Nasty Flood of Phone Calls and E-Mails Gives Rise to Computer Fraud Damage Claim – 6th Cir.

In Pulte Homes International Union of North America, 648 F.3d 295 (6th Cir. 2011), the Sixth Circuit addressed the Computer Fraud and Abuse Act (CFAA) in a case where a national labor union launched a barrage of  harassing telephone calls and e-mails against a Michigan home builder that fired a union member.

The plaintiff home sued the union under the CFAA after orchestrated a nation-wide torrent of phone calls and e-mails to plaintiff and its key executives.  The volume of calls – many coming via an auto-dialer – and e-mails basically overburdened and shut down plaintiff’s phone system and computer server.

The 6th Circuit reversed the District Court’s 12(b)(6) dismissal of plaintiff’s CFAA “transmission” claim and reinstated it.  

The “Transmission” Claims 

A CFAA transmission claim requires a plaintiff to show a defendant’s knowing and unauthorized transmission of a program, code, or command that intentionally causes damage to a protected computer.  18 U.S.C. § 1030(a).  

An example of a transmission claim is a hacker or rogue employee who infects a computer system with a virus.  The Pulte Court held that plaintiff’s phone and email systems were “protected computers” under the CFAA and the defendants’ thousands of e-mail and phone blasts constituted “transmissions.”

Under the CFAA, any device that’s not a typewriter or calculator will qualify for protected computer status.

CFAA damage denotes “any impairment to the integrity or availability of data, a program, a system or information.”  18 U.S.C. §1030(e)(8).  The Court noted that the Oxford English Dictionary defined “impairment” as a “deterioration” or “injurious lessening or weakening.” 

The Court held that the Union’s alleged conduct fit squarely into this damage definition.  The Court noted that the volume of calls and e-mails sent by the union prevented plaintiff’s customers from contacting it and so overwhelmed plaintiff’s computer system that it severely stunted plaintiff’s normal business operations. 

On the CFAA intent element, the Court cited plaintiff’s wide-ranging allegations that the union’s conscious objective was to overwhelm and damage plaintiff’s business systems.  The cumulative effect of the allegations against the Union signalled the Union’s intentional conduct.  Since the plaintiff’s allegations demonstrated damage to its computer systems and the Union’s intent, the Court held that the plaintiff successfully pled a CFAA transmission claim.  Id.

The “Access” Claim

A CFAA access claim requires a plaintiff to allege a defendant “intentionally accessed a protected computer without authorization”. 18 U.S.C. § 1030(a)(5)(B), (C).  

Here, the plaintiff failed to demonstrate the Union accessed plaintiff’s phone and computer systems without authorization  under the CFAA since plaintiff allowed all members of the public to call its offices, visit its company web page, and send e-mails to it. 

Take-aways: Pulte provides a good summary of CFAA transmission and access claims and gives content to the CFAA’s damage requirement.  The case also shows how difficult it can be for an employer who has a freely available website, e-mail and phone system (basically, every single company in the U.S.), to meet the without authorization prong of a CFAA access claim. 

Facebooking at Work: A Federal Offense? (With ‘Aarons Law’ Update)

Can surfing the Net on company time get you fired?  Perhaps.  Can it subject you to Federal criminal and civil penalties?  Not yet.  At least not in the  Tampa, Florida area.  Wendy Lee v. PMSI, 2011 WL 1742028 (M.D.Fla. 2011) illustrates a creative attempt to expand the reach of the Computer Fraud and Abuse Act (CFAA)(which, incidentally, will be the subject of some future posts).  The CFAA, codified at 18 U.S.C. s. 1030, is a criminal statute with a civil component. It provides a private civil cause of action for anyone who sustains damage or loss as a result of an unauthorized user hacking into a computer system who then destroys, erases or transfers computer data.  It also prohibits authorized users from accessing protected information and from exceeding the limits of their authorization.  In this latter context, the CFAA is typically used by an employer when a rogue employee or “insider” accesses private employer computer data and sends the data to a competitor.

In PMSI, the Plaintiff filed a Federal pregnancy discrimination suit against her employer.  The employer fired back with a counterclaim based on the CFAA – saying that the Plaintiff spent her workdays surfing the Internet and playing on Facebook.  So egregious was the Plaintiff’s personal computer use, that the employer asserted a CFAA violation claiming the Plaintiff violated her employer’s published computer/Internet use policy.

The Court dismissed the CFAA count and said that while Facebooking at work may be a fireable offense; it does not subject one to Federal criminal or civil liability.  The court gave a narrow reading to the CFAA and held that the statute did not apply to a private employee’s violation of an employer’s internet policy.  Otherwise, the court said, every employee across the land who used a company computer to send and receive personal e-mails or who surfed the Net for non-work reasons could potentially be subject to Federal liability.

So, for now, Tampa area office workers can safely surf the net on company time without being subject to CFAA liability.   Whether the same workers can be fired for violating an employer computer policy, is an issue for another day and perhaps another post.

Update (7.15.13):  Recently, some proposed changes to CFAA were introduced by Zoe Lofgren and Ron Wyden, democratic congressman and senator from California and Oregon, respectively.  These changes, known as “Aarons” law (named for the late internet activist Aaron Schwartz), are designed to narrow the reach of the CFAA so that the statute is only used to prosecute outside hackers, rather than criminalize every-day violations of private employer computer policies or Internet terms of use.  Some helpful links follow.