Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part One

Author: Scripta Ad Astra Staff

This week, we will have a three-part series on all of the substantive district court opinions in California regarding the Computer Fraud and Abuse Act (“CFAA”) (18 § U.S.C. 1030) for the first part of 2014 – January through June. We are concentrating on California because that is where most of the Ninth Circuit opinions are generated – not surprising given that Silicon Valley and many technology firms are located in California and within the Ninth Circuit’s jurisdiction.

The CFAA is important to businesses small and large because it provides them the opportunity to seek recourse for unauthorized access to data and information they store and protect on their internal servers or on the cloud.  CFAA violations address outside computer “hackers” as they are commonly perceived in the media, but also “inside” hackers: former employees or business partners that have found ways to access information from their former business associates which they are no longer supposed to view.  The CFAA does not address how information is used once it is acquired, but only covers the initial access of information that one has no authority to view or exceeded his or her authority in so viewing.

Over the next week – Monday, Wednesday, and Friday – we will provide a roundup of the first six months of published California federal opinions regarding the CFAA.

Oracle Am., Inc. v. TERiX Computer Co., 2014 U.S. Dist. LEXIS 561 (N.D. Cal. Jan. 3, 2014)
Judge: Paul S. Grewal, United States Magistrate Judge

Read More >

Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Two

Author: Scripta Ad Astra Staff

This is part two of a three-part series on federal district court opinions in California related to the CFAA.  The first part can be found here.  The third part will be posted on Friday, July 25, 2014.  Stay tuned and check it out.

Enki Corp. v. Freedman, 2014 U.S. Dist. LEXIS 9169 (N.D. Cal. Jan. 23, 2014)
Judge: Paul S. Grewal, United States Magistrate Judge.

Read More >

Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act – January 2014 through June 2014 – Part Three

Author: Scripta Ad Astra Staff

This is the third part of three part-series on federal district court opinions in California regarding the CFAA.  The first part of this series can be found here.  The second part of this series can be found here.

Overall, California district courts have regularly followed the holdings in Nosaland Brekka regarding “use” versus “access.”  In summary, courts in the Ninth Circuit have generally held that the CFAA does not prohibit misusing information, such as in a trade secrets misappropriation violation: if you are allowed to access information, what you do with that information is not a violation of the CFAA, even if it is contrary to the interests of your employer.  On the other hand, if were not allowed to access information – say you quit or were fired – then a CFAA claim could likely withstand Ninth Circuit scrutiny.

It will be interesting to see how the courts make their decisions, especially as the divide between employment-based CFAA claims (“inside hacker” claims) and non-employment-based (external “hacker” claims) become more prevalent. Of course, you can always come back to Scripta Ad Astra to read about the latest CFAA, computer crimes, and cyber security developments.

NetApp, Inc. v. Nimble Storage, 2014 U.S. Dist. LEXIS 65818 (N.D. Cal. May 12, 2014)
Judge: Lucy H. Koh, United States District Judge.

Read More >

Lenovo and Superfish Sued Under The Computer Fraud and Abuse Act.

Written by Keenan W. Ng

It was recently discovered that Lenovo has been selling laptops with preinstalled adware that creates a catastrophic security hole in the web browser leaving users vulnerable to hacks. Superfish, a small company in Palo Alto, develops the adware. Plenty has been written about the technical aspects of the security flaw and more will be written going forward.  As the ramifications of the Superfish vulnerability play out in the community, at least two lawsuits* have been filed. More lawsuits certainly will come. One of these cases, Sterling International Consulting Group (“SICG”) v. Lenovo, Inc. and Superfish, Inc.(collectively, “Lenovo”), alleges violations of the Computer Fraud and Abuse Act. SICG seeks class action certification and was filed in the Northern District of California. The problem with Sterling is that the plaintiffs may have a hard time establishing the authorization element of the CFAA.


Read More >

Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part One

Author: Scripta Ad Astra Staff

This week, we will have a two-part series on all of the substantive California district court Computer Fraud and Abuse Act opinions from July 2014 through February 2015. These posts are a follow up to a three – part series I wrote last summer discussing CFAA opinions from January 2014 through June 2014.

I decided to include some 2015 opinions in this Round Up because (1) there were not that many substantive opinions in the latter half of 2014 and (2) because I was a bit tardy on getting this post up – I figured I would bring you up to speed.

The next post will be on Friday, March 20. I hope you check it out!

Sprint Solutions, Inc. v. Pacific Cellupage Inc., 2014 U.S. Dist. LEXIS 101397 (C.D. Cal. July 21, 2014)

Judge: Christina A. Snyder, United States District Judge.

Read More >

Opinion Roundup: California District Courts and the Computer Fraud and Abuse Act, July 2014 through February 2015 – Part Two

Author: Scripta Ad Astra Staff

This is the second part of a two part-series on federal district court opinions in California regarding the CFAA. The first part of this series can be found here.

NetApp, Inc. v. Nimble Storage, Inc., 2015 U.S. Dist. LEXIS 11406 (N.D. Cal. January 29, 2015)(“NetApp II”)

Judge: Lucy H. Koh, United States District Judge

Read More >

I’ve Been Hacked. Have I Been Damaged?

Pleading computer fraud damages

Written by Keenan W. Ng

Plaintiffs seem to have difficulty pleading damages related to computer fraud violations, including the Computer Fraud and Abuse Act (18 U.S.C. §1030), the Stored Communications Act (18 U.S.C. § 2701), the Electronic Communications Privacy Act (18 U.S.C. § 2501), and the California Computer Data Access and Fraud Act (Cal. Penal Code § 502). While litigants simply seem confused as to what they are allowed to ask for, pleading damages is a fairly straightforward process as most courts interpret the requisite sections by their plain meaning.

Computer Fraud and Abuse Act

The CFAA does not allow for traditional compensatory damages. Rather, the statute allows for the recovery of loss and damage as defined by the statute.

Read More >

Computer Crime Returns to the Ninth Circuit Court of Appeal

Author: Michael Dorsi[1]

Tomorrow the United States Court of Appeals for the Ninth Circuit will hear argument in United States v. Nosal, a case testing the meaning of the federal computer crime laws.

Petitioner David Nosal was convicted of a felony for his participation in a conspiracy by former employees of the executive search firm Korn/Ferry. The trial court found Nosal guilty of violating the federal Computer Fraud and Abuse Act[2] (“CFAA”) because his co-conspirators[3] used a password belonging to a then-employee of Korn/Ferry. After a jury trial, the district court concluded that the co-conspirators’ access was not authorized, and that using a current employee’s password falls within the CFAA.

This is the third time that the Ninth Circuit will hear argument in this case. In 2011, a three-judge panel considered an appeal of the dismissal of several charges. That panel reversed the district court, but on review en banc in 2012, the Ninth Circuit reversed the panel decision and affirmed the district court’s dismissal of causes of action. That decision held that the CFAA only prohibited wrongful access to — not wrongful use — protected computers and material found on those computers. Judge Kozinski’s opinion for the en banc panel[4] suggested that the court was concerned about the broad reach of the statute, but stopped short of striking down the statute for unconstitutional vagueness and overbreadth. That opinion considered but did not conclude that circumvention of a technological access barrier would be required to find a CFAA violation.

Interestingly, one of the eleven judges from the en banc decision in 2012, Judge M. Margaret McKeown, is on tomorrow’s panel. And during the en banc oral argument, Judge McKeown engaged in a brief colloquy with defense attorney Ted Sampsell-Jones, attempting to distinguish the charges now on appeal from those on appeal during the 2011 oral argument. Judge McKeown and Mr. Sampsell-Jones considered an analogy between passwords and keys to doors. Judge McKeown appeared to be under the impression that the defendants had kept their working passwords — like keeping a key after leaving — when in fact they used the password of a current employee. The text of the exchange suggests that Judge McKeown may not be as supportive of the defense argument now as she was in 2011–12:

“Mr. Sampsell-Jones: I don’t think that’s quite the same as picking a lock or stealing.

Judge McKeown: Well the one who’s left, has a key that he or she didn’t, quote, turn in, so to speak.

Mr. Sampsell-Jones: No the one who’s left doesn’t have a key anymore. The one who has left gets the key consensually from the one who is still there.

Judge McKeown: That’s called hacking.”[5]

While a single question is not entirely useful in forecasting the outcome, it will be interesting to see if Judge McKeown revisits the same question tomorrow.

[1] Mr. Dorsi is an associate at Ad Astra Law Group, counsel for amicus curiae NovelPoster. NovelPoster’s brief can be found here. All briefs are available online on a page hosted by the Electronic Frontier Foundation.

[2] The Computer Fraud and Abuse Act is codified at 18 U.S.C. § 1030. Mr. Nosal was convicted for his violation of 18 U.S.C. § 1030(a)(4).

[3] There are also arguments about whether Mr. Nosal can be guilty by way of conspiracy for these actions. Those arguments will not fit into a brief blog post, but are addressed in the briefs.

[4] 676 F.3d 854 (9th Cir. 2012).

[5] Oral Argument, Nosal, supra, 676 F.3d 854, at 46:45–47:10, available at http://www.ca9.uscourts.gov/media/view_video.php?pk_vid=0000006176.

Can Insiders be Guilty of Computer Hacking? Ad Astra attorney Michael Dorsi is interviewed

Among the questions posed in the Ninth Circuit Court of Appeals case of United States v. Nosal is whether a person can be convicted under an “anti-hacking statute” if they do not circumvent a technical or code-based access barrier. Ross Todd from The Recorder[1] interviewed Ad Astra associate Michael Dorsi and quoted Mr. Dorsi on the difficulty of defining a technical access barrier. The underlying events in the Nosal case took place in 2004. As stated in The Recorder:

Dorsi said one need only look at how long Nosal’s case has been pending to see the problem with tying CFAA allegations to some sort of technology-based standard.

Said Dorsi, “If we do end up with a ‘technological access barrier’ standard we will constantly be catching up with the question of ‘What is a barrier?’

In addition to its work on NovelPoster, Ad Astra Law Group presently represents workers’ compensation law firm Reyes & Barsoum in ongoing CFAA litigation in Los Angeles County Superior Court against another law firm, Knox Ricksen.

[1] Ross Todd, Nosal Appeal Could Extend Limits on Computer Hacking Law, The Recorder, October 16, 2015, available at http://www.therecorder.com/id=1202740085781/Nosal-Appeal-Could-Extend-Limits-on-Computer-Hacking-Law

Not Exactly A Midsummer Night’s Dream for Some

Author: David Nied

The Ninth Circuit has handed down two significant decisions under the Computer Fraud and Abuse Act in the past week.   In the first decision, United States v. Nosal, the court affirmed the CFAA conviction of David Nosal, a former Korn/Ferry employee who left to start his own competing business with several co-workers.  After Nosal and his co-workers left, Korn/Ferry revoked their computer access credentials.  Nevertheless, the departed employees used the computer access credentials of Mr. Nosal’s executive assistant—who remained at Korn/Ferry—to obtain access to the company’s proprietary database.  The court held that “without authorization” under the CFAA was unambiguous and means “accessing a protected computer without permission.”  Nosal argued that since his former executive assistant was authorized to access the company’s computers, he had not violated the statute.  Not so, said the court:  “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.”  Ad Astra’s David Nied and Michael Dorsi, and former associate, Keenan Ng, submitted an amicus brief on behalf of a former client and in support of the United States in which they discussed the importance of the remedies under the CFAA to small, entrepreneurial businesses in the Bay Area.  You can read The Recorder’s summary of the decision here. The Recorder quoted Mr. Nied’s observation that the decision “confirms that [small businesses] have a tool available to them under the CFAA to protect their business, their intellectual property, and their trade secrets from former employees.”

In the second decision, Facebook v. Vachani, the court concluded that a social-media aggregator, Power.com, and its principal, Steven Vachani, had violated the CFAA by continuing to use Facebook users’ accounts to send spam email and messages to other Facebook users to promote Power.com after Facebook had sent them a cease and desist notice.  Like Mr. Nosal, the defendants argued that they had not violated the CFAA because they had the consent of the Facebook users to send out the emails and messages.  The Ninth Circuit, however, concluded that the cease and desist notice revoked any permission the defendants had to use Facebook’s computers and that the defendants used Facebook’s computers “without authorization” after that point in time.  The court returned the case to the trial court to re-calculate Facebook’s damages from the date of the cease and desist notice.  The takeaway for small business owners is to send out a cease and desist notice the moment you become aware that a third party may be accessing your computers or cloud-based accounts without permission.  You can read more about the decision in The Recorder.