July 02, 2011
Court Finds That the Value of Bartered-For Services Constitutes Loss Under the Computer Fraud and Abuse Act -- Animators at Law v. Capital Legal Solutions
[Post by Venkat Balasubramani]
Animators at Law, Inc. v. Capital Legal Solutions, 10cv1342 (E.D. Va.; May 10, 2011)
This lawsuit presented an increasingly familiar fact pattern. Employees leave a company and the employer sues the ex-employees under the Computer Fraud and Abuse Act for accessing the employer's computers without authorization. I previously blogged about US v. Nosal, which held that any violation of an employer's network use policy can constitute "unauthorized access" under the CFAA. In addition to requiring proof that the employee engaged in unauthorized access of an employer's computer system, the CFAA contains a $5000 jurisdictional loss threshold. This case focuses on what the employer must show in order to satisfy that jurisdictional threshold. The answer: not much.
The now ex-employees quit and took a company-owned laptop. Animators, the employer, realized this a week after the employees left, and promptly hired a forensic computer security/data recovery firm to assess the damage. The firm performed its services and realized that some files had been deleted from the laptop. Animators also concluded that the employees accessed its Dropbox account where the company stored files. The ex-employees apparently also accessed a time-keeping program which the employer used.
The court denied the ex-employees' motion to dismiss and granted limited discovery on the issue of what "losses" Animators had suffered as a result of the alleged data breach. Following limited discovery, the ex-employees brought a motion for summary judgment. The court denies the motion.
The forensic firm hired by Animators had an engagement letter in place with Animators which said that it would bill Animators on an hourly basis at $0 per hour. After the court denied the motion and allowed discovery, the forensic firm invoiced Animators. The invoice included approximately 63 hours of professional services for $24,000 and hosting services for $29,000. Animators acknowledged that it did not pay the forensic firm in cash for these services. However, the principal of Animators testified that he apparently made available the "Law Prospector" subscription services offered by one of his affiliated entities at no charge to the forensic firm.
The key issue was whether the invoices issued by the forensic firm were a sham or whether Animators actually incurred the costs. Animators explained the belated invoice on the basis of a credit relationship between Animators and the forensic firm. Apparently the parties did not operate on a cash basis. (!) The court agrees with Animators and rejects the ex-employees' position, finding that there is nothing in the Computer Fraud and Abuse Act which requires the aggrieved party to actually shell out cash in the course of taking remedial steps in response to an incident involving unauthorized access to its computers. The court notes that the CFAA expressly states that the value of in-house time spent addressing a breach can go towards satisfying the loss requirement, and this points in the direction that the CFAA does not restrict plaintiffs to claiming cash-based losses. (The CFAA contains a broad definition of "loss," which includes: (1) the cost of responding to an offense, (2) the cost of conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and (3) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. Courts are split on whether lost revenues are recoverable absent an "interruption in service," and whether there has to be a relationship between the lost revenues and the unauthorized access.)
The court was required to take a view of the facts at summary judgment that was most favorable to Animators, but the record as described by the court was littered with red flags. The fact that the invoice was sent by the forensic firm after the court denied the motion to dismiss and the fact that the engagement letter between the forensic firm and Animators required the firm to provide Animators services at "zero dollars per hour" were just some of these red flags. Others included the fact that Animators' principal spent twelve hours setting up a box.net account after the Dropbox account used by the ex-employees was determined to have been compromised. The court notes in passing that the Dropbox password "was not disabled" after the ex-employees left. As a final bonus, Animators' counsel spent thirty hours assisting Animators with its remediation efforts. (I'm not suggesting there was anything improper about this, but thirty hours is a lot of time.)
It's tough to get a clear sense of what happened from the record, but the court does not seem to take into account steps Animators could have taken which would have prevented or mitigated the losses. For example, when the ex-employees left, Animators could have asked them to leave the laptop on their final day. Animators could have also disabled the Dropbox password which the ex-employees used to access Animators' account. The CFAA allows a plaintiff to use costs attributable to "reasonable" steps to satisfy the damages threshold, but the court does not employ a very strict definition of reasonable here. I blogged about US v. Nosal a while back. ("9th Cir: Access of Computer in Violation of Employer's Use Policy Violates Computer Fraud and Abuse Act -- US v. Nosal.") That case held that any violation of an employer's network policy -- including, for example, using internet access for personal reasons -- is sufficient to find liability under the CFAA. When you add a lax definition of what's reasonable in response to an alleged breach, employers are virtually guaranteed to be able to make out a prima facie CFAA claim against ex-employees.
The CFAA was a statute that was intended to address hacking. The Lori Drew case was one example of a use of this statute by prosecutors outside its intended scope. Use by employers in this type of case is another example. The CFAA has become a potent weapon in the hands of employers, who have taken to asserting CFAA claims against ex-employees as a matter of course.