Articles Posted in Computer Crime

No employer likes to see a large number of its employees band together and leave en masse to form a competing business. A large number of employees leaving at once can lead to a loss of institutional knowledge and experience, not to mention customers and revenues. Mass departures hurt morale and can lead to increased costs for recruitment and training. A company’s reputation can be irreparably damaged once word gets out that a mass resignation has taken place, making it more difficult for the business to attract new talent. Depending on the circumstances, litigation against the former employees, as well as against the company that hired them, may or may not be warranted.

Possible legal claims include breach of fiduciary duty, breach of non-compete and/or non-solicitation agreement, tortious interference, business conspiracy, misappropriation of trade secrets, and more. Let’s take a quick look at how a Hampton Roads body-piercing business dealt with the sudden resignation of seven employees who went on to form their own body-piercing business in the same region. In the case of Chanah, Inc. v. Summers, currently pending in the Chesapeake Circuit Court, the plaintiff pursued a number of business torts against the departing employees. Most of the counts survived demurrer.

About a year ago, a disgruntled systems engineer for government contractor Federated IT was sentenced to two years in prison for illegally accessing his former employer’s network systems, stealing critical servers and information, and causing a loss valued at over $1.1 million. In a civil lawsuit against his girlfriend and arising out of much of the same conduct, a former project manager at the same company has been held in default and ordered to pay over $150,000 in damages for breach of fiduciary duty, conversion, and conspiracy.

The facts of the case, which are assumed to be true by virtue of the fact the defendant was held in default for violating a court order, are as follows. Federated IT provides cyber security, information technology, and analytic and operations support services, and managed a contract with the U.S. Army Office of the Chief of Chaplains. Ashley Arrington was a project manager for the Army contract and a direct supervisor of Barrence Anthony, the engineer currently serving a two-year prison sentence. Arrington and Anthony were romantically involved but did not notify Federated IT about the relationship. At some point during Anthony’s tenure, he began to behave insubordinately and failed to show up for work, eventually leading to his termination. He decided to go out with a bang. Among other spiteful acts he was accused of before and after he left, Federated IT alleged he:

  • deactivated all administrator accounts except his own and refused to share the master password with his replacement
  • changed the responsible-party contact information on Federated IT’s Amazon Web Services account to “Anthony Enterprises”
  • modified Federated IT’s Help Desk email address to redirect emails to his personal email account
  • deleted files from a SharePoint project folder, including encryption keys, account information, and network diagram files
  • wiped the hard drive on his work laptop
  • made unauthorized copies of the Army’s servers which contained their Financial Management System
  • attempted thousands of “brute force cyberattacks” against the Chief of Chaplains’ web application system, which necessitated a shutdown of one of Federated IT’s servers.

The Stored Communications Act (“SCA”) establishes a criminal offense for whoever “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a). The SCA also creates a civil cause of action, in which the plaintiff may obtain damages plus reasonable attorneys’ fees and other costs. 18 U.S.C. § 2707(b).

Federal district courts around the country have reached inconsistent conclusions when grappling with the issue of whether a particular communication is in “electronic storage” at the time it is accessed. The SCA defines electronic storage as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17). Some courts have interpreted subsection (A) as applying only to “unopened” communications, reasoning that the “temporary, intermediate” language contemplates the interception of a communication before it reaches its intended recipient. Others, like Hoofnagle v. Smyth-Wythe Airport Comm’n, No. 1:15CV00008 (W.D. Va. May 24, 2016), found no reason to draw a distinction between “opened” and “unopened” communications for purposes of evaluating SCA liability. Similar disagreement exists with respect to subsection (B), where courts reached different conclusions about the relevance of whether it is the Internet Service Provider or user for whose benefit a backup copy of an email is made. Earlier this month, the Fourth Circuit weighed in on both issues for the first time.

Hackers aren’t the only ones who can gain unauthorized access to your private data. Maybe you shared a password with your spouse, then got divorced and forgot to change it. Maybe you neglected to lock your phone and a passerby was able to pick it up and view your bank-account balances. There are innumerable ways in which your personal files can be exposed to someone you never intended to share them with. Revenge porn laws offer some protection when the files consist of sexually explicit selfies, but when the files at issue consist of mundane (but nevertheless private) emails or texts, the federal Stored Communications Act (“SCA”) often comes into play. The SCA establishes a criminal offense for whoever “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a). The SCA also creates a civil cause of action, in which the plaintiff may obtain damages plus reasonable attorneys’ fees and other costs. 18 U.S.C. § 2707(b).

Many of us store all kinds of files in “the cloud” that we do not intend to share with the world: financial documents, proprietary information, trade secrets, personal notes–the list is endless. Suppose a former colleague intentionally accesses your Apple iCloud account–or your Dropbox account–or your Gmail account–without your knowledge or permission, finds your stuff and downloads copies. In many cases, this kind of behavior would create a right of action under the SCA. But the law contains a number of requirements that may or may not apply in your particular situation, and proof is often hard to come by.

Under the Computer Fraud and Abuse Act, “loss” and “damage” are not synonyms. The CFAA provides that “any person who suffers damage or loss” caused by a violation of its terms can sue for compensatory damages and/or equitable relief. A natural assumption might be that the lawyers who drafted the statute didn’t intend “loss” to mean anything materially different than “damage” and that they just threw in an extra word or two for good measure as lawyers are wont to do. (Only a lawyer would write, “I hereby give, devise, and bequeath” instead of just “I give.”) In the case of the CFAA, however, “loss” and “damage” are not interchangeable; each has a distinct meaning. And suffering either one of them is sufficient to support a compensable claim. Let’s look at a recent real-world example.

Space Systems/Loral v. Orbital ATK was (and remains) a dispute in Virginia federal court between two companies specializing in the design and manufacturing of geostationary satellites, space systems, and robotics technology. In 2015, NASA solicited project proposals through an RFP entitled “Utilizing Public Private Partnerships to Advance Tipping Point Strategies.” NASA awarded Space Systems a contract for its “Dragonfly” project and Orbital a contract for its “CIRAS” project. NASA set up a server to facilitate the sharing of information with the various contractors, and gave both Space Systems and Orbital access to it. Some time later, NASA determined that one or more Orbital employees accessed at least four files on the shared server that contained Space Systems’ proprietary data.

Unauthorized access to another’s email account can give rise to a variety of claims. The Computer Fraud and Abuse Act (“CFAA”), for example, prohibits a wide variety of improper computer activity, including unauthorized access to another’s email account. Specifically, it makes it illegal to intentionally access a computer without authorization and to thereby obtain information which results in a loss worth at least $5000 over the course of a year. (See 18 U.S.C. § 1030(a)(2)(C)). In Virginia, the Computer Crimes Act prohibits “computer fraud,” which occurs when a person uses a computer without authority and thereby obtains property or services by false pretenses. It also makes it a crime to commit “computer invasion of privacy,” which occurs when a person, without permission, logs onto someone else’s computer and examines that person’s employment, salary, credit, or any other financial information.

To obtain relief under the Virginia Computer Crimes Act, a plaintiff must have suffered injury to person or property. (See Va. Code § 18.2-152.12). And as mentioned above, you need at least $5000 in damages to recover anything under the CFAA. But what if someone hacks into your email and reads your personal messages without actually causing any direct pecuniary loss or personal injury?

Suppose your employer asks you to create a Google account for the company. So you do. You set up everything yourself: Google Drive, Google+, Gmail–the works. You even set the password to your dog’s name. All of Google’s terms and conditions are accepted by you personally when creating the account. You proceed to use the account on behalf of the company, using Google Drive to store hundreds of company documents. Then you leave your job. Is the Google account yours? You created it, so are you free to make whatever use of the account you wish? Can you delete it?

Marcelo Cuellar thought so, but he was wrong. According to papers filed in Estes Forwarding Worldwide v. Cuellar in the Eastern District of Virginia, here are the facts. Cuellar joined Estes Forwarding Worldwide (“EFW”)–a transportation logistics company–in 2010. EFW has developed trade secrets relating to the best transportation solutions for various types of shipments, including information about type of freight, freight dimensions, routing decisions, vendor selection, and so on. It keeps this information in spreadsheets and other electronic documents.

The Stored Communications Act (“SCA”), found at 18 U.S.C. §§ 2701-2712, establishes both a criminal offense and a civil cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” Successful plaintiffs may obtain damages, equitable or declaratory relief, and reasonable attorney’s fees. (See 18 U.S.C. § 2707(b)). In the employment context, the SCA is often understood to place restrictions on those situations in which an employer can access its employees’ private email accounts (i.e., accounts maintained by third-party email service providers like Google, Microsoft, and Yahoo). A few weeks ago, the Western District of Virginia decided Hoofnagle v. Smyth-Wythe Airport Commission, in which it rejected various justifications offered by an employer for accessing a former employee’s private Yahoo! email account.

Charles H. Hoofnagle was a government employee who worked as the Operations Manager for Mountain Empire Airport in Rural Retreat, Virginia. He reported to the Smyth-Wythe Airport Commission and his duties included answering phone calls and responding to emails from the public and customers. The Commission, however, did not have in place an official policy regarding use of computers or email. The airport did not even provide employees with an email address, so Hoofnagle created a Yahoo! Mail address, charliemkj@yahoo.com, which he used for both personal and business purposes. (MKJ is the airport’s FAA identifier code.) It was this Yahoo! address that was held out to the public as an official contact for the airport and provided to nearly all vendors and customers.

What kind of expense amounts to a “loss” under the Computer Fraud and Abuse Act (CFAA), and did a Virginia litigation-support company incur the required minimum of $5,000 in losses when it investigated an alleged breach of its computer systems, retaining the services of both an attorney and a computer forensics company to aid with the investigation? That was the issue recently before Judge T.S. Ellis III of the Eastern District of Virginia, who held that the investigative activities could support a CFAA claim, even if the expenses were not paid in cash.

The issue was particularly important to the plaintiff, Animators at Law, a graphics and technology litigation support company, because, of the 13 claims it brought against two former employees and a competitor, all but the CFAA claim were based on state law, meaning that without it, there would be no basis for federal-court jurisdiction.

The CFAA provides for a civil action against anyone who intentionally gains access to a computer without authorization and obtains information from it. The CFAA has a minimum jurisdictional requirement of $5,000 in losses. Animators at Law claimed that its former employees conspired with a competitor to leave Animators’ employment and join the competitor, taking with them confidential and proprietary information about Animators’ services, projects, and clients.

Too often, disgruntled departing employees will abuse their employer’s computer system on their way out, snooping into coworkers’ email accounts, erasing important files, downloading trade secrets or other confidential commercial information, or intentionally infecting computers with viruses. In recent years, the Computer Fraud and Abuse Act (CFAA) has become an important weapon in an employer’s arsenal for combating such computer crimes. Civil remedies are available under the CFAA for damage to any “protected computer,” which includes any “computer used in interstate or foreign commerce or communication.” However, a Virginia court recently clarified that the CFAA will not provide a remedy absent an actual “loss” as defined by the statute.

In Global Policy Partners, LLC, v. Yessin, a plaintiff brought claims against her husband and business partner under the CFAA and the Stored Communications Act (SCA), claiming that he had accessed her work email account in order to review her confidential communications with her divorce lawyer. The court rejected the husband’s initial attempts to dismiss the case on the ground that his access to his wife’s email was authorized in that he was a co-manager of the couple’s business. The court reasoned that because there was no legitimate business reason for the snooping, the access was unauthorized. At the summary judgment stage, however, the court granted summary judgment in his favor because the wife did not introduce sufficient evidence to show she had incurred a $5,000 “loss.”

To prevail on a claim brought under the CFAA, a plaintiff must demonstrate that the alleged violation “caused … loss … aggregating at least $5,000 in value.” 18 U.S.C. Section 1030(c)(4)(A)(i). The CFAA specifically defines four categories of potential loss: “[i] the cost of responding to an offense, [ii] [costs of] conducting a damage assessment, and [iii] [costs of] restoring the data, program, system, or information to its condition prior to the offense, and [iv] any revenue lost, cost incurred, or other consequential damages incurred because of the interruption of service.” 18 U.S.C. § 1030(e)(11). According to the Fourth Circuit Court of Appeals, this list “plainly contemplates … costs incurred as part of the response to a CFAA violation, including the investigation of an offense.” A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009).
