Wednesday, August 14, 2013

The Computer Fraud and Abuse Act and "Shit Canning" a Computer

-->
This post examines an opinion a federal district court judge recently issued in a civil case that arose from the following facts:



G. Curtis Jones and Jeffrey King worked as managers for the Dresser–Rand Company, a $2 billion corporation that provides technology, product and services used for developing energy and natural resources. Dresser–Rand's business includes manufacturing industrial equipment and field services operations to maintain and service industrial equipment for Dresser–Rand clients who own power plants, industrial plants and refineries. 

Jones resigned from Dresser–Rand on February 9, 2010 from his position as Regional Field Services Manager. King resigned . . . on February 26, 2010 from his position as Project Manager.



On January 20, 2010, prior to the resignations of Jones and King, Albert Wadsworth incorporated Global Power Specialist, Inc. and became [its] president. Jones and King became Global Power's two employees. Global Power performs field services work to fix gas turbines. Jones and King had Global Power cell phones and e-mail addresses and performed work to benefit Global Power before they resigned from Dresser–Rand.



Before Jones and King left Dresser–Rand, they downloaded Dresser–Rand documents to external hard drives and flash drives. Dresser–Rand's forensic computer expert found that on multiple occasions from December 2009 through February 2010 Jones and King downloaded Dresser–Rand files onto at least five external devices. 

They downloaded the files days before they each resigned.  On February 25, 2010, King e-mailed to Wadsworth, `I shit canned everything on my computer since I have to turn it in tomorrow.’ . . .



Dresser-Rand Co. v. Jones, 2013 WL 3810859 (U.S. District Court for the Eastern District of Pennsylvania 2013).



In a footnote, the opinion explains that Jones and King



claim they downloaded the files because they were told by their supervisors to back up the data on their Dresser–Rand laptops onto external hard drives. King kept personal files, family photographs, and music on his Dresser–Rand laptop. He claims he transferred all of the contents of his Dresser–Rand computer to his Global Power computer because he did not know how to use the hard drive to select documents to back up.



He admitted he did not download those documents for the benefit of Dresser–Rand, but to preserve his work history. Dresser–Rand's computer expert found the manner in which the downloads were made to the external devices was not consistent with `backing up’ a hard drive.



Dresser-Rand Co. v. Jones, supra.



In the suit, Dresser-Rand asserted various causes of action against the defendants, most of which arose under Pennsylvania law but one of which arose under the basic federal computer crime statute:  18 U.S. Code § 1030 (a/k/a the Computer Fraudand Abuse Act).  Dresser-Rand Co. v. Jones, supra.  As I have noted in prior posts, § 1030 not only creates federal computer crime offenses (in § 1030(a), it also creates a cause of action that lets one who suffered “damage” or “loss” as the result of a § 1030 crime sue the perpetrator.   

The cause of action is contained in 18 U.S. Code § 1030(g). The federal claim gives the U.S. District Court jurisdiction over that part of the case, and under the doctrine of pendent jurisdiction, can therefore exercise jurisdiction over the state claims.



In this opinion, the federal judge is ruling on the defendants’ motion for summary judgment against Dresser-Rand on its § 1030(g) claims. Dresser-Rand Co. v. Jones, supra.  As Wikipedia explains, summary judgment is a judgment a court enters “for one party and against another party summarily, i.e., without a full trial.”  As Wikipedia also notes, to grant summary judgment for a party the court has to find that



  1. there are no disputes of `material’ fact requiring a trial to resolve, and
  2. in applying the law to the undisputed facts, one party is clearly entitled to judgment.



It also notes that a “material” fact is “one which, depending upon what the factfinder believes "really happened," could lead to judgment in favor of one party, rather than the other.”  So, the defendants are trying to prevail without going to trial.



The judge began by noting that the section of § 1030(a) at issue in this lawsuit is § 1030(a)(4), which makes it a crime to (i) knowingly and with intent to defraud, (ii) access a protected computer without authorization or exceed authorized access (iii) and “by means of such conduct” further the fraud and obtain “anything of value,” other than the use of the computer if “the value of such use is not more than $5,000” in one year.  As I have noted in prior posts, and as § 1030(e)(2) states, a protected computer is basically a computer that is used in interstate or foreign commerce . . . essentially, any computer. 



Dresser-Rand argued that the defendants violated § 1030(a)(4) for any or all of the following reasons:


—King and Jones exceeded their authorized access to Dresser–Rand's computers by downloading files to flash drives and external hard drives for the benefit of Global Power and in violation of Dresser Rand policy;



—King exceeded his authorized access when he `shit-canned’ his Dresser–Rand laptop;



—Wadsworth and Global Power violated the CFAA when King and Jones accessed their computers while acting as their agents; and



—Wadsworth violated the CFAA when he accessed and edited Dresser–Rand files sent to him by Jones and King.



Dresser-Rand Co. v. Jones, supra.



The judge began with the last contention, which she found deficient:



[Section 1030] governs activity that involves accessing or damaging computers. Use of the computer is integral to the perpetration of a fraud under the CFAA, and not merely incidental. . . . Whatever happens to the data subsequent to being taken from the computers . . . is not encompassed in [§ 1030(a)(4)]. Dresser–Rand's . . . claim against Wadsworth fails to meet the basic requirement of accessing a computer.



Dresser–Rand does not allege . . . that Wadsworth had any interaction with its computers, computer systems, or network -- only that [he] viewed and edited Dresser–Rand documents on his own computer that received via e-mail attachments from Jones and King. Wadsworth may have accessed Dresser–Rand documents, but he never accessed Dresser–Rand computers, as required under [§ 1030(a)(4)].



So she granted summary judgment to Wadsworth on this claim. Dresser-Rand Co. v. Jones, supra. (She granted the “defendant’s” motion, which I assume was Wadsworth’s.)



She then took up the motion for summary judgment on Dresser-Rand’s claim that King and Jones exceeded their authorized access to its computers.  Dresser-Rand Co. v. Jones, supra.  The judge noted that “[u]nlike Wadsworth, King and Jones undisputedly accessed Dresser–Rand's computers”, but whether they “are liable under” § 1030(a)(4) “turns on whether they `exceed[ed] authorized access’ when they downloaded files from their laptops.”  Dresser-Rand Co. v. Jones, supra. She explained that while § 1030 does



not define the word `access,’ it defines `exceeds authorized access,’ to mean, `to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.’ § 1030(e)(6). 

The term `authorization’ is not further defined, leaving courts to wrestle with the breadth of its meaning as increasingly, employers have used a statute originally designed to punish hackers against disloyal employees. 



Dresser-Rand Co. v. Jones, supra



She also explained that the federal Circuit Courts of Appeals



are split between what is cast as a broad versus a narrow interpretation of the term `without authorization.’ Under the narrow view, an employee given access to a work computer is authorized to access that computer regardless of his or her intent to misuse information and any policies that regulate the use of information. . . .



Under the broad view, if an employee has access to information on a work computer to perform his or her job, the employee may exceed his or her access misusing the information on the computer, either by severing the agency relationship through disloyal activity, or by violating employer policies and/or confidentiality agreements. . . .



Dresser-Rand Co. v. Jones, supra



The judge noted that she “find[s] the narrow interpretation adopted . . . to be true to the language of the statute and intentions of Congress” in adopting § 1030.  Dresser-Rand Co. v. Jones, supra.  In so doing, she relied on an opinion from the U.S. Court of Appeals for the 4th Circuit in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (2012). Dresser-Rand Co. v. Jones, supra.  She then explained that the WEC Carolina



Court concluded that `an employee is authorized to access a computer when his employer approves or sanctions his admission to that computer,’ an employee is `without authorization’ when `he gains admission to a computer without approval,’ and an employee `exceeds authorized access’ `when he has approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access.’ WEC Carolina Energy Solutions LLC v. Miller, supra (citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (U.S. Court of Appeals for the 9th Circuit 2009)).



These definitions do not extend to improper use of information validly accessed. WEC Carolina Energy Solutions LLC v. Miller, supra. . . Thus the WEC Carolina Court concluded that while [the] defendants may have misappropriated information, they did not access a computer without authorization or exceed their authorized access. . . .



Dresser-Rand Co. v. Jones, supra



The judge then took up the claims against Jones and King, noting that if Jones and King



were authorized to access their work laptops and to download files from them, they cannot be liable under [§ 1030] even if they subsequently misused those documents to compete against Dresser–Rand. . . .



King and Jones had user names and passwords to access the Dresser–Rand network and had access to their Dresser–Rand issued laptops and external hard drives. Chip Jones, Director of Services for the Mid–Atlantic Region, stated he had `no reason to believe [they] accessed information other than what they had authorized access to do through their Dresser–Rand user name and password.’ . . . 

 Dresser–Rand does not argue that there are limitations on employees' ability to copy documents to which they would otherwise have access to external storage devices like hard drives or flash drives. King and Jones' December 2009, January 2010 and February 2010 downloads all occurred while still employed by Dresser–Rand. . . . Based on this evidence, Jones and King were authorized to access their laptops and download files while they still were employed at Dresser–Rand.



Dresser-Rand Co. v. Jones, supra



The judge therefore granted summary judgment on this § 1030(a)(4) claim to Jones and King because they “had authorization to access their work computers” and because while “[t]heir alleged misuse of the files may have remedies under other laws,” it was not actionable under 18 U.S. Code § 1030(g).  Dresser-Rand Co. v. Jones, supra



She then took up Dresser-Rand’s motion insofar as it concerned King’s “shit-canning” the laptop.  She began her analysis of the issue by noting that Dresser-Rand claimed a "genuine dispute" of



material facts exists as to `[w]hat actions King took in “shit canning” his computer and thus destroying Dresser–Rand files.’ . . . King wrote to Wadsworth that he `shit canned everything on my computer since I have to turn it in tomorrow.’ . . .



Dresser–Rand takes this e-mail to mean King destroyed files. Other than this e-mail, there is no other evidence that King destroyed any files. In fact, Dresser–Rand's forensic computer expert made no mention of destroyed or missing files in his report, despite the fact that he analyzed King's Dresser–Rand laptop.



More importantly, Dresser–Rand presents no arguments that by deleting files on his laptop, King would have exceeded his authorized access. Dresser–Rand does not point to any restrictions on King's access that, for instance, would allow him to view files on his laptop but forbid him from deleting them. There is therefore insufficient evidence to sustain a [§ 1030(a)(4)] claim against King on this basis.



Dresser-Rand Co. v. Jones, supra.  So she granted King summary judgment on this claim. Dresser-Rand Co. v. Jones, supra



And, finally, she addressed Dresser-Rand’s claim against Global Power. She explained that Dresser-Rand brought its § 1030 claim against all the defendants, including



Global Power. Dresser–Rand argues that Global Power is implicated under [§ 1030] through Jones, King and Wadsworth, working as agents of Global Power. Because the [§1030(a)(4)] cannot survive against any of these Defendants, it cannot survive against Global Power.



Dresser-Rand Co. v. Jones, supra



She therefore granted the defendants’ motion to dismiss the 18 U.S. Code § 1030(a)(4)/1030(g) claims against Dresser-Rand . . . which presumably leaves only the state law claims in the suit.  Dresser-Rand Co. v. Jones, supra

No comments: