Over the past year the national press has repeatedly reported on the vulnerability of our intellectual property to nation-state hackers like China, which have reportedly accessed and stolen highly confidential data by entering computer systems through public websites.
Lost in the headlines is the equally serious threat of industrial espionage posed by U.S.-based data thieves. As a practical matter, companies victimized by foreign governments have no real remedy other than to reinforce their computer security defenses and report suspected violations to law enforcement.
But when the data thieves are domestic competitors, businesses do have a self-help remedy: the Computer Fraud and Abuse Act (CFAA). The federal computer crime statute can stop hackers dead in their tracks and retrieve stolen confidential data and intellectual property.
Some recently reported cases in which companies have successfully brought CFAA cases against intellectual property thieves demonstrate how businesses can aggressively take advantage of this statute to protect their intellectual property.
The CFAA—18 U.S.C. 1030—outlaws criminal activity, including stealing data, directed at what the statute defines as a “protected computer” and provides for a civil action for damages and injunctive relief for companies that have been victimized by, among other crimes, the theft or destruction of their data. The CFAA defines a “protected computer” as one “used in or affecting interstate or foreign commerce or communications.” That definition includes a website “used to conduct business across states lines.” Millennium TGA Inc. v. Leon, 2013 WL 5719079 (E.D.N.Y. Oct. 18, 2013).
A critical element to proving a violation of the CFAA for stealing or destroying data is that the perpetrator accessed the protected computer without authorization or did so by exceeding authorized access. In four factual scenarios, companies have successfully used the CFAA against data thieves alleging a lack of authorized access to the company website.
THE FOUR SCENARIOS
The first scenario involves a competitor using a special tool such as a scraper or crawler to circumvent the technological constraints of a public website in order to copy its data. For example, in Craigslist v. 3Taps, 942 F. Supp. 2d 962 (N.D. Calif. 2013), Craigslist sued the owners of a competitor’s website alleging that they were using a scraper that had “harvested and reproduced the contents of Craigslist’s website” to publish Craigslist’s ads on their own website.
In refusing to dismiss the CFAA claims, the court held that Craigslist properly alleged that the defendants had accessed its website without authorization based on two key facts: First, the defendants ignored the cease-and-desist letters sent to them by Craigslist denying them authorization to use the website “for any purpose,” and continued to scrape data from Craigslist’s website. Second, the main defendant evaded the technological barriers erected by Craigslist to block the defendant’s Internet Protocol addresses and “bypassed [the block] by using different IP addresses and proxy servers to conceal its identity.”
However, the First Circuit in EF Cultural Travel v. Zefer, 318 F.3d 58, 62, 63 (2003) recognized that a “public website provider can easily spell out explicitly what is forbidden,” and that “an explicit statement on the website” prohibiting use of a scraper could establish lack of authorization.
The third scenario for proving unauthorized access is when a competitor, posing as a legitimate customer, uses a company-issued password to obtain access to private areas of the website reserved exclusively for customers. This situation can include stealing passwords by hacking into the web-site, as was done in the Millennium TGA case, or by obtaining use of a password that belongs to a legitimate website customer. In Pixsys Technologies v. Agemni, 2013 WL 5739027 (N.D. Ala. Oct. 22, 2013), Pixsys Technologies Inc. had developed and was licensing a proprietary software package designed to enable DISH satellite television service providers to better manage their back-office function. Pixsys licensed its software to Southern Star Inc. under a standard agreement prohibiting it from, among other things, sharing its password to a Pixsys website where its software was accessible to its paying customers. In violation of this agreement, Southern Star provided its password to a Pixsys competitor, Agemni LLC. Using that password on multiple occasions, Agemni was able to review Pixsys’ software features that Agemni’s product did not offer. Agemni obtained details about the Pixsys product, and based on its review, allegedly made “tons of enhancements” to its software.
Pixsys sued Agemni for violating the CFAA and moved the court for a temporary restraining order enjoining Agemni from accessing, viewing, obtaining and using any such information from the Pixsys website. Finding that Pixsys would likely succeed on the merits of its CFAA claim because the use of the password was without authorization, the court granted the TRO.
The fourth scenario is the classic inside job, in which a current employee steals data from the company computer to use in a competitive enterprise. For example, in Custom Hardware Engineering and Consulting v. Dowell, 918 F. Supp. 2d 916 (E.D. Mo. 2013), four disloyal employees, including the head of network security systems for Custom Hardware Engineering and Consulting Inc. (CHE), secretly formed their own business in competition with their employer to provide computer hardware maintenance services. These employees, while still employed by CHE, systematically stole their employer’s confidential and proprietary data, including copyrighted computer programs, to use in their competing business.
The court denied the defendants’ motion for summary judgment on the plain-tiff’s CFAA claim, finding genuine material issues of fact existed as to whether the defendants exceeded the scope of their authorization to access CHE’s protected computer. The court relied on the facts that the employees had signed employment agreements limiting their authorization to access the CHE computers “to the performance of CHE’s business,” and that their breaches of fiduciary duty terminated their authorization to the CHE computers.
Based on the Nosal case, the CHE action would not have survived a motion to dismiss in the Ninth or Fourth circuits, the only other circuit to follow Nosal. For example, in Farmers Insurance Exchange v. Steele Insurance Agency, 2013 WL 3872950 (E.D. Calif. July 25, 2013), the court, within the jurisdiction of the Ninth Circuit, followed Nosal and dismissed CFAA claims against insurance agency employees who stole confidential insurance policy data from their employer’s computer for the purpose of using that data to divert insurance customers to their new employer. Because the employees were authorized to access the company’s computers while employed, Nosal dictates that they could not “exceed authorized access,” even though they “may have used such information for an improper purpose.”
STEPS FOR BUSINESSES