Harvester of Sorrow? (IL Fed. Court Tackles Computer Fraud Case

tape recorder (photo credit: Google Images: www.strangehistory.net)

Fidlar Technologies v. LPS Real Estate Data Solutions, Inc., 2013 WL 5973938 (C.D.Ill. 2013), a high-tech diversity suit, examines internet data “harvesting” and whether it gives rise to Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (CFAA) and common law tort liability. 

The plaintiff developed a computer program that allowed recorder of deeds’ offices from around the country to provide users with public access to real estate records for a fee.  The defendant software company developed a data harvester program that bypassed plaintiff’s protective controls and then captured the real estate data without paying fees.

When plaintiff found out, it brought CFAA claims and state law trespass to chattels claims against the defendant.  Defendant moved to dismiss plaintiff’s claims.

Held: Defendant’s motion to dismiss denied.

Reasons:

The CFAA provides a civil cause of action to a plaintiff injured by computer fraud or hacking.  A CFAA “transmission claim” prohibits a defendant from knowingly transmitting a program (such as a data harvester) without authorization that causes damage to a protected computer.  A CFAA plaintiff must show loss of at least $5,000 in any one-year period.  18 U.S.C. §§ 1030(a), (c).

The Court found that plaintiff sufficiently pled damage, loss and intent under Federal notice pleading rules.  Plaintiff’s claim that defendant’s harvesting activity compromised plaintiff’s software satisfied the CFAA’s damage definition – since it alleged an impact to the “integrity” of the software.  18 U.S.C. 1030(e)(8)(CFAA damage definition). 

Plaintiffs also adequately pled loss of at least $5,000 under the CFAA: plaintiff claimed it spent over $80,000 investigating the extent of defendant’s invasion of plaintiff’s software and in making software repairs and adjustments to prevent further service interruptions.  ¶¶ 7-8; 18 U.S.C. 1030(e)(11)(loss definition).  

Lastly, the Court found the plaintiff’s intentional conduct allegations – that defendant’s intentionally and without permission, used plaintiff’s software – were sufficient under FRCP 8’s “short plain statement” strictures.  ¶ 6.

The Court also sustained (in part) the plaintiff’s trespass to chattel claims.  Trespass to chattel – a sparingly used tort occasionally applied to cyberspace lawsuits – provides a remedy where a defendant intentionally interferes with the plaintiff’s personal property and causes harm to it.  ¶ 9. 

The plaintiff’s trespass to chattel claim based on its computer data wasn’t actionable since electronic public data isn’t physical or private property owned by the plaintiff.  

But plaintiff did make out a trespass to chattels claim with respect to its computer servers.  The servers were sufficiently tangible (or physical) to underlie a trespass to chattels claim.  Plaintiff’s claim that defendant accessed the servers and impaired the servers’ quality, condition and value adequately met the Federal notice pleading standard. ¶¶ 10-11.

Defendant’s Counterclaim

Defendant’s injunctive relief and tortious interference claims were rejected.  The court found that plaintiff’s conduct was privileged under the “honest advice” privilege and the First Amendment Petition Clause.  

The latter privilege applied since the counties with whom plaintiff dealt were all government agencies.  Plaintiff’s statements to the counties concerning the defendant’s unauthorized data mining were protected “petitions” to those counties: plaintiff asked the counties to cut off defendant’s access to plaintiff’s software.  ¶¶ 14-17.

Afterwords:

– Computer Fraud plaintiffs can satisfy notice pleading standards by alleging plausible facts of intent, damage and loss exceeding $5,000;

– Trespass to chattels tort applies to physical computer hardware and servers but not to computer data;

A business competitor has some latitude to make disparaging statements about a competitor where the statements are substantially true, opinions and not facts or are privileged.

 

Nasty Flood of Phone Calls and E-Mails Gives Rise to Computer Fraud Damage Claim – 6th Cir.

In Pulte Homes International Union of North America, 648 F.3d 295 (6th Cir. 2011), the Sixth Circuit addressed the Computer Fraud and Abuse Act (CFAA) in a case where a national labor union launched a barrage of  harassing telephone calls and e-mails against a Michigan home builder that fired a union member.

The plaintiff home sued the union under the CFAA after orchestrated a nation-wide torrent of phone calls and e-mails to plaintiff and its key executives.  The volume of calls – many coming via an auto-dialer – and e-mails basically overburdened and shut down plaintiff’s phone system and computer server.

The 6th Circuit reversed the District Court’s 12(b)(6) dismissal of plaintiff’s CFAA “transmission” claim and reinstated it.  

The “Transmission” Claims 

A CFAA transmission claim requires a plaintiff to show a defendant’s knowing and unauthorized transmission of a program, code, or command that intentionally causes damage to a protected computer.  18 U.S.C. § 1030(a).  

An example of a transmission claim is a hacker or rogue employee who infects a computer system with a virus.  The Pulte Court held that plaintiff’s phone and email systems were “protected computers” under the CFAA and the defendants’ thousands of e-mail and phone blasts constituted “transmissions.”

Under the CFAA, any device that’s not a typewriter or calculator will qualify for protected computer status.

CFAA damage denotes “any impairment to the integrity or availability of data, a program, a system or information.”  18 U.S.C. §1030(e)(8).  The Court noted that the Oxford English Dictionary defined “impairment” as a “deterioration” or “injurious lessening or weakening.” 

The Court held that the Union’s alleged conduct fit squarely into this damage definition.  The Court noted that the volume of calls and e-mails sent by the union prevented plaintiff’s customers from contacting it and so overwhelmed plaintiff’s computer system that it severely stunted plaintiff’s normal business operations. 

On the CFAA intent element, the Court cited plaintiff’s wide-ranging allegations that the union’s conscious objective was to overwhelm and damage plaintiff’s business systems.  The cumulative effect of the allegations against the Union signalled the Union’s intentional conduct.  Since the plaintiff’s allegations demonstrated damage to its computer systems and the Union’s intent, the Court held that the plaintiff successfully pled a CFAA transmission claim.  Id.

The “Access” Claim

A CFAA access claim requires a plaintiff to allege a defendant “intentionally accessed a protected computer without authorization”. 18 U.S.C. § 1030(a)(5)(B), (C).  

Here, the plaintiff failed to demonstrate the Union accessed plaintiff’s phone and computer systems without authorization  under the CFAA since plaintiff allowed all members of the public to call its offices, visit its company web page, and send e-mails to it. 

Take-aways: Pulte provides a good summary of CFAA transmission and access claims and gives content to the CFAA’s damage requirement.  The case also shows how difficult it can be for an employer who has a freely available website, e-mail and phone system (basically, every single company in the U.S.), to meet the without authorization prong of a CFAA access claim. 

Does the Computer Fraud Act Apply to ‘Dumbphones’?

While this Court does not disagree that unwanted text messages, like spam e-mail, are an annoyance, whether receipts of such messages can establish a civil action under the CFAA is, of course, a different question.

Czech v. Wall Street on Demand, Inc. 674 F.Supp. 1102, 1106 (N.D.Minn. 2009).

Anti-spam (e-mail and text) lawsuits and legislation are legion: a flurry of Federal and state laws govern junk e-mails and texts.  This post briefly discusses one case which examined whether sending unwanted texts can subject the texter to Federal Computer Fraud liability. 

In Czech v. Wall Street on Demand, 674 F.Supp. 1102 (N.D. Minn. 2009) a Minnesota plaintiff (representing a proposed class of spam texts recipients) was so fed up with unwanted texts that she literally made a Federal case out of it.  She sued in Minn. District Court under the Computer Fraud and Abuse Act, 18 U.S.C. s. 1030 et seq. (CFAA) after receiving unsolicited texts from an online trading company that mass-texted financial information to phone numbers in its database.  The Court granted the defendant’s 12(b)(6) motion to dismiss the Complaint. 

The basis for the court’s dismissal was that the plaintiff – who owned a cellphone which only made and received calls and texts (colloquially, a “dumbphone”)  – was unable to show (1) that defendant obtained information from plaintiff’s phone; or (2) that defendants intentionally tried to damage plaintiff’s phone; or (3) any statutory “damage” or “loss” due to the unwanted texts.  Id.  As noted in an earlier post, damage and loss are terms of art under the CFAA: damage denotes physical damage to a computer or data; while loss refers to the monetary expense incurred in ameliorating a CFAA violation.  See http://paulporvaznik.com/eagle-i-hijacking-a-linkedin-account-and-the-computer-fraud-act/803 (discussion of CFAA damage and loss under 18 U.S.C. s. 1030(e)).

While the Czech Court ultimately dismissed the plaintiff’s CFAA claims, it also applied the CFAA’s expansive definition of “computer” by acknowledging that the plaintiff’s no-frills cell phone qualified as a “computer” under the CFAA.  674 F.Supp.2d at 1107 (“there is no dispute that [plaintiff’s] cell phone (as well as the various similar wireless devices used by the proposed class members) would constitute…a ‘computer’ as further defined in [the CFAA]).  The CFAA defines a computer as any high-speed data processing device performing logical, arithmetic and storage functions – but that is not a calculator or typewriter.  18 U.S.C. s. 1030(e)(1).  The 8th Circuit Court of Appeals also held that a cell phone that only made calls and texts qualified as a protected computer under the CFAA in a criminal case setting in  U.S. v. Kramer, 631 F.3d 900 (8th Cir. 2011)(defendant used cell phone to entice minor across state lines to engage in criminal sexual conduct).

Declining to extend the Act to unwanted texts, the Czech Court stated succinctly that unwanted texts may be annoying, but they do not give rise to CFAA civil liability: “An annoyance? Quite possibly.  The basis for a civil action under [the CFAA]?  The Court thinks not.”  674 F.Supp.2d at 1105.

Take-away: Czech provides a very detailed analysis of CFAA information (defendant obtained information from a protected computer) transmission (defendant transmitted a virus or worm that damaged plaintiff’s computer), and access (defendant accessed plaintiff’s computer and caused damage or loss to plaintiff)claims.  All three of these claims are predicate acts under CFA sections 1030(a)(2)(C), (a)(5)(A) and (a)(5)(C).  The Court describes the elements and the damage and loss requirements for each of the three claims.  The Court also engages in an intricate and interesting (at least I think so) discussion of the difference between obtaining information from a plaintiff’s website as opposed to a plaintiff’s cell number.  But for this post’s purposes, the case is representative of the CFAA’s expansive definition of a “protected computer” and shows that virtually any mechanical device, wired or not, will qualify for coverage under the statute.