Nick Akerman is a partner in the New York office of Dorsey & Whitney.

The Computer Fraud and Abuse Act (CFAA) is a criminal statute outlawing a variety of crimes directed against computers, including the theft and destruction of data. 18 U.S.C. 1030, et seq. A company that is the victim of data theft does not have to rely exclusively on the U.S. Department of Justice to prosecute the wrongdoers. The CFAA permits an injured party to pursue self-help by filing a civil action in federal court for injunctive relief to obtain the immediate return of the stolen data and for compensatory damages. 18 U.S.C. 1030(g).

Four of the seven potential causes of action under the CFAA require the victim company to prove that the data thief was “unauthorized” to access the computer or “exceeded authorization.” 18 U.S.C. 1030(a)(2), (a)(4), 5(A)(ii) and 5(A)(iii). The CFAA does not define what is meant by unauthorized access, although it does define “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6). The courts have acknowledged that the difference between unauthorized access and exceeding authorized access is “paper thin.” International Airport Centers LLC v. Citrin, 440 F.3d 418, 420 (2006).

Two bodies of law on ‘unauthorized access’

Aside from the scenario where a hacker purposely circumvents the computer’s security to steal or maliciously destroy data, two distinct bodies of law have emerged interpreting “unauthorized” access. The first relies solely on the law of agency to find unauthorized access when an officer or employee enters the computer for a purpose contrary to the best interests of his company, typically to use the data to compete against the company. This breach of the “duty of loyalty” terminates “the agency relationship” and with it the “authority to access” the computer. Citrin, 440 F.3d at 420-21; P.C. Yonkers v. Celebrations The Party and Seasonal Superstore LLC, 428 F.3d 504, 510 (3d Cir. 2005).

There is, however, a second body of law interpreting “unauthorized” access that is predicated solely on company-created rules governing access to its computer systems. As the 1st U.S. Circuit Court of Appeals recognized in EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003), the “CFAA . . . is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, a company “can easily spell out explicitly what is forbidden.” Id. at 63. To date, a number of courts have interpreted the CFAA’s critical element of unauthorized access in the context of company-created rules. This article will examine those cases and their implications for implementing an effective corporate data-protection program.

The most obvious rules for a company to adopt are those relating to the conduct of its own officers and employees. In Doe v. Dartmouth-Hitchcock Medical Center, No. CIV. 00-100-M, 2001 WL 873063, at 2 (D.N.H. July 19, 2001), the court interpreted “unauthorized access” based on the Dartmouth hospital’s Graduate Medical Training Manual, which contained “policies governing the confidentiality of patient records, which generally prohibit interns and Fellows, like . . . [the defendant] from accessing patient records absent a professional ‘need to know.’ ” Based on these policies, the court found that the defendant, who was a resident in psychiatry at the Dartmouth hospital, “was granted only limited access to Dartmouth’s computerized patient records” and that this limitation was imposed “for the very purpose of protecting patient confidentiality.” Id. at 5. The court held that the resident violated the CFAA by violating the hospital’s policies on patient confidentiality.

The court further held that because the hospital was victimized by the breach of its “own policies,” it would be inconsistent with the purpose of the CFAA (“to protect computer systems . . . from unauthorized access and concomitant damage”) to find that the hospital was vicariously liable for the actions of the resident. Id. at 5. The court concluded that to do so “would turn the protective statute - meant to protect Dartmouth’s computer systems - on its head,” and dismissed the CFAA claim against the hospital. Id. at 6.

Violation of company’s guideline for employees

Similarly, in U.S. GreenFiber v. Brooks, No. Civ.A. 02-2215, 2002 WL 31834009, at 2 (W.D. La. Oct. 25, 2002), the court granted the company an injunction under the CFAA against a former employee who violated the company “guidelines for the employees’ use and handling of GreenFiber’s business information.” The former employee had removed from the company computer “all documents, e-mail files, and Microsoft Office, including the Outlook e-mail program.” Id. The court relied on the company policy to show lack of authorization, even though the employee had not signed the policy, as she was required to do “as a condition of employment.” Id. The court found that it was “clear from her e-mail that she was aware of this policy,” and that she, like other employees who had not signed the policy, had been sent an e-mail by the company president “explaining it to them again.” Id.

The courts have also found unauthorized access by customers who have violated terms of use for accessing their vendors’ computers. In America Online Inc. v. LCGM Inc., 46 F. Supp. 2d 444, 448 (E.D. Va. 1998), the court granted summary judgment to America Online (AOL) on its CFAA claim against the defendant, who sent spam bulk e-mail through the AOL server in violation of AOL’s “Terms of Service[, which] bar . . . members [like the defendants] . . . from sending bulk e-mail through AOL’s computer systems.” Id. at 448. The court held that the “[d]efendants’ actions violated AOL’s Terms of Service, and as such [were] unauthorized.” Id. at 450.

Business Information System v. Professional Governmental Research & Solutions Inc., No. Civ.A. 1:02CV00017, 2003 WL 23960534 (W.D. Va. Dec. 16, 2003), underscores the importance of creating terms of use for customer access to the company’s Web site. There, the parties were competitors “in the business of making scanned county land records available to subscribers of their respective Web sites.” Id. at 1. The president of the defendant bought his own subscription from Business Information System (BIS) and used his assigned user name and password to obtain records for his company’s competing Web site. The court, however, found that the defendant did not violate the CFAA because its access was not “without authorization.” Id. at 7, 8. BIS did not restrict a subscriber from using the information for competitive purposes. The court concluded that “if BIS wanted to restrict its users in their abilities to make unfettered use of the records they were accessing, then it could have done so easily through its [customer] terms and conditions of usage.” Id. at 7.

The same principle applies to a company’s Web sites open to the general public. For example, the 1st Circuit in Zefer explicitly stated that terms of use on a public Web site can properly limit how information can be downloaded from the Web site. There, the former vice president of the plaintiff’s high school tour business used an automatic scraper to download all of the plaintiff’s 154,293 tour prices for his new competing business. While the court found unauthorized access because the defendant built the scraper using confidential information about the architecture of the Web site, the court stated that there would have been unauthorized access if the Web site had an “explicit prohibition in place” banning the use of scrapers. 318 F.3d at 62. Thus, the court in Southwest Airlines Co. v. Farechase Inc., 318 F. Supp. 2d 435, 439 (N.D. Texas 2004), denied the defendant’s motion to dismiss the CFAA claim for lack of unauthorized access, holding that the terms of use on the Web site “prohibited the use of any deep-link, page-scrape, robot, spider or other automatic device, program, algorithm or methodology which does the same thing.”

Companies need to adopt clear rules on authorization

The message from the courts is clear. A company serious about protecting its computer data should adopt rules relating to the use of its computers that explicitly spell out not only the scope of authorizations for its own officers or employees who regularly use the computers to conduct the company’s business, but also the terms of use by which customers and members of the public are provided access to its Web sites. These policies provide the predicate under the CFAA for the company to bring a civil action and for the government to bring criminal charges.

Also, computer policies can be relied upon by the company, as did the court in Dartmouth-Hitchcock Medical Center, to show that it is a victim when these policies are violated. Being the victim protects the company not only from being successfully named as a defendant in a civil action, as in Dartmouth-Hitchcock Medical Center, but also from being indicted on criminal charges which, like a civil action, can only be based on vicarious liability.

Finally, it is critical that these policies be explicit enough to cover all of the activity that should be prohibited. For example, in Forge Industrial Staffing Inc. v. De La Fuente, No. 06 C 3848, 2006 WL 2982139, at 5 (N.D. Ill. Oct. 16, 2006), the defendants asserted that the “company policies and procedures . . . affirmatively demonstrate” that they did not limit their “authority to delete or erase data.” It is equally important to determine that current company policies do not authorize activity that undermines data security. For example, in Citrin, 440 F.3d at 421, the defendant claimed that he was authorized to destroy data based on his employment contract, which “authorized him to ‘return or destroy’ data in the laptop when he ceased being employed.”


Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.