Author: Scripta Ad Astra Staff
This week, we will have a three-part series on all of the substantive district court opinions in California regarding the Computer Fraud and Abuse Act (“CFAA”) (18 U.S.C. § 1030) for the first part of 2014 – January through June. We are concentrating on California because that is where most of the Ninth Circuit opinions are generated – not surprising given that Silicon Valley and many technology firms are located in California and within the Ninth Circuit’s jurisdiction.
The CFAA is important to businesses small and large because it provides them the opportunity to seek recourse for unauthorized access to data and information they store and protect on their internal servers or on the cloud. The CFAA addresses outside computer “hackers” as they are commonly perceived in the media, but also “inside” hackers: former employees or business partners who have found ways to access information from their former business associates that they are no longer supposed to view. The CFAA does not address how information is used once it is acquired; it covers only the initial access to information that one has no authority to view, or access that exceeds one’s authority.
Over the next week – Monday, Wednesday, and Friday – we will provide a roundup of the first six months of published California federal opinions regarding the CFAA.
Oracle Am., Inc. v. TERiX Computer Co., 2014 U.S. Dist. LEXIS 561 (N.D. Cal. Jan. 3, 2014)
Judge: Paul S. Grewal, United States Magistrate Judge
Plaintiff Oracle, a leading supplier of enterprise hardware and software systems, as well as technical and consulting services for those systems, is suing defendants, TERiX Computer Co. and Maintech, Inc., who offer support services related to Oracle’s Solaris-based software system. Oracle alleges that TERiX and Maintech duped Oracle’s customers into providing them with access to updates to Oracle’s Solaris operating system — access to which Oracle says TERiX and Maintech had no right.
The court provided opinions with respect to three aspects of the CFAA. First, it held that the heightened pleading standard of Rule 9(b) for fraud was inapplicable to Oracle because Oracle’s allegations do not rely on first-party reliance, but, rather, third-party (customer) reliance.
Second, the court considered whether Oracle had met the pleading standards for Sections 1030(a)(6), (a)(2), and (a)(4). Citing State Analysis, Inc. v. Am. Fin. Servs. Assoc., 621 F. Supp. 2d 309, 317 (E.D. Va. 2009), the court found that Oracle had not met the proper pleading standard for a Section 1030(a)(6) violation because it had pled only that defendants received the login credentials from their customer and used the credentials themselves, which did not amount to “trafficking” under the CFAA.
With respect to Sections 1030(a)(2) and (a)(4), the key issue revolved around whether the defendants acted “without authorization” or “exceeded” their “authorized access” when accessing Oracle’s support websites. Relying on United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), and Oracle Am., Inc. v. Service Key, LLC, 2012 U.S. Dist. LEXIS 171406 (N.D. Cal. Nov. 30, 2012), defendants argued that because they received valid access credentials from Oracle’s customers, their use of the credentials was merely a violation of “use” restrictions, and therefore was not a violation of the CFAA.
The court dismissed defendants’ theory, stating that contrary to the factual scenario in Nosal and Service Key, defendants in the instant matter were alleged to have no access rights whatsoever and proceeded to log in to Oracle’s secure website anyway. As a result, the court refused to dismiss the Section 1030(a)(2) and (a)(4) claims.
Sprint Nextel Corp. v. Welch, 2014 U.S. Dist. LEXIS 2119 (E.D. Cal. Jan. 8, 2014)
Judge: Stanley A. Boone, United States Magistrate Judge
In Welch, the court considered whether plaintiff’s CFAA allegations in its complaint were sufficient for an entry of default judgment. On July 26, 2013, plaintiff Sprint Nextel Corp. filed a complaint seeking damages and injunctive relief against Defendant Aaron Simon Welch d/b/a The Cell Cycle for an alleged “Bulk handset Trafficking Scheme” – Defendant and other co-conspirators acquired subsidized phones from Sprint and resold them to others. On October 20, 2013, Plaintiff filed a motion for default judgment.
With respect to the CFAA allegations – violations of Sections 1030(a)(4) and (a)(5), the court stated that “Plaintiff alleges that Defendant violated the Computer Fraud and Abuse Act by acquiring phones through fraud and gained unauthorized access by 1) unlocking the phones and 2) turning on the phones and thereby accessing Sprint’s wireless service network and billing network. Plaintiff further alleges that Defendant traffics in using the proprietary codes stored on the phones which access Sprint’s network and selling those codes along with the phones.” These pleadings were sufficient for plaintiff to have stated a cognizable claim under the CFAA, thus weighing in favor of entry of default judgment.
United States v. Nosal, 2014 U.S. Dist. LEXIS 4021 (N.D. Cal. Jan. 13, 2014)
Judge: Edward M. Chen, United States District Judge
On April 24, 2013, a jury convicted Defendant David Nosal of computer fraud crimes, including three counts of computer fraud in violation of Section 1030(a)(4) of the CFAA. The main dispute between the parties is what constituted “loss” with respect to U.S.S.G. § 2B1.1. As the court noted, criminal sentencing under the CFAA is governed by United States Sentencing Guidelines Manual § 2B1.1. See U.S.S.G. app. A. Under § 2B1.1, courts are instructed to increase the base offense level based on the amount of “loss.” U.S.S.G. § 2B1.1(b). “Loss” is defined as the “greater of actual loss or intended loss.” Id. § 2B1.1 cmt. n. 3. “Actual loss,” which is involved in this case, means the “reasonably foreseeable pecuniary harm that resulted from the offense.” Id. at § 2B1.1 cmt. n.3(A)(i). Harm is reasonably foreseeable if the “defendant knew or, under the circumstances, reasonably should have known, [that the harm] was a potential result of the offense.” Id. § 2B1.1, cmt. n.3(A)(iv).
While the court considered a number of issues outside of the CFAA, with respect to the CFAA, the court held, for two reasons, that under § 2B1.1 and Note 3(A)(v)(III) “actual loss” includes those costs incurred as part of an internal investigation reasonably necessary to respond to the offense, for example by identifying the perpetrator or the method by which the offender accessed the protected information. First, the plain language of Note 3(A)(v)(III) and § 1030 itself both include in the definition of loss the cost of generally “responding to an offense.”
“Second, in situations where the CFAA violation constitutes covert, unauthorized access into a computer system, taking corrective actions or otherwise “responding to an offense” will often be difficult (if not impossible) until the victim knows (1) who perpetrated the offense; (2) how the offense was perpetrated, and (3) the scope of any resulting damage or the degree to which the integrity of its data has been compromised.”
The court also differentiated between costs incurred in directly responding to an offense and costs of preparing for litigation. The court held that “[c]osts incurred for the purpose of building or supporting the victim’s civil case should not be considered ‘loss’ for purposes of the Guidelines calculation.”
In reviewing a declaration by aggrieved party Korn Ferry’s General Counsel, Peter Dunn, the court noted first that he failed to differentiate between direct investigation costs – “the who, what, and how behind Defendant’s offenses” – and costs in preparation of litigation.
Second, Mr. Dunn did not distinguish between his time aiding a government investigation and his time spent aiding Korn Ferry’s internal investigation of Nosal’s access. The court noted the importance of this distinction, as costs incurred by a victim with the primary purpose of aiding the government’s investigation are not included under § 2B1.1.