Greenbaum, Rowe, Smith & Davis LLP
In This Issue:
- Dispute Resolution Symposium Focuses on Improving Business Performance By Managing Disputes »
- Implementing Work Life Policies While Avoiding Legal Pitfalls »
- The Legislature Expands Employer Liability Under CEPA »
- Supreme Court Expands Warranty Protection to Lessees »
- Raymond M. Brown Joins GRS&D as Chair, White Collar Defense & Corporate Compliance Practice Group »
- David A. Roth Joins GRS&D as Chair, Environmental Practice Group »
- Court of Appeals for the Third Circuit Holds that Computer Fraud and Abuse Act Provides for Civil Remedies »
- BUSINESS FOR BREAKFAST SEMINAR - A Continuing Seminar Series »
- Digging Deeper: What You Need to Know About the Recently Expanded Grantee Fee (Mansion Tax) and the New Transferee Tax »
- The Employee’s Common Law Duty of Loyalty — Combatting the Faithless Employee »
- 30 GRS&D Attorneys Honored by Legal Directories »
- Highlights »
Court of Appeals for the Third Circuit Holds that Computer Fraud and Abuse Act Provides for Civil Remedies
by Olivier Salvagno, Esq
A. Introduction
In November 2005, the United States Court of Appeals for the Third Circuit rendered a decision in P.C. Yonkers, Inc. v. Celebrations! The Party and Seasonal Superstore, LLC, 428 F.3d 504 (3d Cir. Nov. 7, 2005). The decision was the Third Circuit’s first pronouncement regarding the civil remedies available under the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §1030. The Yonkers decision is of significance because it provides employers with another tool to obtain relief against employees and former employees who engage in the unauthorized access of computerized information.
B. The CFAA
The CFAA is a criminal statute, which criminalizes and penalizes unauthorized access to computers. There are seven different types of conduct punishable by fines or imprisonment set forth in 18 U.S.C. §1030(a), including obtaining information by intentional access of a computer without authorization or by exceeding authorized access.
The CFAA was enacted in 1984 and was significantly amended in 1994. The statute was initially employed as a method for prosecution of computer hackers. However, the statute has over the years been consistently expanded, both by amendment and by court decisions. Employers have begun asserting civil claims under the CFAA against former employees (and their new companies) based upon the wrongful obtaining of information through the employer’s computer system.
C. The Decision
In P.C. Yonkers, plaintiffs were 17 franchisees of Party City Corporation, a retail store that sells discount party goods and related products, and Party City Management Co., Inc., which manages the operations of the franchise locations. The defendants were two longtime Party City Corporation employees, who left the company in late 2003. In 2004, these defendants formed Celebrations! The Party and Seasonal Superstore, LLC (“Celebrations”), also a defendant in the case, and opened two retail stores in New York and New Jersey, in the vicinity of two existing Party City stores.
Plaintiffs claimed that the defendants had accessed plaintiffs’ computer system without authorization 125 times, and had wrongfully used the information obtained from the incursions to compete with Party City, including using the information to decide where to locate their stores and where to focus marketing efforts, in order to allegedly obtain an unfair competitive advantage. Party City sought a preliminary injunction prohibiting Celebrations from operating their stores and from using plaintiffs’ trade secrets and confidential and proprietary information, and ordering the return of such information.
After limited discovery, a Judge of the U. S. District Court for the District of New Jersey expressed doubt that the CFAA provided for a civil remedy. However, the Judge determined that even if a civil remedy were available under the statute, plaintiffs had failed to demonstrate that anything was actually taken from the plaintiffs’ computer system by the defendants, and had failed to even demonstrate that the incursions were inappropriate or outside of the scope of a legitimate work purpose. Accordingly, the District Court denied injunctive relief under the CFAA, and an appeal followed.
On appeal, the Court of Appeals for the Third Circuit affirmed the denial of a preliminary injunction, on the basis that there was “absolutely no evidence as to what, if any, information was actually viewed, let alone taken,” and that without such a showing, the elements of the CFAA claim brought by the plaintiffs could not succeed. The Court held that absent such evidence, the inference is that the defendants opened their new stores by employing the expertise they had gained through years of experience in the party goods business, unassisted by information accessed through the plaintiffs’ computer system.
After so ruling, however, the Court of Appeals took the opportunity to clarify the scope of relief available under the CFAA. The Court held that although the District Court had found it difficult to infer a civil application of the statute, the plain language of the statute militates in favor of the availability of a civil remedy. Subsection (g) of the statute states, in part, as follows:
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves one of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within two years of the date of the act complained of or the date of the discovery of the damage. 18 U.S.C. §1030(g). The Court held that although the CFAA is principally a criminal statute, civil actions are permitted pursuant to the language of §1030(g). Such civil actions may include claims for injunctive relief as well as for compensatory damages.
D. Significance of the Decision
Through its holding that a civil claim may be asserted under the CFAA, the Third Circuit Court of Appeals has provided employers with a new tool to use against employees and former employees who access a computer without authorization. In such circumstances, employers have traditionally asserted common law causes of action, including breach of fiduciary duty, unfair competition, misappropriation of trade secrets and confidential information, and conversion of property. P.C. Yonkers has now provided to employers the ability to obtain federal court jurisdiction and to assert a claim under the CFAA in connection with such alleged activity by employees or former employees.
Significantly, the ability of employers to use the CFAA in connection with such claims may actually increase the likelihood of success in lawsuits against employees or former employees, because a claim under the CFAA may be easier to establish than the traditional common law claims. For example, unlike some of the common law claims, there is nothing in the CFAA that requires a demonstration by the employer that the information improperly accessed by the employee is confidential or proprietary. Accordingly, the CFAA authorizes injunctive relief and permits employers to seek compensatory damages regardless of whether the information accessed is confidential or proprietary.
The P.C. Yonkers decision thus provides another option for employers seeking to obtain relief against employees or former employees who wrongfully access computerized information, and provides the benefit of a lower standard of proof in such claims, as well as the option of bringing such actions in federal court.