Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part One

Author: Scripta Ad Astra Staff

This week, we will have a two-part series on all of the substantive California district court Computer Fraud and Abuse Act opinions from July 2014 through February 2015. These posts are a follow up to a three – part series I wrote last summer discussing CFAA opinions from January 2014 through June 2014.

I decided to include some 2015 opinions in this Round Up because (1) there were not that many substantive opinions in the latter half of 2014 and (2) because I was a bit tardy on getting this post up – I figured I would bring you up to speed.

The next post will be on Friday, March 20. I hope you check it out!

Sprint Solutions, Inc. v. Pacific Cellupage Inc., 2014 U.S. Dist. LEXIS 101397 (C.D. Cal. July 21, 2014)

Judge: Christina A. Snyder, United States District Judge.

Sprint alleged that defendants obtained Sprint phones, altered the software so that the phones could be used outside of the Sprint wireless network, and then sold them for use on other wireless networks. Sprint asserted claims for trafficking in computer passwords in violation of 18 U.S.C. § 1030(a)(6); unauthorized access of protected computer networks in violation of 18 U.S.C. § 1030(a)(5)(C); and unauthorized access of computer networks with intent to defraud in violation of 18 U.S.C. § 1030(a)(4). Defendants brought a motion arguing that Sprint had not properly alleged “loss.” The court partially agreed.

Allegations that did not qualify as loss    

Sprint’s alleged that some of its “loss” included “lost subsidy investments in the trafficked phones,” “responding to Defendants’ with Sprint customer service,” and “tracking down fraudulently sold phones.” The court found this was not loss because they were not directly related to Sprint’s computer systems, noting that “business loss” does not qualify as CFAA losses. Losses must be “closely tied” to a claimant’s system, rather than a claimant’s business model more generally.

 Allegations that did qualify as loss

Sprint also alleged, however that it incurred expenses “investigating and assessing the possible impairment to the integrity of its protected computer networks,” “conduct[ing] a damage assessment regarding Defendants’ collection and dissemination of … codes/passwords,” and “investigating and assessing the possible impairment to the integrity of its protected computer systems.” These qualified as a loss under the CFAA.

While defendants brought up the issue of whether it was possible to allege “loss” even when no computer system had suffered impairment or damage, because Sprint alleged impairment, the court declined to address the issue.

Motion granted with leave to amend

Finally, although Sprint alleged it had “spent well in excess of $5,000,” it did not itemize what each lost cost. Because the court found that some of the losses it pled were cognizable under the CFAA and some were not, the court granted the motion but provided Sprint with leave to amend so that it could clarify how much each recognized CFAA loss cost.

 

NovelPoster v. Javitch Canfield Group, 2014 U.S. Dist. LEXIS 106804 (N.D. Cal. Aug. 4, 2014)*

Judge: William H. Orrick, United States District Judge.

Plaintiff NovelPoster hired defendants as independent contractors to operate its e-commerce business. The business relationship fell apart and defendants changed the passwords to the plaintiff’s online accounts, locking plaintiff out. Defendants continued to operate the business after the lockout, necessarily accessing the online accounts. Plaintiff filed suit, alleging, violations of the CFAA and its California brother, the Computer Data Access and Fraud Act, as well as various other common law violations.

Defendants brought a motion for judgment on the pleadings seeking to dismiss the computer fraud claims. The court addressed a number of CFAA issues in this opinion with respect to authorization and loss/damage. Tackling authorization, the court affirmed that the CFAA limits access to information, not the use of information. While the court declined to state whether accessing the accounts after the lockout constituted acts without authorization, – suggesting it was a factual issue – the court did suggest that plaintiffs’ protests after the lockout occurred suggested defendants’ actions were without authorization.

The court also addressed defendants’ technical access barrier argument – that since plaintiff provided them with the passwords to access accounts, defendants never circumvented a technical access barrier and therefore did not violate the CFAA. Citing United States v. Nosal, 930 F. Supp. 2d 1051, 1060 (N.D. Cal. 2013) (“Nosal II”), the court affirmed that a circumvention of a technical access barrier was not required to find a CFAA violation, and that use of the term “technological access barriers” in United States v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012) (“Nosal I”) “was an aside that does not appear to have been intended as having some precise definitional force.” In any event, the court stated that defendants could not fault plaintiffs for failing to erect technical access barriers when defendants took actions that prevented plaintiff from doing so.

The court also addressed whether it was important that the relationship between plaintiff and defendant was a contractor rather than employer-employee relationship. Judge Orrick’s Order said that the nature of the relationship was irrelevant and that the only “relevant question is whether authorization to access a protected computer was absent or exceeded.” Additionally, in footnote 6, the court also affirmed that plaintiff did not have to “own” a protected computer in order to have standing to bring a CFAA violation. In other words, simply having rights to the protected computers is sufficient. In this instance, the online accounts were protected computers.

Motion granted with leave to amend

Ultimately, the court granted the motion because plaintiff did not adequately plead loss or damage. Plaintiff’s claim that it “has suffered damages and/or loss in excess of $5,000 in the year preceding the date of this filing, but the damages grow each day that Defendants refuse to acknowledge termination of the Agreement,” was too conclusory and vague.

 

Novelposter v. Javitch Canfield Group, 2014 U.S. Dist. LEXIS 155445 (N.D. Cal. Nov. 3, 2014)*

Judge: William H. Orrick, United States District Judge.

The second NovelPoster motion for judgment on the pleadings brought a deeper discussion of loss and damage under the CFAA. Plaintiff alleged that the defendant had prevented plaintiff from accessing and data and information it was entitled to for a seven-month period. The court found this qualified as “impairment to the . . . availability of data,” and thus damage, as required to show damage under the 18 USC section 1030(e)(8). The court also clarified that a showing of damage under the CFAA does not require pleading physical damage to the protected computer – such as physical changes or erasing of data.

Regarding loss, the court found that plaintiff’s allegation that it had spent substantial time and energy “on their efforts to secure the restoration of NovelPoster and its data and information” to the condition they were in “prior to when defendants took control of NovelPoster” qualified as a loss under 18 USC section 1030(e)(11). Plaintiff was able to meet the $5,000 loss threshold by alleging the number of hours that plaintiff spent performing these actions. The court also noted that it was irrelevant that plaintiff knew who caused the alleged harm because loss encompasses not only the investigation of who caused harm, but how they caused harm, and how to restore the data and information to the condition prior to the offense.

Motion denied

Defendants’ motion for judgment on the pleadings was denied.

Thanks for reading! Please come back and check out my post on the first few CFAA opinions of 2015. It will be posted on Friday.

* I was a lead attorney that represented NovelPoster in this matter.