Subject Matter Index All Decisions About Us Statutes Articles Online Resources Help


Martin Samson, author of the Internet Library of Law and Court Decisions

Recent Addition

Designer Skin LLC v. S & L Vitamins, Inc., et al.
Unauthorized internet reseller of plaintiff’s products is not guilty of trademark infringement, and does not cause actionable initial interest confusion, by using plaintiff’s trademarks in meta tags of website at which plaintiff’s and its competitors’ products are sold, and in...

Computer Fraud and Abuse Act - Internet Library of Law and Court Decisions - Updated November 27, 2008

Civ. Act. No. 07-0293 (E.D. Va., March 11, 2008)

Court holds that minors entered into valid ‘click wrap’ agreement with defendant IParadigms LLC (“IParadigms”) by clicking an “I agree” icon which appeared directly below an online Usage Agreement, and indicated their assent to be bound thereby.  Plaintiffs were high school students that were directed by the schools they attended to submit class work to defendant IParadigm’s “Turnitin” website to check for plagiarism.  As part of this submission process, plaintiffs were obligated to assent to the site’s Usage Agreement.  Because the Usage Agreement contained a limitation of liability clause precluding liability to plaintiffs as a result of their use of the Turnitin site, the Court rejected plaintiffs’ copyright infringement claims, which arose out of defendant’s storage of plaintiffs’ class work in a database used to check student homework for plagiarism.

In reaching this result, the Court rejected plaintiffs’ claims that, as minors, they were not bound by the terms of the site’s Usage Agreement.  Because they had accepted the benefits of the agreement – the ability to submit their class work for grade to their respective schools was dependent upon their use of the site – they could not escape the contractual conditions upon which such benefits were rendered.

The Court further held that plaintiffs’ copyright infringement claims failed because defendant had made a permissible fair use of their works.  In reaching this result, the Court relied on the fact that Turnitin’s use of plaintiffs’ school work was highly transformative of the original works, in that it added plaintiffs’ school work to a non-publicly available database used only to check for plagiarism by students.  The Court also rested its holding of fair use on the fact that defendant’s use did not impact the market for plaintiffs’ works, as the copies Turnitin made thereof were not available to the public, but rather maintained in a non-public database.

The Court rejected the counterclaims advanced by defendant iParadigms, including a claim for indemnification as a result of the commencement of this action.  This claim was based on a separate “Usage Policy” found on the Turnitin site.  The Court held that plaintiffs were not bound by this policy, which was not linked or otherwise referenced in the Usage Agreement to which plaintiffs were in fact bound.  There was no evidence that plaintiffs were aware of this separate “usage policy,” which was contained in a link on each page of the Turnitin site.  As a result, and because the parties’ contract stated that it constituted the full agreement between the parties, the plaintiffs’ use of the site was held not to create a valid browse wrap agreement, and the claim for indemnification, predicated on the Usage Policy, was dismissed.

The remaining counterclaims advanced by iParadigms arose out of the use of the site by one of the plaintiffs to submit class work to an institution he did not attend.  These claims for trespass to chattels, and violations of both the Computer Fraud and Abuse Act and Virginia Computer Crimes Act, failed due to the absence of the requisite damage.

2000 U.S. Dist. Lexis 17055, 121 F. Supp. 2d 1255 (N.D. Iowa, September 29, 2000)

The court denied plaintiff AOL's motion for summary judgment seeking to hold defendant liable for violations, inter alia, of the Computer Fraud and Abuse Act, the Virginia Computer Crimes Act, and common law trespass to chattels, as a result of the transmission of unsolicited bulk e-mail advertising defendant's products to AOL users. The court reached this conclusion because, based on the record before it, it could not determine whether the parties who sent the e-mail in question were defendant's agents, acting under its control, or independent contractors.

No. 04C7071 (N.D. Ill., Sept. 27, 2005)

Court holds that a principal can be held vicariously liable under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., ("CFAA") for its agent's accessing without authorization another's computer system in violation of the CFAA at the principal's direction.  The Court accordingly denies the motion of defendants Acorn Advisory Management LLC and Acorn Advisory Capital L.P. (collectively "Acorn") to dismiss claims advanced by plaintiff Charles Schwab & Co. Inc. ("Schwab"), that sought to hold Acorn liable under the CFAA for the acts of defendant Brian Carter ("Carter").  Carter, a former employee of Schwab, had allegedly downloaded without authorization confidential information and trade secrets from Schwab's computer system at the behest of Acorn, by whom he was subsequently employed.

387 F.Supp.2d 378, 04 Civ. 8875 (SCR) (S.D.N.Y. Sept. 6, 2005)

Court holds that damages arising out of the use of data obtained via unauthorized access to another's computer system are not recoverable under the Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq. ("CFAA"),  when the data remains available to plaintiffs after such access.  As a result, the Court dismisses CFAA claims advanced by plaintiffs arising out of the alleged use of information obtained by unauthorized access to plaintiffs' confidential database by former employees to aid their new employer, one of plaintiffs' competitors.

154 F. Supp.2d 497, 00 Civ. 0641 (S.D.N.Y., March 28, 2001)

Court dismisses claims advanced by the plaintiff class under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Wiretap Act arising out of Doubleclick's use and placement of "cookies" on plaintiffs' computers. Doubleclick uses such "cookies" to gather information about the users' use of Doubleclick client web sites. Because Doubleclick's clients consented to such information gathering, the court held that Doubleclick's activities did not run afoul of either the Electronic Communications Privacy Act or the Wiretap Act. The court also dismissed the claims plaintiffs advanced under the Computer Fraud and Abuse Act because any damages caused by Doubleclick's activities did not meet the threshold required by the Computer Fraud and Abuse Act. Finally, the court, having dismissed all of plaintiffs' federal claims, declined to retain jurisdiction over plaintiffs' state law claims, and dismissed the action.

318 F.3d 58 (1st Cir., January 28, 2003)

First Circuit holds that prohibitions found in a website's Terms of Use can be used to establish that a visitor to that site exceeded his authorized use thereof for the purposes of establishing a violation of the Computer Fraud and Abuse Act ("CFAA").  While prohibitions on authorized usage can also be established by reliance on such things as password protected access, the First Circuit rejected the notion that courts should look to the "reasonable expectations" of the parties to determine if a particular usage was in fact authorized.  The court affirmed a preliminary injunction enjoining defendant Zefer Corporation ("Zefer") from utilizing a "scrapper" tool it designed to obtain pricing information from plaintiff's website on the ground that Zefer was doing so to assist defendant Explorica, Inc. ("Explorica"), which was itself enjoined from such activity by virtue of its improper use of confidential information obtained from plaintiff to aid it in gathering this information.

207 F. Supp.2d 914 (W.D. Wis., March 28, 2002)

Court allows plaintiff to proceed with claims advanced against his employer and various fellow employees under the Electronic Communications Privacy Act, the Electronic Communications Storage Act, and Wisconsin's right to privacy statute, Wis. Stat. Section 895.50, as well as a common law defamation claim, arising out of defendants' interception of a telephone call plaintiff placed from his place of employ, and defendants' review of e-mails contained in a personal e-mail account plaintiff maintained with Hot Mail, which account plaintiff accessed from his work place.  There were sharply differing versions of the content of these various communications.  Defendants alleged that during the telephone call, the participants, while masturbating, graphically described homosexual activity between two males.  Plaintiff denied this.  Defendants also alleged that e-mails read from plaintiff's email account evidenced that plaintiff was involved in homosexual activity.  Plaintiff denied that these e-mails had been sent to him.

Defendants' version of the telephone conversation was related to various third parties, which resulted in the termination of plaintiff's employment.  This lawsuit ensued.  The court determined that plaintiff should be permitted to proceed with various claims he asserted. 

The court refused to dismiss plaintiff's claim, advanced under Wisconsin's right of privacy law, section 895.50, arising out of the review of e-mail from plaintiff's personal Hot Mail account.  The court held that issues of fact existed as to whether the review of such e-mail would be highly offensive to a reasonable person, and as to whether a reasonable person could consider such an account to be private, which precluded a grant of summary judgment to defendants.  The court also refused to dismiss the claim plaintiff brought under the Electronic Communications Storage Act arising out of the review of these e-mails.  If such a review took place (as opposed to defendants' having fabricated the e-mails) it would run afoul of the Stored Communications Act.  The court did dismiss the claims plaintiff raised under the Computer Fraud and Abuse Act, holding that plaintiff had not alleged economic damages arising from the review of these e-mails sufficient to state a claim under the Act.

The court also refused to dismiss the claims plaintiff advanced under the Electronic Communications Privacy Act and Wisconsin Privacy Act arising out of the interception of the telephone call described above.  The court refused to dismiss plaintiff's ECPA claim because, depending on what actually occurred, the defendants should have stopped listening to the telephone call when they discovered it was personal in nature.  The court refused to dismiss plaintiff's privacy act claims because plaintiff may have had a reasonable expectation of privacy in the telephone call if his claim that he made the call from a place his employer designated for private personal calls was true.

Lastly, the court refused to dismiss plaintiff's defamation claim, finding that issues of fact precluded it from determining whether defendants' communication of their version of the telephone call to third parties was protected by the common interest privilege possessed by members of religious associations as to communications pertaining to the qualifications of those who work for the organization.  Such privilege may have been lost, given plaintiff's claim that the defendants were lying about what took place during the telephone call.

Civil Act. No. 05-1979 (W.D. La., August 6, 2007)

Court holds that under the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. section 1030, the costs incurred by the owner of a computer system in retaining consultants to conduct forensic investigations of the use by defendants of the computer system, and the harm such use may have caused, constitute a “loss” within the meaning of the statute, which can be used to meet the CFAA’s $5000 jurisdictional threshold. 

The Court further held that, under the CFAA, once the Act’s jurisdictional threshold has been met, the plaintiff can recover “compensatory damages” caused by the defendant’s violation of the Act.  Such “compensatory damages” include lost profits and revenue caused by the defendants’ use of data improperly obtained in violation of the CFAA.  Importantly, the court held that such lost profits can be recovered even in the absence of an interruption in service caused by defendants’ conduct.

C98-20064 (N.D. Ca., April 20, 1998)

Court enjoined defendants both from sending spam which falsely stated it came from plaintiff's e-mail service, and from using Hotmail accounts as mailboxes for "spam" reply. Court held that such conduct violated plaintiff's Term's of Service, which prohibited the use of Hotmail accounts to facilitate the transmission of spam. To use plaintiff's service defendants, after being afforded the opportunity to view the Terms of Service, clicked on a box indicating their assent to be bound thereby. As such, the Court's holding reflects its willingness to uphold the validity of a click-wrap agreement between the parties. The Court also held that defendants' conduct constituted trademark infringement and dilution, as well as trespass to chattels and a violation of the Computer Fraud and Abuse Act.

Civ. Act. No. 1:00-CV-434-TWT (N.D. Ga. November 6, 2000)

Court holds that plaintiff's act of conducting an unauthorized port scan and throughput test of defendant's servers does not constitute a violation of either the Georgia Computer Systems Protection Act or the Computer Fraud and Abuse Act. The court further holds that various derogatory statements the parties made about each other do not support actions for defamation, tortious interference with contractual relations, or commercial defamation under the Lanham Act.

Civ. Act. No. 00-11672-JLT (D. Mass., August 13, 2002)

Court grants defendants' motion for summary judgment, and dismisses plaintiffs' claims under the Electronic Communications Privacy Act ("ECPA") and the Computer Fraud and Abuse Act ("CFAA") arising out defendant Pharmatrak's monitoring of plaintiffs' activities on the web sites of various pharmaceutical companies.  With the authorization of these pharmaceutical companies, who were also named as defendants in this litigation, defendant Pharmatrak placed software on their web sites which enabled Pharmatrak to gather information submitted by the plaintiffs to, and to track their activities at, these sites.  Pharmatrak's software also enabled Pharmatrak to gather information both about the web site plaintiffs visited immediately prior to their visit to defendants' sites, as well as the search plaintiffs conducted to get to defendants' sites.  According to plaintiffs, the information Pharmatrak gathered included personally identifiable information, although there was no evidence that Pharmatrak disseminated anything other than aggregated non-personally identifiable information to third parties.

The Court held that defendants did not violate Title I of the ECPA, the Wire Tap Act, because they qualified for the protection of Section 2511(2)(d) of the ECPA, which permits interception of a communication when it is authorized by one of the participants in the communication, provided the interception is not undertaken for a tortuous or criminal purpose.  Defendants were permitted to intercept the communications at issue because (a) the pharmaceutical defendants which participated in them had authorized such interception, and (b) there was no evidence that such interception was done for an improper purpose.

The Court dismissed plaintiffs' claims under Title II of the ECPA, the Stored Communications Act, both because the devices defendants accessed, plaintiffs' PCs, were not protected "facilities" under the Stored Communications Act, and because the pharmaceutical defendants consented to accessing the communications at issue.

Lastly, the Court dismissed the claims plaintiffs raised under the Computer Fraud and Abuse Act, because plaintiffs did not sustain damages sufficient to meet the damage threshold requirements of that statute.

126 F. Supp. 2d 238 (S.D.N.Y., December 12, 2000) (Jones, J.) aff'd. 356 F.3d 393 (2d Cir. 2004)

Court issues a preliminary injunction enjoining Verio, Inc. from either utilizing a search robot to obtain information from's Whois database, or utilizing information derived from that database for mass unsolicited advertising by telephone, direct mail or electronic mail. Court holds that Verio's actions will likely constitute a breach of plaintiff's Terms of Use, as well as a violation of both the Computer Fraud and Abuse Act and the Lanham Act and a trespass to chattels. In reaching this conclusion, the court holds that's Terms of Use are likely to create a contract between and the users of its Whois database, notwithstanding the fact that these users are not required to click an "I Agree" button indicating their agreement to be so bound.

Civ. Act. No. 3:06-CV-0891-B (N.D. Texas, September 12, 2007)

Finding defendant Boardfirst violated the terms of a browsewrap agreement entered into by its use of plaintiff Southwest Airlines’ website, the Court issued a permanent injunction, enjoining Boardfirst from accessing Southwest Airlines’ website on behalf of its customers to obtain boarding passes.  Southwest Airlines’ passengers engaged Boardfirst to obtain such boarding passes in the hopes of getting better seat assignments on Southwest Airlines flights.  Southwest Airlines has no assigned seating.  Those passengers who are the first to seek boarding passes within the designated time period are awarded “A” boarding passes, which, in turn, allow them to board the plane, and select their seat, first.  In reaching this result, the Court held that Boardfirst had the requisite knowledge that its use of plaintiff’s site would form a valid browsewrap contract by virtue, inter alia, of its receipt of cease and desist letters from Southwest Airlines apprising it of that fact.

The Court denied so much of Southwest Airline’s motion for summary judgment which sought to hold Boardfirst liable for violating of the Computer Fraud and Abuse Act, 18 U.S.C. Section 1030.  The Court held that issues of fact as to whether Southwest Airlines sustained the injury needed to sustain such a claim precluded an award of summary judgment.  The Court further held that it could not, at this time, determine whether Boardfirst accessed Southwest Airline’s site “without authorization” or in excess of authorization, an additional prerequisite to a CFAA claim.

Finally, the Court found that Boardfirst’s conduct violated Section 33.02 of the Texas Penal code, which makes it an offense to “knowingly access a computer network, or computer system without the effective consent of the owner.”  The Court reserved for trial the issue of whether such violation caused Southwest Airlines recoverable damages.

488 F.Supp.2d 991, 2007 WL 214595 (E.D. Ca., January 25, 2007)

Court allows the operator of a subscription-based website to proceed with copyright infringement and other claims arising out of the allegedly unauthorized access by the defendants of copyrighted materials contained on plaintiff's site.  These materials consist of pharmacist prepared monographs describing the results and/or effects of various drug treatments.  The complaint alleged that defendants NBTY, Rexall Sundown and Le Naturiste improperly used passwords obtained from plaintiff to allow more users to access plaintiff's site than permitted by applicable license agreements, thereby depriving plaintiff of appropriate license fees.  The court denied in its entirety defendants' motion to dismiss plaintiff's claims that such conduct constituted copyright infringement, violations of the Computer Fraud and Abuse Act ("CFAA"), the Electronic Communications Privacy Act and California Penal code section 502, as well as common law trespass and misappropriation of trade secrets. 

The Court held that plaintiff had adequately plead a copyright infringement claim by alleging that the defendants had accessed the monographs on its website without its permission, and had cut and pasted portions thereof into emails that were transmitted to others.

The Court further held that plaintiff had alleged damages sufficient to support its CFAA claim by alleging that it lost revenue as a result of defendants' unauthorized use of its site in excess of their license rights.

Finally, the Court held that the passwords necessary to access plaintiff's site were trade secrets entitled to protection under the Uniform Trade Secrets Protection Act.

Quick Hits

Heath Cohen v. Gulfstream Training Academy, Inc. and Gulfstream International Airlines, Inc.
Case No. 07-60331-Civ-Cohn/Seltzer (S.D. Fla., April 9, 2008)

Court grants so much of plaintiff employee’s motion for summary judgment which sought dismissal of claims brought by his former employer under the Computer Fraud and Abuse Act (“CFAA”) arising out of plaintiff’s alleged use of company information, copied from a company computer, to solicit company customers and compete with his former employer.  The Court held that the lost profits defendant allegedly sustained as a result of such competition were not recoverable under the CFAA.  Rather, the CFAA only permits recovery of losses caused by an interruption of service, or damage sustained by ‘any impairment to the integrity or availability of data, a program, a system or information.’  Because defendant Gulfstream Training Academy did not establish that the information plaintiff copied and deleted from its laptop were unavailable to it, it could not pursue a claim for lost profits resulting from plaintiff’s use of this data in competition with defendant, as such lost profits did not constitute either a ‘loss’ or ‘damage’ recoverable under the CFAA.  Said the Court:

Upon a review of the statutory language and the competing case law, the Court concludes that while the issue is a close one, the more appropriate reading of the statutory language is that any ‘loss’ must be related to interruption of service.  In this case, the fact that Plaintiff copied files and allegedly stole clients from GTA did not cause an interruption of service as contemplated by the CFAA.  Rather, the CFAA statutory language evidences an intent to allow recovery for reasonable costs caused by interruptions in service or damage to a computer.  GTA would need to prove that the customer files were unavailable to GTA due to Plaintiff’s actions in exceeding his authority to access the computer.  There is no evidence to support such a theory.  Simply copying the files and then contacting customers in those files to take their business is not causing a loss because of interruption of service.  Similarly, GTA has not shown that Plaintiff’s deletion of any information, which could be construed as ‘damage’ under the CFAA, resulted in at least $5000 worth of damage.  Rather, it appears that the only allegations of damages are the lost business profits.

The Court recognized that other courts had reached differing conclusions on this issue, including Resdev LLC v. Lot Builders Ass’n, Inc., 2005 WL 1924743 (M.D. Fla. 2005), Nexans Wire S.A. v. Sark-USA Inc., 319 F.Supp.2d 468 (S.D.N.Y.) aff’d 166 Fed Appx. 559 (2d Cir. 2006) and Cenveo Corp v Celum Solutions Software, 504 F. Supp. 2d 574 (D. Minn. 2007) which reached conclusions similar to those reached by the Court, and Frees Inc. v. McMillian, 2007 WL 2264457 (W.D. La. 2007) which held that, once a plaintiff had met the jurisdictional damage thresholds imposed by the CFAA, it provisions permitted recovery of any compensatory damages sustained by the Act’s violation, limited only by the requirement that they be ‘economic damages.’

Download PDF of Court Decision

Creative Computing d/b/a Internet v. LLC, et al.
386 F.3d 930 (9th Cir., 2004)

Ninth Circuit holds that plaintiff can recover damages for loss business and business goodwill arising out of defendant’s misuse of proprietary source code and customer lists improperly obtained in violation of the Computer Fraud and Abuse Act.  Such damages were held recoverable notwithstanding the absence of an interruption of service caused by defendant’s misconduct.  Said the Court:

Both the old and new versions of the statute limit damages for loss aggregating at least $5000 in a year to ‘economic damages.’  Getloaded objects to paying damages for loss of business and business goodwill.  The objection is without force, because those are economic damages.

As a result, the Ninth Circuit affirmed the lower court’s determination, after trial, which awarded plaintiff $150,000 for each of three violations by defendant of the Computer Fraud and Abuse Act. 

In affirming the District Court’s decision, the Ninth Circuit further held that the $5000 damage threshold of the CFAA does not require the plaintiff to prove it sustained $5000 in damages as a result of a single act of unauthorized access.  Rather, held the Court:  “neither version of the statute supports a construction that would require proof of $5000 of damage or loss from a single unauthorized access.  The syntax makes it clear that in both versions [of the CFAA], the $5000 floor applies to how much damage or loss there is to the victim over a one-year period, not from a particular intrusion.  …  The damage floor in the Computer Fraud and Abuse Act contains no single act requirement.”  

This action arose out of a competitior’s use of source code improperly obtained by accessing plaintiff’s site through another password, and ‘hacking’ into the site and its code.  The competitor also hired a former employee of plaintiff, who improperly supplied it with plaintiff’s customer lists.  The parties’ respective websites are used by truckers to ascertain loads available for transport in a given area, so as to permit the trucker to prevent ‘dead heading’ and allow them, instead, to travel both to and from a location fully loaded with cargo.  In addition to an award of $450,000 under the CFAA, the Court also awarded plaintiff $60,000 for violation of the Idaho Trade Secrets Act, $342,787,35 in attorneys fees and expenses, and $120,000 in exemplary damages as a result of defendants’ improper acts, including its violation of injunctions designed to prevent the destruction of evidence.

Download PDF of Court Decision

Nexans Wires S.A. and Lacroix & Kress GMBH v. Sark-USA Inc., et al.
No. 05-3820-cv (2d. Cir., February 13, 2006)

Court holds that lost profits caused by alleged misuse of proprietary data improperly obtained in violation of the Computer Fraud and Abuse Act are not recoverable as damages in claims asserted thereunder in the absence of an interruption in service caused by defendants’ alleged misconduct.  As a result, the Second Circuit affirmed the District Court’s grant of summary judgment to the defendants, dismissing plaintiff’s Computer Fraud and Abuse Act claim.  These claims alleged that defendants improperly obtained plaintiff’s proprietary data, which they used in aid of a competitor to plaintiff’s injury.  “As the district court correctly recognized, the plain language of the statute treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an ‘interruption in service.’  …  Because it is undisputed that no interruption of service occurred in this case, L & K’s asserted loss of $10 million is not a cognizable loss under the CFAA.”

Download PDF of Court Decision

Disclaimer  |  Attorney Advertising
© Copyright 1997-2024 Martin H. Samson All Rights Reserved
Printer Friendly