Eagle v. Morgan, 2012 WL 4739436 (E.D.Penn. 2012) is a case whose impact is likely to reverberate through the social media legal landscape for some time. It addresses interesting questions like who owns an employee’s social media account, what happens to the account when an employee is fired, and whether the account has monetary value to the employee. In Eagle, a former banking consultant sued her employer under various state and Federal laws when her employer fired her and promptly took over her LinkedIn account – preventing plaintiff (or anyone else) from accessing her account or retrieving messages from it for several weeks. One of plaintiff’s Federal claims was based on the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq. (CFAA), a criminal statute that also provides a private civil cause of action.
The plaintiff’s CFAA claim alleged that her employer first fired her and then commandeered her LinkedIn account (plaintiff had previously given her LinkedIn password to a co-worker); replacing plaintiff’s profile with her replacement’s. Ouch! The record evidence showed that for a period of at least 16 days, plaintiff was locked out of her Linkedin account. In addition, plaintiff claimed that she was unable to receive Linkedin messages from outside parties for nearly four months – resulting in her missing untold business opportunities. According to the plaintiff, because she was unable to access her account and receive messages, she suffered lost business opportunity damages as prospective clients or business contacts were rerouted to her replacement’s Linkedin profile.
The Court granted summary judgment for the defendant employer on the CFAA counts. In doing so, the Court briefly discussed the contours of the CFAA, which provides a private cause of action for a plaintiff who sustains damage or loss of at least $5,000 against a defendant who intentionally, and without authorization, accesses a “protected computer”. 18 U.S.C. 1030(a)(1)-(7).
The CFAA defines “damage” as any impairment to the integrity or availability of data, a program, a system, or information. 18 U.S.C. s. 1030(e)(8). CFAA “loss” denotes the reasonable cost to any computer fraud victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense. 18 U.S.C. s. 1030(e)(11). “Loss” also encompasses lost revenue and consequential damages incurred because of interruption of service. Id. Aside from certain exceptions not relevant here, Section 1030(g) of the CFAA requires a plaintiff to show damage or loss of at least $5,000 in any one-year period. 18 U.S.C. § 1030(e)(8)(A); 1030(c)(4)(A)(i)(I).
The court entered summary judgment for the employer on the basis that the plaintiff failed to show damages or loss of at least $5,000. The court held that plaintiff’s damages evidence was too speculative to survive summary judgment. As to plaintiff’s “loss” claim, the Eagle court gave a restrictive reading to the CFAA and ruled that lost business opportunities did not satisfy the CFAA’s loss threshold where there is no underlying impairment to a computer or computer system.
Conclusion: As a later post will discuss, there is a definite split in authority as to whether underlying physical damage to a computer system or computer data is a necessary condition for a showing of “loss”. Some cases require physical damage; while others only require the plaintiff to show that it spent more than $5,000 investigating and ameliorating a breach of its computer system – regardless of whether there was any physical computer or data damage. In Eagle, the Court apparently believed that lost business opportunities resulting from third-parties’ inability to access a social media page were too far removed from Congressional intent when it codified the CFAA’s damage and loss requirements.
Links (courtesy of www.tradesecretslaw.com):