
Thursday, September 30, 2010

Best Lawyers in America/Best Law Firms in America

Columbus-OH Tier 1
Information Technology Law

U. S. News & World Report and Best Lawyers in America have joined to rank 8,903 firms in 81 practice areas in 171 metropolitan areas and 7 states. We are pleased that Tsibouris & Associates, LLC has been chosen to be recognized and included in the U.S. News - Best Lawyers "Best Law Firms" inaugural 2010 edition, ranking as a Best Law Firm in Columbus, Ohio in the practice area of Information Technology Law. To read more about the release of the 2010 Best Law Firms rankings, click here.

Dino Tsibouris of Tsibouris & Associates, LLC was also selected to be included in the 2011 edition of The Best Lawyers in America in the specialty of Information Technology Law. The Best Lawyers in America is a publication of the most respected attorneys in their fields, which has been known to be a very valuable referral list of attorneys in practice. Inclusion in Best Lawyers is determined by more than 2.8 million evaluations and votes cast by the top attorneys in the country. To read more about the selection process, click here.



Wednesday, September 29, 2010

Court Upholds Website Terms of Use But Loss Does Not Satisfy the CFAA

By Mehmet Munur

A district court in Maryland recently upheld a real estate company’s website terms of use, but held that the unauthorized use by the defendants and the lost revenue from this unauthorized access did not satisfy “loss” as defined by the Computer Fraud and Abuse Act.  The case demonstrates how important drafting accurate Terms of Use, obtaining click-through assent, and keeping track of each login via logs can be for the enforcement of website terms of use.

CoStar provides commercial real estate information through its website.  The website includes a database with photographs of real property and enables its users to find property for sale or rent.  The photographs are taken by CoStar’s field researchers and CoStar registers the photos for copyright protection.  CoStar enters into a License Agreement and charges users a subscription fee.  Users are then issued usernames and passwords to access the website.  CoStar logs the logins for each username using IP addresses.  The login prompt states “Login/Use Subject to Terms” underneath the fields for username and password.  This prompt also includes a functioning link to CoStar’s Terms of Use.

The Terms of Use prohibit the sharing of login information with other users.  They also prohibit unauthorized users from accessing the website.  The Terms of Use define an authorized user as “an individual (a) employed by a CoStar Client or an Independent Contractor (as defined below) of a CoStar Client at a site identified in the License Agreement, and (b) who is specified in the License Agreement as a user of a specific Passcode-Protected Product.”  In addition to the login prompt, CoStar also required its users to accept the Terms of Use when they logged into the site for the first time and at periodic intervals throughout the license term.

Mark Field, who was doing business as Alliance Valuation Group, entered into a license agreement with CoStar in 2002.  The License Agreement named Brad Christensen, who was part owner and president of Pathfinder Mortgage Company, as an employee of Alliance Valuation Group and an authorized user.  In 2005, CoStar realized that Brad Christensen was no longer affiliated with Alliance Valuation Group and terminated his account.

CoStar alleged in its complaint, based on its logs, that Mark Field shared his username and password with Brad Christensen and Pathfinder Mortgage Company through 2008.  In fact, CoStar alleges that Pathfinder Mortgage Company’s IP addresses were recorded over 60 times accessing CoStar’s database.  On at least two occasions, CoStar’s logs showed that Field’s username and password were used simultaneously by the IP addresses generally associated with Pathfinder Mortgage Company and Alliance Valuation Group.  Finally, CoStar alleges that Alliance Valuation Group also listed others as authorized users under its agreement with CoStar, who in return listed yet other people as authorized users for a fee.  All told, CoStar alleged that it had at least 200 unauthorized accesses to its website over a 43-month period.

CoStar brought actions for copyright infringement, breach of contract, and violation of the Computer Fraud and Abuse Act against Field, Alliance Valuation Group, Christensen, Pathfinder Mortgage Company, and others.  The parties filed for summary judgment against one another, amongst other motions.  CoStar succeeded in its motion for summary judgment in the breach of contract, copyright infringement, and fraud claims, but failed in its CFAA claim.

The court found that Pathfinder and all non-licensed parties were bound by the Terms of Use and relied on Motise v. America Online, 346 F. Supp. 2d 563 (S.D.N.Y. 2004).  Motise involved the use of an AOL account by two different members of the family, one of whom signed up for the account and was given notice of the terms and the other who used the account but did not receive notice.  The Motise court, much like this court, held that the parties had received derivative notice.  Furthermore, the court found that defendants did not provide any evidence to refute CoStar’s logs, which the court found persuasive.  Therefore, Pathfinder was bound by the Terms of Use even though it “may not have affirmatively clicked the ‘agree’ button before entering the database.”  Thus, CoStar won the motion for summary judgment on its behalf.

The court then turned to the CFAA claim and noted that the act offered a private cause of action for those who suffered damage or loss due to a violation of the CFAA.  The act further defines “loss” as “any reasonable cost to the victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service,” which must exceed $5,000.  CoStar argued that the license fees it would have earned, had the unauthorized access to its website been properly authorized, amounted to $300,000.  Here, the court outlined the difference of opinion among different courts regarding the definition of “loss” covered by the CFAA.  The court sided with the approach that only allowed for lost revenue when it “was ‘incurred because of interruption of service.’”  The court cited other cases holding that the type of damage that Congress meant to relieve with the private cause of action in the CFAA was the type resulting from a hacker-type attack.  The court held that “a violation of the CFAA must cause an interruption of service in order for lost revenue to constitute as a qualifying ‘loss’ under the statute because, otherwise, the language of ‘because of interruption of service’ in the definition of ‘loss’ would be inoperative and violate a rule of statutory interpretation.”

A recent and interesting case involving unauthorized access to a database with a CFAA claim was Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D.  Ohio).  There, Mitsubishi hired Snap-On to build a searchable online database for use by its dealers.  Snap-On used printed parts catalogs and photos to put together a database for Mitsubishi and hosted the database on its servers.  The license agreement between Snap-On and Mitsubishi required that Mitsubishi be responsible for assigning and securing the usernames and passwords, and for ensuring their use only by dealers and their agents.  Snap-On’s agreement governing the use of the database had terms, similar to those CoStar used on its website, that limited use to authorized users.

Then Mitsubishi decided to change service providers from Snap-On to its competitor O’Neil & Associates.  When Snap-On offered to give Mitsubishi the database it had created for Mitsubishi for an additional fee, Mitsubishi balked.  It hired O’Neil & Associates to scrape the Snap-On database.  However, the scraping crashed Snap-On’s server on at least two occasions and impaired server condition and quality.  Snap-On spent 200 hours diagnosing the issue.  Snap-On also blocked the IP addresses that O’Neil & Associates used to access the website, only for O’Neil to use different IP addresses in its next attempt.  The court held that Snap-On had pleaded enough facts on its CFAA claim to survive the motion for summary judgment.  O’Neil did not contest Snap-On’s loss under the CFAA.

Though both CoStar and Snap-On were subject to access of their databases using legitimate usernames and passwords by unauthorized users, CoStar’s database use did not rise to the level that allowed Snap-On to succeed in the motion for summary judgment.  Snap-On demonstrated service interruption with its servers crashing, traffic escalating, and long hours of diagnostics.  However, CoStar only experienced about 260 unauthorized logins over a 43-month period with no apparent effect on service quality.  Though there are a great number of CFAA cases touching on both the “loss” and “unauthorized” aspects of a CFAA claim, based on these two cases, courts are more likely to be persuaded by the “losses” that Snap-On demonstrated in its CFAA claim than by CoStar’s “losses.”

Nevertheless, CoStar properly defined “authorized users” in its Terms of Use, obtained a click-through assent on first use, obtained intermittent click-through assent on other occasions, provided notice of the terms in each login, and, most importantly, kept track of each login in its logs.  Website operators must ensure that their websites are built in similar ways (possibly with the addition of obtaining assent to terms at login in addition to notice of terms at login) and evidence is kept and presented in a similar fashion to ensure that their online agreements remain enforceable.

The case is CoStar Realty Information, Inc. v. Field, 8:08-cv-00663-AW (D. Md. Aug. 23 2010).

You may read more about Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D.  Ohio) and other cases involving the dangers of outsourcing without having proper controls in place by Venkat Balasubramani and Eric Goldman at Eric Goldman’s blog.

You may read more about the issues concerning personal jurisdiction that were previously litigated in CoStar Realty Information, Inc. v. Field, 612 F. Supp. 2d 660 (D. Md. 2009) from Evan Brown.