As I have noted in earlier posts, the general federal
cybercrime statute – 18 U.S. Code § 1030 – not only defines criminal offenses,
it also, in 18 U.S. Code § 1030(g), creates a civil cause of action for one
“who suffers damage or loss by reason of a violation” of the statute’s criminal
provisions. As I have also noted, the Stored Communications Act also, in 18 U.S. Code § 2707, creates a civil cause of action for those “aggrieved by” a
violation of its provisions.
This post examines an opinion a district court judge in the
U.S. District Court for the Eastern District of Pennsylvania issued recently in
a civil case involving claims under both statutes: Brooks
v. AM Resorts, LLC, __ F.Supp.2d __, 2013 WL 3343993 (2013). The opinion begins by noting that Douglas Books sued
AM Resorts, LLC
(`AM Resorts’). Brooks alleges thatAM
Resorts gained unauthorized accessed to his computer and email account in
violation of the Stored Communications Act (`SCA’), 18 U.S.C. §
2701, et seq., the Computer Fraud and Abuse Act (`CFAA’), 18
U.S.C. § 1030, et seq.
Brooks v. AM Resorts,
supra.
In this opinion, the judge is ruling on Brooks’ motion for
“partial summary judgment on the issue of liability, arguing that AM Resorts is
indisputably liable on the claims brought against it and that trial should be
set solely on the issue of damages.” Brooks
v. AM Resorts, supra. AM Resorts filed a motion for summary judgment “in
its favor on all claims.” Brooks v. AM Resorts, supra.
As Wikipedia explains, summary judgment is a judgment a
court enters “for one party and against another party summarily, i.e.,
without a full trial.” As Wikipedia also
notes, to grant summary judgment for a party the court has to find that
- there
are no disputes of `material’ fact requiring a trial to resolve,
and
- in applying the law to the undisputed facts, one party is clearly entitled to judgment.
It notes that a “material” fact is “one which,
depending upon what the factfinder believes "really happened," could
lead to judgment in favor of one party, rather than the other.” So, each side is trying to avoid a trial on
some/all of the issues in the case.
The opinion says Brooks is a former employee of AM
Resorts. On March 4, 2010,
AM Resorts terminated [his] employment.
. . . After he was fired, Brooks engaged in an email exchange with his lawyers
to discuss attorney-client privileged matters pertaining to the termination
(the `privileged email exchange’). Neither Brooks nor his attorneys shared this
privileged email exchange with any third party.
However, on March 21, 2010,
Brooks received an email from his former supervisor at AM Resorts, Javier
Estelrich, that stated, `Doug, I got your email. Tomorrow our lawyers will get
in touch either with your lawyer or with you (in case it is not possible with
them).’ . . . Attached . . . was the privileged email exchange between Brooks
and his lawyers.
The header to Estelrich's March 21, 2010 email to
Brooks listed the Internet Protocol (`IP’) address 207.204.53.55. This same IP
address . . . appeared in the header of an email Estelrich received on March
10, 2010 from AM Resorts employee, Pepe Morell. Brooks had a Microsoft Hotmail
email account.
A log from the Microsoft Corporation lists the dates and times any
user accessed, or attempted to access, Brooks' personal email account in the
month of March 2010. This log indicates someone with the IP address
207.204.53.55 accessed Brooks email account on March 19, 2010 at 10:53 p.m. and
on March 20, 2010 at 5:43 a.m. . . .
Brooks had given his personal email
address and password to AM Resorts because he had experienced difficulty
accessing and using his work email account. Additionally, Brooks had allowed Am
Resorts to install a program called Team Viewer on his personal desktop
computer.
Team Viewer is a program designed to allow technicians to diagnose
problems on a user computer from a remote location. [It] enables an individual
to remotely access and control a computer. Brooks alleges that AM Resorts
remotely accessed his computer after his termination through the Team Viewer
program and accessed his personal email account, either independently of
accessing his computer or, while it was remotely controlling his computer
through Team Viewer.
Brooks does not know how to access his
computer remotely through Team Viewer. There is evidence someone accessed
Brooks' computer via Team Viewer on four separate occasions after his
termination.
Brooks v. AM Resorts,
supra.
When a parties move for summary judgment, they often provide
affidavits or other evidence to support their motions, which apparently
happened here:
The parties have presented dueling
forensic expert reports. All agree that IP addresses can be static or dynamic.
Static IP addresses are assigned by the Internet Service Provider (`ISP’) to an
individual or company for a certain period of time. Dynamic IP addresses can
change at any time because they are not assigned by the ISP to an individual or
company for any certain period of time. All experts agree that it is unknown
whether IP address 207.204.53.55 is a static or dynamic address.
Brooks' expert, Brian Harris, concludes
that Pepe Morell, an employee of AM Resorts, accessed Brooks' email account.
This conclusion is based, to a large extent, on the fact that Morell sent an
email from the IP address 207.204.53.55 to Estelrich on March 10, 2010 and that
same IP address appeared in the header of the March 21, 2010 email sent from
Estelrich to Brooks, which contained the privileged email. . . . Harris
concludes that AM Resorts accessed Brooks' desktop computer through Team
Viewer, a program that it installed on Brooks' computer.
AM Resorts' experts, Jerry Saperstein
and Louis Cinquanto, conclude there is not enough evidence to link AM Resorts
to the IP address 207.204.53.55 because it is unknown whether [it] is dynamic
or static, the parties never subpoenaed the internet service provider to obtain
the name of the person or company that was issued the IP address on a specific
date and time, and that IP address may have been used by many people at the
same time making it impossible to determine the identity of the person who
accessed Brooks' email account. . . . AM Resorts' experts conclude there is
insufficient evidence to link any Team Viewer access of Brooks' computer to AM
Resorts.
Brooks v. AM Resorts,
supra.
The judge first ruled on several of the issues raised by
both parties’ motions for summary judgment, noting, again, that Brooks had
moved for summary judgment on
AM Resorts' liability, arguing that the
evidence indisputably establishes that AM Resorts accessed his computer and
email account in violation of the SCA [and] the CFAA. . . . AM Resorts moves
for summary judgment in its favor on all claims, [claiming] the evidence is
insufficient to prove AM Resorts accessed Brooks' computer and email address.
Brooks v. AM Resorts,
supra.
She then addressed Brooks’ SCA claim, noting that 18 U.S.
Code § 2701(a) makes it a crime to intentionally access a facility through
which an electronic communication service is provided without being authorized
to do so or by exceeding authorization to do so and “thereby” obtain, alter or prevent authorized access to “a wire or electronic communication while it is
in electronic storage”. Brooks v. AM Resorts, supra. Both sides agreed “that email messages
remaining on an internet service provider's server after delivery fall within
the Act's definition of electronic storage.” Brooks v. AM Resorts, supra.
And neither argued that “emails downloaded and stored on a personal
computer are not included in the” definition of electronic storage. Brooks v. AM Resorts, supra.
The judge then ruled on one of the issues in the case,
noting that Brooks had
only alleged that AM Resorts obtained a
downloaded copy of the privileged email exchange that was stored on Brooks'
computer. Thus, AM Resorts argues that Brooks' claim under the SCA fails as a
matter of law because emails downloaded and stored on a computer are not
included in the Act's definition of electronic storage.
Brooks agrees with AM
Resorts' interpretation of the law. However, he strongly disagrees with AM
Resorts portrayal of his allegations.
While it is true that Brooks alleges AM
Resorts accessed his computer, [he] has never alleged that AM Resorts obtained
a downloaded copy of the privileged email exchange from his hard drive. Rather,
Brooks has maintained throughout this litigation that AM Resorts obtained the
privileged email exchange by accessing his Microsoft Hotmail email account, an
act that qualifies as a violation under the SCA. Brooks has presented evidence
that a genuine dispute of material fact exists as to whether AM Resorts
accessed his email account.
Therefore, I will deny AM Resorts' motion for
summary judgment on Brooks' SCA claim.
Brooks v. AM Resorts,
supra.
She then took up the CFAA claim, noting Brooks alleges AM Resorts violated the CFAA
by `intentionally
access[ing] a protected computer without authorization, and as a result of such
conduct, recklessly caus[ing] damage.’ 18 U.S. Code § 1030(a)(5)(B). Because this is a civil
action, Brooks must demonstrate that he suffered damage or loss as a result of
AM Resorts' violation of the CFAA. AM Resorts argues that Brooks cannot succeed
on his CFAA claim because he has not put forth any evidence to support that he
has suffered either damage or loss. Brooks argues that he has established
evidence of loss.
Brooks v. AM Resorts,
supra.
The judge then explained that In a 1030(g) civil suit for
violating the CFAA, the plaintiff must show that the defendant “caused “`loss
to 1 or more persons during any 1-year period . . . aggregating at least $5,000
in value.’” Brooks v. AM Resorts,
supra (quoting 18 U.S. Code §
1030(c)(4)(A)(i)(I)). She also noted
that the “CFAA defines `loss’ as `any reasonable cost to any victim, including
the cost of responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its condition prior to
the offense, and any revenue lost, cost incurred, or other consequential
damages incurred because of interruption of service.’” Brooks v. AM Resorts, supra (quoting 18 U.S. Code § 1030(e)(11)).
Next, she reviewed Brooks’ arguments as to why he had
alleged loss, noting that he
alleges that he suffered `loss’ when he
had to replace his computer while it was shipped to another location for
examination. There is no evidence in the record to support this occurrence.
Moreover, even if it did occur, there is no evidence to support the amount of
economic loss that Brooks suffered as a result.
Additionally, Brooks includes
as `loss’ the litigation costs associated with hiring court reporters and
videographers, and obtaining deposition transcripts. However, litigation costs
are not a compensable loss under the CFAA because they are not related to
investigating or remedying damage to the computer. . . .
Lastly,
Brooks points to the invoices Harris, his forensic expert, sent his attorney
during this litigation. While fees paid to an expert for investigating and
remedying damage to a computer may be a cognizable `loss’ under the CFAA, .
. . fees paid to an expert to assist in litigation do not fall within [its]
definition of `loss.’ See Mintel Int'l Group, LTD. v. Neergheen, 2010
WL 145786 (U.S. District Court for the Northern District of Illinois 2010).
Brooks v. AM Resorts,
supra.
The judge noted that Brooks claimed AM Resorts violated the CFAA in March 2010 and filed the
Complaint that began this suit in February of 2011. Brooks v. AM Resorts, supra.
She then explained that in the “eleven month time period” between the "alleged" violation
and the filing of the
Complaint, there is no evidence Brooks hired anyone to assess and/or remedy the
damage done to his computer. Rather, it was not until October 2011, . . . that [he]
hired Harris to investigate his computer. Harris' deposition testimony and expert
report indicate [he] was hired to prove AM Resorts accessed Brooks' computer
and email account.
There is no evidence Harris spent any time investigating, or
responding to, damage to Brooks' computer that occurred as a result of AM
Resorts unauthorized access.
The invoices cover services . . .
performed by Harris in September 2012 through February 2013, including
deposition preparation. Moreover, all invoices are addressed to Brooks'
attorney in this litigation. This evidence establishes Brooks retained Harris
for assistance in his lawsuit against AM Resorts. Therefore, these invoices do
not fall within the definition of `loss’ under the CFAA.
Moreover, even if some
of the services Harris performed could arguably fall within the definition of
`loss’ . . . , [they] do not meet the minimum loss requirement of $5,000.00.
While the total amount billed by Harris was $7,225.00, more than $3,000.00 was.
. . for time spent on depositions, declarations, and forwarding documents to
opposing counsel, all of which are litigation expenses that are not considered
`loss’ under the CFAA.
Brooks v. AM Resorts,
supra.
The judge therefore denied Brooks’ motion for partial
summary judgment on liability and denied AM Resorts’ motion for summary
judgment on his SCA claim. Brooks v. AM
Resorts, supra. She granted “AM
Resorts' motion for summary judgment on Brooks' CFAA claim because he "has not
demonstrated that he suffered the requisite `loss’ under the CFAA.” Brooks
v. AM Resorts, supra.
No comments:
Post a Comment