<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>CFAA Archives - Ad Astra Law Group, LLP</title> <atom:link href="http://www.astralegal.com/tag/cfaa/feed/" rel="self" type="application/rss+xml" /> <link>https://www.astralegal.com/tag/cfaa/</link> <description></description> <lastBuildDate>Fri, 01 Feb 2019 04:17:14 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.6.1</generator> <item> <title>Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part One</title> <link>https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/</link> <comments>https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/#respond</comments> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Mon, 21 Jul 2014 01:36:57 +0000</pubDate> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[computer fraud]]></category> <category><![CDATA[Computer Fraud and Abuse Act]]></category> <category><![CDATA[cyber crime]]></category> <category><![CDATA[data security]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1126</guid> <description><![CDATA[<p>Author: Scripta Ad Astra Staff This week, we will have a three-part series on all of the substantive district court opinions in California regarding the Computer Fraud and Abuse Act (“CFAA”) (18 § U.S.C. 1030) for the first part of 2014 – January through June. We are concentrating on California because that is where most … <a href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/" class="more-link">Continue reading<span class="screen-reader-text"> "Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part One"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part One</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p>Author: Scripta Ad Astra Staff</p> <p>This week, we will have a three-part series on all of the substantive district court opinions in California regarding the Computer Fraud and Abuse Act (“CFAA”) (<a href="http://www.law.cornell.edu/uscode/text/18/1030">18 § U.S.C. 1030</a>) for the first part of 2014 – January through June. We are concentrating on California because that is where most of the Ninth Circuit opinions are generated – not surprising given that Silicon Valley and many technology firms are located in California and within the Ninth Circuit’s jurisdiction.</p> <p>The CFAA is important to businesses small and large because it provides them the opportunity to seek recourse for unauthorized access to data and information they store and protect on their internal servers or on the cloud. CFAA violations address outside computer “hackers” as they are commonly perceived in the media, but also “inside” hackers: former employees or business partners that have found ways to access information from their former business associates which they are no longer supposed to view. The CFAA does not address how information is used once it is acquired, but only covers the initial access of information that one has no authority to view or exceeded his or her authority in so viewing.</p> <p>Over the next week – Monday, Wednesday, and Friday – we will provide a roundup of the first six months of published California federal opinions regarding the CFAA.</p> <p><b><span style="text-decoration: underline;"><i>Oracle Am., Inc. v. TERiX Computer Co.</i>, 2014 U.S. Dist. LEXIS 561 (N.D. Cal. Jan. 3, 2014)</span></b><br /> <b>Judge</b>: Paul S. Grewal, United States Magistrate Judge</p> <p><span id="more-1126"></span></p> <p>Plaintiff Oracle, a leading supplier of enterprise hardware and software systems, as well as technical and consulting services for those systems, is suing defendants, TERiX Computer Co. and Maintech, Inc., who offer support services related to Oracle’s Solaris-based software system. Oracle alleges that TERiX and Maintech duped Oracle’s customers into providing them with access to updates to Oracle’s Solaris operating system — access to which Oracle says TERiX and Maintech had no right.</p> <p>The court provided opinions with respect to three aspects of the CFAA. First, it held that the heightened pleading standard of Rule 9(b) for fraud was inapplicable to Oracle because Oracle allegations do not rely on first-party reliance, but, rather, third-party (customer) reliance.</p> <p>Second, the court considered whether Oracle had met the pleading standards for Sections 1030(a)(6), (a)(2), and (a)(4). Citing <i>State Analysis, Inc. v. Am. Fin. Servs. Assoc.</i>, 621 F. Supp. 2d 309, 317 (E.D. Va. 2009), the court found that Oracle had not met the proper pleading standard for a Section 1030(a)(6) violation because it had only pled that defendants are alleged only to have received the login credentials from their customer and used the credentials themselves and did not amount to “trafficking” under the CFAA.</p> <p>With respect to Sections 1030(a)(2) and (a)(4), the key issue revolved around whether the defendants acted “without authorization” or “exceeded” their “authorized access” when accessing Oracle’s support websites. Relying on<i>United States v. Nosal</i>, 676 F.3d 854 (9th Cir. 2012), and <i>Oracle Am., Inc. v. Service Key, LLC</i>, 2012 U.S. Dist. LEXIS 171406 (N.D. Cal. Nov. 30, 2012), defendants argued that because they received valid access credentials from Oracle’s customers, their use of the credentials was merely a violation of “use” restrictions, and therefore is not a violation of the CFAA.</p> <p>The court dismissed defendants’ theory, stating that contrary to the factual scenario in <i>Nosal </i>and <i>Service Key</i>, defendants in the instant matter were alleged to have no access rights whatsoever and proceeded to login to Oracle’s secure website anyways. As a result, the court refused to dismiss the Section 1030(a)(2) and (a)(4) claims.</p> <p><b><span style="text-decoration: underline;"><i>Sprint Nextel Corp. v. Welch</i>, 2014 U.S. Dist. LEXIS 2119 (E.D. Cal. Jan. 8, 2014)</span></b><br /> <b>Judge</b>: Stanley A. Boone, United States Magistrate Judge</p> <p>In <i>Welch</i>, the court considered whether plaintiff’s CFAA allegations in its complaint were sufficient enough for an entry of default judgment. On July 26, 2013, plaintiff Sprint Nextel Corp. filed a complaint seeking damages and injunctive relief against Defendant Aaron Simon Welch d/b/a The Cell Cycle for an alleged “Bulk handset Trafficking Scheme” – Defendant and other co-conspirators acquired subsidized phones from Sprint and resold them to others. On October 20, 2013, Plaintiff filed a motion for default judgment.</p> <p>With respect to the CFAA allegations – violations of Sections 1030(a)(4) and (a)(5), the court stated that “Plaintiff alleges that Defendant violated the Computer Fraud and Abuse Act by acquiring phones through fraud and gained unauthorized access by 1) unlocking the phones and 2) turning on the phones and thereby accessing Sprint’s wireless service network and billing network. Plaintiff further alleges that Defendant traffics in using the proprietary codes stored on the phones which access Sprint’s network and selling those codes along with the phones.” These pleadings were sufficient for plaintiff to have stated a cognizable claim under the CFAA, thus weighing in favor of entry of default judgment.</p> <p><b><span style="text-decoration: underline;"><i>United States v. Nosal</i>, 2014 U.S. Dist. LEXIS 4021 (N.D. Cal. Jan. 13, 2014)</span></b><br /> <b>Judge</b>: Edward M. Chen, United States District Judge</p> <p>On April 24, 2013, a jury convicted Defendant David Nosal of computer fraud crimes, including three counts of computer fraud in violation Section 1030(a)(4) of the CFAA. The main dispute between the parties is what constituted “loss” with respect to 18 U.S.S.G. §2B1.1. As the court noted, criminal sentencing under the CFAA is governed by United States Sentencing Guidelines Manual § 2B1.1. See U.S.S.G. app. A. Under § 2B1.1, courts are instructed to increase the base offense level based on the amount of “loss.” U.S.S.G. § 2B1.1(b). “Loss” is defined as the “greater of actual loss or intended loss.” Id. § 2B1.1 cmt. n. 3. “Actual loss,” which is involved in this case, means the “reasonably foreseeable pecuniary harm that resulted from the offense.” Id. at § 2B1.1 cmt. n.3(A)(i). Harm is reasonably foreseeable if the “defendant knew or, under the circumstances, reasonably should have known, [that the harm] was a potential result of the offense.” Id. § 2B1.1, cmt. n.3(A)(iv).</p> <p>While the court considered a number of issues outside of the CFAA, with respect to the CFAA, the court held, for two reasons, that under ß 2B1.1 and Note 3(A)(v)(III) “actual loss” includes those costs incurred as part of an internal investigation reasonably necessary to respond to the offense, for example by identifying the perpetrator or the method by which the offender accessed the protected information. First, the plain language of Note 3(A)(v)(III) and ß 1030 itself both include in the definition of loss the cost of generally “responding to an offense.”</p> <p>“Second, in situations where the CFAA violation constitutes covert, unauthorized access into a computer system, taking corrective actions or otherwise “responding to an offense” will often be difficult (if not impossible) until the victim knows (1) who perpetrated the offense; (2) how the offense was perpetrated, and (3) the scope of any resulting damage or the degree to which the integrity of its data has been compromised.”</p> <p>The court also differentiated between costs incurred in directly responding to an offense, and costs preparing for litigation. The court held that “[c]osts incurred for the purpose of building or supporting the victim’s civil case should not be considered ‘loss’for purposes of the Guidelines calculation.”</p> <p>In reviewing a declaration by aggrieved party Korn Ferry’s General Counsel, Peter Dunn, the court noted that first, he failed to differentiate between direct investigation costs – “the who, what, and how behind Defendant’s offenses” – and costs in preparation of litigation.</p> <p>Second, Mr. Dunn did not distinguish between his time aiding a government investigation and his time spent aiding Korn Ferry’s internal investigation of Nosal’s access. The court noted this importance, as costs incurred by a victim with the primary purpose of aiding the government’s investigation are not included under §2B1.1.</p> <div></div> <div>That’s all for Part One of our series. Be sure to come back on Wednesday, July 23, for Part Two of our California District Courts’ CFAA Opinion Roundup.</div> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part One</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Two</title> <link>https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/</link> <comments>https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/#respond</comments> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Wed, 23 Jul 2014 01:41:50 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[computer fraud]]></category> <category><![CDATA[Computer Fraud and Abuse Act]]></category> <category><![CDATA[cyber crime]]></category> <category><![CDATA[data security]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1130</guid> <description><![CDATA[<p>Author: Scripta Ad Astra Staff This is part two of a three-part series on federal district court opinions in California related to the CFAA. The first part can be found here. The third part will be posted on Friday, July 25, 2014. Stay tuned and check it out. Enki Corp. v. Freedman, 2014 U.S. Dist. … <a href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/" class="more-link">Continue reading<span class="screen-reader-text"> "Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Two"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Two</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p><em>Author: Scripta Ad Astra Staff</em></p> <p>This is part two of a three-part series on federal district court opinions in California related to the CFAA. The first part can be found <a href="http://astralegal.com/page7/index.php?id=2677353842858620864">here</a>. The third part will be posted on Friday, July 25, 2014. Stay tuned and check it out.</p> <p><b><span style="text-decoration: underline;"><i>Enki Corp. v. Freedman</i>, 2014 U.S. Dist. LEXIS 9169 (N.D. Cal. Jan. 23, 2014)</span></b><br /> <b>Judge</b>: Paul S. Grewal, United States Magistrate Judge.</p> <p><span id="more-1130"></span></p> <p>The issue in <em>Enki</em> is whether defendant Keith Freedman, a former employee of plaintiff Enki Corp., and his current employer, co-defendant Zuora, Inc. can be held liable for violations of the CFAA for using a customer’s working log-in credentials to access Enki’s scripts.</p> <p>Enki’s facts are rather convoluted: Freedman, a former 12% stakeholder of Enki, left the firm in 2011. Shortly after, Enki hired Zuora to provide cloud computing and IT consulting services. As part of this arrangement, Enki installed Nimsoft on Zuora’s network. Nimsoft is a “software based system monitor” used to monitor computer resources and performance. Scripts are typically programs written for a particular runtime environment, such as Unix.</p> <p>Enki then hired Freedman, and his company, Freeform, to provide services for Zuora. Freedman then began to spread negative stories about Enki to Zuora, which led to his termination by Enki. Freedman was, however, then hired by Zuora directly.</p> <p>In February 2013, Zuora terminated its contract with Enki “for convenience.” Before the termination, however, Freedman and Zuora accessed the Nimsoft servers on Zuora’s network without authorization and copied Enki’s proprietary software, including Enki’s Nimsoft scripts, in order to terminate the contract and receive the benefits of Enki’s enterprise and technology without continuing to pay for Enki’s services.</p> <p>The first issue was whether Enki’s costs in investigating the breach and remedying it qualify as a “loss.” Looking at the statutory definition, which specifically lists the “the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense,” (court’s emphasis) the court determined that Enki’s investigation costs were considered “loss” as they were costs required to restore their systems back to their original state.</p> <p>Secondly, the court looked at whether defendant’s access of Nimsoft servers and copying of Enki’s proprietary software was “without authorization” or in “excess of [their] authorization.” The court found they were not as the complaint did not ever allege that Defendants were not ever unauthorized to access the information in questions – thus an abuse of use, as opposed to an abuse of access, which <i>Nosal</i> has stated does not qualify as an excess of authorization under the CFAA. <i>See United States v. Nosal</i>, 676 F.3d 854, 863 (9th Cir. 2012). The CFAA claim dismissed without prejudice and granted leave to amend.</p> <p><b><span style="text-decoration: underline;"><i>PQ Labs, Inc. v. Qi</i>, 2014 U.S. Dist. LEXIS 11769 (N.D. Cal. Jan. 29, 2014)</span></b><br /> <b>Judge</b>: Claudia Wilken, United States District Judge.</p> <p>Plaintiff, PQ Labs, Inc., manufactures and develops hardware and software for computer touch-screen product. PQ Labs alleged that between January 2011 and December 2011, defendants, Yang Qi, Jinpeng Li, and ZaagTech sent several “phishing” e-mails to PQ Labs in violation of the CFAA. These e-mails allegedly contained viruses which infected PQ Labs’ computer system.</p> <p>In its opinion, the court reviewed the issue of whether there was sufficient evidence of economic loss to meet summary judgment. The issue in PQ Labs was more a legal issue of whether a declaration submitted by the company’s CEO and co-founder, Frank Lu, after his deposition, was admissible because it conflicted with his prior deposition testimony.</p> <p>In his declaration, Lu stated that PQ Labs had received five emails containing malicious codes in 2011, and that the company had to expend $36,000 in costs to mitigate the damages to the hardware and network, and $42,000 in consulting fees and service costs. At his deposition, however, Lu was a little less certain, admitting to some uncertainty about the cause of the network damage.</p> <p>The court found that the testimony and the declaration did not “clearly and unambiguously” contradict each other. As such, the court held the declaration admissible, and that it contained sufficient evidence to support an inference that defendants violated the CFAA and were not entitled to summary judgment.</p> <p><b><span style="text-decoration: underline;"><i>Quad Knopf, Inc. v. South Valley Biology Consulting, LLC</i>, 2014 U.S. Dist. LEXIS 46985 (E.D. Cal. Apr. 3, 2014)</span></b><br /> <b>Judge</b>: Anthony W. Ishi, Senior United States District Judge.</p> <p>Plaintiff Quad Knopf, Inc. a consulting firm that provides professional services in the areas of, among other things, biology consulting services, are suing defendants, South Valley Biology Consulting (“SVBC”), and former staff biologists of Quad Knopf who were recruited to SVBC, for violations of the CFAA when defendants allegedly transmitted information from plaintiff’s computers while employed by plaintiff without plaintiff’s consent, and that information was then used by defendants to compete with plaintiff and caused plaintiff to suffer loss.</p> <p>Citing, <i>United States v. Nosal</i>, 676 F.3d 854, 860 (9th Cir. 2012), the court reminded the parties that the CFAA is a prohibition of abuse of access of information, not an abuse of information. Plaintiff argued that defendants’ authorization to access the information in question ended when they began acting against the interests of Quad Knopf, and instead in the interests of defendants’ competing company.</p> <p>The court rejected this argument affirming that duty of loyalty arguments and computer use restriction arguments are not accepted under <i>Nosal</i> and the Ninth Circuit. The court noted that defendants were employed with plaintiff and did not exceed their access at the time of the taking. While defendants then took the information that they were entitled to access as employees, they had permission to access the information and used it in an inappropriate manner contrary to plaintiff’s interest, so it did not constitute “without authorization” under Nosal because it was merely a violation of a use restriction.</p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Two</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Three</title> <link>https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-three/</link> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Fri, 25 Jul 2014 01:44:17 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[computer fraud]]></category> <category><![CDATA[Computer Fraud and Abuse Act]]></category> <category><![CDATA[cyber crime]]></category> <category><![CDATA[data security]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1132</guid> <description><![CDATA[<p>Author: Scripta Ad Astra Staff This is the third part of three part-series on federal district court opinions in California regarding the CFAA. The first part of this series can be found here. The second part of this series can be found here. Overall, California district courts have regularly followed the holdings in Nosaland Brekka … <a href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-three/" class="more-link">Continue reading<span class="screen-reader-text"> "Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Three"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-three/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Three</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p><em>Author: Scripta Ad Astra Staff</em></p> <p><em>This is the third part of three part-series on federal distr</em>ict court opinions in California regarding the CFAA. The first part of this series can be found <a href="http://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/">here</a>. The second part of this series can be found <a href="http://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/">here</a>.</p> <p>Overall, California district courts have regularly followed the holdings in <i>Nosal</i>and <i>Brekka</i> regarding “use” versus “access.” In summary, courts in the Ninth Circuit have generally held that the CFAA does not prohibit misusing information, such as in a trade secrets misappropriation violation: if you are allowed to access information, what you do with that information is not a violation of the CFAA, even if it is contrary to the interests of your employer. On the other hand, if were not allowed to access information – say you quit or were fired – then a CFAA claim could likely withstand Ninth Circuit scrutiny.</p> <p>It will be interesting to see how the courts make their decisions, especially as the divide between employment-based CFAA claims (“inside hacker” claims) and non-employment-based (external “hacker” claims) become more prevalent. Of course, you can always come back to Scripta Ad Astra to read about the latest CFAA, computer crimes, and cyber security developments.</p> <p><b><span style="text-decoration: underline;"><i>NetApp, Inc. v. Nimble Storage</i>, 2014 U.S. Dist. LEXIS 65818 (N.D. Cal. May 12, 2014)</span></b><br /> <b>Judge</b>: Lucy H. Koh, United States District Judge.</p> <p><span id="more-1132"></span></p> <p>Plaintiff NetApp, Inc. filed suit against Defendants Nimble Storage, Inc. (“Nimble”), a competitor of NetApp, some former NetApp employees, and Michael Reynolds, who used to work at Thomas Duryea Consulting (“TDC”). NetApp alleges that when it contracted with TDC, it provided Reynolds with access to NetApp’s computer systems and other information. In April 2013, Reynolds left TDC, but continued to access NetApp’s databases from June 2013 through August 2013, where he used confidential, proprietary information to solicit business for Nimble.</p> <p><span style="text-decoration: underline;">Allegations Against Reynolds</span><br /> With respect to the CFAA, defendant Reynolds argued that NetApp did not plead any facts supporting that he was acting “without authorization” or had “exceeded authorized access” because his access to NetApp’s system was never revoked, even after he stopped working for TDC, and thus did not breach any “technological barriers.”</p> <p>NetApp argued that “CFAA liability does not require circumvention of any technological barriers, and that Reynolds lost his permission to access NetApp’s systems (and knew that he lost that permission) as soon as he left TDC and no longer performed services for NetApp.”</p> <p>Relying on <i>LVRC Holdings LLC v. Brekka</i>, 581 F.3d 1127 (9th Cir. 2009),<i>United States v. Nosal</i>, 676 F.3d 854 (9th Cir. 2012), and <i>Weingand v. Harland Financial Solutions, Inc.</i>, 2012 U.S. Dist. LEXIS 84844 (N.D. Cal. June 19, 2012), among other cases, the court held that to state a claim under the CFAA it was not necessary to plead circumvention of a technological barrier, especially when such access to the information was performed after termination of contract or employment.</p> <p>The NetApp court next considered whether the CFAA needed to be pled with particularity as consistent with the fraud pleading standards of Fed. R. Civ. P. 9(b). The court concluded that the CFAA does not need to meet the same pleading standards required under Rule 9(b) as (1) Sections 1030(a)(2) and (a)(5) do not reference “fraud”; (2) most CFAA cases in the Northern District have not applied the Rule 9(b) pleading standard; and (3) even under Section 1030(a)(4), which does mention “fraud,” the heightened pleading standard is only applicable when the claim itself is grounded in patterns of fraudulent conduct.</p> <p>Reynolds lastly argued that NetApp failed to plead any “damage” under the CFAA with respect to Section 1030(a)(5) (but not Sections 1030(a)(2) and (a)(4), which requires “damage” to a plaintiff’s computer systems. The court held that “damage” means harm to computers or networks, not economic harm due to the commercial value of the data itself. As NetApp only alleged that Reynolds accessed its databases without permission, not that he damaged any systems or destroyed any data, it did not properly plead the damages element under the CFAA with respect to its Section 1030(a)(5) claim.</p> <p><span style="text-decoration: underline;">Allegations Against Nimble</span><br /> NetApp alleges that Nimble violated the CFAA under two theories: (1) Nimble is vicariously liable for Reynolds’s acts, and (2) Nimble conspired with Reynolds. The court denied both of these claims.</p> <p>With respect to the first theory, while the court acknowledged that courts have held that an employer can be vicariously liable for an employee’s violations of the CFAA if those transgressions occur in the scope of employment or the employer directs the employee’s conduct, the court found no allegation that Nimble AUS was Nimble’s alter ego, or that Nimble directed Reynolds’s unauthorized access, and that even if Reynolds “used” stolen information “on behalf of Nimble,” it would not establish that Reynolds violated the CFAA at Nimble’s behest.</p> <p>With respect to conspiracy, the court stated that other courts have required specific allegations of an agreement and common activities to state a conspiracy claim. The court found that NetApp did not allege specific enough facts to indicate conspiracy other than bare facts, and thus dismissed the allegation with leave to amend.</p> <p><b><span style="text-decoration: underline;"><i>Opperman v. Path, Inc.</i>, 2014 U.S. Dist. LEXIS 67225 (N.D. Cal. May 14, 2014)</span></b><br /> <b>Judge</b>: Jon S. Tigar, United States District Judge.</p> <p>Plaintiffs are a class action of consumers. With the exception of Apple, defendants are app developers (“App Defendants”). In short, plaintiffs allege that the App Defendants’ apps have been surreptitiously stealing and disseminating the contact information stored by customers on Apple devices. Plaintiffs bring their CFAA claims against the App Defendants only.</p> <p>With respect to the CFAA, the court affirmed that they key issue is whether defendants accessed plaintiffs’ computers “without authorization.” Because the plaintiffs had voluntarily downloaded the software applications in question, defendants had not operated “without authorization” in violation of the CFAA. See, e.g., <i>iPhone I</i>, 2011 U.S. Dist. LEXIS 106865, (“Where the software that allegedly harmed the phone was voluntarily downloaded by the user, other courts in this District and elsewhere have reasoned that users would have serious difficulty pleading a CFAA violation.”).</p> <p><b><span style="text-decoration: underline;"><i>Flextronics Int’l, Ltd. v. Parametric Tech. Corp.</i>, 2014 U.S. Dist. LEXIS 73354 (N.D. Cal. May 28, 2014)</span></b><br /> <b>Judge</b>: Paul S. Grewal, United States Magistrate Judge.</p> <p>Plaintiff Flexatronics International, Ltd. (“Flexatronics”) and Defendant Parametric Technology Corporation (“PTC”), executed an “Enterprise Agreement,” which granted Flextronics a license to use PTC’s software on its computers. PTC brought to Flexatronics attention that Flexatronics was using unauthorized copies of PTC’s software on its systems. In response, Flexatronics began an investigation and discovered that PTC had “concealed certain embedded technology in the PTC software” that it was using to access, obtain and transmit information in, from and about Flextronics’ system back to PTC.</p> <p>PTC challenges Flextronics’ CFAA claim on two grounds: (1) the complaint does not show that Flextronics suffered a “loss” of at least $5,000, and (2) Flextronics fails to allege facts indicating that PTC accessed its system “without authorization” or “in a manner that exceeds authorized access.”</p> <p>With respect to the “loss” requirement, the court found that Flexatronics had all alleged that its investigation and response to PTC’s actions imposed costs and expenses to Flexatronics in excess of $5,000 in a single year, thus meeting the CFAA’s loss requirement.</p> <p>Regarding the second issue, the court noted that in its amended complaint, plaintiff provided specific allegations that “‘[w]ithout notice to or authorization from Flextronics, PTC has concealed certain embedded technology in the PTC software provided to Flextronics [and] used that hidden technology to access, obtain, and transmit information in Flextronics’ computers that PTC is not entitled to access, obtain, or transmit,’ followed by almost five pages of details about how it does so.”</p> <p>While PTC argued that it could not be held liable under the CFAA because Flexatronics voluntarily installed PTC’s software, the court noted that while this argument may suffice as a defense to a “without authorization” claim, it does not necessarily have the same impact on a “exceeds authorized access” argument. The court then noted that Flexatronics listed the types of information to which PTC gained access, and specifically stated in its amended complaint that “PTC is not entitled to access, obtain, alter, or transmit” that information, and thus had stated sufficient information state claims under Rule 12(b)(6).</p> <p><b><span style="text-decoration: underline;"><i>New Show Studios LLC v. Needle</i>, 2014 U.S. Dist. LEXIS 90656 (C.D. Cal. June 30, 2014)</span></b><br /> <b>Judge</b>: Christina A. Snyder, United States District Judge</p> <p>Plaintiffs New Show Studios LLC, Anthony Valkanas, and Davison Design & Development, Inc. filed suit against defendants James Needle and Greg Howe. Plaintiffs allege that Needle agreed to supply Howe with New Show’s confidential client data and propriety information for the purposes of persuading New Show’s clients to breach their contracts with New Show and provide their business to one of New Show’s competitors, Television Writer’s Vault.</p> <p>The court found that the plaintiffs failed to state a claim under the CFAA for two reasons. First, plaintiffs did not allege that defendants accessed a computer. Reminding the parties that the CFAA is not simply a misappropriation statute (citing <i>Nosal</i>), the court pointed out that while plaintiffs allege that their information was taken – information that may have been stored on a computer at one point – plaintiffs did not allege that defendants accessed a computer in order to obtain this information.</p> <p>Secondly, the court noted that plaintiffs failed to allege that they suffered any “loss” as defined by the CFAA, which the court noted “must be the result of ‘damage to the computer system that was accessed without authorization.” Plaintiffs, in contrast, only pled that they lost “competitive benefit” to their competitor. The court noted that simply alleging that defendants “obtained a thing of value” was insufficient to support a claim of “loss.”</p> <div></div> <div></div> <div>That concludes our roundup of CFAA opinions. We hope you enjoyed our series and look forward to doing more of these posts in the future. Please check back in regularly. In the meantime, if you have any comments or questions about this series on the CFAA, feel free to email the author at <a href="mailto:kng@astralegal.com">kng@astralegal.com</a>.</div> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-three/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Three</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> </item> <item> <title>Lenovo and Superfish Sued Under The Computer Fraud and Abuse Act.</title> <link>https://www.astralegal.com/lenovo-and-superfish-sued-under-the-computer-fraud-and-abuse-act/</link> <comments>https://www.astralegal.com/lenovo-and-superfish-sued-under-the-computer-fraud-and-abuse-act/#respond</comments> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Mon, 02 Mar 2015 19:24:58 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[computer fraud]]></category> <category><![CDATA[Computer Fraud and Abuse Act]]></category> <category><![CDATA[cyber crime]]></category> <category><![CDATA[data security]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1171</guid> <description><![CDATA[<p>Written by Keenan W. Ng It was recently discovered that Lenovo has been selling laptops with preinstalled adware that creates a catastrophic security hole in the web browser leaving users vulnerable to hacks. Superfish, a small company in Palo Alto, develops the adware. Plenty has been written about the technical aspects of the security flaw … <a href="https://www.astralegal.com/lenovo-and-superfish-sued-under-the-computer-fraud-and-abuse-act/" class="more-link">Continue reading<span class="screen-reader-text"> "Lenovo and Superfish Sued Under The Computer Fraud and Abuse Act."</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/lenovo-and-superfish-sued-under-the-computer-fraud-and-abuse-act/">Lenovo and Superfish Sued Under The Computer Fraud and Abuse Act.</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p><em>Written by Keenan W. Ng</em></p> <p>It was recently discovered that Lenovo has been selling laptops with preinstalled adware that creates a <a href="http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html">catastrophic </a>security hole in the web browser leaving users vulnerable to hacks. Superfish, a small company in Palo Alto, develops the adware. Plenty has been written about the technical aspects of the security flaw and more will be written going forward. As the ramifications of the Superfish vulnerability play out in the community, at least two lawsuits* have been filed. <a href="http://www.rosenlegal.com/newsroom-93.html">More lawsuits </a>certainly will come. One of these cases, <a href="http://ia601506.us.archive.org/35/items/gov.uscourts.cand.284981/gov.uscourts.cand.284981.1.0.pdf"><em>Sterling International Consulting Group (“SICG”) v. Lenovo, Inc. and Superfish, Inc.</em></a>(collectively, “Lenovo”), alleges violations of the Computer Fraud and Abuse Act. SICG seeks class action certification and was filed in the Northern District of California. The problem with <em>Sterling</em> is that the plaintiffs may have a hard time establishing the <em>authorization</em> element of the CFAA.</p> <p><strong><span style="text-decoration: underline;">Allegations</span></strong></p> <p><span id="more-1171"></span></p> <p>SICG alleges Lenovo violated Section 1030(a)(5) of the CFAA:</p> <p>“a. Knowingly causes the transmission of a software program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;</p> <ol> <li>Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or</li> </ol> <ol> <li>Intentionally accesses a protected computer without authorization, and a result of such conduct, cases damage.”</li> </ol> <p>(Paragraph 54.)</p> <p>SICG alleges that Lenovo pre-installed the Superfish software without authorization. (Paragraph 55, 56.)</p> <p>SICG alleges that Lenovo caused damage under each of those three sections. SICG defines “damage” as including “‘any impairment to the integrity of availability of data, a program, a system, or information,’ that causes ‘loss to 1 or more persons during any 1-year period . . . aggregating at least $5000 in value . . . .’ 18 U.S.C. §§ 1030(e)(8),</p> <p>1030(a)(5)(B)(i).” (Paragraph 57.)</p> <p>SICG’s “aggregate damages” exceed $5,000 and include: (1) “plaintiff and Class members will have to spend time and labor repairing their Lenovo notebook computers”; (2) “Superfish Visual Discovery program has consumed the resources and hindered the performance of plaintiff’s and Class members’ Lenovo notebook computers”; and (3) “lost personal and business opportunities, data and information and goodwill.” (Paragraph 58.)</p> <p>These damages, as defined by section 1030(e), have caused SICG to suffer “an impairment to the integrity or availability of data software programs including the operating system. Such impairment has caused and will cause losses aggregating to at least $5,000 in value in any one-year period to plaintiff and Class members.” (Paragraph 61.)</p> <p><span style="text-decoration: underline;"><strong>Problems with the Complaint</strong></span></p> <p>While SICG pleads it spent time repairing the computers and lost business opportunities, the face of the complaint does not quantify that this loss aggregates to $5,000. It could plead the number of hours spent and the value of the time spent to overcome this jurisdictional hurdle.</p> <p>Second, the pleading seems to confuse “loss” and “damage.” Paragraph 57 defines “damage” as including “‘any impairment to the integrity of availability of data, a program, a system, or information,’ that causes ‘loss to 1 or more persons during any 1-year period . . . aggregating at least $5000 in value . . . .’ 18 U.S.C. §§ 1030(e)(8),</p> <p>1030(a)(5)(B)(i).” Not only does 1030(a)(5)(B)(i) not exist, but “damage” does not have a $5,000 barrier to clear – “loss” does.** So, curiously, while the allegation happens to plead “loss,” it does not specify that it is pleading loss as opposed to damage. This confusion was probably an oversight owing to the fact the firm was trying to get the complaint filed as quickly as possible so that it could take advantage of the vast amount of media attention already being paid to the issue. The muddled pleading of loss versus damage will be cleared up if SICG is given an opportunity to amend its CFAA claims.</p> <p>Third, and most importantly, the “authorization” allegation may be fatal as it is not clear that Lenovo acted without authorization. SICG alleges that Lenovo pre-installed the Superfish software prior to consumer sales and that the installation was without authorization. This suggests that the authority to provide authorization to install comes from the consumers who were harmed by the software.</p> <p>SICG’s theory of authority does not work. Because Lenovo owned the laptops at the time Superfish was installed, it was always authorized to access the computers and install the software. The Northern District of California seems to agree with the sentiment that native installations by hardware manufacturers are not without authorization because the end-user purchased the pre-installed software thus volunteering to its application. See <em>In re iPhone Application Litig.</em>, 844 F. Supp. 2d 1040, 1066 (N.D. Cal. 2012)(“Apple had authority to access the iDevice and to collect geolocation data as a result of the voluntary installation of the software (either as an update or as a native installation”).)</p> <p>Moreover, following SICG’s theory, would all pre-loaded applications on computers and smart phones be potential CFAA violations (putting aside the issue of damage and loss)? Would a laptop with Superfish installed, but never sold, be violative of the CFAA? Probably not. Because Lenovo installed the software on computers it owned at that time, it was authorized to install Superfish.</p> <p>Once the laptop was sold and ownership was shifted to the consumer, then the consumer possesses authority to deny or grant authorization. So, if the software was installed after the laptop sale, a plausible CFAA violation could exist. But not before ownership changed hands.</p> <p>On a final note, I am interested to see how a court might interpret the <em>mens rea</em> standard of 1030(a)(5)(a) because there are potentially two <em>mens rea</em> standards to apply. (I think it is the only clause with a “knowing” and “intentional” standard built in.) Section 1030(a)(5)(a) makes it a CFAA violation to “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” It is clear the defendant has to act “knowingly” when transmitting a program. But, does the defendant have to “intentionally” seek to cause damage without authorization when transmitting the program. Or, does the program have to “intentionally” have to cause damage? Must the program intentionally be programmed to have a specific purpose of destruction?</p> <p>For example, is it a CFAA violation to knowingly transmit a program that was programmed to intentionally destroy if you did not know about its destructive properties? Or, does a defendant have to knowingly transmit a destructive program and intend for it to cause destruction? Why not make both standards “intentional”?</p> <p>Superfish is definitely a problem and Lenovo might have some liability for pre-installing the software and potentially exposing its consumers to significant security vulnerability. But, if this case is litigated, I suspect the CFAA claims may be dismissed at the pleading stage.</p> <p>* The other lawsuit is <a href="https://www.documentcloud.org/documents/1674514-gov-uscourts-casd-467335-1-0.html"><em>Bennett v. Lenovo, Inc., et. al.</em></a>, filed on February 19, 2015 in the Southern District of California.</p> <p>** “Loss” means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Section 1030(e)(11).</p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/lenovo-and-superfish-sued-under-the-computer-fraud-and-abuse-act/">Lenovo and Superfish Sued Under The Computer Fraud and Abuse Act.</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.astralegal.com/lenovo-and-superfish-sued-under-the-computer-fraud-and-abuse-act/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part One</title> <link>https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-one/</link> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Wed, 18 Mar 2015 16:01:38 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[computer fraud]]></category> <category><![CDATA[Computer Fraud and Abuse Act]]></category> <category><![CDATA[cyber crime]]></category> <category><![CDATA[data security]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1215</guid> <description><![CDATA[<p>Author: Scripta Ad Astra Staff This week, we will have a two-part series on all of the substantive California district court Computer Fraud and Abuse Act opinions from July 2014 through February 2015. These posts are a follow up to a three – part series I wrote last summer discussing CFAA opinions from January 2014 through June 2014. I … <a href="https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-one/" class="more-link">Continue reading<span class="screen-reader-text"> "Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part One"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-one/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part One</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p>Author: Scripta Ad Astra Staff</p> <p>This week, we will have a two-part series on all of the substantive California district court Computer Fraud and Abuse Act opinions from July 2014 through February 2015. These posts are a follow up to a <a href="http://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-one/">three</a> – <a href="http://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-two/">part</a> <a href="http://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-three/">series</a> I wrote last summer discussing CFAA opinions from January 2014 through June 2014.</p> <p>I decided to include some 2015 opinions in this Round Up because (1) there were not that many substantive opinions in the latter half of 2014 and (2) because I was a bit tardy on getting this post up – I figured I would bring you up to speed.</p> <p>The next post will be on Friday, March 20. I hope you check it out!</p> <p><strong><em><span style="text-decoration: underline;">Sprint Solutions, Inc. v. Pacific Cellupage Inc.</span></em></strong><strong><span style="text-decoration: underline;">, 2014 U.S. Dist. LEXIS 101397 (C.D. Cal. July 21, 2014)</span></strong></p> <p><strong>Judge</strong>: Christina A. Snyder, United States District Judge.</p> <p><span id="more-1215"></span></p> <p>Sprint alleged that defendants obtained Sprint phones, altered the software so that the phones could be used outside of the Sprint wireless network, and then sold them for use on other wireless networks. Sprint asserted claims for trafficking in computer passwords in violation of 18 U.S.C. § 1030(a)(6); unauthorized access of protected computer networks in violation of 18 U.S.C. § 1030(a)(5)(C); and unauthorized access of computer networks with intent to defraud in violation of 18 U.S.C. § 1030(a)(4). Defendants brought a motion arguing that Sprint had not properly alleged “loss.” The court partially agreed.</p> <p style="padding-left: 30px;"><strong>Allegations that did not qualify as loss </strong></p> <p>Sprint’s alleged that some of its “loss” included “lost subsidy investments in the trafficked phones,” “responding to Defendants’ with Sprint customer service,” and “tracking down fraudulently sold phones.” The court found this was not loss because they were not directly related to Sprint’s computer systems, noting that “business loss” does not qualify as CFAA losses. Losses must be “closely tied” to a claimant’s system, rather than a claimant’s business model more generally.</p> <p style="padding-left: 30px;"> <strong>Allegations that did qualify as loss</strong></p> <p>Sprint also alleged, however that it incurred expenses “investigating and assessing the possible impairment to the integrity of its protected computer networks,” “conduct[ing] a damage assessment regarding Defendants’ collection and dissemination of … codes/passwords,” and “investigating and assessing the possible impairment to the integrity of its protected computer systems.” These qualified as a loss under the CFAA.</p> <p>While defendants brought up the issue of whether it was possible to allege “loss” even when no computer system had suffered impairment or damage, because Sprint alleged impairment, the court declined to address the issue.</p> <p style="padding-left: 30px;"><strong>Motion granted with leave to amend</strong></p> <p>Finally, although Sprint alleged it had “spent well in excess of $5,000,” it did not itemize what each lost cost. Because the court found that some of the losses it pled were cognizable under the CFAA and some were not, the court granted the motion but provided Sprint with leave to amend so that it could clarify how much each recognized CFAA loss cost.</p> <p> </p> <p><strong><em><span style="text-decoration: underline;">NovelPoster v. Javitch Canfield Group</span></em></strong><strong><span style="text-decoration: underline;">, 2014 U.S. Dist. LEXIS 106804 (N.D. Cal. Aug. 4, 2014)*</span></strong></p> <p><strong>Judge</strong>: William H. Orrick, United States District Judge.</p> <p>Plaintiff NovelPoster hired defendants as independent contractors to operate its e-commerce business. The business relationship fell apart and defendants changed the passwords to the plaintiff’s online accounts, locking plaintiff out. Defendants continued to operate the business after the lockout, necessarily accessing the online accounts. Plaintiff filed suit, alleging, violations of the CFAA and its California brother, the Computer Data Access and Fraud Act, as well as various other common law violations.</p> <p>Defendants brought a motion for judgment on the pleadings seeking to dismiss the computer fraud claims. The court addressed a number of CFAA issues in this opinion with respect to authorization and loss/damage. Tackling <em>authorization</em>, the court affirmed that the CFAA limits access to information, not the use of information. While the court declined to state whether accessing the accounts after the lockout constituted acts <em>without authorization</em>, – suggesting it was a factual issue – the court did suggest that plaintiffs’ protests after the lockout occurred suggested defendants’ actions were <em>without authorization.</em></p> <p>The court also addressed defendants’ technical access barrier argument – that since plaintiff provided them with the passwords to access accounts, defendants never circumvented a technical access barrier and therefore did not violate the CFAA. Citing <em>United States v. Nosal, </em>930 F. Supp. 2d 1051, 1060 (N.D. Cal. 2013) (“<em>Nosal II</em>”), the court affirmed that a circumvention of a technical access barrier was not required to find a CFAA violation, and that use of the term “technological access barriers” in <em>United States v. Nosal</em>, 676 F.3d 854, 863 (9th Cir. 2012) (“<em>Nosal I</em>”) “was an aside that does not appear to have been intended as having some precise definitional force.” In any event, the court stated that defendants could not fault plaintiffs for failing to erect technical access barriers when defendants took actions that prevented plaintiff from doing so.</p> <p>The court also addressed whether it was important that the relationship between plaintiff and defendant was a contractor rather than employer-employee relationship. Judge Orrick’s Order said that the nature of the relationship was irrelevant and that the only “relevant question is whether authorization to access a protected computer was absent or exceeded.” Additionally, in footnote 6, the court also affirmed that plaintiff did not have to “own” a protected computer in order to have standing to bring a CFAA violation. In other words, simply having rights to the protected computers is sufficient. In this instance, the online accounts were protected computers.</p> <p style="padding-left: 30px;"><strong>Motion granted with leave to amend</strong></p> <p>Ultimately, the court granted the motion because plaintiff did not adequately plead loss or damage. Plaintiff’s claim that it “has suffered damages and/or loss in excess of $5,000 in the year preceding the date of this filing, but the damages grow each day that Defendants refuse to acknowledge termination of the Agreement,” was too conclusory and vague.</p> <p> </p> <p><strong><em><span style="text-decoration: underline;">Novelposter v. Javitch Canfield Group</span></em></strong><strong><span style="text-decoration: underline;">, 2014 U.S. Dist. LEXIS 155445 (N.D. Cal. Nov. 3, 2014)*</span></strong></p> <p><strong>Judge</strong>: William H. Orrick, United States District Judge.</p> <p>The second NovelPoster motion for judgment on the pleadings brought a deeper discussion of loss and damage under the CFAA. Plaintiff alleged that the defendant had prevented plaintiff from accessing and data and information it was entitled to for a seven-month period. The court found this qualified as “impairment to the . . . availability of data,” and thus <em>damage</em>, as required to show damage under the 18 USC section 1030(e)(8). The court also clarified that a showing of <em>damage</em> under the CFAA does not require pleading physical damage to the protected computer – such as physical changes or erasing of data.</p> <p>Regarding <em>loss</em>, the court found that plaintiff’s allegation that it had spent substantial time and energy “on their efforts to secure the restoration of NovelPoster and its data and information” to the condition they were in “prior to when defendants took control of NovelPoster” qualified as a <em>loss</em> under 18 USC section 1030(e)(11). Plaintiff was able to meet the $5,000 loss threshold by alleging the number of hours that plaintiff spent performing these actions. The court also noted that it was irrelevant that plaintiff knew who caused the alleged harm because <em>loss</em> encompasses not only the investigation of who caused harm, but how they caused harm, and how to restore the data and information to the condition prior to the offense.</p> <p style="padding-left: 30px;"><strong>Motion denied</strong></p> <p>Defendants’ motion for judgment on the pleadings was denied.</p> <p>Thanks for reading! Please come back and check out my post on the first few CFAA opinions of 2015. It will be posted on Friday.</p> <p>* I was a lead attorney that represented NovelPoster in this matter.</p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-one/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part One</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> </item> <item> <title>Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part Two</title> <link>https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-two-2/</link> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Fri, 20 Mar 2015 17:00:32 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[computer fraud]]></category> <category><![CDATA[Computer Fraud and Abuse Act]]></category> <category><![CDATA[cyber crime]]></category> <category><![CDATA[data security]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1245</guid> <description><![CDATA[<p>Author: Scripta Ad Astra Staff This is the second part of a two part-series on federal district court opinions in California regarding the CFAA. The first part of this series can be found here. NetApp, Inc. v. Nimble Storage, Inc., 2015 U.S. Dist. LEXIS 11406 (N.D. Cal. January 29, 2015)(“NetApp II”) Judge: Lucy H. Koh, … <a href="https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-two-2/" class="more-link">Continue reading<span class="screen-reader-text"> "Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part Two"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-two-2/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part Two</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p>Author: Scripta Ad Astra Staff</p> <p>This is the second part of a two part-series on federal district court opinions in California regarding the CFAA. The first part of this series can be found <span style="color: #000000;"><a href="http://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-one/">here</a>.</span></p> <p><strong><em><span style="text-decoration: underline;">NetApp, Inc. v. Nimble Storage, Inc.</span></em></strong><strong><span style="text-decoration: underline;">, 2015 U.S. Dist. LEXIS 11406 (N.D. Cal. January 29, 2015)(“<em>NetApp II</em>”)</span></strong></p> <p><strong>Judge</strong>: Lucy H. Koh, United States District Judge</p> <p><span id="more-1245"></span> This case may sound familiar as I discussed its predecessor opinion, <em>NetApp</em>, 2014 U.S. Dist. LEXIS 65818 (N.D. Cal. May 12, 2014) (“<em>NetApp I</em>”), in a previous <a href="http://www.astralegal.com/opinion-roundup-california-district-courts-computer-fraud-abuse-act-january-2014-june-2014-part-three/">blog post</a>. <em>NetApp I</em>, discussed <em>authorization</em> and <em>damage</em> with respect to defendant Michael Reynolds and vicarious liability with respect to defendant Nimble Storage, Inc. (“Nimble”).</p> <p>As a factual recap, NetApp filed suit against (1) Nimble, a competitor of NetApp, (2) some former NetApp employees, and (3) Reynolds, who used to work at Thomas Duryea Consulting (“TDC”). NetApp alleges that when it contracted with TDC, it provided Reynolds with access to NetApp’s computer systems and other information. In April 2013, Reynolds left TDC, but continued to access NetApp’s databases from June 2013 through August 2013, where he used confidential, proprietary information to solicit business for Nimble.</p> <p><em>NetApp I</em> granted NetApp, Inc. (“NetApp”) leave to amend, which NetApp did. Nimble brought a motion to dismiss NetApp’s amended 18 U.S.C. § 1030 (a)(5) claim arguing that NetApp had still not properly pled <em>damage</em> under the CFAA.</p> <p>In its amended compliant, NetApp alleged that Reynolds caused <em>damage</em> to NetApp’s computers, violating § 1030(a)(5), in three ways:</p> <p>(1) Reynolds “cop[ied] certain information from NetApp’s protected computers and transferr[ed] it to a non-secure area or device”;</p> <p>(2) Reynolds “diminish[ed] the value of NetApp’s data by compromising its exclusivity, for which it derives value because it is not available to competitors”; and</p> <p>(3) Reynolds “alter[ed] or modif[ied] NetApp’s performance data contained on its protected computers.”</p> <p>Nimble argued that NetApp failed to allege that Reynolds “impair[ed] the integrity or availability of any part of NetApp’s systems—he did not crash NetApp’s systems, delete data, or prevent any other user’s access” as required by 18 U.S.C. § 1030 (e)(8). NetApp argues that “rendering a computer system less secure should be considered ‘<em>damage’</em> under § 1030(a)(5)[], even when no data, program, or system is damaged or destroyed.”</p> <p style="padding-left: 30px;"><strong>Copying information, without more, does not constitute damage</strong></p> <p><em>NetApp II</em> looked at cases in the Northern District that asked whether copying of information, without more, constitutes <em>damage</em>. It does not. <em>NetApp II</em> found these cases based their holdings on three main points:</p> <p>(1) The CFAA “is not intended to expansively apply to all cases where a trade secret has been misappropriated by use of a computer:”</p> <p>(2) To state a claim for damage, the CFAA requires “impairment to integrity . . . of data, a program, a system, or information.” 18 U.S.C. § 1030(e)(8). Typically, the mere copying of information does not, without more, impinge on that information’s “integrity”;</p> <p>(3) There must be actual damage to data, information, a program, or system in order to state a claim under the relevant provision of the CFAA. Such damage occurs where there is “the destruction, corruption, or deletion of electronic files, the physical destruction of a hard drive, or any diminution in the completeness or usability of the data on a computer system.”</p> <p><em>NetApp II</em> did note that not all cases followed this line of reasoning, pointing to <em>Shurgard Storage Centers, Inc. v. Safeguard Self Storage</em>, Inc., 119 F. Supp. 2d 1121 (W.D. Wash 2000), cited by NetApp, which held that copying of information, without more, can constitute “damage” under the CFAA. <em>NetApp II</em> found <em>Shurgard</em> unpersuasive because Senate reports accompanying the 1996 amendment said nothing about imposing liability for the taking of information, but gave specific examples of other conduct that “arguably” causes “no damage” but is nevertheless prohibited by the CFAA – namely password stealing.</p> <p style="padding-left: 30px;"><strong>Diminished value of NetApp’s data</strong></p> <p><em>NetApp II</em> dismissed NetApp’s second argument: that Reynolds’ actions caused <em>damage</em> to NetApp because his actions “diminish[ed] the value of NetApp’s data by compromising its exclusivity, for which it derives value because it is not available to competitors.” The court noted that <em>damage</em> requires a showing there be an “impairment to the integrity or availability of data” and that a diminution of data value is not equivocal.</p> <p style="padding-left: 30px;"><strong>Modification of NetApp’s performance data</strong></p> <p>Lastly, NetApp alleged that Reynold caused <em>damage</em> by altering or modifying “NetApp’s performance data contained on its protected computers.” The court was not persuaded by this argument. It noted that, without more detail, this allegation did not demonstrate an “impairment to the integrity or availability of data” occurred.</p> <p style="padding-left: 30px;"><strong>Motion granted without leave to amend</strong></p> <p>Because the court was not persuaded by NetApp’s arguments, it granted Nimble’s motion with respect to the CFAA. Because this was the court’s second time dismissing the 18 U.S.C. § 1030 (a)(5) claim, and NetApp’s third complaint, the court denied NetApp leave to amend with respect to that claim.</p> <p> </p> <p><strong><em><span style="text-decoration: underline;">Facebook, Inc. v. Grunin</span></em></strong><strong><span style="text-decoration: underline;">, 2015 U.S. Dist. LEXIS 2075 (N.D. Cal. January 8, 2015)</span></strong></p> <p><strong>Judge</strong>: William Alsup, United States District Judge</p> <p>Facebook sued Martin Grunin under the CFAA (18 U.S.C. §§ 1030 (a)(2), (a)(4)) and other claims for opening up advertising accounts with Facebook under false pretenses and then not paying for the advertisements. The “complaint alleged … that after Grunin’s access was terminated and after he received two cease-and-desist letters, Grunin intentionally accessed Facebook’s computers and servers to obtain account credentials, Facebook credit lines, Facebook ads, and other information, causing more than $5,000 in losses to Facebook. Grunin intentionally circumvented Facebook’s technical measures by impersonating others to obtain Facebook accounts to run ads which were never paid for.”</p> <p>Defendant represented himself and failed to file a timely responsive pleading. Facebook moved for a default judgment.</p> <p>The court found that Defendant had violated the CFAA by violating a restriction on access. The court stated “Facebook implemented a complete access restriction by sending Grunin two cease-and-desist letters and by taking technical measures to block his access. Grunin nevertheless continued to access Facebook’s site and services without authorization and to impersonate others, resulting in alleged damages.” As such, Facebook was entitled to a default judgment on the CFAA claims.</p> <p> </p> <p><strong><em><span style="text-decoration: underline;">Facebook, Inc. v. Grunin</span></em></strong><strong><span style="text-decoration: underline;">, 2015 U.S. Dist. LEXIS 20166 (N.D. Cal. February 19, 2015)</span></strong></p> <p><strong>Judge</strong>: William Alsup, United States District Judge</p> <p>A follow up to <em>Facebook, Inc. v. Grunin</em>, 2015 U.S. Dist. LEXIS 2075 (N.D. Cal. January 8, 2015), the court reviewed Facebook’s subsequent motion for damages, fees, and costs in light of its successful motion for default judgment. The court awarded partial damages and fees.</p> <p style="padding-left: 30px;"><strong>Facebook sought</strong>: Compensatory damages in the amount of $116,067.41 for fraud in connection with the Thinkmodo account and $300,032.49 for fraud in connection with the Imprezzio.</p> <p style="padding-left: 30px;"><strong>Facebook awarded</strong>: $340,000.</p> <p style="padding-left: 30px;"><strong>Court’s reasoning</strong>: The “well-pled” complaint alleged that Defendant ran $40,000 in ads related to the Thinkmodo account and $300,000 in ads connected to Imprezzio.</p> <p> </p> <p style="padding-left: 30px;"><strong>Facebook sought</strong>: $500,000 in punitive damages.</p> <p style="padding-left: 30px;"><strong>Facebook awarded</strong>: $0.</p> <p style="padding-left: 30px;"><strong>Courts’ reasoning</strong>: Facebook concedes that “it is hard to know how much will deter [Grunin] from doing it again” and that Facebook “does not know how much money Grunin made as a result of his unlawful activities.” The court found that a “permanent injunction has been entered and Grunin himself has stated that he ‘ceased any business with Facebook well before the lawsuit was filed.’” The court described Facebook’s punitive damages claims as a “grossly excessive, bald request.”</p> <p> </p> <p style="padding-left: 30px;"><strong>Facebook sought</strong>: $326,129.11 in attorney’s fees and costs. As the court described, “counsel only appended two one-page summary exhibits to their declaration. No timesheets, no invoices, and no details specifically identifying the amount of time incurred on each specific task were filed. Instead, counsel vaguely stated that they spent (1) $8,516.50 on pre-litigation investigations; (2) $58,908.50 on drafting the complaint; (3) $60,149 on ‘case management;’ (4) $80,751.50 on Facebook’s motion to strike Grunin’s improper filings and Grunin’s motion to set aside the default; and (5) $118,032.50 on Facebook’s motion for default judgment and damages… One partner, three associates, and a paralegal worked on this matter.”</p> <p style="padding-left: 30px;"><strong>Facebook awarded</strong>: $75,000.</p> <p style="padding-left: 30px;"><strong>Court’s reasoning</strong>: The court found that Facebook was entitled to “$75,000 in fees, which is the sum of $5,000 for the complaint and case management, $10,000 for Facebook’s motion to strike and Grunin’s motion to set aside the default, and $60,000 for Facebook’s motion for default judgment, damages, fees, and costs. These reductions account for inefficiency, overstaffing, an inadequate documentation.</p> <p> </p> <p style="padding-left: 30px;"><strong>Facebook sought</strong>: $8,516.50 in <em>loss</em> pursuant to the CFAA.</p> <p style="padding-left: 30px;"><strong>Facebook awarded</strong>: $0.</p> <p style="padding-left: 30px;"><strong>Court’s reasoning</strong>: A showing of <em>loss</em> requires a showing that it occurred within a one-year period. Facebook stated that it incurred $8,516.50 in fees between March 2011 and January 2014. Thus, Facebook submitted no evidence of a <em>loss</em> of more than $5,000 in a one-year period was provided.</p> <p> </p> <p style="padding-left: 30px;"><strong>Facebook sought</strong>: $8,287.61 in costs.</p> <p style="padding-left: 30px;"><strong>Facebook awarded</strong>: $0.</p> <p style="padding-left: 30px;"><strong>Court’s reasoning</strong>: Facebook’s documentation – a summary table – was inadequate.</p> <p>In total, Facebook was awarded $340,000 in compensatory damages and $75,000 in attorneys’ fees.</p> <p>That concludes this edition of the Ad Astra CFAA Round-Up! I hope you thought it was informative. I’ll do another Round Up in a couple of months, so check back in soon! Feel free to email me with any questions or comments.</p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/opinion-roundup-california-district-courts-and-the-computer-fraud-and-abuse-act-july-2014-through-february-2015-part-two-2/">Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part Two</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> </item> <item> <title>I’ve Been Hacked. Have I Been Damaged?</title> <link>https://www.astralegal.com/ive-been-hacked-have-i-been-damaged/</link> <comments>https://www.astralegal.com/ive-been-hacked-have-i-been-damaged/#respond</comments> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Wed, 01 Apr 2015 17:13:05 +0000</pubDate> <category><![CDATA[Uncategorized]]></category> <category><![CDATA[CDAFA]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[computer fraud]]></category> <category><![CDATA[Computer Fraud and Abuse Act]]></category> <category><![CDATA[data security]]></category> <category><![CDATA[ECPA]]></category> <category><![CDATA[SCA]]></category> <category><![CDATA[Stored Communications Act]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1262</guid> <description><![CDATA[<p>Pleading computer fraud damages Written by Keenan W. Ng Plaintiffs seem to have difficulty pleading damages related to computer fraud violations, including the Computer Fraud and Abuse Act (18 U.S.C. §1030), the Stored Communications Act (18 U.S.C. § 2701), the Electronic Communications Privacy Act (18 U.S.C. § 2501), and the California Computer Data Access and … <a href="https://www.astralegal.com/ive-been-hacked-have-i-been-damaged/" class="more-link">Continue reading<span class="screen-reader-text"> "I’ve Been Hacked. Have I Been Damaged?"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/ive-been-hacked-have-i-been-damaged/">I’ve Been Hacked. Have I Been Damaged?</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p><em><strong>Pleading computer fraud damages</strong></em></p> <p><em>Written by <a href="http://www.astralegal.com/attorney/keenan-ng-associate-attorney/">Keenan W. Ng</a></em></p> <p>Plaintiffs seem to have difficulty pleading damages related to computer fraud violations, including the Computer Fraud and Abuse Act (18 U.S.C. §1030), the Stored Communications Act (18 U.S.C. § 2701), the Electronic Communications Privacy Act (18 U.S.C. § 2501), and the California Computer Data Access and Fraud Act (Cal. Penal Code § 502). While litigants simply seem confused as to what they are allowed to ask for, pleading damages is a fairly straightforward process as most courts interpret the requisite sections by their plain meaning.</p> <p><strong>Computer Fraud and Abuse Act</strong></p> <p>The CFAA does not allow for traditional compensatory damages. Rather, the statute allows for the recovery of <em>loss</em> and <em>damage</em> as defined by the statute.</p> <p><span id="more-1262"></span></p> <p><em>Loss</em> means “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, <strong><span style="text-decoration: underline;">and</span></strong> any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” (Emphasis added) 18 U.S.C. § 1030 (e)(11).</p> <p><em>Loss</em> breaks down into two elements: (1) the cost of responding to an offense; and (2) lost revenue or consequential damages arising as a result of an interruption of service. Importantly, the conjunctive word, “and,” is generally interpreted to mean “or” as opposed to requiring both elements to show <em>loss</em>. This is an important distinction because it provides litigants two paths to meeting the $5,000 threshold to bring a civil claim.</p> <p><em>Damage</em> means “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. § 1030 (e)(8). Unlike loss, the CFAA does not require a quantitative threshold of <em>damage</em> to bring a CFAA claim. Any impairment to integrity or availability of data – such as any deletion of data or a lockout/denial or service – is sufficient to show <em>damage</em>.</p> <p><strong>Stored Communications Act</strong></p> <p>The SCA allows the plaintiff to recover the <strong><span style="text-decoration: underline;">sum of</span></strong> any actual damages suffered <strong><span style="text-decoration: underline;">and</span></strong> any profits made by the violator as a result of the violation, and that in no case shall the recovery be for less than $1000.18 U.S.C. § 2707 (c). Note that the statute allows for a plaintiff to essentially double recover: the can claim “the sum of” their actual damages in addition to the any profits made by the violator. More importantly, even if the damages and/or profit are $0, a plaintiff can still recover statutory damages of $1000 <strong><span style="text-decoration: underline;">per occurrence</span></strong>.</p> <p>Moreover, if the violation is willful or intentional, the plaintiff can seek punitive damages. 18 U.S.C. § 2707 (c). The court may also impose reasonable attorneys fees. 18 U.S.C. § 2707 (b)(3), (c).</p> <p><strong>Electronic Communications Privacy Act</strong></p> <p>Similar to the SCA, the ECPA provides that the plaintiff to recover the <strong><span style="text-decoration: underline;">sum of</span></strong> any actual damages suffered <strong><span style="text-decoration: underline;">and</span></strong> any profits made by the violator as a result of the violation. 18 U.S.C. § 2520 (c)(2)(A). Alternatively, the court may impose statutory damages of the greater of $100 a day for each day of the violation, or $10,000. 18 U.S.C. § 2520 (c)(2)(B).</p> <p><strong>California Computer Data Access and Fraud Act</strong></p> <p>Finally, under the CDAFA, a plaintiff may recover compensatory damages, which is defined as “any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by” an access that violates the CDAFA. Cal. Penal Code § 502 (e).</p> <p>Similar to the CFAA definition of <em>loss</em>, the CDAFA allows for the recovery of any costs the victims incurred in determining whether or not their computers or data were harmed as a result of the intrusion. Costs to hire consultants and/or experts, as well as paying your staff to investigate any violation qualify for compensation under the CDAFA. Unlike the CFAA, the CDAFA does not require any sort of monetary threshold to qualify for CDAFA protection.</p> <p><strong>Conclusion</strong></p> <p>Pleading computer fraud damages is not as daunting as some litigants might make it out to be. By sticking to the plain language of the statutes and being fairly specific when pleading what your damages are, you should have no problems at the pleading stage.</p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/ive-been-hacked-have-i-been-damaged/">I’ve Been Hacked. Have I Been Damaged?</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.astralegal.com/ive-been-hacked-have-i-been-damaged/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Computer Crime Returns to the Ninth Circuit Court of Appeal</title> <link>https://www.astralegal.com/computer-crime-returns-to-the-ninth-circuit-court-of-appeal/</link> <comments>https://www.astralegal.com/computer-crime-returns-to-the-ninth-circuit-court-of-appeal/#respond</comments> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Mon, 19 Oct 2015 21:37:32 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[Ninth Circuit]]></category> <category><![CDATA[Nosal]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1442</guid> <description><![CDATA[<p>Author: Michael Dorsi[1] Tomorrow the United States Court of Appeals for the Ninth Circuit will hear argument in United States v. Nosal, a case testing the meaning of the federal computer crime laws. Petitioner David Nosal was convicted of a felony for his participation in a conspiracy by former employees of the executive search firm … <a href="https://www.astralegal.com/computer-crime-returns-to-the-ninth-circuit-court-of-appeal/" class="more-link">Continue reading<span class="screen-reader-text"> "Computer Crime Returns to the Ninth Circuit Court of Appeal"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/computer-crime-returns-to-the-ninth-circuit-court-of-appeal/">Computer Crime Returns to the Ninth Circuit Court of Appeal</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p>Author: <a href="http://www.astralegal.com/attorney/michael-dorsi-associate/">Michael Dorsi</a><a href="#_ftn1" name="_ftnref1">[1]</a></p> <p>Tomorrow the United States Court of Appeals for the Ninth Circuit will hear argument in <u>United States v. Nosal</u>, a case testing the meaning of the federal computer crime laws.</p> <p>Petitioner David Nosal was convicted of a felony for his participation in a conspiracy by former employees of the executive search firm Korn/Ferry. The trial court found Nosal guilty of violating the federal Computer Fraud and Abuse Act<a href="#_ftn2" name="_ftnref2">[2]</a> (“CFAA”) because his co-conspirators<a href="#_ftn3" name="_ftnref3">[3]</a> used a password belonging to a then-employee of Korn/Ferry. After a jury trial, the district court concluded that the co-conspirators’ access was not authorized, and that using a current employee’s password falls within the CFAA.</p> <p>This is the third time that the Ninth Circuit will hear argument in this case. In 2011, a three-judge panel considered an appeal of the dismissal of several charges. That panel reversed the district court, but on review <em>en banc</em> in 2012, the Ninth Circuit reversed the panel decision and affirmed the district court’s dismissal of causes of action. That decision held that the CFAA only prohibited wrongful access to — not wrongful use — protected computers and material found on those computers. Judge Kozinski’s opinion for the <em>en banc </em>panel<a href="#_ftn4" name="_ftnref4">[4]</a> suggested that the court was concerned about the broad reach of the statute, but stopped short of striking down the statute for unconstitutional vagueness and overbreadth. That opinion considered but did not conclude that circumvention of a technological access barrier would be required to find a CFAA violation.</p> <p>Interestingly, one of the eleven judges from the <em>en banc</em> decision in 2012, Judge M. Margaret McKeown, is on tomorrow’s panel. And during the <em>en banc</em> oral argument, Judge McKeown engaged in a brief colloquy with defense attorney Ted Sampsell-Jones, attempting to distinguish the charges now on appeal from those on appeal during the 2011 oral argument. Judge McKeown and Mr. Sampsell-Jones considered an analogy between passwords and keys to doors. Judge McKeown appeared to be under the impression that the defendants had kept their working passwords — like keeping a key after leaving — when in fact they used the password of a current employee. The text of the exchange suggests that Judge McKeown may not be as supportive of the defense argument now as she was in 2011–12:</p> <p>“Mr. Sampsell-Jones: I don’t think that’s quite the same as picking a lock or stealing.</p> <p>Judge McKeown: Well the one who’s left, has a key that he or she didn’t, quote, turn in, so to speak.</p> <p>Mr. Sampsell-Jones: No the one who’s left doesn’t have a key anymore. The one who has left gets the key consensually from the one who is still there.</p> <p>Judge McKeown: That’s called hacking.”<a href="#_ftn5" name="_ftnref5">[5]</a></p> <p>While a single question is not entirely useful in forecasting the outcome, it will be interesting to see if Judge McKeown revisits the same question tomorrow.</p> <p><a href="#_ftnref1" name="_ftn1">[1]</a> Mr. Dorsi is an associate at Ad Astra Law Group, counsel for amicus curiae NovelPoster. NovelPoster’s brief can be found <u><a href="https://www.eff.org/document/novelposter-amicus-brief-support-government">here</a></u>. All briefs are available online on a <u><a href="https://www.eff.org/cases/u-s-v-nosal" target="_blank">page</a></u> hosted by the Electronic Frontier Foundation.</p> <p><a href="#_ftnref2" name="_ftn2">[2]</a> The Computer Fraud and Abuse Act is codified at 18 U.S.C. § 1030. Mr. Nosal was convicted for his violation of 18 U.S.C. § 1030(a)(4).</p> <p><a href="#_ftnref3" name="_ftn3">[3]</a> There are also arguments about whether Mr. Nosal can be guilty by way of conspiracy for these actions. Those arguments will not fit into a brief blog post, but are addressed in the briefs.</p> <p><a href="#_ftnref4" name="_ftn4">[4]</a> 676 F.3d 854 (9th Cir. 2012).</p> <p><a href="#_ftnref5" name="_ftn5">[5]</a> Oral Argument, <u>Nosal</u>, <u>supra</u>, 676 F.3d 854, at 46:45–47:10, available at http://www.ca9.uscourts.gov/media/view_video.php?pk_vid=0000006176.</p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/computer-crime-returns-to-the-ninth-circuit-court-of-appeal/">Computer Crime Returns to the Ninth Circuit Court of Appeal</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.astralegal.com/computer-crime-returns-to-the-ninth-circuit-court-of-appeal/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Can Insiders be Guilty of Computer Hacking? Ad Astra attorney Michael Dorsi is interviewed</title> <link>https://www.astralegal.com/can-insiders-be-guilty-of-computer-hacking-ad-astra-attorney-michael-dorsi-is-interviewed/</link> <comments>https://www.astralegal.com/can-insiders-be-guilty-of-computer-hacking-ad-astra-attorney-michael-dorsi-is-interviewed/#respond</comments> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Thu, 22 Oct 2015 22:22:26 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[anti-hacking statute]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[United States v. Nosal]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1483</guid> <description><![CDATA[<p>Among the questions posed in the Ninth Circuit Court of Appeals case of United States v. Nosal is whether a person can be convicted under an “anti-hacking statute” if they do not circumvent a technical or code-based access barrier. Ross Todd from The Recorder[1] interviewed Ad Astra associate Michael Dorsi and quoted Mr. Dorsi on … <a href="https://www.astralegal.com/can-insiders-be-guilty-of-computer-hacking-ad-astra-attorney-michael-dorsi-is-interviewed/" class="more-link">Continue reading<span class="screen-reader-text"> "Can Insiders be Guilty of Computer Hacking? Ad Astra attorney Michael Dorsi is interviewed"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/can-insiders-be-guilty-of-computer-hacking-ad-astra-attorney-michael-dorsi-is-interviewed/">Can Insiders be Guilty of Computer Hacking? Ad Astra attorney Michael Dorsi is interviewed</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p>Among the questions posed in the Ninth Circuit Court of Appeals case of <u>United States v. Nosal</u> is whether a person can be convicted under an “anti-hacking statute” if they do not circumvent a technical or code-based access barrier. Ross Todd from <em>The Recorder</em><a href="#_ftn1" name="_ftnref1">[1]</a> interviewed Ad Astra associate Michael Dorsi and quoted Mr. Dorsi on the difficulty of defining a technical access barrier. The underlying events in the <u>Nosal</u> case took place in 2004. As stated in <em>The Recorder</em>:</p> <p style="padding-left: 30px;">Dorsi said one need only look at how long Nosal’s case has been pending to see the problem with tying CFAA allegations to some sort of technology-based standard.</p> <p style="padding-left: 30px;">Said Dorsi, “If we do end up with a ‘technological access barrier’ standard we will constantly be catching up with the question of ‘What is a barrier?’</p> <p>In addition to its work on NovelPoster, Ad Astra Law Group presently represents workers’ compensation law firm Reyes & Barsoum in ongoing CFAA litigation in Los Angeles County Superior Court against another law firm, Knox Ricksen.</p> <p><a href="#_ftnref1" name="_ftn1">[1]</a> Ross Todd, <em>Nosal Appeal Could Extend Limits on Computer Hacking Law</em>, The Recorder, October 16, 2015, <em>available at </em>http://www.therecorder.com/id=1202740085781/Nosal-Appeal-Could-Extend-Limits-on-Computer-Hacking-Law</p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/can-insiders-be-guilty-of-computer-hacking-ad-astra-attorney-michael-dorsi-is-interviewed/">Can Insiders be Guilty of Computer Hacking? Ad Astra attorney Michael Dorsi is interviewed</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.astralegal.com/can-insiders-be-guilty-of-computer-hacking-ad-astra-attorney-michael-dorsi-is-interviewed/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item> <title>Not Exactly A Midsummer Night’s Dream for Some</title> <link>https://www.astralegal.com/not-exactly-midsummer-nights-dream/</link> <comments>https://www.astralegal.com/not-exactly-midsummer-nights-dream/#respond</comments> <dc:creator><![CDATA[Scripta Ad Astra Staff]]></dc:creator> <pubDate>Thu, 14 Jul 2016 21:28:14 +0000</pubDate> <category><![CDATA[Blog]]></category> <category><![CDATA[CFAA]]></category> <category><![CDATA[David Nied]]></category> <category><![CDATA[Facebook v. Vachani]]></category> <category><![CDATA[United States v. Nosal]]></category> <guid isPermaLink="false">http://www.astralegal.com/?p=1769</guid> <description><![CDATA[<p>Author: David Nied The Ninth Circuit has handed down two significant decisions under the Computer Fraud and Abuse Act in the past week. In the first decision, United States v. Nosal, the court affirmed the CFAA conviction of David Nosal, a former Korn/Ferry employee who left to start his own competing business with several co-workers. … <a href="https://www.astralegal.com/not-exactly-midsummer-nights-dream/" class="more-link">Continue reading<span class="screen-reader-text"> "Not Exactly A Midsummer Night’s Dream for Some"</span></a></p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/not-exactly-midsummer-nights-dream/">Not Exactly A Midsummer Night’s Dream for Some</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></description> <content:encoded><![CDATA[<p>Author: <a href="http://www.astralegal.com/attorney/david-nied-partner/">David Nied</a></p> <p>The Ninth Circuit has handed down two significant decisions under the Computer Fraud and Abuse Act in the past week. In the first decision, <a href="https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf">United States v. Nosal</a>, the court affirmed the CFAA conviction of David Nosal, a former Korn/Ferry employee who left to start his own competing business with several co-workers. After Nosal and his co-workers left, Korn/Ferry revoked their computer access credentials. Nevertheless, the departed employees used the computer access credentials of Mr. Nosal’s executive assistant—who remained at Korn/Ferry—to obtain access to the company’s proprietary database. The court held that “without authorization” under the CFAA was unambiguous and means “accessing a protected computer without permission.” Nosal argued that since his former executive assistant was authorized to access the company’s computers, he had not violated the statute. Not so, said the court: “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.” Ad Astra’s David Nied and Michael Dorsi, and former associate, Keenan Ng, submitted an amicus brief on behalf of a former client and in support of the United States in which they discussed the importance of the remedies under the CFAA to small, entrepreneurial businesses in the Bay Area. You can read The Recorder’s summary of the decision <a href="http://www.therecorder.com/id=1202761741198/Ninth-Circuit-Affirms-Nosal-Computer-Crime-Conviction-in-Key-CFAA-Ruling?mcode=0&curindex=0&curpage=ALL">here</a>. The Recorder quoted Mr. Nied’s observation that the decision “confirms that [small businesses] have a tool available to them under the CFAA to protect their business, their intellectual property, and their trade secrets from former employees.”</p> <p>In the second decision, <a href="https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/12/13-17102.pdf">Facebook v. Vachani</a>, the court concluded that a social-media aggregator, Power.com, and its principal, Steven Vachani, had violated the CFAA by continuing to use Facebook users’ accounts to send spam email and messages to other Facebook users to promote Power.com after Facebook had sent them a cease and desist notice. Like Mr. Nosal, the defendants argued that they had not violated the CFAA because they had the consent of the Facebook users to send out the emails and messages. The Ninth Circuit, however, concluded that the cease and desist notice revoked any permission the defendants had to use Facebook’s computers and that the defendants used Facebook’s computers “without authorization” after that point in time. The court returned the case to the trial court to re-calculate Facebook’s damages from the date of the cease and desist notice. The takeaway for small business owners is to send out a cease and desist notice the moment you become aware that a third party may be accessing your computers or cloud-based accounts without permission. You can read more about the <a href="http://www.therecorder.com/home/id=1202762363922/Siding-With-Facebook-Circuit-Says-Computer-Hacking-Law-Covers-Spammer?mcode=1202617072607&curindex=3">decision</a> in The Recorder.</p> <p> </p> <p> </p> <p>The post <a rel="nofollow" href="https://www.astralegal.com/not-exactly-midsummer-nights-dream/">Not Exactly A Midsummer Night’s Dream for Some</a> appeared first on <a rel="nofollow" href="https://www.astralegal.com">Ad Astra Law Group, LLP</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.astralegal.com/not-exactly-midsummer-nights-dream/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>