This post examines an opinion a federal district court judge
recently issued in a civil case that arose from the following facts:
G. Curtis Jones and Jeffrey King worked
as managers for the Dresser–Rand Company, a $2 billion corporation that
provides technology, product and services used for developing energy and
natural resources. Dresser–Rand's business includes manufacturing industrial
equipment and field services operations to maintain and service industrial
equipment for Dresser–Rand clients who own power plants, industrial plants and
refineries.
Jones resigned from Dresser–Rand on February 9, 2010 from his
position as Regional Field Services Manager. King resigned . . . on February
26, 2010 from his position as Project Manager.
On
January 20, 2010, prior to the resignations of Jones and King, Albert Wadsworth
incorporated Global Power Specialist, Inc. and became [its] president. Jones
and King became Global Power's two employees. Global Power performs field
services work to fix gas turbines. Jones and King had Global Power cell phones
and e-mail addresses and performed work to benefit Global Power before they
resigned from Dresser–Rand.
Before Jones and King left
Dresser–Rand, they downloaded Dresser–Rand documents to external hard drives
and flash drives. Dresser–Rand's forensic computer expert found that on
multiple occasions from December 2009 through February 2010 Jones and King
downloaded Dresser–Rand files onto at least five external devices.
They
downloaded the files days before they each resigned. On February
25, 2010, King e-mailed to Wadsworth, `I shit canned everything on my computer
since I have to turn it in tomorrow.’ . . .
Dresser-Rand Co. v.
Jones, 2013 WL 3810859 (U.S. District Court for the Eastern District of Pennsylvania 2013).
In a footnote, the opinion explains that Jones and King
claim they downloaded the files because
they were told by their supervisors to back up the data on their Dresser–Rand
laptops onto external hard drives. King kept personal files, family
photographs, and music on his Dresser–Rand laptop. He claims he transferred all
of the contents of his Dresser–Rand computer to his Global Power computer
because he did not know how to use the hard drive to select documents to back
up.
He admitted he did not download those
documents for the benefit of Dresser–Rand, but to preserve his work history.
Dresser–Rand's computer expert found the manner in which the downloads were
made to the external devices was not consistent with `backing up’ a hard drive.
Dresser-Rand Co. v.
Jones, supra.
In the suit, Dresser-Rand asserted various causes of action
against the defendants, most of which arose under Pennsylvania law but one of
which arose under the basic federal computer crime statute: 18 U.S. Code § 1030 (a/k/a the Computer Fraud and Abuse Act). Dresser-Rand Co. v. Jones, supra. As I have noted in prior posts, § 1030 not
only creates federal computer crime offenses (in § 1030(a)), it also creates a cause of action that lets one who suffered “damage” or “loss” as the result of a §
1030 crime sue the perpetrator.
The cause of action is contained in 18 U.S. Code § 1030(g). The federal claim gives
the U.S. District Court jurisdiction over that part of the case, and, under the
doctrine of pendent jurisdiction, the court can therefore exercise jurisdiction over the
state claims.
In this opinion, the federal judge is ruling on the
defendants’ motion for summary judgment against Dresser-Rand on its § 1030(g)
claims. Dresser-Rand Co. v. Jones, supra.
As Wikipedia explains, summary judgment is a judgment a court enters “for
one party and against another party summarily, i.e., without a full
trial.” As Wikipedia also notes, to
grant summary judgment for a party the court has to find that
- there are no disputes of `material’ fact requiring a trial to resolve, and
- in applying the law to the undisputed facts, one party is clearly entitled to judgment.
It also notes that a “material” fact is “one which,
depending upon what the factfinder believes "really happened," could
lead to judgment in favor of one party, rather than the other.” So, the defendants are trying to prevail
without going to trial.
The judge began by noting that the section of § 1030(a) at
issue in this lawsuit is § 1030(a)(4), which makes it a crime to (i) knowingly
and with intent to defraud, (ii) access a protected computer without
authorization or exceed authorized access (iii) and “by means of such conduct”
further the fraud and obtain “anything of value,” other than the use of the
computer if “the value of such use is not more than $5,000” in one year. As I have noted in prior posts, and as §
1030(e)(2) states, a protected computer is basically a computer that is used in
interstate or foreign commerce . . . essentially, any computer.
Dresser-Rand argued that the defendants violated §
1030(a)(4) for any or all of the following reasons:
—King and Jones exceeded their authorized access to Dresser–Rand's computers by downloading files to flash drives and external hard drives for the benefit of Global Power and in violation of Dresser–Rand policy;
—Wadsworth and Global Power violated the CFAA when
King and Jones accessed their computers while acting as their agents; and
—Wadsworth violated the CFAA when he
accessed and edited Dresser–Rand files sent to him by Jones and King.
Dresser-Rand Co. v.
Jones, supra.
The judge began with the last contention, which she found
deficient:
[Section 1030] governs activity that
involves accessing or damaging computers. Use of the computer
is integral to the perpetration of a fraud under the CFAA, and not merely
incidental. . . . Whatever happens to the data subsequent to being taken
from the computers . . . is not encompassed in [§ 1030(a)(4)]. Dresser–Rand's .
. . claim against Wadsworth fails to meet the basic requirement of accessing a
computer.
Dresser–Rand does not allege . . . that
Wadsworth had any interaction with its computers, computer systems, or network
-- only that [he] viewed and edited Dresser–Rand documents on his own computer
that he received via e-mail attachments from Jones and King. Wadsworth may have
accessed Dresser–Rand documents, but he never accessed Dresser–Rand computers,
as required under [§ 1030(a)(4)].
So she granted summary judgment to Wadsworth on this claim. Dresser-Rand Co. v. Jones, supra. (She granted the “defendant’s”
motion, which I assume was Wadsworth’s.)
She then took up the motion for summary judgment on
Dresser-Rand’s claim that King and Jones exceeded their authorized access to
its computers. Dresser-Rand Co. v. Jones, supra. The judge noted that “[u]nlike Wadsworth,
King and Jones undisputedly accessed Dresser–Rand's computers”, but whether
they “are liable under” § 1030(a)(4) “turns on whether they `exceed[ed]
authorized access’ when they downloaded files from their laptops.” Dresser-Rand
Co. v. Jones, supra. She
explained that while § 1030 does
not define the word `access,’ it
defines `exceeds authorized access,’ to mean, `to access a computer with
authorization and to use such access to obtain or alter information in the
computer that the accesser is not entitled to so obtain or alter.’ § 1030(e)(6).
The term `authorization’ is not further defined, leaving courts to wrestle with
the breadth of its meaning as increasingly, employers have used a statute
originally designed to punish hackers against disloyal employees.
Dresser-Rand Co. v.
Jones, supra.
She also explained that the federal Circuit Courts of Appeals
are split between what is cast as a
broad versus a narrow interpretation of the term `without authorization.’ Under
the narrow view, an employee given access to a work computer is authorized to
access that computer regardless of his or her intent to misuse information and
any policies that regulate the use of information. . . .
Under the broad view, if an employee
has access to information on a work computer to perform his or her job, the
employee may exceed his or her access by misusing the information on the computer,
either by severing the agency relationship through disloyal activity, or by
violating employer policies and/or confidentiality agreements. . . .
Dresser-Rand Co. v.
Jones, supra.
The judge noted that she “find[s] the narrow interpretation
adopted . . . to be true to the language of the statute and intentions of Congress”
in adopting § 1030. Dresser-Rand Co. v. Jones, supra.
In so doing, she relied on an opinion from the U.S. Court of Appeals for the 4th Circuit in WEC Carolina Energy Solutions
LLC v. Miller, 687 F.3d 199 (2012). Dresser-Rand
Co. v. Jones, supra. She
then explained that the WEC Carolina
Court concluded that `an employee is
authorized to access a computer when his employer approves or sanctions his
admission to that computer,’ an employee is `without authorization’ when `he
gains admission to a computer without approval,’ and an employee `exceeds
authorized access’ `when he has approval to access a computer, but uses his
access to obtain or alter information that falls outside the bounds of his
approved access.’ WEC Carolina
Energy Solutions LLC v. Miller, supra
(citing LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (U.S. Court of Appeals for the 9th Circuit 2009)).
These definitions do not extend to
improper use of information validly accessed. WEC Carolina Energy Solutions LLC v. Miller, supra. . . Thus the
WEC Carolina Court concluded that
while [the] defendants may have misappropriated information, they did not
access a computer without authorization or exceed their authorized
access. . . .
Dresser-Rand Co. v.
Jones, supra.
The judge then took up the claims against Jones and King,
noting that if Jones and King
were authorized to access their work
laptops and to download files from them, they cannot be liable under [§ 1030]
even if they subsequently misused those documents to compete against
Dresser–Rand. . . .
King and Jones had user names and
passwords to access the Dresser–Rand network and had access to their
Dresser–Rand issued laptops and external hard drives. Chip Jones, Director of
Services for the Mid–Atlantic Region, stated he had `no reason to believe [they]
accessed information other than what they had authorized access to do through
their Dresser–Rand user name and password.’ . . .
Dresser–Rand does not argue
that there are limitations on employees' ability to copy documents to which
they would otherwise have access to external storage devices like hard drives
or flash drives. King and Jones' December 2009, January 2010 and February 2010
downloads all occurred while still employed by Dresser–Rand. . . . Based on
this evidence, Jones and King were authorized to access their laptops and
download files while they still were employed at Dresser–Rand.
Dresser-Rand Co. v.
Jones, supra.
The judge therefore granted summary judgment on this §
1030(a)(4) claim to Jones and King because they “had authorization to access
their work computers” and because while “[t]heir alleged misuse of the files
may have remedies under other laws,” it was not actionable under 18 U.S. Code §
1030(g). Dresser-Rand Co. v. Jones, supra.
She then took up Dresser-Rand’s motion insofar as it
concerned King’s “shit-canning” the laptop.
She began her analysis of the issue by noting that Dresser-Rand claimed a "genuine dispute" of
material facts
exists as to `[w]hat actions King took in “shit canning” his computer and thus
destroying Dresser–Rand files.’ . . . King wrote to Wadsworth that he `shit
canned everything on my computer since I have to turn it in tomorrow.’ . . .
Dresser–Rand takes this e-mail to mean King
destroyed files. Other than this e-mail, there is no other evidence that King
destroyed any files. In fact, Dresser–Rand's forensic computer expert made no
mention of destroyed or missing files in his report, despite the fact that he
analyzed King's Dresser–Rand laptop.
More importantly, Dresser–Rand presents
no arguments that by deleting files on his laptop, King would have exceeded his
authorized access. Dresser–Rand does not point to any restrictions on King's
access that, for instance, would allow him to view files on his laptop but
forbid him from deleting them. There is therefore insufficient evidence to
sustain a [§ 1030(a)(4)] claim against King on this basis.
Dresser-Rand Co. v.
Jones, supra. So she
granted King summary judgment on this claim. Dresser-Rand Co. v. Jones, supra.
And, finally, she addressed Dresser-Rand’s claim against
Global Power. She explained that Dresser-Rand brought its § 1030 claim against
all the defendants, including
Global Power. Dresser–Rand argues that
Global Power is implicated under [§ 1030] through Jones, King and Wadsworth,
working as agents of Global Power. Because the [§ 1030(a)(4)] claim cannot survive
against any of these Defendants, it cannot survive against Global Power.
Dresser-Rand Co. v.
Jones, supra.
She therefore granted the defendants’ motion to dismiss the
18 U.S. Code § 1030(a)(4)/1030(g) claims against Dresser-Rand . . . which
presumably leaves only the state law claims in the suit. Dresser-Rand
Co. v. Jones, supra.