Transmission Claims Under the Computer Fraud and Abuse Act

There is disagreement among courts on whether the mere unauthorized copying, downloading or e-mailing of proprietary information is sufficient to allege impairment of the integrity of data or a network. Some courts construe the term narrowly, and limit “damage” to those circumstances where there is “some diminution in the completeness or usability of data or information on a computer system.” See, e.g., Garelli Wong & Assocs, Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008) (CFAA liability does not arise merely by copying data). Courts advocating a broader interpretation have held that copying or sending confidential information constitutes damage because it causes irreparable harm to the integrity of the computer system or database. See, e.g., Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000) (allegations of infiltrating a computer network and gathering and disseminating confidential information impaired the integrity of data even though no data were physically changed or erased).

The Success of a Claim

The success of a CFAA transmission claim turns on whether a plaintiff adequately states allegations of damage and intent. Computers, networks, and even smartphones and other modern wireless devices have finite resources in terms of internal memory, bandwidth and storage capacity to handle a certain amount of incoming data. For example, courts have found that when a large volume of unsolicited spam causes slowdowns or diminishes the capacity of an ISP or computer network to serve users, an “impairment” has occurred. However, courts typically require proof of more than simply an incremental impact to a computer network or device from a few unwanted transmissions. Rather, courts generally require an unwanted intrusion that, in the aggregate, overwhelms a device's or network's capacity and results in a delay or interruption of service. Beyond the requirement of damage, a plaintiff must also show that the defendant's culpable conduct was intended to cause the impairment of service, alleging facts that plausibly support a theory that the defendant knew that its unwanted transmissions would cause damage to the plaintiff's systems or devices by pushing them past their operational limits and disrupting service.

In determining the sufficiency of the pleadings, some courts have rejected transmission claims as vague and fanciful. For example, in Czech v. Wall Street on Demand, Inc., 674 F. Supp. 2d 1102 (D. Minn. 2009), the plaintiff commenced a putative action against the defendant alleging that unwanted text messages from the defendant consumed limited resources on her mobile phone, thereby constituting “damage” under the CFAA. The court ruled that the damage allegations were conclusory and dismissed the complaint. It found that absent an allegation of interruption of telephone or messaging services, the receipt of an unwanted text message, even if such a transmission were to consume limited electronic resources, did not constitute damage under the CFAA. The court commented that such a theory would necessarily extend “damage” to include the receipt of even wanted messages (which conceivably consume the same amount of a phone's capacity). According to the court, damage under the CFAA does not occur simply by “any use or consumption of a device's limited resources,” but rather damage must arise from an impairment of performance “that occurs when the cumulative impact of all calls or messages at any given time exceeds the device's finite capacity so as to result in a slowdown, if not an outright 'shutdown,' of service.” Id. at 1117.

In another case, the court also found a plaintiff's CFAA transmission claim deficient. In Condux Int'l, Inc. v. Haugum, 2008 WL 5244818 (D. Minn. Dec. 15, 2008), the defendant allegedly misappropriated customer lists and other confidential business information for a competing venture and the plaintiff-former employer brought, among other causes of action, a CFAA transmission claim, based upon the defendant's attempt to delete evidence of his download of proprietary information from the plaintiff's computer system. The court dismissed the plaintiff's transmission claims, because the misappropriation of trade secrets from a database, by itself, is insufficient to allege impairment to the integrity or availability of data or a system, as required under the statute. The court found no diminishment in the “completeness or useability” of the plaintiff's data, and while the defendant's alleged activities may well have compromised the secrecy of the proprietary information, “the plain language of the statute requires some alteration of or diminution to the integrity, stability, or accessibility of the computer data itself.” Id. at *8. Notably, the court stated, in dicta, that an allegation that the defendant deleted computer data would “perhaps be sufficient” to constitute damage under the CFAA, but the plaintiff-employer advanced no claims of actual deletion of data.

However, courts have permitted CFAA transmission claims to go forward in the civil and criminal context when the plaintiff has made an adequate showing of damage or impairment to a computer network. Examining allegations of a network “slowdown,” the Sixth Circuit allowed a CFAA transmission claim to go forward related to impairment to a communication network. In Pulte Homes Inc. v. Laborers Int'l Union of North America, 648 F.3d 295 (6th Cir. 2011), a company suffered impairment to business operations due to the defendant's campaign to bombard the company with thousands of e-mails and voicemails. The appeals court reversed the lower court's dismissal of the plaintiff's CFAA transmission claim, finding that the e-mail campaign may have caused “damage” under the statute and that the defendant acted with a conscious purpose to impair the plaintiff's computer systems. The court pointed to the allegations in the complaint, which claimed that the barrage of transmissions to the plaintiff's network diminished its ability to use its systems and data and prevented the plaintiff from receiving calls and accessing or sending some e-mails. See also, Becker v. Toca, 2008 WL 4443050, at *5 (E.D. La. Sept. 26, 2008) (“Error messages and slow processing constitute impairments to the integrity or availability of data.”). Moreover, the court found the complaint sufficiently alleged that the defendant acted with a conscious purpose of causing damage to the plaintiff's computer system, given the defendant's rhetoric of “fighting back” against the plaintiff's labor practices, which hinted that a slowdown of the plaintiff's systems was at least one of its objectives.

Similarly, a New Jersey district court, in Kalow & Springnut, LLP v. Commence Corp., 2009 WL 44748 (D.N.J. Jan. 6, 2009) (unpublished), allowed a plaintiff to proceed with CFAA transmission claims against a software maker that allegedly distributed billing and calendaring software with malicious code containing a “time bomb” that caused the software to cease functioning after a certain time. The court found that the plaintiff had sufficiently pled its claim that the defendant intended to transmit defective software code capable of causing damage to a computer system. The court looked to allegations that since the plaintiff had not altered its computer systems, the defendant's software, which does not “wear out or fail like a mechanical device,” would not have stopped operating but for an intentional use of a “time-bomb.” See also, United States v. Carlson, 209 Fed.Appx. 181 (3d Cir. 2006) (CFAA transmission conviction upheld where the defendant admitted to engineering a mass e-mailing method that flooded an inbox with unwanted e-mails and impaired the user's ability to access “good” e-mails; as to intent, the court pointed to the defendant's level of technical savvy, combined with his actions, to conclude that the defendant intended the consequences of his actions).

Richard Raysman is a partner at Holland & Knight LLP. He is a co-author of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press) (http://bit.ly/GCg8hQ).

The Computer Fraud and Abuse Act (“CFAA”) prohibits a number of different computer crimes, the majority of which involve accessing computers “without authorization” or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to destroying computer data. See, 18 U.S.C. '1030(a)(1)-(7) (http://bit.ly/Jz0c3n). Although principally a criminal statute, the CFAA provides for a private civil right of action, allowing for awards of damages and injunctive relief in favor of any person who suffers a loss due to a violation of the Act. See, 18 U.S.C. '1030(g). Given the allure of robust remedies in federal court, companies routinely plead CFAA unauthorized access claims ' in addition to state law causes of action for misappropriation and breach of contract ' against former employees who seek a competitive edge through the use of information misappropriated from their former employer's computer network.

Beyond CFAA “authorization” claims, parties have also sought to use the CFAA in cases involving unauthorized “transmissions” of information that cause damage. To state a transmission claim, a plaintiff must allege that the defendant “knowingly cause[d] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause[d] damage without authorization, to a protected computer.” 18 U.S.C. '1030(a)(5)(A). Unlike other subsections of the statute which prohibit unauthorized access, a CFAA transmission claim is predicated on the defendant intentionally causing unauthorized damage. The CFAA defines the term “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 U.S.C. '1030(e)(8).

Defining 'Impairment'

There is disagreement among courts on whether the mere unauthorized copying, downloading or e-mailing of proprietary information is sufficient to allege impairment of the integrity of data or a network. Some courts construe the term narrowly, and limit “damage” to those circumstances where there is “some diminution in the completeness or usability of data or information on a computer system.” See , e.g. , Garelli Wong & Assocs, Inc. v. Nichols , 551 F. Supp. 2d 704 (N.D. Ill. 2008) (CFAA liability does not arise merely by copying data). Courts advocating a broader interpretation have held that copying or sending confidential information constitutes damage because it causes irreparable harm to the integrity of the computer system or database. See, e.g. , Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc. , 119 F. Supp. 2d 1121 (W.D. Wash. 2000) (allegations of infiltrating a computer network and gathering and disseminating confidential information impaired the integrity of data even though no data were physically changed or erased).

The Success of a Claim

The success of a CFAA transmission claim turns on whether a plaintiff adequately states allegations of damage and intent. Computers, networks, and even smartphones and other modern wireless devices have finite resources in terms of internal memory, bandwidth and storage capacity to handle a certain amount of incoming data. For example, courts have found that when a large volume of unsolicited spam causes slowdowns or diminishes the capacity of an ISP or computer network to serve users, an “impairment” has occurred. However, courts typically require proof of more than simply an incremental impact to a computer network or device from a few unwanted transmissions. Rather, courts generally require an unwanted intrusion that, in the aggregate, overwhelms a device's or network's capacity and results in a delay or interruption of service. Beyond the requirement of damage, a plaintiff must also show that the defendant's culpable conduct was intended to cause the impairment of service, alleging facts that plausibly support a theory that the defendant knew that its unwanted transmissions would cause damage to the plaintiff's systems or devices by pushing them past their operational limits and disrupting service.

In determining the sufficiency of the pleadings, some courts have rejected transmission claims as vague and fanciful. For example, in Czech v. Wall Street on Demand, Inc. , 674 F. Supp. 2d 1102 (D. Minn. 2009), the plaintiff commenced a putative action against the defendant alleging that unwanted text messages from the defendant consumed limited resources on her mobile phone, thereby constituting “damage” under the CFAA. The court ruled that the damage allegations were conclusory and dismissed the complaint. It found that absent an allegation of interruption of telephone or messaging services, the receipt of an unwanted text message, even if such a transmission were to consume limited electronic resources, did not constitute damage under the CFAA. The court commented that such a theory would necessarily extend “damage” to include the receipt of even wanted messages (which conceivably consume the same amount of a phone's capacity). According to the court, damage under the CFAA does not occur simply by “any use or consumption of a device's limited resources,” but rather damage must arise from an impairment of performance “that occurs when the cumulative impact of all calls or messages at any given time exceeds the device's finite capacity so as to result in a slowdown, if not an outright 'shutdown,' of service.” Id. at 1117.

In another case, the court also found a plaintiff's CFAA transmission claim deficient. In Condux Int'l, Inc. v. Haugum, 2008 WL 5244818 (D. Minn. Dec. 15, 2008), the defendant allegedly misappropriated customer lists and other confidential business information for a competing venture and the plaintiff-former employer brought, among other causes of action, a CFAA transmission claim, based upon the defendant's attempt to delete evidence of his download of proprietary information from the plaintiff's computer system. The court dismissed the plaintiff's transmission claims, because the misappropriation of trade secrets from a database, by itself, is insufficient to allege impairment to the integrity or availability of data or a system, as required under the statute. The court found no diminishment in the “completeness or useability” of the plaintiff's data, and while the defendant's alleged activities may well have compromised the secrecy of the proprietary information, “the plain language of the statute requires some alteration of or diminution to the integrity, stability, or accessibility of the computer data itself.” Id. at *8. Notably, the court stated, in dicta, that an allegation that the defendant deleted computer data would “perhaps be sufficient” to constitute damage under the CFAA, but the plaintiff-employer advanced no claims of actual deletion of data.

However, courts have permitted CFAA transmission claims to go forward in the civil and criminal context when the plaintiff has made an adequate showing of damage or impairment to a computer network. Examining allegations of a network “slowdown,” the Sixth Circuit allowed a CFAA transmission claim to go forward related to impairment to a communication network. In Pulte Homes Inc. v. Laborers Int'l Union of North America , 648 F.3d 295 (6th Cir. 2011), a company suffered impairment to business operations due to the defendant's campaign to bombard the company with thousands of e-mails and voicemails. The appeals court reversed the lower court's dismissal of the plaintiff's CFAA transmission claim, finding that the e-mail campaign may have caused “damage” under the statute and that the defendant acted with a conscious purpose to impair the plaintiff's computer systems. The court pointed to the allegations in the complaint, which claimed that the barrage of transmissions to the plaintiff's network diminished its ability to use its systems and data and prevented the plaintiff from receiving calls and accessing or sending some e-mails. See also, Becker v. Toca, 2008 WL 4443050, at *5 (E.D. La. Sept. 26, 2008) (“Error messages and slow processing constitute impairments to the integrity or availability of data.”). Moreover, the court found the complaint sufficiently alleged that the defendant acted with a conscious purpose of causing damage to the plaintiff's computer system, given the defendant's rhetoric of “fighting back” against the plaintiff's labor practices, which hinted that a slowdown of the plaintiff's systems was at least one of its objectives.

Similarly, a New Jersey district court, in Kalow & Springnut, LLP v. Commence Corp., 2009 WL 44748 (D.N.J. Jan. 6, 2009) (unpublished), allowed a plaintiff to proceed with CFAA transmission claims against a software maker that allegedly distributed billing and calendaring software with malicious code containing a “time bomb” that caused the software to cease functioning after a certain time. The court found that the plaintiff had sufficiently pled its claim that the defendant intended to transmit defective software code capable of causing damage to a computer system. The court looked to allegations that since the plaintiff had not altered its computer systems, the defendant's software, which does not “wear out or fail like a mechanical device,” would not have stopped operating but for an intentional use of a “time-bomb.” See also , United States v. Carlson , 209 Fed.Appx. 181 (3d Cir. 2006) (CFAA transmission conviction upheld where the defendant admitted to engineering a mass e-mailing method that flooded an inbox with unwanted e-mails and impaired the user's ability to access “good” e-mails; as to intent, the court pointed to the defendant's level of technical savvy, combined with his actions, to conclude that the defendant intended the consequences of his actions).

Richard Raysman is a partner at Holland & Knight LLP. He is a co-author of “Computer Law: Drafting and Negotiating Forms and Agreements” (Law Journal Press) (http://bit.ly/GCg8hQ).