Aleksandr Korzh
Spring 2012
Legal Research: Trouble Online
Analysis
of CFAA Unauthorized Access Requirement (18 U.S.C. ¤¤ 1030)
The CFAA provides that the following actions are prohibited:
Subsection
2:
(1) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtain... (c) information from any protected
computer.
Subsection
4:
(1) knowingly and with intent to defraud; (2) accesses a protected computer
without authorization; (3) by means of such conduct furthers the intended fraud
and obtains anything of value; (4) the object of fraud and thing obtained
consists of more than the use of the computer and the value of such use is more
than $5,000 in any 1-year period.
18 U.S.C. ¤ 1030.
Under the CFAA, the standard for unauthorized access is articulated in
the statute as Òwithout authorization, or exceeds authorized access.Ó
(emphasis added) 18 U.S.C. 1030(a). Ò[A] violation for `exceeding
authorized access' occurs where initial access is permitted but the access of
certain information is not permitted.Ó
Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz.
2008). In the civil context,
subsection (g) provides for compensatory damages (limited to economic damages)
and injunctive or other equitable relief.
In
LVRC Holdings LCC v. Brekka, the
court analyzed the term Òwithout authorizationÓ in the context of an employee
who had access to a computer system.
581 F.3d 1127 (9th Cir. 2009).
There, the employee was found to have authorization during his
employment to access the company computer and the specific information. Therefore, his access was found to have
been with authorization. The court
also explained that a breach of loyalty to an employer also does not lead to
the conclusion that access was without or exceeding authorization.
In
Theofel v. Farey-Jones, a Òpatently
unlawfulÓ subpoena was used to gain access to e-mails on an internet service
providerÕs systems. 359 F. 3d 1066
(9th Cir. 2004). The court held
that the ECPA, discussed further below, applied to these communications. The court also held that access to these
e-mails was unauthorized for purposes of the CFAA explaining that access based
on the deceptive subpoena could not have been authorized.
Analysis of
ECPA (18 U.S.C. ¤ 2701)
An
action under the ECPA may be brought for (1) Intentional interception of
contents of electronic communications; or (2) intentional use, or
endeavors to use, the contents of any wire, oral, or electronic communication,
knowing or having reason to know that the information was obtained through the
interception of a wire, oral, or electronic communication in violation of this
subsection. 18 U.S.C. ¤ 2511.
Furthermore, ¤ 2515 provides that any communication intercepted in
violation of the act cannot be used in any trial, hearing or other proceeding. Under ¤ 2520, civil damages may be
recovered including injunctive and other equitable relief, damages computed
under subsection (c), attorneysÕ fees, and punitive damages. Damages
under subsection (c) are the greater of the sum of actual damages suffered by
the plaintiff and any profits made by the violators as a result of the
violation; or statutory damages of whichever is the greater of $100 a day for
each day of violation or $10,000.
Analysis
of Cal. Pen. Code ¤ 502(c)
California
Penal Code section 502(c) may be violated the following ways relevant to the
present case:
(1)
Knowingly accesses and without permission alters, damages, deletes, destroys,
or otherwise uses any data, computer, computer system, or computer network in
order to either (A) devise or execute any scheme or artifice to defraud,
deceive, or extort, or (B) wrongfully control or obtain money, property, or
data.
(2)
Knowingly accesses and without permission takes, copies, or makes use of any
data from a computer, computer system, or computer network, or takes or copies
any supporting documentation, whether existing or residing internal or external
to a computer, computer system, or computer network.
(3)
Knowingly and without permission uses or causes to be used computer services.
(4)
Knowingly accesses and without permission adds, alters, damages, deletes, or
destroys any data, computer software, or computer programs which reside or
exist internal or external to a computer, computer system, or computer network.
(5)
Knowingly and without permission accesses or causes to be accessed any
computer, computer system, or computer network.
Cal. Pen. Code ¤ 502(c). Subsection (e)(1) requires that a civil
plaintiff suffer damage or loss as a result of a violation of subsection
(c). Under subsection (e), injunctive,
compensatory, other equitable relief, attorneysÕ fees, and punitive or
exemplary damages (for oppression, fraud, or malice) are available.
Compensatory damages include any expenditure reasonably and necessarily
incurred by the owner/lessee of the computer system to verify that the computer
system/data was not altered, damaged, or deleted by the access. Under Cal. Pen. Code ¤ 502(c), the
standard for a violation is ÒknowinglyÓ access Òwithout permission.Ó If
the access to the information would fall under the scope of the employment,
then QMS would not be liable under ¤ 502(c) even if the purpose was for
something other than the purpose of the employment. See Chrisman v. City of Los Angeles, 65 Cal. Rptr. 3d 701, 705-7
(8th Dist. 2007). ÒA person acts within the scope of his or her
employment when he or she performs acts which are reasonably necessary to the
performance of his or her work assignment.Ó Cal. Pen. Code ¤ 502(h)(1).
Trespass
to Chattels in Internet Context
Common
law trespass to chattels as applied to unauthorized computer system access
requires (1) unauthorized system use and (2) measureable loss to computer
system resources. Intel v. Hamidi, 1 Cal. Rptr. 3d 32, 36
(2003). Damages include injunctive
relief as well as compensatory damages for the measurable loss to computer
system resources.
From Wikipedia found at http://en.wikipedia.org/wiki/Intel_Corp._v._Hamidi
Hamidi was a former
engineer at Intel's Automotive Group when September 1990, he was injured in a
car accident while returning from a business trip on behalf of Intel.[2] He returned to work for 18 months until his
worsening physical condition caused him to take a medical leave on January 27,
1992 at the advice of Intel's doctors.[3] He remained on medical leave until he was fired
on April 17, 1995 for failing to return to work after the medical leave.[4]
After termination,
Hamidi formed a support group for former and current employees of Intel:
Associated X-Employees of Intel (AXE-Intel), later renamed Former And Current
Employees of Intel (FACE-Intel).[5] Over a 21-Month period, Hamidi sent six waves of
e-mails to Intel employees on behalf of the organization.[6] The e-mails were critical of Intel's employment
practices and encouraged employees to become involved in FACE-Intel. Each
e-mail stated that the recipient could notify the sender to remove them from
the mailing list, and Hamidi stopped sending e-mails to those who requested.[7]
Although some of
the e-mails were blocked by Intel's internal filters, Hamidi succeeded in
evading blocking efforts by using different sending computers. In March, 1998
Intel demanded that Hamidi and FACE-Intel stop sending e-mails, but he sent
another mass e-mail in September, 1998. Intel sued Hamidi and FACE-Intel
pleading cause of action for trespass to
chattel and nuisance seeking damages and an injunction against further
messages. Intel later dismissed its nuisance claim and waived the demand for
damages. The trial court granted Intel's request for summary judgment and set a
permanent injunction against Hamidi and FACE-Intel from sending unsolicited
e-mails to the company.[8] Hamidi
appealed the decision, and with one justice dissenting, the appellate court
found that Intel "showed he was disrupting its business by using its
property and therefore is entitled to injunctive relief based on a theory of
trespass to chattels."