Monday, October 31, 2011

“Access,” “Authorization” and Deleting Files

As I’ve noted, the basic federal computer crime statute – 18 U.S. Code § 1030 -- creates a civil cause of action for those who have been “harmed” by conduct that violates the statute’s criminal provisions.

The cause of action arises under § 1030(g), which states, in part, that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”

Section 1030(a) of Title 18 outlines a number of criminal “violations,” any of which can serve as the basis for a civil suit under § 1030(g). To prove the civil case, the plaintiff must prove that the defendant(s) committed the violation(s) alleged in the plaintiff’s complaint.

The § 1030(g) cause of action was the focus of a recent opinion from the U.S. District Court for the District of Kansas: Farmers Bank & Trust, N.A. v. Witthuhn, 2011 WL 4857926 (2011). The Farmers Bank & Trust N.A. [Farmers] filed a complaint in which it asserted “several claims against its former employees, defendants Ray Witthuhn and Tonetta Stieben.” Farmers Bank & Trust v. Witthuhn, supra. In Count III of the complaint, Farmers “allege[d] various violations” of 18 U.S. Code § 1030, which could support the imposition of civil liability pursuant to 18 U.S. Code § 1030(g). Farmers Bank & Trust v. Witthuhn, supra.

The defendants moved for summary judgment as to the § 1030(g) claims, and Farmers argued that summary judgment wasn’t appropriate. Farmers Bank & Trust v. Witthuhn, supra. As Wikipedia notes, summary judgment is a process by which a court can dispose of civil claims without having a trial. As Wikipedia also notes, summary judgment can only be granted if the judge finds there are (i) “no issues of ‘material’ fact requiring a trial for their resolution” and (ii) “in applying the law to the undisputed facts, one party is clearly entitled to judgment”.

The judge began her ruling on the defendants’ motion for summary judgment by explaining that certain facts at issue in the case are “uncontroverted”:

Witthuhn and Stieben were bank officers for Farmers -- Witthuhn was the Vice President and Stieben was Assistant Vice President. They were entrusted with Farmers' confidential information and trade secrets. Farmers' internal computer systems are password protected with restricted access.


Access to Farmers' customers' personal and financial information is limited to those with a business reason for knowing such information. [Witthuhn and Stieben] were not authorized to access this information for non-bank purposes, nor were they permitted to copy or delete this information for competitive purposes.


On December 27, 2010, [Witthuhn and Stieben] announced their intention to resign their employment, but between December 27 and January 3, 2011, they still had passwords and could access Farmers' computer systems. [They] deleted substantial amounts of data from Farmers' computers, including customers' personal and financial information and Farmers' confidential business information.


[Witthuhn and Stieben] were not permitted to delete Farmers' customers' personal and financial information or Farmers' confidential business information without the supervision of Farmers Bank IT personnel. [They] did not have permission to delete any of Farmers' files or emails containing Farmers' customers' personal and financial information or Farmers' business information.


By at least January 4, 2011, Farmers believed [Witthuhn and Stieben] were involved in downloading a substantial amount of material or data from Farmers' computer system. Despite Farmers' belief, it allowed [them] to return to work and continue working on January 5, 6, and 7. Dikeman, Farmers' President, testified that `[w]e had gone into a high-security mode and were watching everything they were doing.’ On January 7, 2011, Farmers' representatives took [their] keys, cut off their access to the computer networks and changed the locks at the branch office.

Farmers Bank & Trust v. Witthuhn, supra.

The court then addressed the defendants’ challenge to the Farmers’ claims that arose under 18 U.S. Code §§ 1030(a)(4) (crime to “knowingly and with intent to defraud” access a computer “without authorization” or by exceeding authorized access) and/or 1030(a)(2)(C) (crime to intentionally access a computer without authorization or by exceeding authorized access and thereby obtain information). Farmers argued that Witthuhn and Stieben were liable under either or both subsection(s) “because they either accessed information without authorization, or exceeded their authorized access by deleting information between the time when they announced their resignations and January 7, 2011.” Farmers Bank & Trust v. Witthuhn, supra.

In ruling on this challenge, she noted that there is a split of authority among courts

about the meaning of `authorization’ under [§ 1030]. On the one hand, there is a line of cases construing the term to depend on whether the employee violated a duty of loyalty or acted with an interest adverse to the employer – the Citrin cases. On the other hand, several courts determine authorization based on the `employer's decision to allow or terminate an employee's authorization’ – the Brekka cases. . . . This Court is persuaded by the reasoning in Brekka . . . and applies this approach in determining whether there is a genuine issue of material fact that defendants violated [§ 1030] when they accessed and deleted files from Farmers' computer system between the time they announced their resignations and the time their computer access was terminated.

Farmers Bank & Trust v. Witthuhn, supra.

The judge applied this standard to find that the defendants were entitled to summary judgment on the plaintiff’s claim(s) that they accessed the Farmers’ computer system “without authorization:”

The uncontroverted facts establish that defendants were permitted to access Farmers' confidential and proprietary information prior to January 7, 2011. They had passwords to Farmers' computer system and access to restricted information. Plaintiff argues that company policy only allowed [them] to access this information for a business reasons, but this argument would require the Court to follow the Citrin line of cases and determine whether defendants were acting in the interest of Farmers -- a standard that this Court has already declined to follow.


Instead, the Court looks to whether Farmers permitted [Witthuhn and Stieben] to access this information. Because it is uncontroverted that [they] were permitted to access the information at issue, no reasonable jury could determine that liability under [§1030] could lie based on [their] unauthorized access to the information in Farmers' computer system.

Farmers Bank & Trust v. Witthuhn, supra.

The judge then addressed Farmers’ claim that Witthuhn and Stieben are liable under § 1030 “because they exceeded their authorized access by deleting information in Farmers’ computer system.” Farmers Bank & Trust v. Witthuhn, supra. Witthuhn and Stieben argued that the uncontroverted facts at issue establish that they accessed

information they were permitted to access in the first place. [Farmers] responds that notwithstanding the initial access, [Witthuhn and Stieben] exceeded their authorization by deleting substantial amounts of data from Farmers' computer system. [They] reply that Farmers allowed employees to delete information in some instances and that the Bank's policy does not require that they obtain prior approval before deleting documents.

Farmers Bank & Trust v. Witthuhn, supra.

The judge noted that 18 U.S. Code § 1030(e)(6) defines “exceeds authorized access” as to “access a computer with authorization and to use such access to obtain or alter information in the computer that the accesses is not entitled so to obtain or alter.” She explained that as “this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered . . . someone who has `exceed[ed] authorized access.’” Farmers Bank & Trust v. Witthuhn, supra. Or, as another judge put it, “exceeding authorized access occurs `when the defendant has permission to access the computer in the first place, but then accesses certain information to which he is not entitled.’” Farmers Bank & Trust v. Witthuhn, supra (quoting U.S. Bioservices Corp. v. Lugo, 595 F.Supp.2d 1189 (U.S. District Court for the District of Kansas 2009)).

Farmers argued that Witthuhn and Stieben were liable under § 1030(g) “because they exceeded their authorized access by deleting information in Farmers' computer system.” Farmers Bank & Trust v. Witthuhn, supra. Witthuhn and Stieben argued, in response, that “Farmers allowed employees to delete information in some instances and that the Bank's policy does not require that they obtain prior approval before deleting documents.” Farmers Bank & Trust v. Witthuhn, supra. The judge found that there

is no question that [Witthuhn and Stieben] were authorized to access Farmers' confidential and proprietary information in the first place, but the Court finds there is a genuine issue of material fact about whether [they] used their access to `obtain or alter information in the computer’ that they were not `entitled so to obtain or alter.’ It is uncontroverted that [Witthuhn and Stieben] deleted substantial amounts of data from Farmers' computers, including customers' personal and financial information and Farmers' confidential business information.


And regardless of whether Farmers had a policy that required [them] to obtain prior approval to delete that information, it is uncontroverted that [Witthuhn and Stieben] did not have permission to delete any of Farmers' files or emails containing Farmers' customers' personal and financial information or Farmers' business information. Moreover, Farmers' had an Information Security and Unauthorized Access Policy that required retention of information for certain purposes and provides that `records shall generally be destroyed, or sterilized, under Bank IT personnel supervision.


Given all of these facts, a reasonable jury could conclude that [Witthuhn and Stieben] exceeded their authorization by deleting information in Farmers' computer system that they were not authorized to delete.

Farmers Bank & Trust v. Witthuhn, supra.

Finally, the judge addressed the defendants’ challenge to Farmers’ claim under 18 U.S. Code § 1030(a)(5)(A), which makes it a crime to “knowingly” cause “the transmission of a program, information, code, or command” and thereby “intentionally cause[] damage without authorization” to a computer. Farmers Bank & Trust v. Witthuhn, supra. Section 1030(e)(8) defines “damage” as “any impairment to the integrity or availability of data, a program, a system or information.” She found that “[b]ecause it is uncontroverted that [Witthuhn and Stieben] were not permitted to delete files and emails from Farmers' computer system, a reasonable jury could conclude that they violated this subsection.” Farmers Bank & Trust v. Witthuhn, supra.

The judge therefore held that “[b]ecause three of [Farmers’] four alleged [§1030] violations hinge on whether defendants exceeded their authorized access, or caused damage from the unauthorized deletion of information, these claims must be decided by a jury.” Farmers Bank & Trust v. Witthuhn, supra. In other words, she denied the defendants’ motion for summary judgment on these three claims, but granted them summary judgment on the fourth claim – the one that factually “rest[ed] solely on damage sustained from intentional unauthorized access.” Farmers Bank & Trust v. Witthuhn, supra. Since the judge found, as noted above, that at all relevant times Witthuhn and Stieben were authorized to access the system, she held that this claim was not appropriate for trial. Farmers Bank & Trust v. Witthuhn, supra.

No comments:

Post a Comment