A decision from the U.S. District Court for the Northern District of California held that the costs associated with the tracking and discovery of the identity of the person who stole proprietary information from a company does constitute "loss" for the purposes of calculation of damages under the Computer Fraud and Abuse Act (CFAA).
The dispute in the case was between a company and its competitor. Plaintiff alleged that the defendant competitor company accessed privileged parts of plaintiff’s computer information system to, among other things, create a disparaging PowerPoint slide show. Plaintiff based its claim under CFAA which prohibits unauthorized access to a protected computer and any person who suffers damage or loss in excess of $5,000 due to another’s misuse may maintain a civil action.
Plaintiff relied on CFAA and its $5,000 threshold by arguing that the costs to identify that it was the competitor company who broke into its systems should be counted towards the $5,000 threshold. Defendant disagreed and moved for summary judgment, in reliance of Tyco Int’l v. Does, which holds that CFAA allows recovery for losses beyond mere physical damage to property but additional types of damages have generally been limited to accessing the damage caused to the system or to resecure the system following the attack.
The court distinguished the Tyco case on the facts and held that the costs of "responding to [the] offense" should include the costs, as in this case, of determining that defendant was one of the hackers who did access the computer system without authorization.
Many of our readers know that the principal cybercrime statute in the United States is the Computer Fraud and Abuse Act, 18 U.S.C. 1030. It has served well over the years since enaction but some prosecutors (and civil plaintiffs to which it also applies) have complained that it does not keep up with newer types of cybercrime. Possibly in response to these critics, Senators Hatch (UT), Biden (DE), and Cochran (MS) have introduced an amendment to Section 1030.
The new bill, "Cyber-Crime Act of 2007" (S. 2213) (Thomas tracker) would make three substantial amendments:
First, it would prohibit "conspiracy to commit an offense" as well as the offenses actually committed. Currently Section 1030 does not cover explicitly "conspiracy" to commit any of its prohibited offenses, although prosecution was possible under other "conspiracy" provisions of Title 18. This makes it explicit now.
Second, the bill seeks to expand the required damage to protected computers threshold from $5,000 in a one-year period to "damage affecting 10 or more protected computers during any one-year period." Currently, in order to be able to prosecute a cybercriminal under some provisions of 1030, there must have been a minimum threshold of $5,000 in damages caused by the alleged cybercrime. In many cases this was not an issue, for example where the cybercrime had a direct financial loss of $5,000. However, other cases may not be so clear-cut. For example, if a small company’s computer is breached and the company expends some time and effort to investigate and fix the problem, the question becomes whether the expenses that the company incurred meet the $5,000 threshold. Should full-time employees’ time be calculated on a per-hour basis to determine damages? How should loss of good will be calculated if the breach becomes public? In some cases these questions have created difficult questions.
Other reasons to introduce the damages to 10 computers requiremens are a couple of relatively new types of crime - Distributed Denial of Service (DDoS) and botnets. Both are very closely interrelated in that the cybercriminal obtains control of a high number of computers (sometimes called ‘zombies’ and almost always substantially more than 10) which they use to disable Internet resources, send spam or phish emails, or use the substantial aggregate computing and network power of these botnets for other evil purposes. Because by definition the owners of the zombie computers would not know that they are part of the botnet, they would not be able to assert damages and meet the $5,000 threshold. Creating a 10 or more damaged computers provision would allow prosecution of botnet operators under Section 1030 without having to show monetary damages to a particular zombie machine.
The reality is that botnet operators can possibly be targeted under Section 1030 for the damages they do as a result of using the botnet to commit a specific act (e.g. spam, phish, DDoS); however, the new proposed provision would allow prosecution before the cybercriminals strike, not after. Kudos for giving tools for proactive legal measures against such acts.
The third of the proposed substantial amendments adds cyber-extortion and threats to reveal confidential information illegally obtained from computer to be computer damage and thus eligible for prosecution under 1030. This provision also aims to deal with a frequent type of cybercrime where there is no verifiable damage. Cyber-extortion can take many forms, but most often the cybercriminals seek to obtain money or something of value in exchange of either i) not attacking or disabling a certain computer or network resource or ii) not releasing confidential information obtained in an illegal way. The new provision covers these and similar situations.
The proposed amendments to Section 1030 are a good step towards catching up with cybercriminals. Senator Biden’s statement in connection with the proposed bill says that, the "[c]urrent law hasn’t kept up with the fast pace of new criminal technologies–right now there are holes in the law that cyber-criminals can readily exploit. The Cyber-Crime Act will fix this, update the law and put us one step ahead of the cyber-criminals, instead of one step behind."
A Philadelphia Federal District Court held that an accountant who used his computer to copy information about his previous employer’s clients to share with his new employer did not violate the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, but the act might have been in violation of the fiduciary duty owed to his employer by soliciting clients for his new employer while still working for his old employer. The case is Brett Senior & Assocs. v. Fitzgerald, E.D. Pa., No. 06-1412, 7/13/07.
The defendant, Stephen Fitzgerald, was an accountant who was employed by the law firm of Brett Senior & Associates since 1989. He did not sign an employment agreement at the time he was hired but in 1999 he signed a conflict of interest agreement that said employees were not allowed to "disclose to a competitor confidential or proprietary information, including client lists, if the information is not generally known to the public."
In early 2005, Fitzgerald interviewed for a job with Fesnak & Associates. In November 2006, Fitzgerald told BSA that he had accepted a job with Fesnak and just before leaving BSA a month later, Fitzgerald copied tax information from his work files information regarding BSA clients. BSA warned Fitzgerald not to use confidential information; however, Fitzgerald approached 20 clients to follow him to Fesnak and 15 of those 20 did. Subsequently more clients followed Fitzgerald to his new employer. As a result, BSA sued, alleging, among other claims, that Fitzgerald violated the Computer Fraud and Abuse Act.
The Court’s Holding
The court’s reasoning in dismissing the computer fraud claim under section 1030 was that a computer fraud claim must show an unauthorized procurement or alteration, not mere misuse or misappropriation. The court said that 10 U.S.C. 1030(a)(4) prohibits the unauthorized procurement or alteration of information, not its misuse or misappropriation. Because Fitzgerald had full and legally authorized access to BSA’s computer system when he copied the information before he left the firm, the court could not hold that he accessed BSA’s computers without authorization or that he exceeded his authorization.
The court, however, held that Fitzgerald’s actions may constitute a breach of fiduciary duty because Fitzgerald contacted 20 BSA clients to join him in moving to Fesnak while he was still employed at BSA.
Split of Authority?
The outcome of this case on the computer fraud claim is interesting because it goes against what other courts have held in the past. We wrote in August 2006, on similar facts in Lockheed Martin Corp. v. Speed (M.D. Fla.,) that an employee who copies computer files prior to departing for a rival firm has not "exceed[ed] authorized access" as that key phrase is defined under the Computer Fraud and Abuse Act. The Fitzgerald case and the Lockheed Marting cases have similar outcome on somewhat similar facts. However, they both seem to contradict what the 7th Circuit Court of Appeals held earlier in 2006.
Judge Richard Posner of the Seventh Circuit in International Airport Centers LLC v. Citrin, 440 F.3d 420 (7th Cir. 2006), held that CFAA imposed liability on the premise that the employee’s authorization vanished once he breached a duty of loyalty to the employer. Presumably, this may be long before the employee is terminated, so the employee "exceeds authorization" whenever he or she takes substantial steps towards breaching the duty of loyalty to the original employer - e.g. contracting a competitor, etc.
The Fitzgerald court held that he may have breached the fiduciary duty owed to his current employer by copying information to be used for the new employer. If the court had followed Judge Posner’s Citrin reasoning, then the Fitzgerald outcome must have come out differently because Fitzgerald breached his duty of loyalty before he was terminated (or quit) and he accessed BSA’s computer systems during and after this breach. Therefore, in the Seventh Circuit, this case should have came out the other way.
Is Citrin the Rule of the Exception?
It is unclear. Citrin certainly provides good Circuit Court authority for employers who want to go after they departing employees for breach of loyalty under the CFAA. But District Court opinions such as Fitzgerald and Lockheed Martin may slowly start undermining Citrin’s authority and gradually lead to its rejection in other circuits.