I would like to apologize for my hiatus over the past few weeks. Between being quite busy, and there being a lack of cases coming out of the Seventh Circuit (possibly related to the Easter and Passover holidays) about which to blog, I have not been meeting my goal of one to two posts per week. Needless to say I feel re-energized.
A recent ruling on a defendant's motion to dismiss in the Northern District of Illinois requires a closer look at the Computer Fraud and Abuse Act ("CFAA"), codified at 18 USC 1030. Plaintiff Worldspan, L.P. is a computer reservations system, a company that gathers electronic travel information for use by travel agencies and other travel-oriented companies. Plaintiff sued defendant Orbitz, LLC, a popular online travel agency, for breach of contract as well as for violations of the CFAA. The two parties had entered into a contract whereby plaintiff agreed to provide defendant with certain information and booking capabilities in exchange for fees. Although plaintiff concedes that its agreement with the defendant granted defendant access to its computer system for specific purposes, it alleges that defendant exceeded the permitted access and misused the information it obtained.
The CFAA is primarily a criminal statute, and prohibits, among other things, the intentional access of "a protected computer without authorization" which results in damage. Section 1030(a)(5)(A)(iii). However, Section (g) of the statute permits a civil action by "[a]ny person who suffers damage or loss" stemming from conduct prohibited by the statute if such conduct involves one of the five factors set forth in Section 1030(a)(5)(B). One such factor, and the one the Court deems most relevant to plaintiff's claim, is whether defendant's conduct caused "loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value." However, in disposing of the case pursuant to Fed.R.Civ.P. 12(b)(6), the Court never even considers the substantive nature of this factor as it relates to plaintiff's CFAA claim.
Certain parts of the CFAA prohibit not only unauthorized access, but also exceeding authorized access. In fact, Section 1030(e)(6) of the statute defines the term "exceeds authorized access" as accessing "a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." However, all of the references to exceeding authorized access appear outside of Section 1030(a)(5), i.e., the section permitting a civil action. Although plaintiff argued that "unauthorized access" includes "exceeding authorized access," the Court determined that "such an interpretation of the phrase 'without authorization' would ignore the carefully-drawn statutory distinction between wholly unauthorized access and access beyond that which is authorized." Since plaintiff failed to allege that defendant accessed its computers without authorization, the Court dismissed the CFAA claim.
Note: As a procedural matter, since the Court dismissed the only federal claim in the case, it followed the general rule that, "when all federal claims are dismissed before trial, the district court should relinquish jurisdiction over pendent state-law claims rather than resolving them on the merits." Hence, the Court determined that it should no longer exercise supplemental jurisdiction and it dismissed the state law claims for lack of subject matter jurisdiction. Of course, since this dismissal was without prejudice, plaintiff has the right to refile in state court.
Worldspan, L.P. v. Orbitz, LLC (Slip Op.), 2006 WL 1069128 (N.D. Ill. April 19, 2006).




