A Weapon Against Hackers on the Home Front

Although headlines have focused on foreign cyberattacks, plenty are U.S.-based—and can be remedied.

Over the past year the national press has repeatedly reported on the vulnerability of our intellectual property to nation-state hackers like China, which have reportedly accessed and stolen highly confidential data by entering computer systems through public websites.

Lost in the headlines is the equally serious threat of industrial espionage posed by U.S.-based data thieves. As a practical matter, companies victimized by foreign governments have no real remedy other than to reinforce their computer security defenses and report suspected violations to law enforcement.

But when the data thieves are domestic competitors, businesses do have a self-help remedy: the Computer Fraud and Abuse Act (CFAA). The federal computer crime statute can stop hackers dead in their tracks and retrieve stolen confidential data and intellectual property.

Some recently reported cases in which companies have successfully brought CFAA cases against intellectual property thieves demonstrate how businesses can aggressively take advantage of this statute to protect their intellectual property.

The CFAA—18 U.S.C. 1030—outlaws criminal activity, including stealing data, directed at what the statute defines as a “protected computer” and provides for a civil action for damages and injunctive relief for companies that have been victimized by, among other crimes, the theft or destruction of their data. The CFAA defines a “protected computer” as one “used in or affecting interstate or foreign commerce or communications.” That definition includes a website “used to conduct business across states lines.” Millennium TGA Inc. v. Leon, 2013 WL 5719079 (E.D.N.Y. Oct. 18, 2013).

A critical element in proving a violation of the CFAA for stealing or destroying data is that the perpetrator accessed the protected computer without authorization or did so by exceeding authorized access. In four factual scenarios, companies have successfully used the CFAA against data thieves by alleging a lack of authorized access to the company website.

THE FOUR SCENARIOS

The first scenario involves a competitor using a special tool such as a scraper or crawler to circumvent the technological constraints of a public website in order to copy its data. For example, in Craigslist v. 3Taps, 942 F. Supp. 2d 962 (N.D. Calif. 2013), Craigslist sued the owners of a competitor’s website alleging that they were using a scraper that had “harvested and reproduced the contents of Craigslist’s website” to publish Craigslist’s ads on their own website.

In refusing to dismiss the CFAA claims, the court held that Craigslist properly alleged that the defendants had accessed its website without authorization based on two key facts: First, the defendants ignored the cease-and-desist letters sent to them by Craigslist denying them authorization to use the website “for any purpose,” and continued to scrape data from Craigslist’s website. Second, the main defendant evaded the technological barriers erected by Craigslist to block the defendant’s Internet Protocol addresses and “bypassed [the block] by using different IP addresses and proxy servers to conceal its identity.”

The second scenario for proving unauthorized access is when the competitor accesses a public website in violation of its terms of use. The Craigslist court refused to validate the defendants’ violation of Craigslist’s terms of use as a basis for finding unauthorized access based on the U.S. Court of Appeals for the Ninth Circuit’s decision in United States v. Nosal, 676 F.3d 854 (2012). Nosal narrowly limited the CFAA “to violations of restrictions on access to information, and not restrictions on its use.” The court found that Craigslist’s terms of use contained only “use” restrictions, not true “access” restrictions as the term was used in Nosal.

However, the First Circuit in EF Cultural Travel v. Zefer, 318 F.3d 58, 62, 63 (2003) recognized that a “public website provider can easily spell out explicitly what is forbidden,” and that “an explicit statement on the website” prohibiting use of a scraper could establish lack of authorization.

The third scenario for proving unauthorized access is when a competitor, posing as a legitimate customer, uses a company-issued password to obtain access to private areas of the website reserved exclusively for customers. This situation can include stealing passwords by hacking into the website, as was done in the Millennium TGA case, or by obtaining use of a password that belongs to a legitimate website customer. In Pixsys Technologies v. Agemni, 2013 WL 5739027 (N.D. Ala. Oct. 22, 2013), Pixsys Technologies Inc. had developed and was licensing a proprietary software package designed to enable DISH satellite television service providers to better manage their back-office function. Pixsys licensed its software to Southern Star Inc. under a standard agreement prohibiting it from, among other things, sharing its password to a Pixsys website where its software was accessible to its paying customers. In violation of this agreement, Southern Star provided its password to a Pixsys competitor, Agemni LLC. Using that password on multiple occasions, Agemni was able to review Pixsys’ software features that Agemni’s product did not offer. Agemni obtained details about the Pixsys product, and based on its review, allegedly made “tons of enhancements” to its software.

Pixsys sued Agemni for violating the CFAA and moved the court for a temporary restraining order enjoining Agemni from accessing, viewing, obtaining and using any such information from the Pixsys website. Finding that Pixsys would likely succeed on the merits of its CFAA claim because the use of the password was without authorization, the court granted the TRO.

The fourth scenario is the classic inside job, in which a current employee steals data from the company computer to use in a competitive enterprise. For example, in Custom Hardware Engineering and Consulting v. Dowell, 918 F. Supp. 2d 916 (E.D. Mo. 2013), four disloyal employees, including the head of network security systems for Custom Hardware Engineering and Consulting Inc. (CHE), secretly formed their own business in competition with their employer to provide computer hardware maintenance services. These employees, while still employed by CHE, systematically stole their employer’s confidential and proprietary data, including copyrighted computer programs, to use in their competing business.

The court denied the defendants’ motion for summary judgment on the plaintiff’s CFAA claim, finding genuine material issues of fact existed as to whether the defendants exceeded the scope of their authorization to access CHE’s protected computer. The court relied on the facts that the employees had signed employment agreements limiting their authorization to access the CHE computers “to the performance of CHE’s business,” and that their breaches of fiduciary duty terminated their authorization to the CHE computers.

Based on the Nosal case, the CHE action would not have survived a motion to dismiss in the Ninth Circuit or in the Fourth Circuit, the only other circuit to follow Nosal. For example, in Farmers Insurance Exchange v. Steele Insurance Agency, 2013 WL 3872950 (E.D. Calif. July 25, 2013), the court, within the jurisdiction of the Ninth Circuit, followed Nosal and dismissed CFAA claims against insurance agency employees who stole confidential insurance policy data from their employer’s computer for the purpose of using that data to divert insurance customers to their new employer. Because the employees were authorized to access the company’s computers while employed, Nosal dictates that they could not “exceed authorized access,” even though they “may have used such information for an improper purpose.”

STEPS FOR BUSINESSES

These recent cases suggest three key proactive steps for businesses: First, be prepared to take advantage of the CFAA by delineating the scope of authorized access to the company computers and its public website through terms of use and employee and customer agreements. Second, regularly monitor who accesses the company website. If you provide customers with passwords, monitor their use, and if you can identify users who have no right to be on the site, immediately send them a cease-and-desist letter notifying them that their access is unauthorized. Third, if you decide to use the CFAA, consider where to file. Chances of success, particularly with employee thefts, are better outside the Fourth and Ninth circuits, in jurisdictions where the CFAA is given a broader application.

Topics:  CFAA, Cyber Attacks, Cybersecurity, Data Protection, Hackers

Published In: Civil Remedies Updates, Intellectual Property Updates, Labor & Employment Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising