When a former employee leaves a company and there are issues as to whether he has wrongfully accessed the company’s computers, servers and/or e-mail accounts, in addition to traditional common law claims of breach of fiduciary duty, unfair competition, conversion and trespass, a litigator has in her arsenal a cause of action alleging civil violation of the federal Computer Fraud and Abuse Act.¹ For instance, fraudulently obtaining information from a company’s e-mail server or visiting a Web site and accessing unauthorized information from it with intent to defraud may constitute a violation of the act.

The Computer Fraud and Abuse Act (CFAA) was enacted in 1984 “to provide a clear statement of proscribed activity concerning computers to the law enforcement community, those who own and operate computers, and those tempted to commit crimes by unauthorized access to computers.”²

Discussing amendments enacted in 1996, the Senate remarked on Congress’ effort to keep up with technology, to protect both the government and private citizens, and to “remain vigilant to ensure that the [CFAA] is up-to-date and [provide] law enforcement with the necessary legal framework to fight computer crime.”

An individual violates the CFAA and is subject to civil penalties when he “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”³

The act applies to computers “used in interstate or foreign commerce or communication.”⁴ Other grounds for violation include “knowingly [causing] transmission of a program, information, code or command, and as a result of such conduct, intentionally causing damage without authorization, to a protected computer,” “intentionally [accessing] a protected computer without authorization, and as a result, recklessly [causing] damage” or “intentionally [accessing] a protected computer without authorization, and as a result of such conduct, [causing] damage and loss.⁵

Four state Commercial Division cases⁶ have discussed the application of this statute, which, in each case, was narrowly construed. It is worth reviewing the CFAA when drafting a pleading as it provides grounds for “compensatory damages and injunctive relief or other equitable relief,” with a two-year statute of limitations from the date of the act complained of or the date of discovery of the damage.⁷

In Hecht v. Components International Inc.,⁸ the court granted summary judgment dismissing a counterclaim alleging violation of the CFAA, where a former CEO and shareholder of a company purportedly improperly deleted over 1,500 company e-mails using Web access to the company’s e-mail server following severance of his relationship with the corporation.

The court noted that the requirement of demonstrating lack of authorization to use a company computer could be met either implicitly, if, for instance, access was protected by a password or, explicitly, where notice limiting access had been given.

Plaintiff submitted an affidavit claiming his post-resignation access to the computer system was limited to his personal files maintained on Outlook Express. While noting that the company’s shutting down its server each time following plaintiff’s remote access to the system implicitly established that such access was not “authorized,” the court found no intent to defraud on the grounds that plaintiff only sought to obtain his personal files.

The court held that defendants failed to come forward with evidence of fraudulent intent where their computer report only revealed that plaintiff’s access to the company’s e-mail server was “standard,” suggesting that “sensitive information was not reached.”

In Zeno Group Inc. v. Wray,⁹ a former employee allegedly deleted from the company’s server documents relating to a firm client “as well as activity reports and new business files.”

The court granted summary judgment to defendant finding “there is no allegation that the server [defendant] accessed was beyond her authorization…[and that] “it strains reason that someone could delete files on a server beyond their authorization level,” noting that the alleged wrongful actions did not occur after any alleged loss of “authorization.”

As far as the allegations that plaintiff deleted computer files and e-mails from her laptop that had been provided to her by the company for business use prior to her departure, the court found these allegations to be “at best redundant” of plaintiff’s cause of action for conversion.

Statutory ‘Damage’ or ‘Loss’

In Scory LLC d/b/a The Intelligent Office v. Maroney,¹⁰ after defendant left plaintiff’s employ, he allegedly “remotely accessed [plaintiff's] computer ["to obtain [plaintiff's confidential information"] and telephone system,¹¹ and redirected two of [plaintiff's] toll free numbers to telephones unrelated to [plaintiff's] business.”

The court noted that, while plaintiff alleged that defendant “attempted” to access the computers without “authority,” it failed to allege that defendant actually obtained such access. The court noted that plaintiff further failed to provide proof that defendant obtained “anything of value” and that it sustained any “loss”¹² or “damage”¹³ under the CFAA.¹⁴

In Matter of Doubleclick Inc. Privacy Litigation,¹⁵ the court noted that “Congress intended the term ‘loss’ to target remedial expenses borne by victims that could not properly be considered direct damage caused by a computer hacker.”

In Alarmex Holdings, LLC v. Pianin,¹⁶ defendant, the former president and current owner of an equitable interest in plaintiff company, allegedly wrongfully used his company laptop to access the company’s e-mail system for purposes of unfair competition and tortious interference with [plaintiff's] business relations.

Plaintiff alleged that, after defendant left the company, he used the laptop issued to him to access an e-mail account in order to obtain proprietary information, including product pricing and production in an attempt to persuade a key customer of plaintiff to place orders with him, rather than with plaintiff.

The court held that, while the proposed pleading alleged lost profits from such key account as a result of defendant’s alleged wrongful access to e-mail accounts, and that he had deleted certain e-mails, this did not violate the CFAA. The court indicated that in order to maintain a cause of action under the CFAA, the complaint must allege “damage” to the company’s computer system and losses related to remedying the computer or losses incurred due to an interruption in service.

Because such alleged damages did not fall within the act and because the computer utilized was only a company-issued computer that belonged to defendant, there was no violation of the CFAA.

Conclusion

Taking into account the foregoing decisions, the Computer Fraud and Abuse Act should not be overlooked when drafting a complaint alleging improper conduct by a former employee, where there is a concern that she improperly accessed the firm’s computer network.

However, the statute is exacting and, as noted above, state courts narrowly construe its provisions.

Nevertheless, the CFAA remains a powerful tool with a built-in provision providing for injunctive and equitable relief that may be useful when a business is threatened by loss of critical data and information.¹⁷ As such, the act should be reviewed in any application for injunctive relief, and a CFAA cause of action should be considered in addition to pleading more typical common law causes of action.

Mark A. Berman, a partner at commercial litigation firm Ganfer & Shore, is secretary of the e-discovery committee of the Commercial and Federal Litigation Section of the New York State Bar Association.

Endnotes:

1. 18 U.S.C. §1030(a). The Computer Fraud and Abuse Act (CFAA) also provides for criminal penalties, which are not addressed herein. See 18 U.S.C. §1030(c). The CFAA does preempt state law claims. See Hecht v. Components International Inc., Index No. 3371/08 at 12 (Sup. Ct. Nassau Co. Nov. 10, 2008) (citing Pacific Aerospace & Electronics v. Taylor, 295 F. Supp. 2d 1188, 1194 (E.D. Wash. 2003)).

2. S. REP. NO. 104-357, at *3 (1996).

3. 18 U.S.C. §1030(a)(4). See 18 U.S.C. §1130(g).

4. 18 U.S.C. §1030(e)(2)(B).

5. 18 U.S.C. §1030(a)(5)(A)-(C).

6. As this article only addresses state court decisions and given the few decisions construing the CFAA, a litigator should review relevant precedent from the federal courts to ensure that all the elements of such a cause of action are properly pleaded.

7. 18 U.S.C. §1030(g).

8. Index No. 3371/08 at 12 (Sup. Ct. Nassau Co. Nov. 10, 2008)

9. 2008 WL 4532826, Index No. 602632/06 (Sup. Ct. N.Y. Co. Sept. 26, 2008).

10. Index No. 13251/06 (Sup. Ct. Nassau Co. May 25, 2007).

11. As the CFAA does not apply to telephones, the allegation that defendant “hacked into [plaintiff's] password protected telephone system and rerouted telephone numbers does not constitute a violation of the CFAA.” A computer is defined as “data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator or other similar device.” 18 U.S.C. §1030(e)(1).

12. “Loss” is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.”18 U.S.C. §1030(e)(11).

13. “Damage” is as “impairment to the integrity or availability of data, a program, a system or information.” 18 U.S.C. §1030(e)(8).

14. The CFAA provides that only a plaintiff who “suffers damage or loss by reason of a violation of this section may maintain a civil action.” 18 U.S.C. §1030(g).

15. 154 F.Supp. 2d 497, 521 (S.D.N.Y. 2001) (any loss actionable under the CFAA is subject to the Act’s damages minimum).

16. 2006 WL 5110875, Index No. 601987/05, at 1 (Sup. Ct. N.Y. Co. March 23, 2006).

17. S. REP. NO. 104-357, at *12.

E-discovery industry seeing slower growth, more mergers

A funny thing happened on the way to amending the federal Rules of Civil Procedure in 2006: That watershed event triggered a surge of investment in e-discovery software and services, fueling a mini tech bubble. The number of players exploded from a few dozen in 2000 to about 600 these days.

“It was almost like a gold rush,” says John Bace, research vice president of Gartner Inc. in Stamford, Conn. “People saw e-discovery as a quick and easy way to make money.”

With data and lawsuits proliferating, there still is plenty of money to be made in electronic data discovery. Look no further than the exhibit hall at ABA Techshow 2009, where e-discovery vendors were prominent.

Commercial spending in this young niche is expected to increase this year by 20 percent to $4.05 billion, according to consultant George J. Socha Jr., who co-founded the Electronic Discovery Reference Model, an industry consortium that sets guidelines and standards.

But growth has slowed sharply from annual rates of more than 40 percent just a few years ago, according to Socha’s surveys. And it’s getting much harder to compete profitably in an industry that is coming of age during the worst economic downturn in decades. For one thing, clients no longer are willing to write open-ended checks for services that easily can exceed $1.75 million for an average case.

“Growth has started to moderate and margins have started to decrease,” says Nick Baughan of investment banking firm Marks Baughan & Co. in Cornshohocken, Pa., which advised such deals as Applied Discovery’s sale to LexisNexis.

“There is real technology disruption,” he adds. Big tech companies continue developing tools to classify and store data in formats that permit more efficient archival and retrieval for litigation and regulatory review. “They can do it at a push of the button,” Baughan says.

SHRINKING FIELD

Gartner estimates that by the end of this year, one in four software vendors will be acquired, merge or exit the e-discovery business. Socha, founder of St. Paul, Minn.-based Socha Consulting, sees even more shrinkage over time; he estimates consolidation will reduce the number of service and software providers by about two-thirds to as few as 200. There will always be room for smaller service players, he says, but “the market truly cannot support this many vendors in the long haul.”

Players such as Autonomy, Iron Mountain and Symantec, to name only a few, have acquired smaller companies to build one-stop shops for e-discovery, from identifying data all the way through to pro­cessing, review and presentation. Mean­while, others are exiting the business.

Earlier this year, SPI Global Solu­tions substantially cut its e-discovery operation in Austin, Texas. In Feb­ruary, e-discovery pioneer Onsite3 simultaneously announced Chapter 11 bankruptcy and plans to be acquired by Integreon, a legal processing outsourcer based in Arlington, Va.

Churn is constant. Competi­tors who bought software and sys­tems several years ago now are stuck with higher legacy costs than new entrants at a time when profit margins are shrinking. And firms with good business, unable to borrow to cover temporary shortfalls, fall victim to the banking crisis.

“Many of the people in this space have for years talked about how it is somewhat recession-proof,” says Jason Derting, chief executive officer of Discover-e Legal, a 10-year-old company in Portland, Ore., with about 100 employees.

“I think this is the first test we’ve seen in a maturing space,” Derting says. “We’re certainly not immune to the challenges in the economy.”

His company continues to grow; Derting hired three sales vice presidents this year. Thanks to layoffs elsewhere, he has been pleased with the talent he found. “There are more qualified e-discovery sales executives available than I’ve seen,” he says.

At D4 in Rochester, N.Y., the economy’s nosedive played a role in the unraveling of the company’s May to December romance with litigation support services provider Ivize, which acquired D4 in June 2008. When D4’s owners bought their company back six months later, they assumed some of Ivize’s employees and expanded D4’s services. Now D4 is scouting for acquisitions.

“Our goal still is to have that national footprint,” says vice presi­dent Peter R. Coons. “We’re looking at opportunities that will help us move into different markets.”

TechLaw Solutions, a 25-year-old firm based in Chantilly, Va., also is expanding. “We’ve added staff at high levels for consulting and forensics and data collection” while investing in hardware and software, says president Mel Goldenberg.

Still, revenues are flat this year. “I think we’re lucky they’re flat given what I see going on in the marketplace,” he says.

POWER IN-HOUSE

Meanwhile, companies that once left e-discovery decisions to outside counsel and vendors are exerting far more control. Large corporations are bringing more work in-house, where general counsel team up with IT departments to cut costs and head off problems.

“We’re seeing them get involved, understanding the technology, making decisions about service providers, how data will be handled, what filtering will be used,” says Michele C.S. Lange of Eden Prairie, Minn., a director in Kroll Ontrack Inc.’s legal technologies division, which has 800 employ­ees worldwide.

Greg Swinehart, partner and national leader of forensic and dispute services at Deloitte Financial Advisory Services in New York City, says com­panies are paring their vendor lists. “There are a lot of providers, a lot of steps in the process, a lot of technologies,” he says. “This is complex and painful to manage. I’m seeing a trend to look for fewer professional service firms that can handle multiple aspects.”

So where is it all headed? Continued growth, fewer players and lower costs for clients. Says Swinehart: “I foresee a tremendous future of innovation and consolidation.”