Articles Posted in Computer Crime

Under the Computer Fraud and Abuse Act, “loss” and “damage” are not synonyms. The CFAA provides that “any person who suffers damage or loss” caused by a violation of its terms can sue for compensatory damages and/or equitable relief. A natural assumption might be that the lawyers who drafted the statute didn’t intend “loss” to mean anything materially different than “damage” and that they just threw in an extra word or two for good measure as lawyers are wont to do. (Only a lawyer would write, “I hereby give, devise, and bequeath” instead of just “I give.”) In the case of the CFAA, however, “loss” and “damage” are not interchangeable; each has a distinct meaning. And suffering either one of them is sufficient to support a compensable claim. Let’s look at a recent real-world example.

Space Systems/Loral v. Orbital ATK was (and remains) a dispute in Virginia federal court between two companies specializing in the design and manufacturing of geostationary satellites, space systems, and robotics technology. In 2015, NASA solicited project proposals through an RFP entitled “Utilizing Public Private Partnerships to Advance Tipping Point Strategies.” NASA awarded Space Systems a contract for its “Dragonfly” project and Orbital a contract for its “CIRAS” project. NASA set up a server to facilitate the sharing of information with the various contractors, and gave both Space Systems and Orbital access to it. Some time later, NASA determined that one or more Orbital employees accessed at least four files on the shared server that contained Space Systems’ proprietary data.


Unauthorized access to another’s email account can give rise to a variety of claims. The Computer Fraud and Abuse Act (“CFAA”), for example, prohibits a wide variety of improper computer activity, including unauthorized access to another’s email account. Specifically, it makes it illegal to intentionally access a computer without authorization and to thereby obtain information which results in a loss worth at least $5000 over the course of a year. (See 18 U.S.C. § 1030(a)(2)(C)). In Virginia, the Computer Crimes Act prohibits “computer fraud,” which occurs when a person uses a computer without authority and thereby obtains property or services by false pretenses. It also makes it a crime to commit “computer invasion of privacy,” which occurs when a person, without permission, logs onto someone else’s computer and examines that person’s employment, salary, credit, or any other financial information.

To obtain relief under the Virginia Computer Crimes Act, a plaintiff must have suffered injury to person or property. (See Va. Code § 18.2-152.12). And as mentioned above, you need at least $5000 in damages to recover anything under the CFAA. But what if someone hacks into your email and reads your personal messages without actually causing any direct pecuniary loss or personal injury?


Suppose your employer asks you to create a Google account for the company. So you do. You set up everything yourself: Google Drive, Google+, Gmail–the works. You even set the password to your dog’s name. All of Google’s terms and conditions are accepted by you personally when creating the account. You proceed to use the account on behalf of the company, using Google Drive to store hundreds of company documents. Then you leave your job. Is the Google account yours? You created it, so are you free to make whatever use of the account you wish? Can you delete it?

Marcelo Cuellar thought so, but he was wrong. According to papers filed in Estes Forwarding Worldwide v. Cuellar in the Eastern District of Virginia, here are the facts. Cuellar joined Estes Forwarding Worldwide (“EFW”)–a transportation logistics company–in 2010. EFW has developed trade secrets relating to the best transportation solutions for various types of shipments, including information about type of freight, freight dimensions, routing decisions, vendor selection, and so on. It keeps this information in spreadsheets and other electronic documents.


The Stored Communications Act (“SCA”), found at 18 U.S.C. §§ 2701-2712, establishes both a criminal offense and a civil cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” Successful plaintiffs may obtain damages, equitable or declaratory relief, and reasonable attorney’s fees. (See 18 U.S.C. § 2707(b)). In the employment context, the SCA is often understood to place restrictions on those situations in which an employer can access its employees’ private email accounts (i.e., accounts maintained by third-party email service providers like Google, Microsoft, and Yahoo). A few weeks ago, the Western District of Virginia decided Hoofnagle v. Smyth-Wythe Airport Commission, in which it rejected various justifications offered by an employer for accessing a former employee’s private Yahoo! email account.

Charles H. Hoofnagle was a government employee who worked as the Operations Manager for Mountain Empire Airport in Rural Retreat, Virginia. He reported to the Smyth-Wythe Airport Commission and his duties included answering phone calls and responding to emails from the public and customers. The Commission, however, did not have in place an official policy regarding use of computers or email. The airport did not even provide employees with an email address, so Hoofnagle created a Yahoo! Mail address, charliemkj@yahoo.com, which he used for both personal and business purposes. (MKJ is the airport’s FAA identifier code.) It was this Yahoo! address that was held out to the public as an official contact for the airport and provided to nearly all vendors and customers.


What kind of expense amounts to a “loss” under the Computer Fraud and Abuse Act (CFAA), and did a Virginia litigation-support company incur the required minimum of $5,000 in losses when it investigated an alleged breach of its computer systems, retaining the services of both an attorney and a computer forensics company to aid with the investigation? That was the issue recently before Judge T.S. Ellis III of the Eastern District of Virginia, who held that the investigative activities could support a CFAA claim, even if the expenses were not paid in cash.

The issue was particularly important to the plaintiff, Animators at Law, a graphics and technology litigation support company, because, of the 13 claims it brought against two former employees and a competitor, all but the CFAA claim were based on state law, meaning that without it, there would be no basis for federal-court jurisdiction.

The CFAA provides for a civil action against anyone who intentionally gains access to a computer without authorization and obtains information from it. The CFAA has a minimum jurisdictional requirement of $5,000 in losses. Animators at Law claimed that its former employees conspired with a competitor to leave Animators’ employment and join the competitor, taking with them confidential and proprietary information about Animators’ services, projects, and clients.

Too often, disgruntled departing employees will abuse their employer’s computer system on their way out, snooping into coworkers’ email accounts, erasing important files, downloading trade secrets or other confidential commercial information, or intentionally infecting computers with viruses. In recent years, the Computer Fraud and Abuse Act (CFAA) has become an important weapon in an employer’s arsenal for combating such computer crimes. Civil remedies are available under the CFAA for damage to any “protected computer,” which includes any “computer used in interstate or foreign commerce or communication.” However, a Virginia court recently clarified that the CFAA will not provide a remedy absent an actual “loss” as defined by the statute.

In Global Policy Partners, LLC, v. Yessin, a plaintiff brought claims against her husband and business partner under the CFAA and the Stored Communications Act (SCA), claiming that he had accessed her work email account in order to review her confidential communications with her divorce lawyer. The court rejected the husband’s initial attempts to dismiss the case on the ground that his access to his wife’s email was authorized in that he was a co-manager of the couple’s business. The court reasoned that because there was no legitimate business reason for the snooping, the access was unauthorized. At the summary judgment stage, however, the court granted summary judgment in his favor because the wife did not introduce sufficient evidence to show she had incurred a $5,000 “loss.”

To prevail on a claim brought under the CFAA, a plaintiff must demonstrate that the alleged violation “caused … loss … aggregating at least $5,000 in value.” 18 U.S.C. Section 1030(c)(4)(A)(i). The CFAA specifically defines four categories of potential loss: “[i] the cost of responding to an offense, [ii] [costs of] conducting a damage assessment, and [iii] [costs of] restoring the data, program, system, or information to its condition prior to the offense, and [iv] any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.” 18 U.S.C. § 1030(e)(11). According to the Fourth Circuit Court of Appeals, this list “plainly contemplates … costs incurred as part of the response to a CFAA violation, including the investigation of an offense.” A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009).
