[BreachExchange] Arming Employers Against Internal Hackers, the 11th Circuit Clarifies CFAA’s “Loss” Requirement

Audrey McNeil audrey at riskbasedsecurity.com
Wed Feb 1 19:54:47 EST 2017


http://www.jdsupra.com/legalnews/arming-employers-against-internal-14305/

The Eleventh Circuit ruled last week in a wrongful discharge case turned
Computer Fraud and Abuse Act (“CFAA”) case, turning the employee’s case
against his employer on its head. The facts of Brown Jordan International,
Inc. v. Carmicle stemmed from the employment of Christopher Carmicle by
Brown Jordan, a furniture manufacturer. Carmicle was an executive at Brown
Jordan, but his relationship with the company deteriorated with the hiring
of a new CEO, Gene Moriarty. Moriarty had doubts about Carmicle based on
excessive entertainment expenses, and Carmicle, in turn, had doubts about
Moriarty’s trust in him.

In the year prior to Carmicle’s termination, Brown Jordan switched to a new
email service. This switch (and the corresponding provision of a generic
password—Password1—to all employees) was what Carmicle used to investigate
his suspicions of Moriarty and others. Over the course of several months,
Carmicle repeatedly hacked into the accounts of Brown Jordan employees,
including his superiors, and took hundreds of screenshots on his personal
iPad.

Carmicle eventually wrote a letter to the company’s Board of Directors,
accusing Moriarty and others of illegal activities. The Board of Directors
hired an independent investigator, who learned of the unauthorized email
access. The investigator reported Carmicle’s hacking and his misuse of
$100,000 in company funds to the Board, who terminated his employment for
cause. After learning of Carmicle’s hacking, Brown Jordan hired consultants
both to understand how he accessed the email accounts and to conduct a
surveillance sweep.

Brown Jordan complained that Carmicle violated the CFAA as well as the
Stored Communications Act, and Carmicle brought actions for wrongful
discharge and breach of contract. On appeal, the CFAA’s “loss” requirement
was at issue. There is a violation of the CFAA for “[w]hoever . . .
intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains . . . information from any protected
computer.” 18 U.S.C. § 1030(a)(2)(C). Civil actions may be brought only if one
of several requirements is met, one of which is that the plaintiff incurs a
minimum “loss” of $5,000 because of the defendant’s violation of the CFAA.

The CFAA defines “loss” as:

any reasonable cost to any victim, including the cost of responding to an
offense, conducting a damage assessment, and restoring the data, program,
system, or information to its condition prior to the offenses, and any
revenue lost, cost incurred, or other consequential damages incurred
because of interruption of service.

18 U.S.C. § 1030(e)(11).

Although some district courts have interpreted “loss” as requiring an
interruption of service, both the Fourth and Sixth Circuits have held that
loss includes the cost of responding to the offense, regardless of whether
there was an interruption of service. Applying a plain language approach,
and noting that “loss” is defined in the disjunctive, the Eleventh Circuit
held that there can be two types of loss. While the first type requires an
interruption of service, the second type does not. Brown Jordan’s use of
the consultants to investigate the unauthorized access after the fact is
sufficient to constitute “loss” under the CFAA.

The Eleventh Circuit’s interpretation of “loss” signals further expansion
of the CFAA. The “interruption of service” interpretation advocated by
Carmicle would have limited civil actions (under that subsection) to cases
of direct damage to the plaintiff’s computers and network, and the cost to
restore such damage. The Eleventh Circuit’s interpretation, however, does
not require that the plaintiff even be aware of the offense at or around
the time it occurs. Merely learning of an unauthorized access, and
attempting to understand how it affects the company months down the road, is
sufficient. This interpretation effectively arms employers, and others, to
combat unauthorized computer access, even where they may not have known it
occurred.