, unless they are related to computer impairment or damages. See, e.g., Nexans Wires S.A. v. Sark-USA, Inc., 319 F.Supp.2d 468 (S.D.N.Y. 2004); Civic Center Motors, Ltd., 387 F.Supp.2d 378.
Published June 1, 2006.