The Computer Fraud and Abuse Act (CFAA)[1] was enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030), which had been included in the Comprehensive Crime Control Act of 1984. It was written to clarify and increase the scope of the previous version of 18 U.S.C. § 1030 while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature." (see "Protected Computer", below). In addition to clarifying a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts. Provisions addressed the distribution of malicious code and denial of service attacks. Congress also included in the CFAA a provision criminalizing trafficking in passwords and similar items.[1]
The Act has been amended a number of times—in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.
In January 2015 Barack Obama proposed expanding the CFAA and the RICO Act in his Modernizing Law Enforcement Authorities to Combat Cyber Crime proposal.[2] DEF CON organizer and Cloudflare researcher Marc Rogers, Senator Ron Wyden, and Representative Zoe Lofgren have stated opposition to this on the grounds it will make many regular Internet activities illegal, and moves further away from what they were trying to accomplish with Aaron's Law.[3][4]
Contents
Protected computers[edit]
The only computers, in theory, covered by the CFAA are defined as "protected computers". They are defined under section 18 U.S.C. § 1030(e)(2) to mean a computer:
- exclusively for the use of a financial institution or the United States Government, or any computer, when the conduct constituting the offense affects the computer's use by or for the financial institution or the Government; or
- which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States...
In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication.[5]
Criminal offenses under the Act[edit]
(a) Whoever—
- (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
- (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
- (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
- (B) information from any department or agency of the United States; or
- (C) information from any protected computer;
- (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
- (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
- (5)
- (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
- (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
- (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
- (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
- (A) such trafficking affects interstate or foreign commerce; or
- (B) such computer is used by or for the Government of the United States;
- (7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
- (A) threat to cause damage to a protected computer;
- (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
- (C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion[6]
Specific sections[edit]
- : Computer Espionage. This section takes much of its language from the Espionage Act of 1917, with the notable addition being that it also covers information related to "Foreign Relations", not simply "National Defense" like the Espionage Act.
- : Computer trespassing, and taking government, financial, or commerce info
- : Computer trespassing in a government computer
- : Committing fraud with computer
- : Damaging a protected computer (including viruses, worms)
- : Trafficking in passwords of a government or commerce computer
- : Threatening to damage a protected computer
- : Conspiracy to violate (a)
- : Penalties
CFAA Civil Cases[edit]
First Circuit Cases:
| Slip Copy | 2015 WL 4725377 | 8/10/15 | Pla-Fit Franchise, LLC v. Cole | Maine District | Civil | Plaintiff moved for an emergency temporary restraining order against an employee, who was the company's payroll manager. Plaintiff alleged that the defendant had refused to delete a confidential, protected email as he had been directed, and that the company believed that he had also misused other privileged information. Among other claims, Plaintiff alleged a violation of the CFAA. | Without providing any detailed analysis, the court held that the plaintiffs had shown a likelihood of success on the merits related to its CFAA claim. The court pointed to the defendant's admission during a meeting with the plaintiff that he had downloaded an email after being told to delete it as creating a reasonable probability that defendant had downloaded other confidential information and intends to publish this and other confidential information. |
| Slip Copy | 2014 WL 347624 | 1/29/14 | Mahoney v. DeNuzzio | Massachusetts | Civil | Plaintiff brought suit against former girlfriend/mother of his child for altering information in his email and on Facebook and sending racist messages from these accounts on multiple occasions, in relation to a child custody dispute. | Plaintiff's motion to amend was GRANTED after he provided more specific information about the CFAA violation. |
| Slip Copy | 2014 WL 652938 | 2/18/14 | MOCA Systems, Inc. v. Bernier | Massachusetts | Civil | Plaintiff alleges that defendant used resources while working at the company to develop his competitor company and push a major client towards his new company. Defendant moved to compel arbitration under his employee agreement. | Court GRANTED defendant's movement for arbitration. |
| Slip Copy | 2014 WL 2048416 | 5/16/14 | Enargy Power (Shenzhen) Co. Ltd. v. Xiaolong Wang | Massachusetts | Civil | Plaintiff alleges that before defendant terminated his working relationship with them, he took project files relating to a confidential aircraft DC power converter and gave to the company he currently works for. | Information about bank accounts is ordered to be produced in limited scope (unrelated to the CFAA claim). |
| Slip Copy | 2015 WL 5156558 | 9/2/15 | iQuartic, Inc. v. Simms | Massachusetts District | Civil | Plaintiff sought a preliminary injunction against former employee, who allegedly refused to surrender proprietary confidential information and company materials following his termination. In addition to breach of contract claims, plaintiff alleged violation of the CFAA, and asked the court to enjoin defendant from working with any potential competitor. | The court found that plaintiff had established a substantial likelihood of success on it CFAA claims by presenting evidence that the defendant had access to plaintiff's computer systems and protected information, refused to surrender all proprietary and confidential information upon termination of his employment, shared details of his work product with plaintiff's prospective clients during unauthorized meetings, and cause harm to plaintiff by forcing it to expend time and effort interpreting his code without the necessary information and by jeopardizing plaintiff's future business prospects. |
| Enargy Power (Shenzhen) Co. Ltd. v. Xiaolong Wang | |||||||
| 2014 WL 2048416 | Massachusetts | x | |||||
| Mahoney v. DeNuzzio | 2014 WL 347624 | Massachusetts | |||||
| Pine Environmental Services, LLC v. Carson | 43 F.Supp.3d71 | United States District Court, D. Massachusetts (1st Cir.) | X | ||||
| MOCA Systems, Inc. v. Bernier | 2014 WL 652938 | Massachusetts | x | ||||
| General Linen Service, Inc. v. General Linen Service Co. | 2015 WL 471011 | United States District Court, D. New Hampshire (1st Cir.) | X | ||||
| Slip Copy | 2015 WL 6158888 | 10/20/15 | General Linen Service, Inc. v. General Linen Service Co., Inc. | New Hampshire District | Civil | Plaintiff brought a CFAA claim alleging that defendant - a competitor - accessed its confidential information through a software vendor that they both used, and that it suffered a loss in trying to determine and stop the unauthorized access. The defendant moved for summary judgment, arguing that the plaintiff did not sustain a "loss" recognized by the CFAA, and even if it did, any loss did not amount to $5,000 as required by the statute. | The court rejected the defendant's argument that a loss must be the result of an interruption of service in order to be actionable under the CFAA. The court concluded that a loss also includes some specific costs such as responding to the offense, conducting a damage assessment, and any lost revenue and associated costs. The court also held that the expenses plaintiff incurred investigating and fixing the data breach, including dollar value of the time spent by employees investigating the problem, qualifies as a loss under the CFAA. Because the plaintiff alleged that these expenses amounted to over $5,000, the defendant's motion for summary judgment was denied. |
| 25 F.Supp.3d 187 | 2014 WL 2605430 | 6/11/14 | General Linen Service, Inc. v. General Linen Service Co., Inc. | New Hampshire | Civil | Trademark granted to Plaintiff, and Defendant alleges misrepresentations in the plaintiff's trademark application; plaintiff alleges CFAA violation. | Plaintiff's motion to dismiss DENIED. |
| General Linen Service, Inc. v. General Linen Service Co., Inc. | 2014 WL 2605430 | New Hampshire | x | ||||
| American Health Inc. v. Chevere | 37 F.Supp.3d 561 | United Stated District Court, D. Puerto Rico (1st Cir.) | X |
Second Circuit Cases:
| Amphenol Corp. v. Paul | 2014 WL 272337 | Connecticut | x | ' | ' | ' | ' |
| Slip Copy | 2014 WL 2722849 | 6/16/14 | Massre v. Bibiyan | New York Southern District | Civil | Court entered a default judgment against defendant for violations of the CFAA after he launched DoS attacks and alleged that the plaintiff was under investigation for a Ponzi scheme, and awarded damages to the plaintiff. | While plaintiffs sought punitive damages against the defendant for his DoS attacks, the court GRANTED damages only for their losses in revenue. |
| Slip Copy | 2014 WL 1779048 | 5/5/14 | Tan v. Doe | New York Southern District | Civil | After plaintiffs had a business dispute with defendant that was settled, defendant started posting harassing posts on blogs about plaintiffs with damage to their personal and professional images. They alleged CFAA violations and sought to have the posts removed from the internet. | The court DISMISSED for failure to state a claim, but did so without prejudice with leave to amend. |
| Slip Copy | 2014 WL 902965 | 3/5/14 | Mount v. PulsePoint, Inc. | New York Southern District | Civil | Class action plaintiffs alleged a violation of the CFAA related to cookies and Google -- defendants sought to stay the litigation pending resolution of the Google litigation. | Motion to stay the litigation from defendants GRANTED. |
| Slip Copy | 2014 WL 116197 | 1/8/14 | Direct Access Partners LLC v. Chinea | New York Southern District | Civil | Plaintiff alleges that Chinea, the former CEO, unlawfully retained electronic files, and wants a preliminary injunction to enjoin him from using/disclosing information in those files; to return the files; and other relief. These claims are alleged under the CFAA. | Preliminary injunction DENIED for lack of a showing of actual, imminent harm in the absence of such restraint. |
| LivePerson, Inc. v. 24/7 Customer, Inc. | |||||||
| 83 F.Supp. 3d 501 | United States District Court, S.D. New York (2nd. CIr.) | X | |||||
| Advance Watch Co., Ltd. Pennington | 2014 WL 5364107 | United States District Court, S.D. New York (2nd. CIr.) | X | ||||
| New York Pizzeria, Inc. v. Syal | 56 F.Supp.3d 875 | United States District Court, S.D. Texas, Galveston Division (5th Cir.) | X | ||||
| Sewell v. Bernardin | 50 F.Supp.3d 204 | United States District Court, E.D. New York (2nd Cir.) | X | ||||
| Hyo Jung v. Chorus Music Studio, Inc. | 2014 WL 449375 | United States District Court, S.D. New York (2nd. CIr.) | X | ||||
| U.S. v. Ulbricht | 2014 WL 3362059 | New York Southern District | |||||
| U.S. v. Valle | 2014 WL 2980256 | New York Southern District | |||||
| Massre v. Bibiyan | 2014 WL 2722849 | New York Southern District | x | ||||
| Tan v. Doe | |||||||
| 2014 WL 1779048 | New York Southern District | ||||||
| Mount v. PulsePoint, Inc. | 2014 WL 902965 | New York Southern District | |||||
| T-Mobile USA, Inc. v. Wholesaler212 Inc. | 2014 WL 689042 | New York Eastern District | x | ||||
| Direct Access Partners LLC v. Chinea | |||||||
| 2014 WL 116197 | New York Southern District | x | |||||
| U.S. v. Y%20ucel | 2015 WL 1609041 | United States District Court, S.D New York (2nd Cir.) | X |
Third Circuit Cases:
| Slip Copy | 2014 WL 1272212 | 3/27/14 | Pinnacle Ins. Solutions, LLC v. Kolbe | New Jersey | Civil | Plaintiff company is owned by def's brother in law; defendant worked as in house counsel and an investment broker and took information and disparaged the company to another defendant. | Motion for abstention GRANTED for defendants | ' | ' | ' | ' |
| Slip Copy | 2014 WL 1705617 | 4/29/14 | American Financial Resources, Inc. v. Money Source, Inc. | New Jersey | Civil | Company sought preliminary injunction against defendant to enjoin them from soliciting business from AFR clients using allegedly misappropriated business information. | Preliminary injunction GRANTED. | ||||
| Spiniello Companies v. moynier | 2014 WL 7205349 | United States District Court, D. New Jersey (3rd Cir.) | X | X | |||||||
| Spinello Companies v. Silva | |||||||||||
| 2014 WL 4896530 | United States District Court, D. New Jersey (3rd Cir.) | X | X | ||||||||
| American Financial Resources, Inc. v. Money Source, Inc. | 2014 WL 1705617 | New Jersey | x | x | |||||||
| Pinnacle Ins. Solutions, LLC v. Kolbe | |||||||||||
| New Jersey | x | ||||||||||
| x | |||||||||||
| Slip Copy | 2014 WL 896636 | 3/6/14 | Carnegie Strategic Design Engineers, LLC v. Cloherty | Pennsylvania Western District | Civil | ||||||
| Plaintiffs showed adequately damage and loss, but did not sufficiently demonstrate that the employees had unauthorized access. Employees were allowed to access information on the system. Therefore motion to dismiss GRANTED. | |||||||||||
| Slip Copy | 2014 WL 869505 | ||||||||||
| Municipal Revenue Service, Inc. v. Houston Cas. Co. | Pennsylvania Western District | Civil | Case where employers alleged CFAA claims against their employees who tried to take business away to their next employer -- case was already litigated and current case is about indemnification. | CFAA claim not mentioned in present case. | |||||||
| Slip Copy | 2014 WL 271634 | 1/23/14 | Curran v. Mark Zinnamosca & Associates | Pennsylvania Middle District | Civil | -- | Plaintiff's motions for default judgment are DENIED, defendants' motion to dismiss GRANTED. Plaintiff given leave to amend complaint. | ||||
| 28 F.Supp.3d 306 | |||||||||||
| 2014 WL 2770231 | 6/18/14 | ||||||||||
| Pennsylvania Middle District | Civil | Plaintiff AFS found that after some of its employees suddenly resigned they had been working for defendant company and taken some information in violation of the CFAA. Defendant alleged P couldn't show any unauthorized access. | Plaintiff successfully put up a CFAA claim alleging unauthorized access but needed to amend to recalculate loss under the CFAA. | ||||||||
| 25 F.Supp.3d 617 | 2014 WL 2579286 | 6/5/14 | Synthes, Inc. v. Emerge Medical, Inc. | Pennsylvania Eastern District | Civil | Synthes accused defendants of misappropriating trade secrets relating to orthopedic devices, and claims that it suffered loss investigating what happened to its confidential information taken by defendants. | Synthes did not allege a cognizable loss, and the court GRANTED summary judgment to defendants on this account. | ||||
| 15 F.Supp.3d 586 | 2014 WL 1661160 | 4/25/14 | Doe v. Hesketh | ||||||||
| Civil | Plaintiff sues defendants who were convicted of illegally possessing her image from child pornography; her case didn't parallel other 3rd Cir. CFAA litigation. | Defendants' motions to dismiss for lack of personal jurisdiction GRANTED. | |||||||||
| Slip Copy | |||||||||||
| 2014 WL 1612632 | 4/22/14 | Cunningham Lindsey U.S., Inc. v. Bonnani | Pennsylvania Middle District | Civil | Plaintiff alleges two former employees and other individuals from Vericlaim orchestrated a shceme to instigate a mass exodus of CL employees in 2013; Count IX alleges a CFAA violation. | While the defendants moved to dismiss some claims, the CFAA claim was not at issue and still remains. | |||||
| Slip Copy | 2014 WL 1490529 | 4/15/14 | Brooks Group & Associates, Inc. v. LeVigne | Pennsylvania Eastern District | |||||||
| Defendant was a consultant for plaintiff company, and when she started working for her own company, plaintiff found she was retaining contact with their client and others after reading her emails. Plaintiff also alleges download by defendant of their materials. | Court ORDERED arbitration/settlement between parties because of a contractual dispute. | ||||||||||
| Slip Copy | 2014 WL 2616824 | 6/11/14 | Synthes, Inc. v. Emerge Medical, Inc. | Pennsylvania Eastern District | Civil | Synthes brought suit against former employee for putting his technical expertise to use with a new company to develop a product line very similar to the one he worked on with plaintiff. | In 208 page opinion, court GRANTED summary judgment for plaintiff. | ||||
| Slip Copy | 2014 WL 1808652 | 5/7/14 | Advanced Fluid Systems, Inc. v. Huber | Pennsylvania Middle District | Civil | AFS sought injunctive relief, and compensatory and punitive damages after defendants allegedly misappropriated trade secrets and violated the CFAA. One defendant attempted to erase all data from his cell phone and computer, and AFS found he shared data with a competitor. | Defendants' motion to dismiss on CFAA counts DENIED. | ||||
| Slip Copy | 2015 WL 4508922 | 7/24/15 | Penn--Air & Hydraulics Corp. v. Lutz | Pennsylvania Middle District | Civil | Plaintiff sued former employees and their new employer alleging that they conspired to steal and illegally use plaintiff's sensitive information and divert business away from the plaintiff. As grounds for its CFAA claim, the plaintiff alleged that following his termination the defendant refused to return all of the computers issued to him and later copied all of the data on the remaining computer before he returned it to the plaintiff. Plaintiff moved for a temporary restraining order or a preliminary injunction to compel the defendants to return to plaintiff all copies of its sensitive information and all equipment that contained its sensitive information, as well as from using any of plaintiff's information in their possession. | The court found that plaintiff demonstrated a likelihood of success on the merits with respect to the CFAA cliam because plaintiff made credible allegations that the defendant accessed its computers intentionally with the knowledge that he was not authorized to do so, and caused plaintiff to incur more than $5,000 in costs to reconstruct the computer as it existed before its files were deleted. | ||||
| --- F.Supp.3d ---- | |||||||||||
| 2015 WL 1187500 | 3/13/15 | QVC, Inc. v. Resultly, LLC | Pennsylvania Eastern District | Civil | Online retailer moved for a preliminary injunction after filing a CFAA claim against an advertiser that used certain software to "crawl" its website, which caused the plaintiff's website to crash. The plaintiff alleged that the defendant "knowingly caused the transmission of a program, information, code, or command, and as a result of such conduct intentionally caused damage to a protected computer" by allowing the web crawling program to operate and make requests at such a high rate the plaintiff's website become inaccessible. The defendant argued that the plaintiff would not be able to show that the it had the requisite knowledge and intent (scienter) to violate the CFAA | The court denied the plaintiff's motion for a preliminary injunction, finding that the plaintiff was unlikely to succeed on the merits in establishing that the defendant intended to cause damage to its server. The evidence suggested the opposite - that the defendent actually had no incentive to cause the plaintiff's server to slow down or overload, but instead that the defendant's entire business plan required the websites its crawls to be functioning propertly. Because the defendant was a "young" company, it had not yet "ironed out the wrinkles" in its business operations, and therefore can not be charged with knowingly and intentionally damaging the plaintiff's computers. |
Fourth Circuit Cases:
| Not Reported in F.Supp.2d | 2014 WL 988857 | 3/12/14 | Cognate BioServices, Inc. v. Smith | Maryland | Civil | After defendant's resignation he retained company passwords and a laptop that had been provided to him, in violation of his employee contract. He improperly accessed the VPN after his departure. | Defendant's motion to dismiss was DENIED, plaintiff's motion to preserve evidence also DENIED. | ' |
| Cognate BioServices, Inc. v. Smith | 2014 WL 988857 | Maryland | x | |||||
| U.S. v. Shah | 2015 WL 72118 | United States District Court, E.D. North Carolina (4th Cir) | X | |||||
| Slip Copy | 2014 WL 229588 | 1/21/14 | Walsh v. Logothetis | Virginia Eastern District | Civil | Afer being terminated from Virginia Commonwealth University for a sexual harrassment issue, inappropriate emailing, and alleged salary misrepresentations, Walsh brought a suit against the chairman of his department, alleging a claim under the CFAA for accessing his computer. | There were no facts to support a legal conclusion that VCU violated the CFAA. The court DISMISSED plaintiff's claims WITH PREJUDICE. | |
| Slip Copy | ||||||||
| 2015 WL 4937441 | 8/17/15 | Microsoft Corp. v. John Does 1-8 | Virginia Eastern District | Civil | Slip Copy | |||
| 8 F.Supp.3d 743 | 2014 WL 1268820 | 3/26/14 | Tharpe v. Lawidjaja | Virginia Western District | Civil | Plaintiff sought modeling work, and defendant worked as a photographer. P signed a photographic release agreement with no mention of nudity. D then took nude photos of P. Relations deteriorated afterwards. | Use of spyware on cell phone actionable under CFAA. Defendant's other motions DENIED. | |
| Slip Copy | 2014 WL 2967942 | 7/1/14 | Consumer Source Holding, Inc. v. Does | Virginia Eastern District | Civil | The plaintiff and 24 John Does litigated about use of similar domain names and trademarks. | Court ruled in favor of the plaintiffs. | |
| Slip Copy | 2014 WL 1338677 | |||||||
| Microsoft Corp. v. Does 1-18 | Virginia Eastern District | Civil | Plaintiffs seek to enjoin defendant and others for operating a computer botnet that has harmed plaintiff and their customers. | Plaintiff was GRANTED permanent injunction. | ||||
| Slip Copy | ||||||||
| 2/11/14 | Pro-Concepts, LLC v. Resh | Virginia Eastern District | Civil | Plaintiff brought suit against defendant and defendant counterclaimed; plaintiff filed for summary judgment. | Defendant alleged sufficiently in his counterclaim that he had experienced loss related to his servers. There were other claims related to copyright as well. | |||
| 2014 WL 549294 | Virginia Eastern District | x | ||||||
| Walsh v. Logothetis | 2014 WL 229588 | Virginia Eastern District | ||||||
| Consumer Source Holding, Inc. v. Does | 2014 WL 2967942 | Virginia Eastern District | x | |||||
| Microsoft Corp. v. Does 1-18 | 2014 WL 1338677 | Virginia Eastern District | x | |||||
| Tharpe v. Lawidjaja | 2014 WL 1268820 | Virginia Western District | ||||||
Fifth Circuit Cases:
| Slip Copy | 2014 WL 1330196 | 4/3/14 | Associated Pump & Supply Co., LLC v. Dupre | Louisiana Eastern District | Civil | Defendant downloaded secret files from his employer, attempted to conceal his actions, and started a competitor business in the same region. | Plaintiff stated a claim for civil liability on CFAA claim, therefore motion to dismiss for defendants DENIED. | ' |
| Slip Copy | 2014 WL 1691551 | 4/29/14 | Total Safety U.S., Inc. v. Rowland | Louisiana Eastern District | Civil | Defendant resigned from plaintiff's employ, and plaintiff brought suit to prevent defendant from engaging in competitive activities, and violation of CFAA. | Court GRANTED plaintiff's request to ensure compliance with discovery protocols about privilege documentation, emails, and logs. | |
| Slip Copy | 2014 WL 1330196 | 4/3/14 | Associated Pump & Supply Co., LLC v. Dupre | Louisiana Eastern District | Civil | Defendant downloaded secret files from his employer, attempted to conceal his actions, and started a competitor business in the same region. | Plaintiff stated a claim for civil liability on CFAA claim, therefore motion to dismiss for defendants DENIED. | |
| Slip Copy | 2014 WL 28858 | 1/2/14 | Higgins v. NMI Enterprises, Inc. | Louisiana Eastern District | Civil | Defendants appealed whether or not plaintiff alleged facts sufficient to state a claim for personal injuries under the CFAA. | Claim was not before the court on that appeal, so the court did not undertake the analysis. | |
| Slip Copy | ||||||||
| 2014 WL 793453 | 2/26/14 | Total Safety U.S., Inc. v. Rowland | Louisiana Eastern District | Civil | Defendant alleged in a counterclaim a CFAA violation against his former employer, who accused him of accessing trade secrets. | Plaintiff's motion to amend complaint GRANTED, plaintiff's motion for a TRO DENIED. | ||
| Total Safety v. Rowland | 2014 WL 4693114 | United States District Court, E.D. Louisiana (5th Cir.) | X | |||||
| Total Safety U.S., Inc. v. Rowland | 2014 WL 2739392 | Louisiana Eastern District | x | |||||
| Associated Pump & Supply Co., LLC v. Dupre | 2014 WL 1330196 | |||||||
| x | ||||||||
| Higgins v. NMI Enterprises, Inc. | ||||||||
| Louisiana Eastern District | ||||||||
| 2015 WL 422892 | United States District Court, E.D. Louisiana (5th Cir.) | X | ||||||
| Total Safety U.S., Inc. v. Rowland | 2014 WL 1691551 | Louisiana Eastern District | x | |||||
| Total Safety v. Rowland | 2014 WL 6485641 | United States District Court, E.D. Louisiana (5th Cir.) | X | |||||
| Total Safety U.S., Inc. v. Rowland | 2014 WL 793453 | Louisiana Eastern District | x | |||||
| W.L. Doggett LLC v. Paychex, Inc. | 92 F. Supp.3d 593 | United States District Court, S.D. Texas, Houston Division (5th Cir.) | X | |||||
| In Re Mud King Products, Inc. | 525 B.R. 43 | United States Bankruptcy Court, S.D. Texas, Houston Division (5th Cir) | X | |||||
| U.S. ex rel. Rigsby v. State Farm Fire and Cas. Co. | 2014 WL 691500 | Mississippi Eastern District | ||||||
| x | ||||||||
| Slip Copy | 2015 WL 5785689 | 3/31/15 | Atwood v. Lyons | Mississippi Southern District | Civil | Plaintiff filed a number of claims against the defendant, including a claim for violation of the CFAA, after the defendant made a number of disparaging statements about him on a website that the defendant had appropriated and had allegedly hacked into the plaintiff's website and YouTube accounts. The defendant moved to dismiss, arguing that the CFAA claim failed to state a claim. | The court dismissed the CFAA claim based on two facts: first, the defendant was actually the lawful registrant of the domain name that the plaintiff claimed was hacked - thus making him an authorized user - and second, the plaintiff failed to allege that the defendant accessed a protected computer with the intent to defraud. | Slip Copy |
| Slip Copy | ||||||||
| 2/21/14 | U.S. ex rel. Rigsby v. State Farm Fire and Cas. Co. | Mississippi Eastern District | Civil | Relators argue that State Farm attempted to shift responsibility for wind damage by classifying wind damage as storm surge damage post Hurricane Katrina to place the obligation o nthe government to pay under Nat'l Flood Ins. Prog. | Relators petitioned for attorenys fees and expanded discovery; State Farm counterclaims under CFAA. CFAA claim unrelated to the current claim -- court BIFURCATED CFAA claim and left it pending. | |||
| 2014 WL 5437358 | United States District Court, S.D. Mississipp, Eastern Division (5th Cir.) | X | ||||||
| Slip Copy | 2015 WL 6144012 | 7/7/15 | Sprint Solutions, Inc. v. Tech Pimps | Texas Southern District | Civil | Slip Copy | ||
| Slip Copy | 2015 WL 1893531 | 4/27/15 | Quantlab Technologies Ltd. (BGI) v. Godlevsky | Texas Southern District | Civil | Plaintiff brought CFAA claims against the defendant arising from his alleged unauthorized access to it network after he was terminated from the company. Specifically, the plaintiff alleged that the defendant obtained the network credentials of his friend and former co-worker, then used the friends credentials to access the plaintiff's network in 2007. The plaintiff also brought CFAA claims against another former employee based on her access to the company's network while still an employee. The first employee raised a statute of limitations defense, seeking dismissal of the claims against him. | The court held that summary judgment on the SoL issue was improper because an issue of material fact existed regarding whether the plaintiff authorized access to its network from the plaintiff's home by the plaintiff's friend, which would have moved the date of its knowledge of unauthorized access back one year, thereby keeping the plaintiff's claim within the two year filing date for the CFAA. The court also held that the plaintiff could use the costs of its investigation and recovery efforts to constitute damages under the CFAA. With respect to the second defendant, CFAA claims against her were not time barred because although they were brought more than two years after the alleged violation, they related back to claims made in an earlier complaint that were based on the same transaction. | Slip Copy |
| Slip Copy | 2015 WL 5089169 | 8/27/15 | Simmonds Equipment, LLC v. GGR Intern., Inc. | Texas Southern District | Civil | Plaintiff company sued a website development company, alleging violation of the CFAA based on allegations that the defendant contacted one the plaintiff's employees and obtained the password to the company's website in order to access the site without authorization. Defendant moved to dismiss the CFAA claim, arguing that the plaintiff failed allege that the defendant accessed a protected computer or had the intent to defraud, and the plaintiff had not suffered any damages. | The court rejected all of the defendant's arguments and allowed the CFAA claim to go forward. Specifically, the court found that the fact that the defendant allegedly had to obtain a password from one of plaintiff's employees is sufficient to allege that the computer was protected. The court further held that the plaintiff did not have to allege facts capable of showing that the defendant had an intent to defraud or received anything of value under the asserted CFAA claims. Finally, the court found that the plaintiff's claim that the defendant's access to its website caused it lose a business opportunity worth $1 million was sufficient to survive a motion to dismiss; the plaintiff did not have to prove damages at this point. | Slip Copy |
| Slip Copy | 2014 WL 2931824 | 6/27/14 | Brink's Inc. v. Patrick | Texas Northern District | Civil | Company showed that defendants took information from the company from computers unlawfully and against an noncompete agreement. | Court GRANTED a preliminary injunction enforcing a noncompete agreement but DENIED to extend it beyond December 2015 as plaintiffs requested. | |
| 300 F.R.D. 311 | 2014 WL 2800746 | 6/17/14 | Merritt Hawkins & Associates, LLC v. Gresham | Texas Northern District | Civil | Plaintiffs filed a complaint alleging a CFAA violation, and defendant moved to dismiss. The Court denied this motion, and the plaintiff then sought to add Consilium as a defendant to the suit. | Court GRANTED plaintiffs; motion to amend. | |
| Slip Copy | 2014 WL 360503 | 2/3/14 | Absolute Energy Solutions, LLC v. Trosclair | Texas Southern District | Civil | Plaintiff alleges that defendant was no longer authorized to access computer files after he was terminated, and his wife was never authorized -- both defendants then allegedly engaged in a business that competed with plaintiff's after taking plaintiff's files/emails. | Plaintiff plausibly stated a CFAA violation. Court retained subject matter over the CFAA and misappropriation of trade secrets claims. | |
| 514 B.R. 496 | 2014 WL 3564503 | 7/17/14 | In re Mud King Products, Inc. | Texas Southern District (Bankruptcy) | Civil | In a bankruptcy proceeding, NOV sought to claim damages from Mud King Products for allegedly accessing its servers unlawfully. An employee of MK obtained engineering blueprints for parts from an NOV employee. | NOV failed to prove violation of the CFAA - court found no evidence of damage and no one from MK directly accessed NOV servers; the court also noted that "damage" and "loss" were not shown. | |
| Merritt Hawkins & Associates, LLC v. Gresham | 79 F.Supp. 3d 625 | United States District Court, N.D. Texas, Dallas Division (5th Cir) | X | |||||
| St. Jude Medical S.C., Inc. v. Janssen-Counotte | 2014 WL 7237411 | United States District Court, W.D. Texas, Austin Division (5th Cir.) | X | |||||
| K-Tek Computers, Inc. v. Serhal | 2014 WL 6901212 | United States District Court, W.D. Texas, Austin Division (5th Cir.) | X | |||||
| Rajee v. Design Tech Homes, Ltd. | 2014 WL 5878477 | United States District Court, S.D. Texas, Houston Division (5th Cir.) | X | |||||
| New York Pizzeria, Inc. v. Syal | 56 F.Supp.3d 875 | United States District Court, S.D. Texas, Galveston Division (5th Cir.) | X | |||||
| New York Pizzeria, Inc. v. Syal | 56 F.Supp.3d 962 | United States District Court, S.D. Texas, Galveston Division (5th Cir.) | X | |||||
| Donahue v. Tokyo Electron America, Inc. | 42 F.Supp.3d 829 | United States District Court, W.D. Texas, Austin Division (5th Cir.) | X | |||||
| In re Mud King Products, Inc. | 2014 WL 3564503 | Texas Southern District (Bankruptcy) | ||||||
| Brink's Inc. v. Patrick | 2014 WL 2931824 | Texas Northern District | x | |||||
| Merritt Hawkins & Associates, LLC v. Gresham | 2014 WL 2800746 | Texas Northern District | x (law firm) | |||||
| New York Pizzeria, Inc. v. Syal | ||||||||
| 56 F.Supp.3d 962 | United States District Court, S.D. Texas, Galveston Division (5th Cir.) | X | ||||||
| Absolute Energy Solutions, LLC v. Trosclair | 2014 WL 360503 | Texas Southern District | x |
Sixth Circuit Cases:
| Slip Copy | 2015 WL 3580500 | 6/5/15 | Rickett v. Smith | Kentucky Western District | Civil | Defendants brought a counterclaim against the plaintiff, who was a former partner / joint-venturer, alleging that he failed to return a computer that belonged to the defendant/counterclaimant and used the computer without authorization to access and manipulate others' email and to transmit a program intending to harm them. Plaintiff/counterdefendant moved to dismiss, arguing that his access was authorized and that the there were no damages. | The court held that the termination of the relationship clearly rescinded the plaintiff's authorized access to the computer, thereby making any use of the computer an instance of exceeding authorized access. With respect to damages, however, the court held that the counterclaim only alleged that the plaintiff/counterdefendant issued fake stock certificates, but not that he received anything of value or caused the counterclaimant any financial loss. Accordingly, the counterclaims alleging CFAA violations were dismissed. | Slip Copy |
| Slip Copy | 2015 WL 5461528 | 9/15/15 | Fabreeka International Holdings, Inc. v. Haley | Michigan Eastern District | Civil | Plaintiff sued its former employee and his new employer alleging that he unlawfully accessed its computers to obtain confidential information in violation of the CFAA. Plaintiff moved for a temporary restraining order and expedited discovery. | The court denied the plaintiff's request for a temporary restraining order, finding that there is too much speculation surrounding whether the defendant exceeded authorized access by violating the company's computer use policy and misappropriating confidential information. Because the plaintiff could only speculate that the defendant had taken confidential information, and could not point to specific evidence that he had downloaded or otherwise accessed its data, the court denied the TRO since the plaintiff, by its own admission, could not show the extent and exact methods of the alleged data theft. The court did, however, allow for limited expedited discovery in order for the plaintiff to try to ascertain whether and what data was taken from its servers. | Slip Copy |
| --- F.Supp.3d ---- | 2015 WL 2124794 | 5/6/15 | American Furukawa, Inc. v. Hossain | Michigan Eastern District | Civil | Employer sued former employee, alleging violation of the CFAA after employee downloaded numerous files and otherwise accessed employer's computer system in an effort to obtain information that would help him to set up a competing company. Employee/defendent moved for partial summary judgment on the pleadings, arguing that his former employer did not state a proper claim under the CFAA because it failed to plead sufficient facts to show that he accessed files "without authorization" or "exceeded authorized access" when he downloaded certain files. | The Court denied the defendant's request, holding that the plaintiff did plead sufficient facts to make a viable claim under the CFAA. Specifically, although the Court adopted a narrow interpretation of "without authorization," the fact that the plaintiff alleged that the defendent downloaded some files while he was on a temporary leave of absence, when he was not allowed to work, was enough to claim he acted without authorization. The Court also adopted the definition of "exceeds authorized access" that is provided in the statute, and used this definition to find that because the defendent violated a company policy that was focused on how files were accessed, there is a viable claim that he exceeded that authorization. | --- F.Supp.3d ---- |
| Slip Copy | 2015 WL 5714541 | 9/29/15 | Experian Marketing Solutions, Inc. v. Lehman | Michigan Western District | Civil | Plaintiff brought a series of claims against a former employee for violations of the CFAA, alleging that while he was employed by the plainiff he access confidential information for a competitive purpose (to start his own business), retained a company owned computer and access information on it after he left the company, and deleted some information before returning the computer. The defendant moved to dismss for failing to state a claim under the CFAA. | The court rejected the defendant's agrument that the plaintiff did not suffer any loss as defined by the CFAA because there was no interruption of service, noting that the definition of loss is "disjunctive" and can consist of "any reasonable cost to the victim, including responding to an offense, conducting a damage assessment, and restoring the data," as well as lost revenues or damages resulting from an interruption of service. With respect to authorized access, however, the court found that the defendant was authorized to access plaintiff's computers and did not exceed his authorized access, despite a company policy addressed how certain information and data is used. Likewise, the court found that the defendant did not violate the CFAA when he instructed other employees (who were still employed at the plaintiff company) to obtain certain information, because at the time they also acted with authorization. The court allowed a claim under the CFAA for "knowingly causing a transmission of a program ... that resulted in damage to a protected computer," based on the defendant's deletion of certain files. According to the court, this allegation was sufficient to state a viable claim under the CFAA. | Slip Copy |
| Slip Copy | 2014 WL 634075 | 2/18/14 | Global Fleet Sales, LLC v. Delunas | Michigan Eastern District | Civil | Defendant operates a website in violation of a soured business arrangement with plaintiffs, and has interfered with plaintiff's business after the termination of the business relationship. | The CFAA claim was DISMISSED with prejudice because the plaintiff never definitively established that defendant breached the CFAA. | |
| Slip Copy | ||||||||
| 2014 WL 3420524 | 7/14/14 | Ajuba Intern., LLC v. Saharia | Michigan Eastern District | Civil | Ajuba alleged misappropriation of trade secrets in violation of the CFAA. | The court DISMISSED the CFAA claim. | ||
| Slip Copy | 2014 WL 2763618 | 6/18/14 | Dice Corp. v. Bold Technologies Ltd. | Michigan Eastern District | Civil | Plaintiffs lost on their CFAA claim against defendants, and defendants sought attorneys' fees. | Attorneys' fees were granted in part and supplemental briefs were requested by the court. | |
| Cranel Inc. v. Pro Image Consultants Group, LLC | 57 F.Supp.3d 838 | United States District Court, S.D. Ohio, Eastern Division (6th CIr.) | ||||||
| Cranel Inc. v. Pro Image Consultants Group, LLC | 57 F.Supp.3d 838 | |||||||
| X | ||||||||
| MRi Software, LLC v. Lynx Systems, Inc. | ||||||||
| United States District Court, N.D. Ohio, Eastern Division (6th Cir.) | X | |||||||
| 2014 WL 3900236 | United States District Court, S.D. Ohio, Eastern Division (6th CIr.) | X | ||||||
| Dean's Cards LLC v. Perstein | ||||||||
| 2014 WL 3793575 | United States District Court, S.D. Ohio, Western Division (6th Cir.) | X | ||||||
| Goken America, LLC v. Bandepalya | ||||||||
| 2014 WL 6673830 | United States District Court, S.D. Ohio, Eastern Division (6th CIr.) | X | ||||||
| Slip Copy | 2015 WL 5332348 | 6/18/15 | Williams-Sonoma Direct, Inc. v. Arhaus, LLC | Tennessee Western District | Civil | |||
| Without discussing the CFAA claims, the court granted the plaintiff's motion for a preliminary injunction. | Slip Copy | |||||||
| DeSoto v. Board of Parks and Recreation | 64 F.Supp.3d 1070 | United States District Court, M.D. Tennessee, Nashville Division (6th Cir) | ||||||
Seventh Circuit Cases:
| Not Reported in F.Supp.2d | 2014 WL 3562828 | 7/14/14 | International Brotherhood of Electrical Workers, Local 134 v. Cunningham | Illinois Northern District | Civil | Plaintiff filed a three-count complaint against Defendant alleging that the Defendant unlawfully accessed its "Labor Power" database, obtained the e-mail addresses of the Plaintiff's members, and e-mailed members in an effort to foment discord and cause the union to breach its contract with the Chicago Public School System. | Plaintiff stated a claim for loss under CFAA, therefore defendant's request to dismiss is DENIED. | ' |
| CMB Export, LLC v. Atteberry | 2014 WL 4099721 | United States District Court, C.d. Illinois, Rock Island Division (7th Cir.) | X | |||||
| Not Reported in F.Supp.2d | 2014 WL 2619505 | 6/12/14 | Ocean Tomo, LLC v. Barney | Illinois Northern District | Civil | Plaintiff sued former managing director for failing to return a laptop computer to the company after he left the company. Defendant crossclaimed that the plaintiff violating the CFAA by accessing his computer. | Plaintiff moves to dismiss defendant's state law claims, and the court DENIED the motion to dismiss. | |
| 22 F.Supp.3d 880 | 2014 WL 2441969 | 5/28/14 | Paragon Micro, Inc. v. Bundy | Illinois Northern District | Civil | Plaintiff brings suit against defendants for destruction of data in violation of the CFAA (diverted data to others, falsified his transactions, and destroyed information to conceal his deception). Defendant counterclaims to compel arbitration. | Court GRANTED defendants' motion to compel arbitration. | |
| 40 F.Supp.3d 989 | ||||||||
| 2014 WL 1759184 | 5/2/14 | Instant Technology, LLC v. DeFazio | Illinois Northern District | Civil | Company sued former employees and non-employees for violating the CFAA by taking information from the company to a new company that several of them ended up moving to. | Plaintiff did not show loss of data for the purposes of showing damages, and so the CFAA claim could not be sustained, judgment GRANTED for defendants. | ||
| Not Reported in F.Supp.2d | 2014 WL 1674650 | 4/25/14 | Network Cargo Systems International, Inc. v. Pappas | Illinois Northern District | Civil | Defendant is former regional sales manager of plaintiff company, plaintiff alleges violations of the CFAA. Defendant copied hundreds of files from a computer, and then attempted to mass-delete the files. | P adequately alleged misconduct over computer, and adequately showed loss and damage. P's amended complaint sufficiently alleged CFAA violation. Motion to dismiss from defendant on CFAA counts DENIED. | |
| Not Reported in F.Supp.2d | 2014 WL 499001 | 2/7/14 | SBS Worldwide, Inc. v. Potts | Illinois Northern District | Civil | Plaintiff is a global logistics corporation that compiles confidential information about its customers. Defendant was a former employee who connected with new customers and increased sales to existing customers. D took files and forwarded personal information to himself which he then used at his new employer's place of business. | SBS failed to allege any damage or loss within the context of the CFAA. Defendant's motion to dismiss GRANTED on that count. | |
| Not Reported in F.Supp.2d | 2014 WL 258808 | |||||||
| Sprint Nextel Corporation v. AU Electronics, Inc. | Illinois Northern District | Civil | Plaintiffs brought suit alleging defendants were involved in the bulk purchase and resell of Sprint cellphones. Parties had a settlement agreement, defendants then repudiated. Litigation occurred about whether the agreement was enforceable. Sprint brought a motion to enforce the agreement. | Motion to enforce the agreement is GRANTED. | ||||
| Not Reported in F.Supp.2d | ||||||||
| 1/23/14 | T-Mobile USA, Inc. v. AU Electronics, Inc. | Illinois Northern District | Civil | Plaintiffs brought suit alleging defendants were involved in reselling phones, and removing SIM cards; and they alleged CFAA claims. Plaintiffs submitted a motion to enforce the settlement agreement, and defendants petitioned to reform the agreement. | Language was accordingly modified, but the court also granted a stipulated order of dismissal -- case DISMISSED WITH PREJUDICE. | |||
| 2015 WL 5693594 | 9/24/15 | National Auto Parts, Inc. v. Automart Nationwide, Inc. | Illinois Northern District | Civil | Plaintiff sued former employees and a competitor after former employees allegedly provided competitor with plaintiff's proprietary software prior to joining competitor's business. Specifically, defendants changed the plaintiff's computer passwords, removed and destroyed trade secret and confidential information contained on plaintiffs software, removed proprietary information completely from plaintiff's computers, removed or destroyed personnel and customer files, and provided trade secrets to the competitor. Defendants moved to dismiss plaintiff's CFAA claims, arguing that they were authorized to access the plaintiffs computers, and that the plaintiffs had not alleged a "transmissio" as required by the statute. | The court denied the defendants motion to dismiss, finding that the plaintiff's complaint allege violation of §§1030(a)(5)(B) and (C), which do not require a "transmission" to substantiate a claim. Further the court held that, because the plaintiffs claimed that the defendant's authority to access its computers terminated when they violated their duty of loyalty to the plaintiff, the defendant's argument that they were authorized to access the plaintiff's computers would likely fail under controlling Seventh Circuit precedent, which has expressly held that once an employee engages in conduct that violates his duty of loyalty to his emploer, his agency relationship (and associated rights as the employer's agent) is terminated. | Slip Copy | |
| --- F.Supp.3d ---- | 2015 WL 3484335 | 6/1/15 | Bittman v. Fox | Illinois Northern District | Civil | Public library employee brought CFAA claims against library patrons who opposed the library's internet access policy and created a Facebook page that attempted to ridicule the employee/plaintiff. Plaintiff claimed that these actions violated Facebook's terms of use, thereby exceeding authorized access to Facebook's computers. The defendants moved to dismiss for failure to state a claim under the CFAA. | The court sided with the defendants and dismissed the plainiff's claims, holding that even if the defendants violated Facebook's terms of use by creating a fake social media account to impersonate the plaintiff, such conduct does not constitute access "without authorization" or "exceeding authorized access." The court noted that the defendants are "not hackers, nor are they virus or worm writers... they did not access a computer to damage, steal, or tamper with data" and there could not have violated the CFAA. | |
| Not Reported in F.Supp.3d | 2015 WL 3919115 | 6/25/15 | PolyOne Corp. v. Lu | Illinois Northern District | Civil | Plaintiff, an American plastics manufacturer, claims that the defendants conspired with plaintiff's former employee in an illegal effort to compete with plaintiff in the manufacture and sale of soft plastics. Specifically, plaintiff claimed that its former employee downloaded thousands of files before he left the company and installed a file deletion program on one of its protected computers. Defendant moved to dismess the CFAA claims. | The court held that the plaintiff failed to allege an actionable loss under the CFAA with respect to the allegations concerning the defendant's installation of a document destruction program on its computers because there was no claim that the program actually ever destroyed any files. The court recognized, however, that the plaintiff's allegations that it spent in excess of $5,000 investigating and responding to the offense constitutes an actionable loss under the CFAA. Accordingly, the court refused to dismiss the CFAA claim. | Not Reported in F.Supp.3d |
| Pascal Pour Elle, Ltd. v. Jin | 75 F.Supp.3d 782 | United States District Court, N.D. Illinois, Eastern Division (7th CIr.) | X | |||||
| First Financial Bank, N.A. v. Bauknecht | 71 F.Supp.3d 819 | United States District Court, Central District of Illinois, Peoria Division, (7th Cir.) | X | |||||
| Halperin v. International Web Services, LLC | 70 F.Supp.3d 893 | United States District Court, N.D. Illinois, Eastern Division (7th CIr.) | ||||||
| X | ||||||||
| Lemko Corporation v. Federal Insuranc Company | 70 F.Supp.3d 905 | United States District Court, N.D. Illinois, Eastern Division (7th CIr.) | ||||||
| Intertek USA Inc. v. AmPsec, LLC | 2014 WL 4477933 | United States District Court, N.D. Illinois, Eastern Division (7th CIr.) | X | |||||
| Charles River Laboratories, Inc. v. Beg | ||||||||
| United States District Court, N.D. Illinois, Eastern Division (7th CIr.) | X | |||||||
| 2014 WL 3562828 | Illinois Northern District | |||||||
| Ocean Tomo, LLC v. Barney | 2014 WL 2619505 | Illinois Northern District | x | |||||
| Paragon Micro, Inc. v. Bundy | 2014 WL 2441969 | Illinois Northern District | x | |||||
| Instant Technology, LLC v. DeFazio | 2014 WL 1759184 | Illinois Northern District | x | |||||
| Network Cargo Systems International, Inc. v. Pappas | 2014 WL 1674650 | Illinois Northern District | x | |||||
| U.S. v. Yihao Pu | 2014 WL 1621964 | Illinois Northern District | x | |||||
| SBS Worldwide, Inc. v. Potts | 2014 WL 499001 | Illinois Northern District | x | |||||
| Sprint Nextel Corporation v. AU Electronics, Inc. | 2014 WL 258808 | Illinois Northern District | x | |||||
| T-Mobile USA, Inc. v. AU Electronics, Inc. | 2014 WL 258495 | Illinois Northern District | x | |||||
| Fidlar Technologies v. LPS Real Estate Data Solutions, Inc. | 82 F. Supp. 3d 844 | United States District Court, C.d. Illinois, Rock Island Division (7th Cir. Appeal filed.) | X | |||||
| Sprint Solutions, Inc. v. Aldridge | 50 F.Supp.3d 1024 | United States District Court, S.D. Indiana (7th Cir.) | X |
Eighth Circuit Cases:
| 1 F.Supp.3d 961 | 2014 WL 583421 | 2/14/14 | Reliable Property Services, LLC v. Capital Growth Partners, LLC | Minnesota | Civil | Plaintiff brings suit against defendant for disabling their software and crippling their business. They filed for a preliminary injunction. | Motion for injunction GRANTED. | ' |
| Slip Copy | 2014 WL 2574747 | 6/9/14 | Ahlers v. CFMOTO Powersports, Inc. | Minnesota | Civil | Defendant alleges plaintiff accessed company email and computer systems to send emails to others claiming CFMOTO had unsafe products and unfair dealings. Defendant alleges a CFAA violation. | Court found that the defendant did not state a claim under the CFAA. CFAA claim was DENIED. | |
| Ahlers v. CFMOTO Powersports, Inc. | 2014 WL 2574747 | Minnesota | ||||||
| Reliable Property Services, LLC v. Capital Growth Partners, LLC | 2014 WL 583421 | Minnesota | x | |||||
| Hand & Nail Harmony, Inc. v. Sims | ||||||||
| 2014 WL 2515141 | Missouri Western District | x | ||||||
| Slip Copy | 2014 WL 2515141 | 6/4/14 | Hand & Nail Harmony, Inc. v. Sims | Missouri Western District | Civil | Plaintiff claims defendant downloaded files from the computer of his ex-wife and VP of plaintiff company, violating the CFAA. Plaintiff wants a TRO to prevent defendant from revealing information to others about plaintiff company. | Motion for TRO is DENIED without prejudice. | |
| Slip Copy | 2014 WL 2208073 | 5/28/14 | Dewitt Insurance, Inc. v. Horton | Missouri Eastern District | Civil | Defendant worked for plaintiff, and concealed his daughter's ownership in a company to plaintiff. Plaintiff alleges CFAA violation. | Plaintiff failed to allege a loss as defined under the CFAA. Plaintiff's claim was DISMISSED under the CFAA. | |
| Dewitt Insurance, Inc. v. Horton | 2014 WL 2208073 | |||||||
| x | ||||||||
| U.S. v. Stratman | ||||||||
| Nebraska | x |
Ninth Circuit Cases:
| Pl | 2014 WL 289924 | 1/24/14 | Wichansky v. Zowine | Arizona | Civil | Plaintiff alleges violations of the CFAA -- he and defendant founded a company specializing in employee placement services, and after the company gained success, the defendant started being harrassing and aggressive. Some employees loyal to the defendant stole servers and computers; an expert in defendant's employ stole information from the plaintiff's computer. | Court found that plaintiff failed to show that defendant was not authorized to access all information and convey said information to employees. The court DISMISSED CFAA claims. | ' |
| Wichansky v. Zowine | 2014 WL 5594086 | United States District Court, D. Arizona (9th Cir.) | X | |||||
| Not Reported in F.Supp.3d | 2015 WL 1289984 | 3/20/15 | Koninklijke Philips N.V. v. Elec-Tech International Co., Ltd. | California Northern District | Civil | Plaintiff brought a CFAA claim against a former employee and his subsequent employer, alleging that while he was still an employee of plaintiff he downloaded thousands of files containing trade secrets pertaining to LED lighting, and then began working for a competitor in China. Six months after defendant's departure, his new employer announced new products that plaintiff alleges were based on the information downloaded by the defendant. The defendant moved to dismiss for failure to state a claim under the CFAA because the defendant was authorized to access the information at time he downloaded it. | The court found that at the time the former employee defendant accessed and downloaded the plaintiff's information, he was authorized to do so, and therefore dismissal of the plaintiff's complaint was warranted. The court rejected the plaintiff's argument that the defendant was acting as an agent of his subsequent employer at the time of the download and therefore provided them with indirect unauthorized access. | Not Reported in F.Supp.3d |
| Not Reported in F.Supp.3d | 2015 WL 3561671 | 6/4/15 | BHRAC, LLC v. Regency Car Rentals, LLC | California Central District | Civil | Plaintiff brought CFAA claim against defendant, a former employee, and his new employer for allegedly gaining access to plaintiff's computer's - using knowledge that he learned while working for the plaintiff - and obtaining records of recent rental transactions, which was then used to steal plaintiff's customers. Plaintiff also claimed that the defendent also launched a Website Attack against its website, which caused it to crash. Defendant moved to dismiss for failure to state a claim under the CFAA. | The court ruled in favor of the defendant, dismissing both CFAA claims. The court relied upon previous rulings on the CFAA, which have held that a loss of business due to the theft of information from a computer system is not the sort of injury for which the CFAA provides a resume; lost revenue due to lost business opportunity does not constitute a loss under the CFAA. With respect to the Website, the court found that the individual defendant employees were not liable under the CFAA because the plaintiff's claim did not sufficiently allege that they were involved in the attack. Their employer, the defendent company, was, however, potentially responsible for the attack and therefore the CFAA claim against it was allowed to stand. | Not Reported in F.Supp.3d |
| Slip Copy | ||||||||
| 2015 WL 5680904 | 9/28/15 | Ewiz Express Corporation v. Ma Laboratories, Inc. | California Northern District | Civil | Plaintiff brought a CFAA claim alleging that defendants "undertook a scheme to steal plaintiff's customers and business by forming competing companies having misleadingly similar business names and internet domains as used by the plaintiff" and that the defendants sought to "take down plainiff's webpage and delete information so that plaintiff could not sell products and at the same time divert customer orders to the defendant." Defendant moved to dismiss, arguing that the plaintiff's complaint did not meet the heightened pleading standard for a claim of fraud. | The court agreed with the defendant and dismissed the CFAA claims. Specifically, because the plaintiff only generally alleged that the defendant instructed unnamed employees, at an unknown time, with unspecified authority, to access its computers, and that this failed to describe the "who, what, when, where, and how of defendant's allegedly unauthorized access. | Slip Copy | |
| --- F.Supp.3d ---- | 2015 WL 5316333 | 9/11/15 | SunPower Corporation v. SunEdison, Inc. | California Northern District | Civil | Plaintiff was a former employer of the defendants and brought a claim against them alleging that they violated the CFAA when they downloaded thousands of documents to an external USB drive while they were still employees, in violation of company policies. | The court held that because the former employees were authorized to access the plaintiff's computers at the time of the downloads, no violation of the CFAA occurred, regardless of whether their actions violated the company's computer use policies In this instance, the employees did not circumvent the employer's security measures or access unauthorized information. Accordingly, the court granted the employee defendant's motion to dismiss. | --- F.Supp.3d ---- |
| Slip Copy | 2015 WL 5173535 | 9/3/15 | Vaquero Energy, Inc. v. Herda | California Eastern District | Civil | Plaintiff moved for a preliminary injunction against the defendant based on allegations that the defendant accessed a number of the plaintiff's systems and changed the passwords, ladder logic, and/or deleted other data previously installed on those systems after its termination. The defendant argued that the plantiff was unable to show a likelihood of success on the merits because the plaintiff could not show unauthorized access by the defendant or that it suffered damages under the CFAA. | The court granted the preliminary injunction, finding that the defendant itself had already acknowledged that several of its employees had accessed the plaintiff's systems following the defendant's termination, and that despite the fact that plaintiff may be able to shut down its energy systems manually, the defendant was unable to show that this would cost less than $5,000. | Slip Copy |
| Slip Copy | 2015 WL 5687688 | |||||||
| Vaquero Energy, Inc. v. Herda | California Eastern District | Civil | Plaintiff brought CFAA claims against the defendant based on allegations that the defendant accessed a number of the plaintiff's systems and changed the passwords, ladder logic, and/or deleted other data previously installed on those systems after its termination. Plaintiff further alleged that the defendant violated section (a)(7) of the CFAA because it intended to extort money from the plaintiff. The defendant moved to dismiss both claims. | The court granted the defendant's motion to dismiss with respect to the intent to extort claim, finding that the mere allegation that the defendant had changed the passwords in order to extort money from the plaintiff was insufficient, especially where the defendant had not made any sort of demand for payment and had claimed that it was protecting its copyright interest when it refused to release the passwords. The court refused to dismiss the other CFAA claims, finding sufficient allegations that the defendant changed passwords and otherwise access the plaintiff's computers following its termination. | Slip Copy | |||
| --- F.Supp.3d ---- | ||||||||
| 8/25/15 | Welenco, Inc. v. Corbell | California Eastern District | Civil | Company filed a claim against a former employee alleging, among other claims, that he violated the CFAA when he downloaded numerous proprietary files and documents, including customer lists, while still an employee but with the intent of starting his own business as a competitor. The defendant moved for summary judgment on the CFAA claim, arguing that the plaintiff failed could not show that he acted without authorization or exceeded authorized access. | The court granted the defendant's motion for summary judgment on the CFAA claim, finding that since the alleged downloads occurred while the defendant was an employee and had authorization to access the information, he may be guilty of misappropriation, but not hacking. | --- F.Supp.3d ---- | ||
| 2015 WL 2380876 | 5/19/15 | Garay v. Tabah | California Central District | Civil | Plaintiff filed a variety of different against its former employee, including a CFAA claim for theft of confidential information. The CFAA claim was first partially dismissed and later dismissed all together because it was a compulsory cross-complaint that had to be alleged in the state-action. The defendant moved for Rule 11 sanctions to be imposed on the plaintiff for improperly bringing the CFAA claim. | The court examined the reasons why the majority of the plaintiff's CFAA claims were initially dismissed and found that the plaintiff had failed to allege that the defendant's actions caused any damage and that the defendant accessed material without authorization (since he was an employee and had authorized access). The court next conducted the "reasonable inquiry test" and held that the plaintiff's attorney's should have known from the language of the statute and the relevant controlling case law that the CFAA claims would fail. Accordinlgly, sanctions were warranted. | Not Reported in F.Supp.3d | |
| Slip Copy | 2015 WL 5158639 | 9/2/15 | Loop AI Labs Inc v. Gatti | California Northern District | Civil | Defendant moved to dismiss plaintiff's claims for violation of the CFAA, arguing that the dedendant accessed the plaintiff's information with authority. Specifically, the plaintiff alleged that its former CEO conspired with the other defendants to missappropriate the defendant's trade secrets and generally frustraate the success of the company when she was directed to provide a competitor with critical and confidential information while she was still CEO at the plaintiff's company. | The court agreed with the defendant and granted the motion to dismiss the CFAA claims. The court held that the Ninth Circuit's position that "it is not a violation of the CFAA to access a computer with permission, but with the intent to use the information gained thereby in violation of a use agreement." Thus, although the plaintiff alleged that some of the defendants activities occured after her termination, it premised its CFAA allegations on the incorrect proposition that she lost authority to access the plaintiff's computers when she bagan an agent of the other defendants. | |
| Not Reported in F.Supp.3d | 2015 WL 1927697 | 4/28/15 | Telesocial Inc. v. Orange S.A. | California Northern District | Civil | Plaintiff sued defendant for violations of the CFAA and theft of trade secrets after negotiation for a business deal between the two broke down and defendant allegedly hacked into plaintiff's serviers and misappropriated its technology. Plaintiff moved to dismiss on the ground that the forum selection claiuse in the NDA required the case to be heard in Paris, France. | The court rejected the defendant's argument that all of the claims in the first amended complaint traced back to the confidential discussions held under the NDA, and were therefore subject to the forum selection clause. Noting that all of the events that gave rise to the CFAA claims occurred after termination of the discussions subject to the NDA; instead, the CFAA claims were based on the defendant's alleged unauthorized access to information that the plaintiff did not disclose during negotiations. Since none of the CFAA claims required the interpretation of the NDA, the forum selection clause in the agreement was irrelevent and the court denied the motion to dismiss. | Not Reported in F.Supp.3d |
| Slip Copy | 2015 WL 5697365 | 9/29/15 | Delacruz v. State Bar of California | California Northern District | Civil | |||
| The court granted the motion to dismiss, finding that the plaintiff's allegations were insufficient to bring a CFAA claim because the complaint did not state that the defendant accessed his computer or that the defendant obtained any information as a result of intentional access. Further, the plaintiff failed to show that he suffered any loss cognizable under the CFAA, since his claim that this caused him to be denied a law license did not qualify as either damages to a computer or costs associated with investigation and prevention of additional unauthorized access. | Slip Copy | |||||||
| Slip Copy | 2014 WL 130526 | 1/14/14 | Welenco, Inc. v. Corbell | California Eastern District | ||||
| Corbell purchased Welenco, a company that repaired water-wells and did geophysical logging. Another person bought Welenco after Corbell, and it became apparent that Corbell took information from Welenco before he left, and continued to take information after he left as well. Plaintiff alleged violation of the CFAA for this. | Defendants' motion to transfer venue was DENIED. | |||||||
| 87 F.Supp.3d 1018 | 2014 WL 1973378 | 5/14/14 | Opperman v. Path, Inc. | |||||
| Civil | Plaintiffs brought suit against multiple defendants regarding apps for Apple products and disclosure of personal information. | Plaintiffs did not specifically present arguments about "without authorization" and so the court DISMISSED their claim on the CFAA count. | ||||||
| Not Reported in F.Supp.2d | 2014 WL 121519 | 1/13/14 | ||||||
| California Northern District | Civil | Nosal was convicted of three counts of computer fraud in violation of the CFAA. During sentencing, the court determined that Nosal had to pay restitution. | Restitution was set at $827,983.25. | |||||
| Slip Copy | 2014 WL 68957 | 1/8/14 | Sprint Nextel Corp. v. Welch | California Northern District | Civil | Sprint alleges that defendant purchased phones from Sprint and resold them to others in an organized scheme to defraud; they allege unauthorized access for the scheme under the CFAA and trafficking in passwords. | Sprint's motion for default judgment against the defendant was GRANTED. | |
| Not Reported in F.Supp.2d | ||||||||
| 1/8/14 | Flextronics International, Ltd. v. Parametric Technology Corporation | California Northern District | Civil | After a contractual agreement gone sour after unauthorized copies of PTC's software were found on computers not covered by their agreement with Flextronics, PTC moves to dismiss under the CFAA claiming that they have failed to allege injuries, and have not alleged specific instances of unauthorized access. | The court GRANTED the motion to dismiss from PTC. Flextronics had leave to amend their claims under the CFAA. | |||
| 2014 WL 1922833 | 5/14/14 | Farmers Ins. Exchange v. Steele Ins. Agency, Inc. | California Eastern District | Civil | Plaintiff sues defendant for misappropriation of trade secrets in conjunction with the CFAA -- defendant allegedly copied customer lists from Farmers. | Cross-defendants moved for a motion to strike, attorneys' fees, and a motion to dismiss. The only motion GRANTED was the motion to strike. All other motions DENIED. | ||
| 41 F.Supp.3d 816 | 2014 WL 1903639 | 5/12/14 | NetApp, Inc. v. Nimble Storage, Inc. | California Northern District | Civil | Plaintiff claims defendants used to work for its company and then departed within a short period of each other to go work for another company; P alleges Ds took, copied, and destroyed confidential data. (Discussion/determination of the Nosal standards). | Court DENIED defendants' motion to dismiss the CFAA claim after defendants alleged that authorization was at issue. Some CFAA claims were DISMISSED from NetApp with leave to amend to better clarify damages. | |
| Slip Copy | 2014 WL 1588715 | 4/18/14 | NobelBiz, Inc. v. Wesson | California Southern District | Civil | Plaintiff filed complaint alleging their former employee unlawfully accessed a computer and misappropriated trade secrets, and wrongly disclosed confidential information. Defendant also attempted to conceal his access and disclosure by destroying evidence. P petitioned for expedited discovery for an injunction or TRO. | The expedited discovery was GRANTED but with limited scope, and specific to documents originating to or belonging to the plaintiff. | |
| Slip Copy | 2014 WL 1333999 | 4/3/14 | Quad Knopf, Inc. v. South Valley Biology Consulting, LLC | California Eastern District | Civil | P alleges former employees removed work product and transmitted that to D. | P didn't show specifically how Ds exceeded authorized access. Therefore CFAA claim DENIED, and MSJ GRANTED. | |
| Not Reported in F.Supp.2d | 2014 WL 1312111 | 4/1/14 | NovelPoster v. Javitch Canfield Group | California Northern District | Civil | Defendants refused to relinquish control of plaintiff company's website and allegedly accessed company email without authorization. | Defendants' motions to dismiss were both DENIED. | |
| Not Reported in F.Supp.2d | 2014 WL 1338474 | 3/28/14 | In re Carrier IQ, Inc. Consumer Privacy Litigation | California Northern District | Civil | Plaintiffs allege software on Defendants' cell phones can intercept their private user data and allege a CFAA violation. Defendants moved to compel arbitration with the class. | Defendants' motion to compel arbitration DENIED. | |
| Not Reported in F.Supp.2d | 2014 WL 1025120 | 3/13/14 | Gotham City Online, LLC v. Art.com, Inc. | California Northern District | Civil | Feuding poster companies -- defendant moves to disqualify plaintiffs' counsel because counsel obtained emails sent from defendant to plaintiff that defendant alleges violate the attorney-client privilege. | Motion to disqualify counsel GRANTED in part, plaintiff ordered to find new counsel. | |
| Slip Copy | 2014 WL 223082 | 1/21/14 | CollegeSource, Inc. v. AcademyOne, Inc. | California Southern District | Civil | Plaintiff brought suit against defendant for violating the CFAA, and sought to lift a discovery stay to determine whether or not evidence needs to be preserved after there were concerns of deletion of files, use of passwords/usernames of CollegeSource customers, etc. | Motion to lift stay DENIED by the court. | |
| Not Reported in F.Supp.2d | 2014 WL 988889 | 3/10/14 | In re Google Android Consumer Privacy Litigation | California Northern District | Civil | Plaintiffs allege that third-party apps knowingly collected their data and then brought it to Google, in violation of their privacy rights and the CFAA. | Google's request to dismiss the CFAA claim for failure to show damage or loss on the part of the plaintiffs is GRANTED. | |
| Not Reported in F.Supp.2d | 2014 WL 869486 | 3/3/14 | Sprint Nextel Corporation v. Thuc Ngo | California Northern District | Civil | Court adopted default judgment, no further information provided. | Court adopted default judgment, no further information provided. | |
| Wichansky v. Zoel Holding Co. Inc | 2014 WL 6633513 | United States District Court, D. Arizona | X | |||||
| NetApp, Inc. v. Nimble Storage, Inc. | 2015 WL 400251 | United States District Court, N.D. California, San Jose Division (9th Cir.) | X | |||||
| In re Carrier IQ, Inc. Consumer Privacy Litigation | 2015 WL 1338474 | United States District Court, N.D. California (9th Cir.) | X 18 indivudals from thirteen different states | |||||
| PQ Labs, Inc. v. Qi | 2015 WL 224970 | United States District Court, N.D. California (9th Cir.) | X | |||||
| Facebook, Inc. v. Grunin | 77 F.Supp. 3d 965 | United States District Court, N.D. California, (9th Cir.) | X | |||||
| NovelPoster v. Javitch Canfield Group | 2014 WL 7149216 | United States District Court, N.D. California (9th Cir.) | X | |||||
| Farmers Ins. Exchange v. Steele Ins. Agency, Inc. | 2014 WL 7140975 | United States District Court, E.D. California (9th Cir.) | X | |||||
| SA Luxury Expeditions LLC v. Latin America for Less, LLC | 2014 WL 6065838 | United States District Court, N.D. California (9th Cir.) | X | |||||
| NovelPoster v. Javitch Canfield Group | ||||||||
| 2014 WL 5687344 | United States District Cout, N.D. California (9th Cir.) | X | ||||||
| NovelPoster v. Javitch Canfield Group | 2014 WL 5594969 | United States District Cout, N.D. California (9th Cir.) | X | |||||
| PolyOne Corp. v. Kutka | 2014 WL 7211692 | United States District Cout, N.D. California (9th Cir.) | X | |||||
| Facebook, Inc. v. Grunin | 2014 WL 5499279 | United States District Cout, N.D. California (9th Cir.) | X | |||||
| In re JPMorgan Chase Derivative Litigation | 2014 WL 5430487 | United States District Court, E.D. California (9th Cir.) | X | |||||
| PQ Labs, Inc. v. Qi | ||||||||
| 2014 WL 4954161 | United States District Court, N.D. California | X | ||||||
| Jewel Systems, Inc. v. Centinel Group, Inc. et all | 2014 WL 4704815 | United States District Court, S.D. California (9th Cir.) | X | |||||
| Newcomb Anderson Mccormick, Inc. v. ARC Alternatives | 2014 WL 3885898 | United States District Court, N.D. California (9th Cir.) | X | |||||
| NovelPoster v. Javitch Canfield Group | 2014 WL 3845148 | United States District Court, N.D. California | X | |||||
| New Show Studios LLC v. Needle | 2014 WL 2988271 | California Central District | x | |||||
| Agardi v. Hyatt Hotels Corporation | 2014 WL 2860658 | California Northern District | ||||||
| In re Hulu Privacy Litigation | 2014 WL 2758598 | California Northern District | ||||||
| x | ||||||||
| Flextronics International, Ltd. v. Parametric Technology Corporation | 2014 WL 2213910 | California Northern District | x | |||||
| United States v. Nosal | 2014 WL 2109948 | California Northern District | x | |||||
| Opperman v. Path, Inc. | 2014 WL 1973378 | |||||||
| California Northern District | ||||||||
| Farmers Ins. Exchange v. Steele Ins. Agency, Inc. | 2014 WL 1922833 | California Eastern District | x | |||||
| NetApp, Inc. v. Nimble Storage, Inc. | 2014 WL 1903639 | California Northern District | x | |||||
| NobelBiz, Inc. v. Wesson | 2014 WL 1588715 | California Southern District | ||||||
| Quad Knopf, Inc. v. South Valley Biology Consulting, LLC | 2014 WL 1333999 | California Eastern District | x | |||||
| NovelPoster v. Javitch Canfield Group | 2014 WL 1312111 | California Northern District | x | |||||
| In re Carrier IQ, Inc. Consumer Privacy Litigation | 2014 WL 1338474 | California Northern District | x | |||||
| Gotham City Online, LLC v. Art.com, Inc. | 2014 WL 1025120 | California Northern District | x | |||||
| In re Google Android Consumer Privacy Litigation | 2014 WL 988889 | California Northern District | x | |||||
| Sprint Nextel Corporation v. Thuc Ngo | 2014 WL 869486 | California Northern District | x | |||||
| Farmers Ins. Exchange v. Steele Ins. Agency, Inc. | 2014 WL 466274 | California Eastern District | x | |||||
| PQ Labs, Inc. v. Yang Qi | 2014 WL 334453 | California Northern District | x | |||||
| CornerStone Staffing Solutions, Inc. v. James | 2014 WL 310089 | California Northern District | x | |||||
| Enki Corporation v. Freedman | 2014 WL 261798 | California Northern District | x | |||||
| CollegeSource, Inc. v. AcademyOne, Inc. | 2014 WL 223082 | California Southern District | x | |||||
| Welenco, Inc. v. Corbell | 2014 WL 130526 | California Eastern District | x | |||||
| United States v. Nosal | 2014 WL 121519 | California Northern District | x | |||||
| Sprint Nextel Corp. v. Welch | 2014 WL 68957 | California Northern District | x | |||||
| Not Reported in F.Supp.2d | 2014 WL 310089 | 1/28/14 | CornerStone Staffing Solutions, Inc. v. James | California Northern District | Civil | Plaintiff had asked defendant to inspect his computer hard drives and he objected. His files were eventually inspected and he claims to have suffered stress and embarrassment after his private communications were spread around the company in spite of a protective order. | Defendant's motion to dismiss DENIED, and plaintiff was ordered by the court to provide additional information for the case. | |
| Flextronics International, Ltd. v. Parametric Technology Corporation | 2014 WL 69532 | California Northern District | x | |||||
| Oracle America, Inc. v. TERiX Computer Company, Inc. | 2014 WL 31344 | California Northern District | x | |||||
| Grear v. Comcast Corporation | 2015 WL 926576 | United States District Court, N.D. California (9th Cir.) | X | |||||
| Facebook, Inc. v. Grunin | 2015 WL 884035 | United States District Court, N.D. California (9th Cir.) | X | |||||
| Slip Copy | 2014 WL 466274 | 2/5/14 | Farmers Ins. Exchange v. Steele Ins. Agency, Inc. | California Eastern District | Civil | Plaintiffs brought a claim against defendants for misappropriation of trade secrets in conjunction with the CFAA claim. The plaintiffs claim that the defendants took policyholder information to steal clients away. | Defendants only moved to dismiss the civil conspiracy claim, which was DENIED. The CFAA claim was not affected. | |
| Lei v. City of Lynden | 2014 WL 6611382 | United States District Court, W.D. Washington at Seattle (9th Cir.) | X | |||||
| Not Reported in F.Supp.2d | 2014 WL 2988271 | 6/30/14 | New Show Studios LLC v. Needle | California Central District | Civil | Former employee of NSS allegedly asked other employees to provide him access to their computer databases. | Court DENIED CFAA claim because plaintiffs failed to show defendants accessed computers, and failed to show loss under the CFAA. | |
| Not Reported in F.Supp.3d | 2014 WL 334453 | 1/29/14 | PQ Labs, Inc. v. Yang Qi | California Northern District | Civil | PQ Labs brought suit against defendants for misappropriation of trade secrets (unlawful download of hardware schematics, customer information, and software code). Specifically, P alleges D sent phishing emails with viruses to infect PQ Labs' computers. | Even though there were testimonial inconsistencies, P alleged specific evidence to infer that defendants violated the CFAA. Defendants were DENIED summary judgment on the CFAA claim. | |
| Not Reported in F.Supp.2d | 2014 WL 261798 | 1/23/14 | Enki Corporation v. Freedman | California Northern District | Civil | An employer sued an employee for using a customer's working log-in credentials to access the employer's scripts. The employee downloaded Enki's proprietary information and the customer then terminated the contract. | Defendants' motion to dismiss is GRANTED as to the CFAA claims. | |
| Not Reported in F.Supp.2d | 2014 WL 31344 | 1/3/14 | Oracle America, Inc. v. TERiX Computer Company, Inc. | California Northern District | Civil | Defendants brought a motion to dismiss after Oracle brought them to court alleging CFAA violations for unlawfully accessing Oracle's database to download Solaris updates to Oracle software, or unlawfully directing others to access Oracle intellectual property and download it. | Court found that 1) heightened pleading requirements under Rule 9(b) of the FRCP not applicable in the instant case; 2) Oracle did not specifically outline "trafficking" in passwords/conspiracy; and 3) while the credentials worked for Oracle customers, the defendants exceeded access by using their passwords/login info, etc. Therefore, the court GRANTED and DISMISSED in part the motion to dismiss, and gave leave to refile. | |
| Not Reported in F.Supp.3d | 2014 WL 2758598 | 6/17/14 | In re Hulu Privacy Litigation | California Northern District | Civil | Viewers of Hulu videos brought a class action alleging that Hulu improperly allowed their video viewing selections and preferences to be disclosed to third parties. | Certification of the class DENIED without prejudice. | |
| Not Reported in F.Supp.2d | 2014 WL 2860658 | 6/23/14 | Agardi v. Hyatt Hotels Corporation | California Northern District | Civil | The plaintiff alleges that Hyatt worked in conjunction with her former boss whom she accused of sexual harrassment to defame her by searching her internet files, unlawfully accessing information about her, and defaming her character through information allegedly found from these searches. | Defendant filed motion to dismiss and because of statute of limitations issues and the plaintiff's failure to state her claims adequately, the court GRANTED the motion to dismiss and did not allow plaintiff to amend. | |
| Not Reported in F.Supp.2d | 2014 WL 2213910 | 5/28/14 | Flextronics International, Ltd. v. Parametric Technology Corporation | California Northern District | Civil | Defendant moves to dismiss plaintiff's claims under the CFAA. Plaintiff alleges that defendant had concealed certain embedded technology in software to gain information about the plaintiff's product. | Defendant claimed that P didn't show loss of $5k+, and that "without authorization" wasn't demonstrated. P specifically said what kind of information D accessed and why it was not permitted to do so. Motion to dismiss DENIED on that CFAA claim. | |
| Not Reported in F.Supp.2d | 2014 WL 2452803 | 5/30/14 | Property Rights Law Group, P.C. v. Lynch | Hawai'i | Civil | Plaintiff brought suit alleging that defendant violated the terms of her contract after she left the law firm. Defendant allegedly kept files when she started her own law firm and the plaintiff alleges she also kept other business records, forms, etc. | Plaintiff did not specifically indicate how the defendant accessed the firm's shared drive ("without authorization"). Summary judgment for defendants was GRANTED. | |
| Slip Copy | 2015 WL 1413391 | 9/24/15 | New England Life Ins. Co. v. Lee | Nevada District Court | Civil | Plaintiff sued defendants, all of whom were former employees, after they left plaintiff's company and joined the offices of a competitor. The plaintiff alleged breach of contract and violations of the CFAA, among other claims. In its CFAA claim, the plaintiff alleged that the lead defendant exceeded authorized access to his work computer by impermissably copying documents and confidential information without authority. The defendant moved to dismissed. | The court dismissed plaintiff's CFAA claim based on the fact that plaintiff failed to allege that the defendant accessed any forbidden documents. Applying the narrow definition of "exceeds authorized access" that has been adopted by the Ninth Circuit, the court found that even though the defendant may have breached a duty of loyalty when he used the information in violation of a company policy, such actions do not constitute a violation of the CFAA. | Slip Copy |
| Oracle USA, Inc. v. Rimini Street, Inc. | 2014 WL 576097 | Nevada | x | |||||
| Not Reported in F.Supp.2d | 2014 WL 1365903 | 4/7/14 | Mitchell Enterprises, Inc. v. Mr. Elec. Corp. | Idaho | Civil | Two contractors joined together and P became a franchisee of D. After relations soured, D used ZWARE software to link up the hard drives of P's company and personal computers to download files and lock Ps out after taking files about proprietary software. | D's motion to dismiss CFAA claim GRANTED because CFAA claim is time-barred by two year SoL. The court points out that it starts rolling at the time of the data breach, not when the Ps independently confirmed it. | |
| U.S. v. Wei Seng Phua | 2015 WL 427862 | United States District Court, D. Nevada(9th Cir.) | X | |||||
| CPA Lead, LLC v. Adeptive Ads LLC | 2014 WL 7072316 | United States District Court, D. Nevada (9th Cir.) | X | |||||
| Oracle USA, Inc. v. Rimini Street, Inc. | 6 F.Supp.3d 1108 | United States District Court, D. Nevada (9th Cir.) | X | |||||
| Cousineau v. Microsoft Corp. | 2014 WL 1232593 | Washington Western District | ||||||
| Slip Copy | 2014 WL 273140 | 1/23/14 | K.F. Jacobsen & Co., Inc. v. Gaylor | Oregon | Civil | Plaintiff filed action against its former employee seeking protection from release of confidential information under the CFAA. The plaintiff moved to dismiss because their requested relief was granted in state court. Defendant sought imposition of attorney's fees. | Motion to dismiss GRANTED, attorney's fees not imposed. | |
| Not Reported in F.Supp.2d | 2014 WL 2694220 | 6/11/14 | Mortensen v. Bresnan Communications, L.L.C. | Montana | Civil | Plaintiffs failed to timely object and waived right to de novo review; parties made a contract and arbitration is necessary. | Motion for reconsideration and for arbitration from Defendant is GRANTED. | |
| 6 F.Supp.3d 1167 | 2014 WL 1232593 | 3/25/14 | Cousineau v. Microsoft Corp. | Washington Western District | Civil | A woman brought suit against defendant alleging improper access of her cell phone location information. | Class certification DENIED for plaintiffs, defendants' motion for summary judgment GRANTED. | |
| Phillips v. Executor of Estate of Arnold | 2014 WL 4792033 | United States District Court, W.D. Washington at Seattle (9th Cir.) | X | |||||
| Slip Copy | 2015 WL 1954653 | 4/29/15 | Omega Morgan, Inc. v. Heely | Washington Western District | Civil | Plaintiff sued defendants, a former employee and a newly formed competor, alleging that they misappropriated confidential information, misused company property, and interfered with plaintiff's contracts. The defendants moved for partial summary judgment, arguing that the Washington Uniform Trade Secrets Act (WUTSA) preempts plaintiff's claim for, inter alia, violation of the CFAA. | The court held that the plaintiff's claims under the CFAA based on the unauthorized copying of confidential information was preempted by WUTSA because that claim rested in the same factual basis as the plaintiff's WUTSA claims. The plaintiff's claim that the defendants wiped the plaintiff's computers prior to their termination was not preempted by WUTSA, however, because that CFAA claim did not allege that the defendants action constituted a misappropriation of plaintiff's trade secrets. | Slip Copy |
Tenth Circuit Cases:
| Slip Copy | 2015 WL 4512313 | 7/27/15 | Premier Group, Inc v. Bolingbroke | Colorado District | Civil | Plaintiff brought a CFAA claim against a number of former employees, alleging that although they were granted access to its computer systems for the purpose of developing and growing its business, they exceeded the scope of their authorized access to its computer system by obtaining proprietary business information for the purpose of undercutting plaintiff's business and starting a competing company. Defendants argued that because they accessed the plaintiff's computer systems from a state outside the forum state (the defendants worked in Utah, and the plaintiff's computers were in Colorado), venue in Colorado was improper. | The court held that because accessing a protected computer and causing damage to said computer are elements of the plaintiff's CFAA claim, the location of the computer at issue is particularly relevant to determining the location of substantial acts giving rise to such claims. Accordingly, because the computer system that the defendant allegedly accessed without authorization was located in Colorado, venue was proper in that jurisdiction. | Slip Copy |
| 28 F.Supp.3d 1170 | 2014 WL 1128512 | 3/20/14 | Bovino v. MacMillan | Colorado | Civil | Plaintiff moves for summary judgment after defendant accessed her husband's emails with plaintiff attorney/law firm. Defendant claims she had access to view the emails on her computer after her husband's competency was at issue. | Motion for summary judgment DENIED due to material issues of dispute between parties. | |
| Not Reported in F.Supp.2d | 2014 WL 2885465 | 6/25/14 | Tank Connection, LLC v. Haight | Kansas | Civil | Plaintiff alleged that the defendant abruptly terminated his employment and took many flash drives with confidential information on them relating to business practices. | The defendant's new employer filed a motion to dismiss it as a relief defendant that the court GRANTED. | |
| Not Reported in F.Supp.2d | 2014 WL 644952 | 2/19/14 | AZ DNR, LLC v. Luxury Travel Brokers, Inc. | Kansas | Civil | Defendants who purchased frequent flyer miles from plaintiff sought to dismiss the case where plaintiff alleged that defendant unlawfully accessed their computer systems. | Defendants' misinterpretation about the scope of "authorization" and "access" prompted the court to DENY the motion to dismiss. | |
| U, Inc. v. Shipmate, Inc. | 2014 WL 6997538 | United States District Court, D. Kansas (10th Cir.) | X | |||||
| AZ DNR, LLC v. Luxury Travel Brokers, Inc. | ||||||||
| 2014 WL 5430224 | United States District Court, D. Kansas (10th Cir.) | X | ||||||
| AZ DNR, LLC v. Luxury Travel Brokers, Inc. | 2014 WL 644952 | Kansas | x | |||||
| Tank Connection, LLC v. Haight | 2014 WL 2885465 | Kansas | ||||||
| North American Ins. Agency, Inc. v. Bates | 2014 WL 3810534 | |||||||
| X | ||||||||
| Not Reported in F.Supp.2d | ||||||||
| 7/1/14 | Great Western Ins. Co., Inc. v. Miranda | Utah | Civil | The insurance company sued Michele Miranda and her attorney for unlawfully accessing websites on the GWIC website by manipulating URLs. She had access to sensitive and private information she wasn't supposed to have access to. | Court determined they could retain jurisdiction over Miranda but not Shields, her attorney, and so he was dismissed and a transfer to a different venue was denied. |
Eleventh Circuit Cases:
|
Slip Copy |
2015 WL 1474146 |
3/31/15 |
D&J Optical, Inc. v. Wallace |
Alabama Middle District |
Civil |
Plaintiff sued a former employee, a former independent contractor, and a competitor alleging violations of the CFAA after the plaintiff discovered that data was transferred from its server to an unknown server and that various data transmitters had been installed to its computer network in order to allow remote access. One of the defendants, the competitor for whom the former employees now worked, moved to dismiss, alleging that the claims against it were merely speculative. |
The court denied the motion to dismiss, finding that at this point in the litigation the plaintiff's allegation that the competitor defendant intended to access its computer system remotely was sufficient, particularly since the former employees were undergoing training at the competitors offices when the alleged violations took place. Further, the plaintiff alleged that some its workstations were accessed from remote locations that can be traced back to the competitor both before and after the former employees left. |
Slip Copy |
|
Slip Copy |
2014 WL 293472 |
1/27/14 |
Keen v. Bovie Medical Corp. |
Florida Middle District |
Civil |
Bovie filed counterclaims against Keen (former in-house counsel and executive officer at Bovie) for violation of the CFAA. A jury returned a verdict for Keen on the counterclaim, and the parties brought motions for attorneys' fees. |
The court GRANTED in part and DENIED in part the plaintiff's motion for attorneys' fees. |
|
|
Slip Copy |
2014 WL 408443 |
2/3/14 |
Deman Data Systems, LLC v. Schessel |
Florida Middle District |
Civil |
FFS claims it is an owner of software, and they sublicense to DDS. DDS claims it is exclusive provider of data services utilizing the software. Schessel allegedly engaged in misconduct, including accessing and deleting confidential information, soliciting other business, and storing information for his new business (CFAA violation). |
Court retained jurisdiction on the CFAA claim, and motions to dismiss claims on both sides GRANTED and DENIED (granted dismissal of DDS's unjust enrichment claim, denied all others). |
|
|
Slip Copy |
2014 WL 2960964 |
6/30/14 |
Denarii Systems LLC v. Arab |
Florida Southern District |
Civil |
- |
Plaintiff's motion for summary judgment on the CFAA was DENIED because there was a material dispute shown. |
|
|
--- F.Supp.3d ---- |
2015 WL 1611310 |
4/9/15 |
TracFone Wireless, Inc. v. Adams |
Florida Southern District |
Civil |
|
|
--- F.Supp.3d ---- |
|
Slip Copy |
2015 WL 6123520 |
10/19/15 |
BROWN JORDAN INTERNATIONAL INC., BJI HOLDINGS, LLC, BROWN JORDAN SERVICES & BROWN JORDAN COMPANY, Plaintiffs, v. CHRISTOPHER CARMICLE, Defendant, |
Florida Southern District |
Civil |
Former employee brought a CFAA claim against his former employer alleging that it hacked into his personal laptop while it was in the employers custody for a brief period of time. Employer moved for summary judgment on the CFAA claim. |
The court granted summary judgment based on the sworn affidavit of the company's VP of Benefits that the plaintiff's laptop was in her possesion and that she neither access nor attempted to access its contents. Further, the plaintiff to support his allegations, the plaintiff was able to establish only that the computer lid may have been opened when in the employer's possession, and not that any information had been accessed. |
Slip Copy |
|
Slip Copy |
2015 WL 4243480 |
7/8/15 |
Thomas Christopher Group, Inc. v. Moreno |
Florida Middle District |
Civil |
Plaintiff sued two former employees and the employee of a competitor, alleging, inter alia, that they access plaintiff's computer servers and stole proprietory systems, tools, and processes by externally recording files and data in an effort to start their own business. One of the defendants, the former employee of the competitor, moved to dismss all claims, including a claim for violation of the CFAA. |
The court granted the defendant's motion to dismiss with respect to the CFAA claim based in the fact that the plaintiff failed to allege that this particularly defendant accessed it computers without authorization. The court rejected the plaintiff's argument that the defendant was liable for a violation of the CFAA because she directed the other two defendants to access the plaintiff's computers, noting that, despite the fact that the Eleventh Circuit interprets "access" under the CFAA broadly, no contolling case law existed to support a definition of "access" based on an agency theory. |
Slip Copy |
|
Slip Copy |
2015 WL 3720107 |
6/15/15 |
Allied Portables, LLC v. Youmans |
Florida Middle District |
Civil |
Plaintiff brought eight claims against former managing member, including one claim for violating the CFAA, which alleged that defendant repeatedly accessed plaintiff corporation's computers with an intent to defraud when she changed the access credentials used by other authroized users and created backdoors and other vulnerabilities in the network. Defendent moved to dismiss, arguing that plaintiffs failed to sufficiently allege that she exceeeded her authorized access when she accessed plaintiff's computers. |
The Court sided with the defendant and dismissed the CFAA claim, thereby requiring a dismissal of the case from federal court because the CFAA claim was what granted subject matter jurisdiction. In doing so, the Court rejected the plaintiff's argument that it should adopt the "broad" definition of "exceeds authorized access" and instead held that the narrow interpretation is more persuasive. Accordingly, because the defendent was authorized to access the plaintiff's computer at the time of the alleged misconduct, she did not violate the statute simply because her actions violated a company policy. |
Slip Copy |
|
Slip Copy |
2015 WL 1470852 |
3/31/15 |
Enhanced Recovery Co., LLC v. Frady |
Florida Middle District |
Civil |
Plaintiff filed a suit against a former employee, her subsequent employer, and its COO, claiming that before she left plaintiff's company she misappropriated its trade secrets and shared them with her future employer. Defendants moved to dismiss for failure to state a claim, and a magistrate judge recommended dismissing some claims, but allowing the CFAA claim to go forward. The defendants then challenged this recommendation, arguing that defendant was an authorized user at the time she obtained the plaintiff's information, and therefore did not "exceed authorized access." |
The court sided with the defendants, taking a narrow approach the CFAA term "exceeds authorized access" and finding that even though the defendant may have violated a company computer use policy, the fact that the employee was authroized to access the information at the time it was obtained was sufficient to immunize her activities from the scope of the CFAA. Thus, the court ruled that "a violation for accessing 'without authorization' occurs only where initial access is not permitted, and a violation for 'exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted." |
Slip Copy |
|
Slip Copy |
2015 WL 2354803 |
5/15/15 |
Stirling Intern. Realty, Inc. v. Soderstrom |
Florida Middle District |
Civil |
Plaintiff alleged that ex-wife accessed his private email account without authorization and forwarded emails to third parties in order to gain a tactical advantage in their divorce proceedings. The defendant moved to dismiss, arguing that the plaintiff failed to allege a loss of at least $5,000, that the computer at issue was not protected, and that she was actually the person who exceeded authorized access. |
The court found that the plaintiff's submission of a $5,100 invoice for forensic computer services conducted to investigate the alleged breach was sufficient to make a CFAA claim. The court further held that a computer that is connected to the Internet sufficiently affects interstate commerce and is considered a protected computer under the CFAA. Additionally, the court held that it was not necessary for the plaintiff to prove at this point that she was the individual who accessed the account without authorization, only that it was plausible that she did so (make a reasonable inference). |
Slip Copy |
|
Deman Data Systems, LLC v. Schessel |
2014 WL 408443 |
Florida Middle District |
x |
|
|
|
|
|
|
Keen v. Bovie Medical Corp. |
2014 WL 293472 |
Florida Middle District |
|
|
|
|
|
|
|
Sprint Solutions, Inc. v. Cell Xchange, Inc. |
2015 WL 1001272 |
United States District Court, M.D. Florida, Tampa Division (11th Cir.) |
X |
|
|
|
|
|
|
Stirling Intern. Realty, Inc. v. Soderstrom |
2015 WL 403318 |
United States District Court, M.D. Florida, Orlando Division (11th Cir.) |
X |
|
|
|
|
|
|
Maintenx Management, Inc. v. Lenkowski |
2015 WL 310543 |
United States District Court, M.D. Florida, Tampa Division (11th Cir.) |
X |
|
|
|
|
|
|
Enhanced Recovery Co., LLC v. Frady |
2015 WL 1470839 |
United States District Court, M.D. Florida, Jacksonville Division (11th Cir.) |
X |
|
|
|
|
|
|
Deman Data Systems, LLC v. Schessel |
2015 WL 78795 |
United States District Court, M.D. Florida, Tampa Division (11th Cir.) |
X |
|
|
|
|
|
|
Deman Data Systems, LLC v. Schessel |
2104 WL 6751195 |
United States District Court, M.D. Florida, Tampa Division (11th Cir.) |
X |
|
|
|
|
|
|
Aquent LLC v. Stapleton |
65 F.Supp.3d 1339 |
United States District Court, M.D. Florida, Orlando Division (11th Cir.) |
X |
|
|
|
|
|
|
Wyndham Vacation Ownership, Inc. v. Miloszewski |
2014 WL 5472454 |
United States District Court, M.D. Florida, Orlando Division (11th Cir.) |
X |
|
|
|
|
|
|
Denarii Systems LLC v. Arab |
2014 WL 2960964 |
Florida Southern District |
x |
|
|
|
|
|
|
Slip Copy |
2014 WL 667958 |
2/20/14 |
Southern Parts & Engineering Co., LLC v. Air Compressor Services, LLC |
Georgia Northern District |
Civil |
Plaintiff business alleges defendants unlawfully accessed their information, took customer lists, and even used company resources to develop their competitor company. Their website looks substantially like the defendants' new website. |
Motion to dismiss from the defendants DENIED, plaintiff alleged loss sufficient under CFAA. |
|
|
--- F.Supp.3d ---- |
2015 WL 6161344 |
10/19/15 |
Sprint Solutions, Inc. v. JP Intern. Group Inc. |
Georgia Northern District |
Civil |
|
|
--- F.Supp.3d ---- |
CFAA Criminal Cases[edit]
| 31 F.Supp.3d 540 | 2014 WL 3362059 | 7/9/14 | U.S. v. Ulbricht | New York Southern District | Criminal | The US government sued Ulbricht as the creator of the website Silk Road as participating in conspiracy, ongoing criminal trafficking, etc. Ulbricht argued that "access without authorization" is not defined adequately under CFAA. | Defendant's motion to dismiss is DENIED. | ' |
| 301 F.R.D. 53 | 2014 WL 2980256 | 6/30/14 | U.S. v. Valle | New York Southern District | Criminal | Defendant accessed a NYPD database to look up information about a woman he discussed with online friends on a fetish website. | Defendant's motion for a judgment of acquittal on the CFAA count was DENIED. | |
| Slip Copy | 2015 WL 5602886 | 9/23/15 | U.S. v. Prugar | Pennsylvania Middle District | Criminal | Plaintiff filed a motion to withdraw his guilty plea in a criminal proceding where he had been charged in a three count indictment with intentionally causing damage without authorization to a protected computer, in violation of the CFAA, based on an intrusion into his former employer's computer system shortly after he was terminated from his position as a computer network administrator. Defendant claimed that at the time he entered the guilty plea, he was unaware of the available defense that his actions may not have caused the harm which they were alleged to have caused. | The court found that the record sunstantiated defendant's claim of actual innocence, because the only evidence of harm presented during the hearing was the network failure of two memory modules, which could not have resulted from the defendant's actions. Also, the fact that other users accessed the company's system at the same time as the defendant, and it was impossible to determine whose actions actually caused any damage. Accordingly, the court found that these uncertainties in the record demonstrated that the connection between the defendant's conduct and the resulting harm was questionable at best. | Slip Copy |
| 748 F.3d 525 | 2014 WL 1395670 | 4/11/14 | U.S. v. Auernheimer | Third Circuit Court of Appeals | Criminal | Defendant and friend discovered a flaw in Apple's iPad registration process through AT&T that compromised emails, and the pair exploited it to demonstrate the flaw and then sent information to the media and to Apple. Defendant was found guilty in New Jersey for violating the CFAA. He moved to dismiss. | Court DISMISSED for venue issues and CONVICTION VACATED for Auernheimer. | |
| 610 Fed.Appx. 334 | ||||||||
| 2015 WL 4547893 | 7/29/15 | U.S. v. Rich | Fourth Circuit Court of Appeals | Criminal | 610 Fed.Appx. 334 | |||
| 15 F.Supp.3d 846 | 2014 WL 1621964 | 4/17/14 | U.S. v. Yihao Pu | Illinois Northern District | Criminal | Defendants sought to dismiss a superseding indictment, which included among other counts, violations of the CFAA for unauthorized access to Citadel computer systems and download of proprietary source code related to HFT trading. | Motion to dismiss CFAA claims is DENIED. | |
| Not Reported in F.Supp.2d | 2014 WL 3109805 | 7/8/14 | U.S. v. Stratman | Nebraska | Criminal | Defendant pled guilty to one count of violating the CFAA, and the parties met with a list of incontrovertible facts to determine the loss experienced by two institutions of higher education. At issue was the costs incurred by investigating the data security breach. | Court determined the actual loss sustained after having a company investigate the data breach was around $100k. | |
| Slip Copy | 2015 WL 3417471 | |||||||
| U.S. v. Shen | Missouri Eastern District | Criminal | Defendant challenged a magistrate's recommendation to deny his motion to dismiss the CFAA claim against him. The CFAA claim alleged that the plaintiff gained access to password-protected third party service providers, and downloaded sensititve, confidential information regarding his former employer, Washington University. The defendant moved to dismuss, arguing that the CFAA claim was defective because he was authorized to access the service provider, either because he used his personal computer or because his password still worked. | The district court sustained the magistrate's recommendation and denied that the defendant's motion to dismiss. The court agreed with the magistrate that an indictment that tracks the language of a statute is facially sufficient. The court further found that the CFAA claim contained factual allegations that were sufficient to inform the defendant of the conduct that is deemed unlawful. The magistrate pointed to the fact that neither of the defendant's arguments were dispositive with respect to the CFAA claim, and that even though the government would have to present evidence to support each element of the claim, the facts alleged in the complaint were adequate at this point in the litigation. | Slip Copy | |||
| Not Reported in F.Supp.2d | ||||||||
| 5/20/14 | United States v. Nosal | California Northern District | Criminal | Defendant was convicted under the CFAA of unlawfully downloading, copying, and duplicating trade secrets from his former employer. Suit was brought to determine the amount of damages that defendant owed his employer. | Court granted restitution for the time and money spent helping the government's investigation and attorneys' fees. | |||
| 2015 WL 5010591 | 8/25/15 | U.S. v. Christensen | Ninth Circuit Court of Appeals | Criminal | --- F.3d ---- |
Notable cases and decisions referring to the Act[edit]
- United States v. Riggs, brought against people associated with Phrack magazine for obtaining a document (known as the "E911 document") about information on BellSouth products implementing 911 emergency telephone services, a case described in Bruce Sterling's "Hacker Crackdown of 1990". The government dropped the case after it was revealed that the document was on sale by AT&T for $13.
- United States v. Morris (1991), 928 F.2d 504, decided March 7, 1991. After the release of the Morris worm, an early computer worm, its creator was convicted under the Act for causing damage and gaining unauthorized access to "federal interest" computers. The Act was amended in 1996, in part, to clarify language whose meaning was disputed in the case.[7]
- Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit), holding that the use of a civil subpoena which is "patently unlawful," "in bad faith," or "at least gross negligence" to gain access to stored email is a breach of both the CFAA and the Stored Communications Act.[8]
- International Airport Centers, L.L.C. v. Citrin, 2006, , in which Jacob Citrin deleted files from his company computer before he quit, in order to conceal alleged bad behavior while he was an employee.[9]
- LVRC Holdings v. Brekka, 2009 1030(a)(2), 1030(a)(4), in which LVRC sued Brekka for allegedly taking information about clients and using it to start his own competing business.[10][11]
- Robbins v. Lower Merion School District (U.S. Eastern District of Pennsylvania), where plaintiffs charged two suburban Philadelphia high schools secretly spied on students by surreptitiously and remotely activating webcams embedded in school-issued laptops the students were using at home, violating the Act. The schools admitted to secretly snapping over 66,000 webshots and screenshots, including webcam shots of students in their bedrooms.[12][13]
- United States v. Lori Drew, 2008. The cyberbullying case involving the suicide of a girl harassed on myspace. Charges were under 18 USC 1030(a)(2)(c) and (b)(2)(c). Judge Wu decided that using against someone violating a terms of service agreement would make the law overly broad. 259 F.R.D. 449 [14][15]
- People v. SCEA, 2010. Class action lawsuit against Sony for removing OtherOS, the ability to install and run Linux (or other operating systems) on the PlayStation 3. Consumers were given the option to either keep OtherOS support or not. SCEA was allegedly in violation of this Act because if the consumers updated or not, they would still lose system functionality.[16]
- United States v. Drake, 2010. Drake was part of a whistle-blowing effort inside the NSA to expose waste, fraud, and abuse with the Trailblazer Project. He talked to a reporter about the project. He was originally charged with five Espionage Act counts for doing this. These charges were dropped just before his trial was to begin, and instead he pleaded guilty to one misdemeanor count of violating the CFAA, (a)(2), unauthorized access.
- United States v. Manning, 2010-. Chelsea Manning was a soldier who allegedly disclosed tens of thousands of documents to those 'not entitled to receive' them. Among the 34 counts against her, there are several under (a)(1) and (a)(2) of the CFAA, some specifically linked to files like the Reykjavik 13 State Department cable and a video of the July 12, 2007 Baghdad airstrike.[17]
- Grand Jury investigation in Cambridge, 2011. Unknown persons were listed in Grand Jury hearings in Cambridge, Massachusetts, regarding potential charges under the CFAA, as well as the Espionage Act. Journalist Glenn Greenwald has written these were likely related to Wikileaks.[18]
- United States v. Collins et al, 2011. A group of men and women connected to the collective Anonymous signed a plea deal to charges of conspiring to disrupt access to the payment website PayPal in response to the payment shutdown to Wikileaks over the Wau Holland Foundation which was part of a wider Anonymous campaign, Operation Payback.[19][20] They later became known under the name PayPal 14.
- United States v. Aaron Swartz, 2011. Aaron Swartz allegedly entered an MIT wiring closet and set up a laptop to mass-download articles from JSTOR. He allegedly avoided various attempts by JSTOR and MIT to stop this, such as MAC address spoofing. He was indicted for violating CFAA provisions (a)(2), (a)(4), (c)(2)(B)(iii), (a)(5)(B), and (c)(4)(A)(i)(I),(VI).[21] The case was dismissed after Swartz committed suicide in January 2013.[22]
- Sony Computer Entertainment America v. George Hotz and Hotz v. SCEA, 2011. SCEA sued "Geohot" and others for jailbreaking the PlayStation 3 system. The lawsuit alleged, among other things, that Hotz violated ([by] taking info from any protected computer). Hotz denied liability and contested the Court's exercise of personal jurisdiction over him.[23] The parties settled out of court. The settlement caused Geohot to be unable to legally hack the PlayStation 3 system furthermore.
- United States v. Nosal, 2011. Nosal and others allegedly accessed a protected computer to take a database of contacts from his previous employer for use in his own business, violating 1030(a)(4)[24][25] This is a complex case with two trips to the Ninth Circuit, and another seen as likely after the latest conviction in 2013.[26]
- Lee v. PMSI, Inc., 2011. PMSI, Inc. sued former employee Lee for violating the CFAA by browsing Facebook and checking personal email in violation of the company's acceptable use policy. The court found that breaching an employer's acceptable use policy was not "unauthorized access" under the act and, therefore, did not violate the CFAA.
- United States v. Peter Alfred-Adekeye 2011. Adekeye allegedly violated (a)(2), when he allegedly downloaded CISCO IOS, allegedly something that the CISCO employee who gave him an access password did not permit. Adekeye was CEO of Multiven and had accused CISCO of anti-competitive practices.[27]
- Pulte Homes, Inc. v. Laborers' International Union 2011. Pulte Homes brought a CFAA suit against the Laborers' International Union of North America (LIUNA). After Pulte fired an employee represented by the union, LIUNA urged members to call and send email to the company, expressing their opinions. As a result of the increased traffic, the company's email system crashed.[28][29]
- United States v Sergey Aleynikov, 2011. Aleynikov was a programmer at Goldman Sachs accused of copying code, like high-frequency trading code, allegedly in violation of 1030(a)(2)(c) and 1030(c)(2)(B)i-iii and 2. This charge was later dropped, and he was instead charged with theft of trade secrets and transporting stolen property.[30][31]
- United States v Nada Nadim Prouty, circa 2010.[32] Prouty was an FBI and CIA agent who was prosecuted for having a fraudulent marriage to get US residency. She claims she was persecuted by a U.S. attorney who was trying to gain media coverage by calling her a terrorist agent and get himself promoted to a federal judgeship.[33]
- United States v. Neil Scott Kramer, 2011. Kramer was a court case where a cellphone was used to coerce a minor into engaging sex with an adult. Central to the case was whether a cellphone constituted a computer device. Ultimately, the United States Court of Appeals for the Eighth Circuit found that a cell phone can be considered a computer if "the phone perform[s] arithmetic, logical, and storage functions", paving the way for harsher consequences for criminals engaging with minors over cellphones.[34]
- United States v. Kane, 2011. Exploiting a software bug in a poker machine does not constitute hacking[35] because the poker machine in question was not a “protected computer” under the statute (not being connected to the Internet it was judged not to qualify as "protected computer" affecting interstate commerce) and because the sequence of button presses that triggered the bug were considered "not exceed their authorized access." As of November 2013[update] the defendant still faces a regular wire fraud charge.[36]
- Craigslist v. 3Taps, 2012. 3Taps was accused by Craigslist of breaching CFAA by circumventing an IP block in order to access Craigslist's website and scrape its classified ads without consent. In August 2013, US federal judge found 3Taps's actions violated CFAA and that it faces civil damages for “unauthorized access”. Judge Breyer wrote in his decision that "the average person does not use “anonymous proxies” to bypass an IP block set up to enforce a banning communicated via personally-addressed cease-and-desist letter".[37][38] He also noted "Congress apparently knew how to restrict the reach of the CFAA to only certain kinds of information, and it appreciated the public v. nonpublic distinction — but [the relevant section] contains no such restrictions or modifiers."[39]
Aaron Swartz[edit]
The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute.
Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.
When our laws need to be modified, Congress has a responsibility to act. A simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations. I will introduce a bill that does exactly that.
Rep. Zoe Lofgren, Jan 15, 2013 [40]
In the wake of the prosecution and subsequent suicide of Aaron Swartz, lawmakers have proposed to amend the Computer Fraud and Abuse Act. Representative Zoe Lofgren has drafted a bill that would help "prevent what happened to Aaron from happening to other Internet users".[40] Aaron's Law (H.R. 2454, S. 1196[41]) would exclude terms of service violations from the 1984 Computer Fraud and Abuse Act and from the wire fraud statute, despite the fact that Swartz was not prosecuted based on Terms of Service violations.[42]
In addition to Lofgren's efforts, Representatives Darrell Issa and Jared Polis (also on the House Judiciary Committee) raised questions about the government's handling of the case. Polis called the charges "ridiculous and trumped up," referring to Swartz as a "martyr."[43] Issa, who also chairs the House Oversight Committee, announced an investigation of the Justice Department's prosecution.[43][44]
As of May 2014, Aaron's Law was stalled in committee, reportedly due to tech company Oracle's financial interests.[45]
Amendments history[edit]
2008[1]
- Eliminated the requirement that information must have been stolen through an interstate or foreign communication, thereby expanding jurisdiction for cases involving theft of information from computers;
- Eliminated the requirement that the defendant’s action must result in a loss exceeding $5,000 and created a felony offense where the damage affects ten or more computers, closing a gap in the law;
- Expanded 18 U.S.C. § 1030(a)(7) to criminalize not only explicit threats to cause damage to a computer, but also threats to (1) steal data on a victim's computer, (2) publicly disclose stolen data, or (3) not repair damage the offender already caused to the computer;
- Created a criminal offense for conspiring to commit a computer hacking offense under section 1030;
- Broadened the definition of “protected computer” in 18 U.S.C. § 1030(e)(2) to the full extent of Congress’s commerce power by including those computers used in or affecting interstate or foreign commerce or communication; and
- Provided a mechanism for civil and criminal forfeiture of property used in or derived from section 1030 violations.
See also[edit]
- Defense Secrets Act of 1911 / Espionage Act of 1917 / McCarran Internal Security Act 1950
- California Comprehensive Computer Data Access and Fraud Act
- Electronic Communications Privacy Act
- LVRC Holdings v. Brekka
- In re DoubleClick
- MBTA v. Anderson
- Information technology audit
- Computer security audit
- Computer fraud case studies
- The Hacker Crackdown (mentions the law, & the eponymous Chicago task force)
- Protected Computer
- Wikileaks
- Weev
References[edit]
- ^ a b c Jarrett, H. Marshall; Bailie, Michael W. (2010). "Prosecution of Computer Crimes" (PDF). justice.gov. Office of Legal Education Executive Office for United States Attorneys. Retrieved June 3, 2013.
- ^ "SECURING CYBERSPACE - President Obama Announces New Cybersecurity Legislative Proposal and Other Cybersecurity Efforts". Whitehouse.gov. January 13, 2015. Retrieved January 30, 2015.
- ^ "Democrats, Tech Experts Slam Obama's Anti-Hacking Proposal". Huffington Post. January 20, 2015. Retrieved January 30, 2015.
- ^ "Obama, Goodlatte Seek Balance on CFAA Cybersecurity". US News. January 27, 2015. Retrieved January 30, 2015.
- ^ Varma, Corey. "What is the Computer Fraud and Abuse Act". www.coreyvarma.com. Retrieved 10 June 2015.
- ^ Legal Information Institute, Cornell University Law School. "18 USC 1030".
- ^ United States v. Morris (1991), 928 F.2d 504, 505 (2d Cir. 1991).
- ^ "Ninth Circuit Court of Appeals: Stored Communications Act and Computer Fraud and Abuse Act Provide Cause of Action for Plaintiff | Stanford Center for Internet and Society". Cyberlaw.stanford.edu. Retrieved September 10, 2010.
- ^ US v Jacob Citrin, openjurist.org
- ^ U.S. v Brekka 2009
- ^ Kravets, David, Court: Disloyal Computing Is Not Illegal, Wired, September 18, 2009.
- ^ Doug Stanglin (February 18, 2010). "School district accused of spying on kids via laptop webcams". USA Today. Retrieved February 19, 2010.
- ^ "Initial LANrev System Findings", LMSD Redacted Forensic Analysis, L-3 Services—prepared for Ballard Spahr (LMSD's counsel), May 2010. Retrieved August 15, 2010.
- ^ U.S. v. Lori Drew, scribd
- ^ US v Lori Drew, psu.edu KYLE JOSEPH SASSMAN,
- ^ ". Retrieved February 21, 2011.
- ^ See the linked articles about Chelsea Manning, and her charge sheets here: Hague Justice Portal
- ^ FBI serves Grand Jury subpoena likely relating to WikiLeaks by Glenn Greenwald, Salon.com 27 April 2011.
- ^ David Gilbert (December 6, 2013). "PayPal 14 'Freedom Fighters' Plead Guilty to Cyber-Attack". International Business Times.
- ^ Alexa O'Brien (December 5, 2013). "Inside the ‘PayPal 14’ Trial". The Daily Beast.
- ^ See Internet Activist Charged in M.I.T. Data Theft, By NICK BILTON New York Times, July 19, 2011, 12:54 PM, as well as the Indictment
- ^ Dave Smith, Aaron Swartz Case: U.S. DOJ Drops All Pending Charges Against The JSTOR Liberator, Days After His Suicide, International Business Times, January 15, 2013.
- ^ See the links to the original lawsuit documents which are indexed here
- ^ U.S. v. Nosal, uscourts.gov, 2011
- ^ Appeals Court: No Hacking Required to Be Prosecuted as a Hacker, By David Kravets, Wired, April 29, 2011
- ^ Kravets, David (April 24, 2013). "Man Convicted of Hacking Despite Not Hacking". Wired.
- ^ US v Adekeye Indictment. see also Federal Grand Jury indicts former Cisco Engineer By Howard Mintz, 08/05/2011, Mercury News
- ^ techdirt.com 2011 8 9, Mike Masnick, "Sending Too Many Emails to Someone Is Computer Hacking"
- ^ Hall, Brian, Sixth Circuit Decision in Pulte Homes Leaves Employers With Few Options In Response To Union High Tech Tactics, Employer Law Report, 3 August 2011. Retrieved 27 January 2013.
- ^ US v Sergey Aleynikov, Case 1:10-cr-00096-DLC Document 69 Filed 10/25/10
- ^ Ex-Goldman Programmer Described Code Downloads to FBI (Update1), David Glovin and David Scheer - July 10, 2009, Bloomberg
- ^ Plea Agreement, U.S. District Court, Eastern District of Michigan, Southern Division. via debbieschlussel.com
- ^ Sibel Edmond's Boiling Frogs podcast 61 Thursday, 13. October 2011. Interview with Prouty by Peter B. Collins and Sibel Edmonds
- ^ "United States of America v. Neil Scott Kramer" (PDF).
- ^ Poulsen, Kevin (May 7, 2013). "Feds Drop Hacking Charges in Video-Poker Glitching Case". Wired.
- ^ No Expansion of CFAA Liability for Monetary Exploit of Software Bug | New Media and Technology Law Blog
- ^ Kravets, David (August 20, 2013). "IP Cloaking Violates Computer Fraud and Abuse Act, Judge Rules". Wired.
- ^ Craigslist v. 3taps | Digital Media Law Project
- ^ 3Taps Can't Shake Unauthorized Craigslist Access Claims - Law360
- ^ a b Reilly, Ryan J. (January 15, 2013). "Congresswoman Introduces 'Aaron's Law' Honoring Swartz". Huffington Post.
- ^ H.R. 2454 at Congress.gov; H.R. 2454 at GovTrack; H.R. 2454 at OpenCongress. S. 1196 at Congress.gov; S. 1196 at GovTrack; S. 1196 at OpenCongress.
- ^ news.cnet.com/8301-1023_3-57564193-93/new-aarons-law-aims-to-alter-controversial-computer-fraud-law/
- ^ a b Sasso, Brendan. "Lawmakers slam DOJ prosecution of Swartz as 'ridiculous, absurd' - The Hill's Hillicon Valley". Thehill.com. Retrieved 2013-01-16.
- ^ Reilly, Ryan J. (January 15, 2013). "Darrell Issa Probing Prosecution Of Aaron Swartz, Internet Pioneer Who Killed Himself". Huffingtonpost.com. Retrieved 2013-01-16.
- ^ Dekel, Jonathan (May 1, 2014). "Swartz doc director: Oracle and Larry Ellison killed Aaron’s Law". Postmedia.
External links[edit]
- 18 U.S.C. § 1030, text of the law
- Cybercrime: A Sketch of 18 U.S.C. 1030 and Related Federal Criminal Laws, by Charles Doyle, CRS, 12 27 2010, (FAS.org)