Civil Actions for the Misappropriation of Electronic Data: The Missouri and Federal Computer Tampering Acts


William M. Corrigan, Jr. [1]
Jeffrey L. Schultz [2]

I. INTRODUCTION

Virtually every business in America uses computers. And many companies allow their employees access to their computer systems remotely through Citrix, virtual private networks, or otherwise from home or offsite computers. In fact, many companies provide their employees with laptop computers or PDAs to facilitate employees' ability to access and utilize company data. As a result, businesses are understandably concerned about safeguarding against the unauthorized access or misappropriation of their company's data or systems.

The issue of whether an employee improperly accessed, altered, copied or downloaded computer data often arises when an employee's employment is terminated. This concern is particularly heightened when an employee accepts employment with a competitor or starts a competing business. In such a situation, the former employer may request that its information services department or a third-party computer forensics expert examine the hard drive of the departing employee's computer to determine if any computer data has been improperly accessed or taken from the employer's computer system.

If it appears that there has been improper access, both federal and Missouri computer tampering statutes may provide businesses with remedies. The primary purpose of this article is to discuss these statutes, the remedies they provide, and other possible causes of action for the improper access or misappropriation of data.

II. CIVIL ACTION UNDER THE FEDERAL COMPUTER FRAUD AND ABUSE ACT (CFAA)

Although originally only a criminal statute, the Computer Fraud and Abuse Act (CFAA) now provides for both criminal and civil remedies. [3] The CFAA allows person[s] who suffer damage or loss by reason of computer fraud to file civil lawsuits seeking compensatory damages, injunctive relief, and other equitable relief. [4] The CFAA requires that any civil action for a violation must be brought within 2 years of the date of the act complained of or the date of the discovery of the damage. [5] Importantly, the CFAA can provide a plaintiff with a basis for federal question jurisdiction, allowing a plaintiff to bring its claims in federal court.

A. Conduct Prohibited by the CFAA

Among other things, § 1030(a) [6] of the CFAA prohibits the following conduct:

(1) [I]ntentionally access[ing] a computer without authorization or [by] exceeding authorized access and thereby obtaining information from any protected computer; [7] or
(2) [K]nowingly and with the intent to defraud, access[ing] a protected computer without authorization, or exceed[ing]

[1] Mr. Corrigan is a partner at Armstrong Teasdale LLP in St. Louis. He is a past president of The Missouri Bar. Corrigan is listed in Best Lawyers in America. The authors extend their thanks to Callan F. Yeoman for the research and drafting assistance he provided for this article while participating in Armstrong Teasdale LLP's summer associate program.
[2] Mr. Schultz is an associate at Armstrong Teasdale LLP in St. Louis. Schultz is engaged in the practice of business litigation, with significant experience in trade secret, non-compete, unfair competition and intellectual property matters.
[3] Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, 108 Stat. 1796 (1994).
[4] 18 U.S.C. § 1030(g).
[5] Id.
[6] It should be noted that Pub. L. No. 110-326, 122 Stat. 3560, which became effective September 26, 2008, amended certain language and renumbered various sections of the CFAA.
[7] 18 U.S.C. § 1030(a) and (a)(2)(c). Prior to Pub. L. No. 110-326, 18 U.S.C. § 1030(a)(2)(C) required that the conduct involved an interstate or foreign communication.
Journal of The Missouri Bar July-August 2009 Page 172

authorized access, thereby further[ing] the intended fraud and obtain[ing] anything of value greater than $5,000 in any 1-year period; [8] or
(3) [K]nowingly causing the transmission of a program, information, code or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer[.] [9]

A "protected computer" under the CFAA is any computer which is used in or affecting interstate or foreign commerce or communication. [10] With the widespread use of email and the internet, this encompasses virtually all computers.

B. Establishing a Civil Action Under the CFAA

The CFAA provides a civil action to [a]ny person who suffers damage or loss as a result of conduct prohibited by the CFAA. [11] Although the statute uses the conjunction "or," courts disagree as to whether either damage or loss alone is sufficient to state a civil claim under the CFAA, or whether both are required. [12] Although the legislative history indicates that both are required, some courts have found otherwise. [13] Federal courts in Missouri have not resolved this dispute. [14] Thus, the safest practice is to allege both damage and loss when pleading a claim for violation of the CFAA.

The CFAA defines "damage" as any impairment to the integrity or availability of data, a program, a system, or information. [15] In addition, the CFAA defines "loss" as any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. [16]

The damage and/or loss resulting from the defendant's conduct must also include one of the following elements under 18 U.S.C. § 1030(c)(4)(A)(i) in order for a civil action to exist under the CFAA: [17]

[L]oss to 1 or more persons during any 1-year period aggregating at least $5,000 in value; [18]
[T]he modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; [19]
[P]hysical injury to any person; [20]
[A] threat to public health or safety; [21] or
[D]amage affecting a computer [system] used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security[.] [22]

The first element, loss during one year aggregating at least $5,000, is the element most likely to be present in a civil action for damages under the CFAA. Damages recoverable for a violation involving only the first element are limited to economic damages, which precludes damages for death, personal injury, mental distress, and the like. [23]

C. What Constitutes Unauthorized Access or Access Exceeding Authorization?

As noted in subsection A, above, violations of the CFAA generally require that the defendant access the plaintiff's computers either without authorization or that the defendant exceeds authorized access. [24] The CFAA does not define the term "without authorization." However, it does provide a definition for the term "exceeds authorized access." According to the CFAA, the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. [25]

Significantly, federal courts are not in agreement regarding whether an employee accesses a computer either "without authorization" or "exceeds authorized access" when an employee accesses an employer's computer data that he or she is otherwise permitted to access before terminating his or her employment and subsequently uses that information to benefit a competitor. [26] Some courts hold that an employee loses his right to access his employer's computer once he decides to gather or use information for an improper purpose. These courts generally reason that any access after this point is without authorization or in excess of authorized access under the statute, even if the employee is still employed in a position that would otherwise allow him to access the computer. [27] Other federal district courts have determined that what an employee does, or intends to do, with information accessed on a computer is irrelevant under the statute so long as the employee remained within the employee's authorized access when the employee obtained the information. These courts generally reason that the CFAA is meant to regulate whether access was authorized, not whether the use (or misuse) of the information accessed was authorized. [28]

The Seventh Circuit Court of Appeals, in International Airport Centers, L.L.C. v. Citrin, concluded that an employee acted without authorization when, while still employed by plaintiff but after deciding that he was going to quit and pursue interests adverse to plaintiff, he accessed plaintiff's computer to destroy files. [29] The Citrin court noted that the difference between "exceeded authorized access" and "without authorization" is "paper thin." [30] The court reasoned that the employee's breach of the duty of loyalty terminated his authority to access his employer's computer, regardless of the fact that he was still employed at the time he accessed the computer. Thus, accessing the computer for an improper purpose was without authorization. [31]

Under somewhat similar circumstances, the U.S. District Court for the District of Connecticut in Modis, Inc. v. Bardelli used different reasoning than the Citrin court to conclude that a plaintiff properly pleaded that the defendant, a former employee of plaintiff, exceeded her authorized access. [32] The plaintiff claimed that the defendant had obtained and used information from plaintiff's database for the benefit of defendant's new employer. [33] Defendant claimed that she was authorized as an employee of plaintiff to access the database at issue. [34] Unlike in Citrin, the defendant had agreed in an employment agreement to refrain from taking or reproducing or allowing to be taken or reproduced any [plaintiff's] Property except in furtherance of [plaintiff's] Business. [35] The court held that plaintiff sufficiently pleaded that the defendant exceeded her authorized access when she used her access for the purpose of misappropriating plaintiff's confidential information because under the agreement her access was limited to access in furtherance of [plaintiff's] Business. [36]

Contrary to the results in Citrin and Bardelli, some federal courts have reached entirely different conclusions in cases with similar facts, holding that the CFAA is not implicated by the misuse or misappropriation of information that a defendant was permitted to access while employed by the plaintiff. For example, in Shamrock Foods Co. v. Gast, the U.S. District Court for the District of Arizona held that the defendant did not access plaintiff's information without authorization or in a manner that exceeded authorization when, while still employed by plaintiff, the defendant emailed plaintiff's information to himself and provided it to his new employer. [37] The Shamrock Foods court adopted a narrow reading of the CFAA's authorization requirement, reasoning that the CFAA is intended to prevent the unauthorized accessing of information stored on a computer, not the subsequent use or misuse of the information after it has been properly accessed by an authorized user. [38]

Recently, two district courts within the Eighth Circuit have agreed with the narrower reading of the CFAA. In Condux International, Inc. v. Haugum, the U.S. District Court for the District of Minnesota held that the plaintiff's allegations that defendant, plaintiff's former vice president, downloaded data for use in a competing business and attempted to delete evidence of his download while he was still employed by plaintiff were insufficient to establish that the defendant acted without authorization or exceeded his authorized access. [39] The defendant had been given access to plaintiff's computer system and confidential information while he was plaintiff's vice president. [40] The court agreed with the line of cases holding that the CFAA is implicated only by the unauthorized access, obtainment, or alteration of information, not the misuse or misappropriation of information obtained with permission. [41] The Condux court reasoned that this view is consistent with the plain language of the CFAA, the legislative history of the CFAA, and the principles of statutory construction. [42]

Likewise, the U.S. District Court for

[8] 18 U.S.C. § 1030(a)(4).
[9] 18 U.S.C. § 1030(a)(5)(A).
[10] 18 U.S.C. § 1030(e)(2)(B).
[11] 18 U.S.C. § 1030(g).
[12] Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing, & Consulting, LLC, 600 F. Supp. 2d 1045, 1050 (E.D. Mo. 2009).
[13] Id.
[14] Id.; see also H & R Block E. Enters., Inc. v. J & M Sec., LLC, No. 05-1056-CV-W-DW, 2006 WL 1128744 (W.D. Mo. Apr. 24, 2006) (plaintiff alleged both damages and loss and the court did not discuss whether either damages or loss alone would have been sufficient).
[15] 18 U.S.C. § 1030(e)(8).
[16] 18 U.S.C. § 1030(e)(11).
[17] 18 U.S.C. § 1030(g); P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, L.L.C., 428 F.3d 504, 512 (3rd Cir. 2005).
[18] 18 U.S.C. § 1030(c)(4)(A)(i)(I).
[19] 18 U.S.C. § 1030(c)(4)(A)(i)(II).
[20] 18 U.S.C. § 1030(c)(4)(A)(i)(III).
[21] 18 U.S.C. § 1030(c)(4)(A)(i)(IV).
[22] 18 U.S.C. § 1030(c)(4)(A)(i)(V).
[23] Creative Computing v. Getloaded.com, L.L.C., 386 F.3d 930, 935 (9th Cir. 2004); 18 U.S.C. § 1030(g).
[24] 18 U.S.C. §§ 1030(a)(2), 1030(a)(4), 1030(a)(5)(A), 1030(a)(5)(B) and (C); Lasco Foods, at 1053; Condux Int'l, Inc. v. Haugum, Civil No. 08-4824, slip.op., 2008 WL 5244818, at *3 (D. Minn. Dec. 15, 2008). It should be noted, however, that 18 U.S.C. § 1030(a)(5)(A) is predicated on unauthorized damage, not unauthorized access. See Condux Int'l, Inc., 2008 WL 5244818, at *6.
[25] 18 U.S.C. § 1030(e)(6).
[26] See Condux Int'l, Inc., 2008 WL 5244818, at *4 (observing that courts have split on the question of whether an employee with an improper purpose may be held civilly liable under the CFAA for accessing computer information that he is otherwise permitted to access within the scope of his employment, and collecting cases on both sides of the split); Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 964-965 (D. Ariz. 2008) (observing that there is a split and collecting cases).
[27] See, e.g., Int'l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); see also Condux Int'l, Inc., 2008 WL 5244818, at *4 (collecting cases).
[28] See, e.g., Condux Int'l, Inc., 2008 WL 5244818, at *4-*5; Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008).
[29] Citrin, 440 F.3d at 420.
[30] Id.
[31] Id.
[32] Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 318 (D. Conn. 2008).
[33] Id. at 316.
[34] Id. at 319.
[35] Id.
[36] Id.
[37] Shamrock Foods Co., 535 F. Supp. 2d at 963, 968.
[38] Id. at 965-967.
[39] Condux Int'l, Inc., 2008 WL 5244818, at *1, *8.
[40] Id. at *1, *4.
[41] Id. at *4.
[42] Id. at *4-*5.

the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing, & Consulting, LLC, dismissed a purported CFAA claim that was based on the misuse or misappropriation of information by former employees. [43] In Lasco Foods, two former employees of plaintiff allegedly downloaded or copied information and deleted information from plaintiff's computer prior to leaving plaintiff's employment to form a competing business. [44] The Lasco Foods court dismissed the CFAA claim on the grounds that plaintiff failed to properly allege the defendants accessed plaintiff's information without authorization. [45] In support of its decision, the Lasco Foods court cited Condux for the proposition that where the heart of the dispute was not the access of the confidential business information but rather the alleged subsequent misuse or misappropriation of that information, plaintiff failed to state a claim under CFAA. [46]

In some instances, the former employee may try to access the former employer's proprietary information after his employment has been terminated. There appears to be no dispute that these cases reflect the type of trespassing and hacking that the CFAA is intended to prevent. For example, in EF Cultural Travel BV v. Explorica, Inc., the First Circuit determined that the use of a computer software program by a competitor to glean prices from plaintiff's website, in order to allow systematic undercutting of those prices, exceeded authorized access within the meaning of the CFAA. [47] The competitor employed a number of plaintiff's former employees, at least one of whom had signed a confidentiality agreement with plaintiff and used his technical knowledge of plaintiff's website and his knowledge of plaintiff's proprietary codes to help develop the software program for his new employer. [48] The court concluded that this action exceeded authorized access. [49]

It is important to note that the circumstances constituting unauthorized access for purposes of the CFAA are not limited only to those in which an employee or former employee accesses computer data belonging to a former employer. For example, in America Online, Inc. v. LCGM, Inc., the court determined that customers of America Online exceeded their authorized access when they maintained e-mail accounts with America Online for the purpose of using extractor software programs in chat rooms to harvest e-mail addresses of other AOL customers in order to send bulk e-mails to those customers. [50] The court reasoned that the harvesting of other e-mail addresses exceeded authorized access because such activity was not allowed by AOL's terms of service that were provided to customers. [51]

A plaintiff is not required to go so far as to provide expert testimony that shows that a protected computer was accessed without authorization and something of value was taken. [52] In the absence of expert testimony, testimony from others who, for example, witnessed the printing of information or provided passwords, may be sufficient to allow a jury to reasonably find that a computer was accessed in violation of the CFAA. [53] The evidence for a CFAA claim, however, must consist of more than an attenuated series of inferences-on-inferences based on circumstantial evidence. [54] For example, one court determined that there was insufficient evidence to support a claim that plaintiffs' former joint venturer had accessed plaintiffs' computers where the evidence before the court was merely circumstantial, based on the former joint venturer's undisputed physical access to the plaintiffs' computers and the frequent crashing and malfunctioning of plaintiffs' computers (resulting in [a] loss of data). [55] In that case, the plaintiffs presented no evidence to demonstrate either unauthorized access in general or any access by the [venturer] leading to destruction of [the developer's] software or hardware. [56] The court found the utter lack of any expert opinion evidence supporting the [plaintiffs'] speculative assertions was fatal to plaintiffs' case. [57] While an expert may not be required, the better course is to have a retained or non-retained computer forensics expert explain the analysis of the computer system that was performed to determine that the system was accessed and whether data was misappropriated.

D. What Constitutes Intent for § 1030(a)(2)(C) and Intent to Defraud for § 1030(a)(4)?

The CFAA, § 1030(a)(2)(C), requires that the defendant intentionally access the plaintiff's computer system. Normally, whether the defendant acted intentionally will not be a contested issue. One case held that the intent element for 18 U.S.C. § 1030(a)(2)(C) was sufficiently pleaded when plaintiffs alleged that a web site operator intentionally placed cookies

[43] Lasco Foods, 600 F. Supp. 2d at 1053.
[44] Id. at 1053.
[45] Id. It should be noted that the plaintiff in Lasco Foods did not respond to defendants' argument that plaintiff failed to properly allege that defendants accessed information without authorization as required under the CFAA. Id. at n.6.
[46] Id.
[47] EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
[48] Id. at 580-583.
[49] Id. at 583-584.
[50] America Online Inc. v. LCGM, Inc., 46 F. Supp. 2d 444, 448 (E.D. Va. 1998).
[51] Id. at 450.
[52] Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., No. 2:06-cv-2879-GEB-KJM, 2008 WL 2441067, 556 F. Supp. 2d 1122, 1132-1133 (E.D. Cal. June 13, 2008).
[53] Id. at 1132.
[54] Expert Bus. Sys., LLC v. BI4CE, Inc., 411 F. Supp. 2d 601, 605 (D. Md. 2006).
[55] Id. at 506.
[56] Id.
[57] Id. at 605-606.

on visiting users' computers for [the] purpose of monitoring [the plaintiffs'] web activity. [58]

Under § 1030(a)(4), the defendant must have an "intent to defraud." The intent to defraud requirement simply requires that the defendant have intended some wrongdoing and does not require proof of common law fraud. [59] In Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., the court held that a jury could reasonably infer that the defendants had accessed their employer's computer with the intent to defraud because the evidence showed that a patient list owned by the former employer was intentionally accessed by the defendants who were employees of the plaintiff, the list was never again seen in the office, and the patients on the list began using the competitor's company after the defendant employees terminated their employment. [60] The court concluded this evidence was sufficient for the jury to establish that the defendant employees had engaged in wrongdoing by accessing the list. [61]

E. The $5,000 Loss Requirement - 18 U.S.C. § 1030(c)(4)(A)(i)(I)

As noted above, the most likely element under § 1030(c)(4)(A)(i)(I) to be alleged in order to bring a civil action under the CFAA is the requirement of loss to 1 or more persons aggregating at least $5,000 in value. [62] The term "loss" is defined in the CFAA to include any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. [63]

The U.S. District Court for the Western District of Missouri has been lenient in its analysis of whether a plaintiff has sufficiently pleaded the requisite $5,000 loss under the statute. In H & R Block Eastern Enterprises, Inc. v. J & M Securities, LLC, the court held that a plaintiff sufficiently alleged damages and losses of at least $5,000 when the complaint simply stated that [a]s a result of defendants' unauthorized, intentional access of [plaintiff's] protected computer system, [plaintiff] has suffered damages and a loss of no less than $5,000.00, including but not limited to its costs to respond to this offense. [64] The court noted, however, that it would consider [p]ersuasive authority narrowly construing compensable losses under the CFAA ... when the facts are developed. [65]

Similar to the analysis in H&R Block, some courts also have held that plaintiffs sufficiently allege damages when they claim loss due to a former employee giving confidential and proprietary information to competitors. [66] For example, the U.S. District Court for the District of Kansas, in Resource Center for Independent Living, Inc. v. Ability Resources, Inc., held that the plaintiff made a valid claim when it alleged loss of confidential and proprietary information for the benefit of [defendants'] competing enterprise. [67]

Other courts, however, have focused on the language in the CFAA requiring that the loss be incurred because of interruption of service. [68] The U.S. District Court for the Eastern District of Missouri, in Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing, & Consulting, LLC, expressly stated that under the CFAA a loss must result from an interruption in service. [69] In Lasco Foods, plaintiff alleged that defendants retained plaintiff's computers and electronic information and deleted some of plaintiff's information. Plaintiff further alleged that there was a 108-day gap in time between when plaintiff demanded the return of the computers and when plaintiff actually returned the computers. The court found this was sufficient to allege a loss from interruption of service. [70] In addition, plaintiff had to hire a computer expert to review defendants' computers when they were returned to determine what information was deleted. The cost of these investigations also constituted a loss from interruption of service. [71]

III. MISSOURI COMPUTER TAMPERING STATUTES

A. Overview

Similar to the CFAA, Missouri statutes provide that a civil lawsuit may be brought against individuals who tamper with computer data, computer equipment, or the users of computers. Like the CFAA, the Missouri computer tampering statutes (MCTS) contain both criminal and civil provisions. The criminal provisions are set forth in §§ 569.095, 569.097, and 569.099, RSMo.; the civil provision is set forth in § 537.525, RSMo.

[58] Cookies are electronic files that online companies sometimes implant on a user's computer when the user visits a website. Cookies collect information about the user. In re Intuit Privacy Litigation, 138 F. Supp. 2d 1272, 1274 (C.D. Cal. 2001).
[59] Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., No. 2:06-cv-2879-GEB-KJM, 2008 WL 2441067, 556 F. Supp. 2d 1122, 1131 (E.D. Cal. June 13, 2008).
[60] Id. at 1132.
[61] Id.
[62] 18 U.S.C. § 1030(c)(4)(A)(i)(I) and § 1030(g).
[63] 18 U.S.C. § 1030(e)(11).
[64] See H & R Block Eastern Enterprises, Inc., 2006 WL 1128744, at *2, *4.
[65] Id. at *4.
[66] Resource Ctr. for Independent Living, Inc. v. Ability Resources, Inc., 534 F. Supp. 2d 1204, 1211 and 1211 n.30 (D. Kan. 2008) (collecting cases from other courts holding that allegations of loss of confidential and proprietary information for the benefit of a competing enterprise are sufficient to state a cause of action under the CFAA and defeat a motion to dismiss).
[67] Id. at 1211.
[68] See American Family Mut. Ins. Co. v. Rickman, 554 F. Supp. 2d 766, 771 (N.D. Ohio 2008); Cenveo Corp. v. CelumSolutions Software GMBH & Co. KG, 504 F. Supp. 2d 574, 581 n.6 (D. Minn. 2007) (disagreeing with H&R Block, 2006 WL 1128744 and similar cases and dismissing CFAA claim that did not allege interruption in service).
[69] Lasco Foods, 600 F. Supp. 2d at 1046.
[70] Id. at 1053.
[71] Id.

B. Statutory Scheme

Section 537.525, RSMo, establishes a civil action for compensatory damages to the owner (or lessee) of a computer system, network, program, service, or data against any person who violates §§ 569.095 (tampering with computer data), 569.097 (tampering with computer equipment), and 569.099 (tampering with computer users). "[C]ompensatory damages includ[e] any expenditures reasonably and necessarily incurred by the owner or lessee to verify that a computer system, network, program, service, or data was not altered, damaged, or deleted by the access."72 In addition, the court may award attorney's fees to a prevailing plaintiff.73 Similar to the CFAA, tampering with computer data, equipment or users under the MCTS must be done knowingly, and either without authorization or without reasonable grounds to believe one has authorization.

1. Tampering with Computer Data

Section 569.095, tampering with computer data, provides:

1. A person commits the crime of tampering with computer data if he knowingly and without authorization or without reasonable grounds to believe that he has such authorization:
(1) Modifies or destroys data or programs residing or existing internal to a computer, computer system, or computer network; or
(2) Modifies or destroys data or programs or supporting documentation residing or existing external to a computer, computer system, or computer network; or
(3) Discloses or takes data, programs, or supporting documentation, residing or existing internal or external to a computer, computer system, or computer network; or
(4) Discloses or takes a password, identifying code, personal identification number, or other confidential information about a computer system or network that is intended to or does control access to the computer system or network;
(5) Accesses a computer, a computer system, or a computer network, and intentionally examines information about another person;
(6) Receives, retains, uses, or discloses any data he knows or believes was obtained in violation of this subsection.

2. Tampering with Computer Equipment

Section 569.097, tampering with computer equipment, provides:

1. A person commits the crime of tampering with computer equipment if he knowingly and without authorization or without reasonable grounds to believe that he has such authorization:
(1) Modifies, destroys, damages, or takes equipment or data storage devices used or intended to be used in a computer, computer system, or computer network; or
(2) Modifies, destroys, damages, or takes any computer, computer system, or computer network.

3. Tampering with Computer Users

Section 569.099, tampering with computer users, provides:

1. A person commits the crime of tampering with computer users if he knowingly and without authorization or without reasonable grounds to believe that he has such authorization:
(1) Accesses or causes to be accessed any computer, computer system, or computer network; or
(2) Denies or causes the denial of computer system services to an authorized user of such computer system services, which, in whole or in part, is owned by, under contract to, or operated for, or on behalf of, or in conjunction with another.

C. Case Law

Case law addressing civil actions brought pursuant to the MCTS is sparse. In Chrysler Corporation v. Carey, Chrysler filed suit against two attorneys who formerly worked at a law firm that represented Chrysler in defending various class action lawsuits involving alleged defects in certain Chrysler vehicles.74 After leaving the [law] firm, the two attorneys formed their own firm and agreed to serve as plaintiff's counsel in a class action against Chrysler.75 Before their departure from their previous law firm, the attorneys took copies of various pleadings and memoranda.76 Some of the documents taken by one of the attorneys were copied from the law firm's computer system.77

Chrysler sued the former attorneys on a number of theories, including tampering with computer data in violation of the MCTS. The attorneys admitted that they did not have express authority to take the documents at issue, but they claim[ed] that they reasonably believed that neither Chrysler nor [the law firm] would object to their doing so.78 One of the attorneys testified that a number of lawyers left the law firm while he was employed there, and every lawyer [that he] knew at the firm maintained a form file, considered it their personal property, and took it with them when leaving the firm.79 The Chrysler court denied the parties' cross-motions for summary judgment, concluding that there was a question of fact as to whether the attorneys had reasonable grounds to believe that the removal of the documents from the law firm's computer system was authorized.80

72 Section 537.525(1), RSMo (2008).
73 Section 537.525(2), RSMo (2008). It is also important to note that violation of these statutes may constitute a misdemeanor or felony. A discussion of the criminal exposure for violating these statutes is beyond the scope of this article.
74 Chrysler Corp. v. Carey, 5 F. Supp.2d 1023, 1025 (E.D. Mo. 1998).
75 Id. at 1025.
76 Id. at 1027.
77 Id.
78 Id. at 1035.
79 Id. at 1036.
80 Id.; § 569.095(1), RSMo (2008).

In Pony Computer, Inc. v. Equus Computer Systems of Missouri, Inc., two former employees of the plaintiff had limited access to plaintiff's computer files, including customer invoices, shipping records, receiving records, credit records, and warranty records.81 The plaintiff sued the two former employees and their current employer, a competitor, alleging a number of tort theories, including a claim under the MCTS.82 The plaintiff claimed that the former employees disclosed confidential information while accessing the computer network in the course of their employment. In opposition to a summary judgment motion filed by the former employees, the plaintiff filed affidavits from its president and its St. Louis branch manager stating that the former employees disclosed confidential information. The district court granted summary judgment in favor of the former employees on the MCTS count. In affirming the judgment,83 the Eighth Circuit noted that the two affidavits were conclusory, failing to enumerate specific evidence of any disclosure.84 Because there was no independent evidence [of disclosure], other than the petitioner's unsubstantiated allegations[,] the court concluded that summary judgment was appropriate.85

As under the CFAA, proof of the offense of tampering with computer data or computer equipment under the MCTS may involve testimony from a computer forensics expert because the method of accessing, modifying, or otherwise tampering with the data will sometimes be beyond the knowledge or understanding of any lay witnesses.

IV. BREACH OF DUTY OF LOYALTY

If a business learns through a forensic examination of a former employee's computer that the former employee misappropriated data to begin, or work for, a competing business, then the business, under an appropriate set of facts, also may have a cause of action against the former employee for a breach of the common law duty of loyalty. Under Missouri law, all employees owe their employers a duty of loyalty.86 The Supreme Court of Missouri, in Scanwell Freight Express STL, Inc. v. Chan, confirmed that every employee owes his or her employer a duty of loyalty.87 "[T]he most common manifestation of the duty of loyalty is that an employee has a duty not to compete with his or her employer [during his or her employment] concerning the subject matter of the employment."88 Therefore, although employees may plan and prepare for their competing enterprises while still employed, a breach of the duty of loyalty arises when [an] employee goes beyond the mere planning and preparation and actually engages in direct competition, which, by definition, is to gain advantage over a competitor.89

In Scanwell, the ex-employee gave one of Scanwell's competitors confidential information about Scanwell's operations and customers while still employed.90 Further, while still employed by Scanwell, the ex-employee secured Scanwell's office lease for its competitor.91 The Court held that Scanwell made a submissible case for breach of the duty of loyalty because the ex-employee clearly went beyond mere planning and preparation to compete when she actually gave confidential client information to a competitor and secured her employer's office lease for the same competitor, all while working for Scanwell.92

V. THE MISSOURI UNIFORM TRADE SECRETS ACT

In some cases the Missouri Uniform Trade Secrets Act (MUTSA) also may provide a remedy for the unauthorized taking or disclosure of computer data.93 The MUTSA provides a civil action for compensatory damages, punitive damages, and injunctive relief if the owner of the information can show: (1) that the information is a trade secret; and (2) actual or threatened misappropriation of the information. For an in-depth explanation of the MUTSA, the protections afforded by the MUTSA, and the remedies available to the owner of misappropriated trade secret information, see Trade Secret Litigation - An Overview, 63 JOURNAL OF THE MISSOURI BAR.94

VI. CONCLUSION

The civil remedies under the CFAA give businesses a useful tool for protecting their electronically stored information both from outsiders who break into their networks and employees who use their access to misappropriate their employer's sensitive information. A plaintiff must show: (1) that the offender's access was either without authorization or exceeded authorized access; (2) that information was gained via intentional conduct that involved an interstate communication or that the offender was knowingly intending and furthering a fraud; and (3) that the offender's actions caused damage and a loss in excess of $5,000. In Missouri, the MCTS, the common law duty of loyalty owed by an employee to his or her employer, and the MUTSA provide businesses with additional tools for protecting their electronically stored information. When filing a claim relating to misappropriation or misuse of electronically stored information, Missouri businesses should analyze all of these causes of action as part of their claim.

81 Pony Computer, Inc. v. Equus Computer Sys. of Mo., Inc., 162 F.3d 991 (8th Cir. 1998).
82 Id. at 994.
83 Id. at 997.
84 Id. at 997.
85 Id.
86 Nat'l Rejectors, Inc. v. Trieman, 409 S.W.2d 1, 41 (Mo. banc 1966); see also RESTATEMENT (SECOND) OF AGENCY, §§ 396 & 393, cmt. e (1958).
87 Scanwell Freight Express STL, Inc. v. Chan, 162 S.W.3d 477, 479 (Mo. banc 2005).
88 Id. (citing RESTATEMENT (SECOND) OF AGENCY, § 393, cmt. e (1958)).
89 Id. (citing RESTATEMENT (SECOND) OF AGENCY, § 393, cmt. e (1958)). The Court observed that a jury instruction for breach of the duty of loyalty must set out that: (1) an employee must not act contrary to the employer's interest; (2) an employee may plan, prepare, and agree with others to compete with the current employer upon termination; and (3) an employee may not go beyond mere planning and preparation and act in direct competition with the employer while still employed by the employer. Id. at 481.
90 Id. at 480.
91 Id.
92 Id.
93 Sections 417.450-417.467, RSMo (2008).
94 William M. Corrigan, Jr. & Jeffrey L. Schultz, Trade Secret Litigation - An Overview, 63 J. MO. BAR 234 (2007).