X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Over the past three years, as public Web sites have become a business’s interface with the public, the federal Computer Fraud and Abuse Act, 18, U.S.C. 1030, et. seq., has emerged as a potent civil remedy to protect valuable competitive business information that is accessible through these Web sites. This article will examine this newly developed legal precedent and the proactive steps businesses should implement to take advantage of the CFAA. Primarily a federal criminal statute, the CFAA provides for “a civil action against the violator to obtain compensatory damages and injunctive relief.” 18 U.S.C. 1030(g). The critical element to proving a violation of the statute, which contains a number of civil causes of action, is the unauthorized access to a “protected computer,” which includes a company Web site. 18 U.S.C. 1030(e)(2)(B). The CFAA defines “unauthorized access” to mean “information in the computer that the accessor is not entitled so to obtain.” 18 U.S.C. 1030(e)(6). The information protected by the CFAA need only be valuable, not trade secret or copyright protected or even confidential. As the 1st U.S. Circuit Court of Appeals recognized in United States v. Czubinski, 106 F.3d 1069, 1078 (1st Cir. 1997), “[t]he value of information [protected by the CFAA] is relative to one’s needs and objectives.” A competitor who hacks “into the code … used to operate” a Web site or uses a stolen password to obtain valuable information is unquestionably in violation of those portions of the statute that outlaw theft of computer data (18 U.S.C. 1030(a)(2)(C), 1030(a)(4), Creative Computing v. Getloaded.Com LLC, 386 F.3d 930, 932 (9th Cir. 2004)) and trafficking in passwords. 18 U.S.C. 1030(a)(6). Competitors, however, have discovered a myriad of ways to retrieve valuable information from public Web sites, but few companies have instituted appropriate protections. A CFAA VIOLATION REQUIRES ‘UNAUTHORIZED’ ACCESS For example, in Business Information Systems v. Professional Governmental Research & Solutions Inc., 2003 WL 23960534 (W.D. Va. 2003), the litigants were “in the business of making scanned county land records available to subscribers of their respective websites.” Id. at 1. The defendant’s president subscribed to the plaintiff’s Web site “with his personal Visa card and was provided with an assigned username and password.” Thereafter, the defendant used that password and username to provide its customers with content from Business Information Systems’ Web site. The court found no violation of the CFAA because the defendants’ access and use of BIS’ data was not “unauthorized” — “BIS placed no restrictions on its users as to how they could make use of the information that they retrieved from BIS’s website or on whether they could allow another person to use their username and password to access BIS’s website.” Id. at 7. The court emphasized that “if BIS wanted to restrict its users in their abilities to make unfettered use of the records they were accessing, then it could have done so easily through its terms and conditions of usage.” Id. The plaintiff in I.M.S. Inquiry Management Sys. Ltd. v. Berkshire Information Sys. Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004), imposed such terms upon Web site users. The court upheld I.M.S.’ claim for unauthorized access under the CFAA because the defendant competitor had gained access to I.M.S.’ Web site by obtaining “a user identification and password issued to a third party, thereby knowingly inducing that third party to breach an agreement it had with I.M.S.” Id. at 523. There is no requirement, however, that a contractual relationship exist between the user and Web site owner for terms of use to be effective in delineating unauthorized access under the CFAA. In Register.com v. Verio Inc., 126 F. Supp. 2d 238, 245 (S.D.N.Y. 2000), affirmed on other grounds, 356 F.3d 393 (2d Cir. 2004), the data at issue were customer contact listings for domain names registered by Register.com. As an accredited domain name registrar, Register.com is required to permit online access to names and contact information for its customers “to provide necessary information in the event of domain-name disputes, such as those arising from cybersquatting or trademark infringement.” Id. at 242. The database is set up to “allow the user to collect registrant contact information for one domain name at a time by entering the domain name into the provided search engine.” The defendant Verio, a direct competitor of Register.com, built “an automated software program or ‘robot’” and periodically downloaded all of Register.com’s customer information, so that the defendant could solicit those customers for the same Internet services offered by Register.com. Id. at 243. The robot’s automatic downloading allowed Verio to contact Register.com’s customers “within the first several days after their registration,” when they were most likely primed and ready to purchase the related services. Id. at 243. Verio conceded that “it had violated Register.com’s posted restriction on the use of … [the] data for direct mail and telephone marketing purposes.” Id. at 245. Accordingly, the court granted Register.com an injunction based on the CFAA, finding that Verio’s access to the data and its use of that data was “unauthorized.” A Web site’s terms of use also governed the scope of authorized use by a third party who tried to take commercial advantage of the Web site in Southwest Airlines Co. v. Farechase Inc., 318 F. Supp. 2d 435 (N.D. Texas 2004). Southwest Airlines, “developed and maintains the website Southwest.com, from which it ‘provides proprietary fare, route, and schedule information to its actual and potential customers in an interactive format.’” Id. at 437. The defendant Farechase licenses software that was used by a third party to “access, search, and obtain data from Southwest.com by ‘sending out a robot, spider, or other automated scraping device across the Internet’ ” for the purpose of allowing “ corporate travelers to search for airline fares, as well as various features designed for corporate travel.” Id. at 437. In denying Farechase’s motion to dismiss, the court found that Southwest had sufficiently alleged “unauthorized access” based on the terms of use that appeared on its Web site that “prohibited the use of ‘any deep-link, page-scrape, robot, spider or other automatic device, program, algorithm or methodology which does the same things.’” Id. at 439. While agreeing with Farechase “that the Use Agreement is not a contract,” the court found that the use agreement that was “accessible from all pages on the website” made it clear that Farechase’s software was not authorized to be used on Southwest’s Web site. Id. at 439. Also, in both Southwest and Register.com, the courts found that the lack of authorization existed by virtue of direct notice to both defendants that their access was unauthorized. Southwest did so prior to filing suit, and in Register.com, the court found that Verio was not authorized to use the automatic robot to mine data because “it is clear since at least from the date this lawsuit was filed that Register.com does not consent to Verio’s use of a search robot, and Verio is on notice that its search robot is unwelcome.” Register.com, 126 F. Supp. 2d at 249. FORMER EMPLOYEES MAY NOT VIOLATE CONFIDENTIALITY PACTS Terms of use are not the only way to establish unauthorized conduct on a public Web site. In EF Cultural Travel BV v. Explorica Inc., 274 F. 3d. 577 (1st Cir. 2001) the former president and other high-ranking employees of EF Cultural Travel (EF) used a specially designed scraper tool to download automatically through the company’s public Web site all of EF’s 154,293 prices for high school tours (which could ordinarily be taken off the Web site only several prices at a time). Id. at 580, n.3. The defendants used these prices systematically to undercut EF’s prices for their new competing business, Explorica. The 1st Circuit upheld the district court’s injunction, finding “excessive” unauthorized access “based on the confidentiality agreement between” EF and the former employee who orchestrated the download. Id. at 582. The court found that this former employee had “provided Explorica proprietary information about the structure of the website and the tour codes” which made it possible to develop the scraper program. The court further found that “if proven, Explorica’s wholesale use of EF’s travel codes to facilitate gathering EF’s prices from its website reeks of use-and, indeed, abuse-of proprietary information that goes beyond any authorized use of EF’s Web site.” Id. at 583. In a later decision relating to co-defendant Zefer Corp., the 1st Circuit recognized that “[a] lack of authorization could be established by an explicit statement on the website restricting access” including prohibiting “the use of scrapers.” EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62 (1st Cir. 2003). Such restrictions are enforceable because the CFAA “is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, the “website provider can easily spell out explicitly what is forbidden.” Id at 63. For Web site owners who want to take advantage of the remedies afforded by the CFAA to protect themselves from competitors using their information, the lessons are straightforward: Terms of use should be displayed conspicuously on the Web site and incorporated into agreements with Web site users. Written notice should immediately be sent to anyone suspected of violating the terms of use. Confidentiality agreements should be required of all employees familiar with the inner workings of the Web site. Passwords should be changed regularly to prevent former employees from using passwords to access company data through the Web site. Nick Akerman is a partner in the New York office of Dorsey & Whitney.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]

 
 

ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.