Misuse of proprietary data alone doesn't violate CFAA, judge rules

Court rules that Computer Fraud and Abuse Act governs how data is accessed, not how it is used by persons with valid access

Federal courts have started ruling against companies using the much-reviled Computer Fraud and Abuse Act (CFAA) to pursue employees and others who allegedly misappropriate proprietary data.

The latest example involves the dismissal of a lawsuit in which Enki Corp., a Denver, Colo.-based managed services provider, alleges that former employee Keith Freedman violated provisions of the CFAA when he accessed and copied certain proprietary information from the company's servers.

The U.S. District Court for the Northern District of California last week dismissed the lawsuit on the grounds that the company had failed to properly state a claim under CFAA.

District Judge Paul Grewal ruled that Enki could not sue for unauthorized access under the CFAA because Freedman used valid login credentials provided to him by Enki. Any misuse of data accessed with valid credentials doesn't constitute a violation of CFAA, the judge said.

The ruling is similar to ones made by multiple federal courts in recent years.

For instance, appellate courts for the Ninth and Fourth Districts each ruled that people or entities with valid access to corporate data could not be held liable under the CFAA for abusing that access to steal, sabotage or misuse the data.

Other courts, including the Eleventh, Fifth and Seventh Circuit appellate courts, had earlier arrived at the opposite conclusion, ruling that CFAA can be used to prosecute individuals in such cases.

The recent trend suggests that enterprises should be careful about how they use CFAA, said Evan Brown, senior counsel with InfoLawGroup LLP in Chicago.

"Enterprises who wish to have the CFAA as a remedy must ensure that there are restrictions on access to data, not merely restrictions on what may be done with that data," he said. "The CFAA is often not the best tool for dealing with departing or former employees who wrongly take the organization's information or technology."

Typically, a company stands a better chance of succeeding by suing for breach of contract, misappropriation of trade secrets, or copyright infringement, Brown said.

In the latest case, Freedman, a former employee at Enki, left the company in 2011 to set up another firm, called Freeform.

Shortly after Freedman's departure, Enki signed up billing services provider Zuora as a customer. Under the agreement, Enki would provide consulting, cloud computing and other IT services for Zuora. Enki then hired Freedman's company as a subcontractor to help service the Zuora contract.

In its lawsuit, Enki claimed that Freedman and his company took advantage of the situation to wrest Zuora's business away from Enki.

The company claimed, in a 25-page complaint, that Freedman used Zuora's working login credentials to access Enki's servers and copy a proprietary monitoring tool that was used to manage Zuora's systems. Zuora later terminated its relationship with Enki and signed up with Freedman's company, which continued to use the copied software for system monitoring purposes.

Enki claimed that Freedman violated CFAA rules by intentionally accessing the company's computers without proper authorization. The company also charged that Freedman exceeded any authorized access by copying and misusing the proprietary data.

Grewal dismissed both claims, noting that CFAA isn't applicable because Freedman used valid login credentials to access the data.

The CFAA imposes liability where the defendant commits certain acts on a "protected computer" either "without authorization" or "in excess of his authorization," the judge said.

Pointing to the Ninth Circuit's ruling on the issue, Grewal said that under the CFAA, unauthorized access only happens when someone accesses a protected system without any permission at all.

"It has further held that an individual does not 'exceed authorized access' simply by misusing information that he or she was entitled to view for some other purpose; the CFAA regulates access to data, not its use by those entitled to access it," he said in the ruling.

Such cases underscore the challenges in using the CFAA to deal with those who misappropriate data, Brown said.

Enterprises are bringing claims under the CFAA in order to appear strong, Brown said.

"It elicits discussion about how the cause of action appears in a statute that is part of the federal criminal code. Plaintiffs hope that the specter of federal prosecution--regardless of whether that is a real possibility--will intimidate the defendant," he noted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
