On July 18, 2016, Christopher Correa, the former director of the St. Louis Cardinals, pled guilty to five counts of “unauthorized access of a protected computer” in violation of the Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030 et seq.). Correa was found guilty of hacking into the Houston Astros’ internal database by using credentials of former Cardinals employees who now worked for the Astros. His pending prison sentence is nearly four years.
Two weeks earlier, the U.S. Court of Appeals for the Ninth Circuit issued another opinion in the long-running litigation Nosal v. United States, holding that Nosal violated the CFAA in 2004 by using a former colleague’s password to access his former employer’s computer after his own access had been terminated. United States v. Nosal, --- F.3d ----, 2016 WL 3608752 (9th Cir. July 5, 2016). Nosal had initially been charged with conspiracy, theft of trade secrets, and three computer fraud counts. His sentence included prison time, probation and nearly $1 million in fines and restitution.
Though other federal appeals courts have weighed in on what is access “without authorization” under the CFAA, the latest Nosal opinion appears to be the first that decides this question in the framework of arguable hacking of an employer database. The scope of the holdings in Nosal could be far broader, as noted in the dissent, which protested that the majority may have granted prosecutors excessive discretion, and unwittingly criminalized alleged misuse of a website’s terms and conditions (which has already occurred elsewhere) and password sharing. In the aftermath of the Nosal dissent, other commentators have argued that password sharing has not suddenly become criminalized, as the scenario posited in the dissent merely pertains to a speculative future situation.
Notwithstanding these two cases, employees have elsewhere found success in defeating CFAA accusations, often by arguing that they did not access a database or other proprietary information without authorization because their login credentials had yet to be revoked.
As surveyed below, results have been mixed for employees accused of hacking into the databases of their own companies, competitors and potential business partners. This article discusses three recent cases in this area of law, which address: whether theft of intangible property that is not trade secret protected can constitute the common law tort of conversion; whether working to remedy an alleged security breach is an adequate showing of “loss” under the CFAA; and whether allegations stemming from a software hack are sufficiently related to a separate non-disclosure agreement so as to invoke its forum selection clause.
Can an Alleged Hacker Be Liable for Converting Intangible Property?
Intangible property is broadly defined as “something of individual value that cannot be touched or held” and can include “any item of net worth that is not physical in nature.” Such property includes trademarks, copyrights and even goodwill.
In late June of this year, the Supreme Court of Arkansas decided Integrated Direct Marketing v. May, --- S.W. 3d ----, 2016 WL 3568569 (Ark. 2016), which presented a matter appearing to be of first impression as to whether intangible property, standing alone and not deemed a trade secret, could be converted in violation of the common-law tort. This court has defined conversion as “the exercise of dominion over property in violation of the rights of the owner or person entitled to possession.”
The plaintiff, which provided custom data solutions and advice on “data intelligence,” sued its former employee and his current employer for conversion after the former employee allegedly copied to his personal hard drive more than 300 files containing confidential and proprietary information. A federal district court granted summary judgment for the defendants on all of the plaintiff’s resulting claims that alleged, inter alia, breach of contract, breach of fiduciary duty and violation of state statutory trade secret protections, except for a conversion claim under Arkansas law. It certified the question to the Supreme Court of Arkansas of whether intangible property, such as electronic data, standing alone and not constituting a trade secret, can be converted.
This court answered in the affirmative. Without “controlling precedent on this issue,” it cited favorably the Ninth Circuit’s decision in Kremen v. Cohen, 337 F.3d 1024, 1034 (9th Cir. 2003), which held that an Internet domain name could be intangible property that serves as a basis for a conversion claim, and also observed that “it would be curious jurisprudence that turned on the existence of a paper document rather than an electronic one.” Id. The Arkansas court adopted the logic of the Ninth Circuit and concluded that there is “simply no reasonable basis for allowing a claim for conversion of paper documents but not for their electronically stored counterparts.”
Does ‘Working Exclusively’ On Remedying a Former Employee’s Data Breach Constitute Loss?
In Custom Packaging Supply v. Phillips, 2016 WL 1532220 (C.D. Cal. April 15, 2016), the defendants, who included former employees of the plaintiff, were alleged to have downloaded proprietary designs and other confidential information to compile an “illegal library” and pass it on to their new employers.
The plaintiff’s federal cause of action arose under the CFAA (separately, the court dismissed the state claims due to an absence of supplemental jurisdiction under 28 U.S.C. 1367(c)). A mandatory element of a justifiable CFAA civil claim is “damage or loss.” In the instant case, the plaintiff averred that it suffered sufficient “loss” because its employees worked to remedy the alleged data breach for roughly a week, “forcing other projects and customer needs to be ignored.” The court rejected this invocation of “lost business opportunities” as a sufficient loss, and since the plaintiff did not otherwise allege that its computer systems were damaged, the defendants’ motions to dismiss were granted.
Interpreting a Forum Non Conveniens Defense in a Software Hacking Case
Like the other cases discussed in this article, In re Orange, 818 F.3d 956 (9th Cir. 2016), involves litigation against the plaintiff’s former employees and competitors for injuries arising from an alleged hack (including those redressable by the CFAA and analogous state-law claims). The parties began negotiating the formation of a partnership, a process that included non-disclosure agreements (NDAs), to look into building technology that would enable phone calls between users of social media without the need for telephone numbers.
The nascent relationship soon went downhill, and the plaintiff later sued in federal court in California, alleging that the defendants had used “fictitious names” to hack into the plaintiff’s application, and thereby obtain information about the plaintiff’s platform.
The defendants, a French company and its employees, moved to dismiss on grounds of forum non conveniens on the theory that the forum selection clause in the NDA mandated that any litigation between the parties occur in France. After this defense failed in the trial court, the defendants sought a writ of mandamus from the Ninth Circuit that would compel dispute resolution in France. The writ was denied and the Ninth Circuit affirmed on the grounds that the CFAA and related claims that arose from allegations of the defendants’ hacking were not covered by the NDA, which pertained instead to discussions of the potential business relationship.
Richard Raysman is a Partner at Holland & Knight. Peter Brown is the principal at Peter Brown & Associates. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.