Search results for: iowa

Last week the Supreme Court’s decision in Van Buren v. United States resolved a decade-long circuit split concerning the “exceeds authorized access” clause of the Computer Fraud and Abuse Act (“CFAA”).  Taking up the issue of whether an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose violates the CFAA, the Court ultimately found that such a use was not a violation of the statute.  Significantly, the decision in Van Buren endorses the narrower reading of CFAA adopted by the Second, Fourth, and Ninth Circuits,[1] while rejecting the more expansive reading of CFAA that had been the law of the land in the First, Fifth, Seventh, and Eleventh Circuits.[2]

One of the circuit splits that Van Buren appears to resolve, or provide guidance for resolving, is the question of whether violating a website’s terms of service constitutes a CFAA violation.  Prior to Van Buren, several courts within the Third, Fourth, Fifth, Eighth, and Ninth Circuits had found that terms of service violations could implicate the CFAA,[3] while other courts within the Fourth, Seventh, Tenth, and D.C. Circuits had found that individuals were not subject to criminal liability under CFAA by violating terms of service.[4]  The majority opinion in Van Buren, authored by Justice Amy Coney Barrett, adopts the latter reading.  Opining on the Government’s broad interpretation of the statute, the Court noted: “Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.” Op. at 18 (emphasis supplied).  This language appears in the Court’s broader analysis expressing concern over the scope of the Government’s interpretation of the statute, which the Court found “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”  Op. at 17.

This language, as well as the policy concerns articulated by the Court supporting the narrower interpretation of CFAA, are anticipated to make it challenging to assert claims under CFAA for terms of service violations, including for misuse of data or information contained on a company’s website that would likely have constituted “exceed[ing] authorized access” under prior precedent.  However, companies seeking vindication for terms of service violations may still pursue other, previously available legal remedies.  This will be circumstance-dependent on the violation involved, including potential causes of action for copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy.

The Court’s narrow interpretation of the CFAA is also likely to impact individuals and companies engaging in data scraping, or the process of using a program to extract data from a codebase or another program. Many public-facing websites include provisions in their terms of service that limit both their own customer’s and third-parties’ use of the data contained on those websites.  Prior to Van Buren, some courts had found that data scraping constituted a violation of CFAA, particularly when the data being scraped was protected by some form of access permissions, such as a username or password requirement.[5]  This interpretation afforded entities with a remedy under the CFAA to protect the data against being scraped, as those entities could arguably assert claims under CFAA relying on that favorable precedent that data scraping “exceeds authorized access” of the website because the data was intended to be protected using access authorizations.  Some privacy advocates had also favored this broader interpretation of the CFAA as better protective of individual privacy.  [6]

While Van Buren does not affirmatively allow for data scraping, the Supreme Court’s narrower reading of CFAA in the decision will likely limit the legal remedies that may be available for data scraping.  As a result, companies engaged in data collection may wish to develop more stringent contractual policies for potential consumers, or take additional action to revoke authorization to their websites for parties violating the terms of service.  To afford the same protections previously available under CFAA, these companies may want to consider, to the extent they do not already have them, liquidated damages and injunction relief provisions in their contracts with other businesses.  This, of course, will not remedy violations committed by third parties that access their information by other means.  For that, a legislative fix may be necessary.

*Thomas J. Lloyd also contributed to this article as a co-author.

[1] See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009); United States v. Nosal, 676 F.3d 854, 856-63 (9th Cir. 2012) (en banc).

[2] See EF Cultural Travel B.V. v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001); United States v. John, 597 F.3d 263, 271 (5th Cir. 2010); Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).

[3] See, e.g., America Online v. LCGM, Inc., 46 F. Supp. 2d 444, 451 (E.D. Va. 1998); United States v. Nosal, 844 F.3d 1024, 1033-38 (9th Cir. 2016); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066-69 (9th Cir. 2016); Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435, 439-40 (N.D. Tex. 2004); Am. Online, Inc. v. Nat’l Health Care Disc., Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa 2001); United States v. Lowson, No. 10-114 (KSH), 2010 U.S. Dist. LEXIS 145647, at *11-18 (D.N.J. 2010).

[4] See, e.g., Sandvig v. Barr, 451 F. Supp. 3d 73, 76 (D.D.C. 2020);  Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932-34 (E.D. Va. 2010); Koch Indus., Inc. v. Doe, No. 2:10CV1275DAK, 2011 U.S. Dist. LEXIS 49529, at *19-25 (D. Utah. May 9, 2011); Bittman v. Fox, 107 F. Supp. 3d 896, 900-01 (N.D. Ill. 2015).

[5] See, e.g., HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 999-1004 (9th Cir. 2019); Explorica, 274 F.3d at 582-84.

[6] See, e.g., HiQ Labs, Inc., 938 F.3d at 1003 (noting that CFAA is violated when an individual scrapes data by “circumvent[ing] a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer” as that data has been marked as “private”); see also id. at 1001-03 (discussing legislative history of CFAA and intent to increase privacy protections for online information).

Readers of CPW are no doubt familiar with the pattern of litigation following the announcement of a data breach as individuals impacted seek monetary damages and injunctive relief for the disclosure of their personal information.  (For some of CPW’s prior posts on this topic, check out here and here).  Aside from the threat of litigation commenced by private parties also hovers the specter of scrutiny from state attorneys general (who have the authority under state consumer protection laws to police against unfair and deceptive acts and/or practices, including in the realm of cybersecurity).  A settlement The Home Depot (“Home Depot”) entered into recently underscores this risk.

The settlement concerns a data breach Home Depot announced in September 2014 that impacted the payment card information of approximately forty (40) million consumers.  At the time, Home Depot reported that it had discovered unauthorized access to, and theft of, payment card information at its stores in the United States.  In addition to payment card information, intruders obtained a file containing the email addresses of approximately fifty-three (53) million consumers.  An internal investigation revealed that in April 2014, hackers gained access to Home Depot’s computer network and deployed malware to point-of-sale systems.  This malware was utilized to capture consumers’ card payment data, which was then exfiltrated and used by third parties.

Last month, it was announced that Home Depot had entered into a $17.4 million, multistate settlement with the Attorneys General of 46 states and the District of Columbia (participating states include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, and Wisconsin).

Besides the monetary payment, Home Depot agreed with execution of the settlement to implement and maintain a series of data security practices.  This includes, among other measures:

  • Develop a comprehensive information security program that is reasonably designed to protect the security, integrity and confidentiality of the personal information Home Depot collects or obtains from customers;
  • Employ a qualified Chief Information Security Officer who will report to both the Senior or C-suite executives and Board of Directors regarding Home Depot’s security posture and security risks;
  • Provide resources necessary to fully implement the company’s information security program;
  • Provide security awareness and privacy training to all personnel who have access to the company’s network or responsibility for U.S. consumers’ personal information;
  • Adopt security safeguards with respect to logging and monitoring, access controls, password management, two factor authentication, file integrity monitoring, firewalls, encryption, risk assessments, penetration testing, intrusion detection, and vendor account management; and
  • Obtain (consistent with other state data breach settlements) an information security assessment and report from a third-party professional to assess Home Depot’s handling of consumer personal information and compliance with its information security program.

Home Depot is not the first entity to enter into such an agreement in the wake of a data breach and it certainly will not be the last.  Stay tuned.