Mark Field, who was doing business as Alliance Valuation Group, entered into a license agreement with CoStar in 2002. The License Agreement named Brad Christensen, who was part owner and president of Pathfinder Mortgage Company, as an employee of Alliance Valuation Group and an authorized user. In 2005, CoStar realized that Brad Christensen was no longer affiliated with Alliance Valuation Group and terminated his account.
CoStar alleged in its complaint, based on its logs, that Mark Field shared his username and password with Brad Christensen and Pathfinder Mortgage Company through 2008. In fact, CoStar alleges that Pathfinder Mortgage Company’s IP addresses were recorded over 60 times accessing CoStar’s database. On at least two occasions, CoStar’s logs showed that Field’s username and password were used simultaneously by the IP addresses generally associated with Pathfinder Mortgage Company and Alliance Valuation Group. Finally, CoStar alleges that Alliance Valuation Group also listed others as authorized users under its agreement with CoStar, who in turn listed yet other people as authorized users for a fee. All told, CoStar alleged that it had at least 200 unauthorized accesses to its website over a 43-month period.
CoStar brought actions for copyright infringement, breach of contract, and violation of the Computer Fraud and Abuse Act against Field, Alliance Valuation Group, Christensen, Pathfinder Mortgage Company, and others. The parties filed for summary judgment against one another, amongst other motions. CoStar succeeded in its motion for summary judgment on the breach of contract, copyright infringement, and fraud claims, but failed on its CFAA claim.
The court then turned to the CFAA claim and noted that the act offers a private cause of action for those who suffer damage or loss due to a violation of the CFAA. The act further defines “loss” as “any reasonable cost to the victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service,” which must exceed $5,000. CoStar valued the license fees it would have earned, had the unauthorized access to its website been properly authorized, at $300,000. Here, the court outlined the difference of opinion among different courts regarding the definition of “loss” covered by the CFAA. The court sided with the approach that only allowed for lost revenue when it “was ‘incurred because of interruption of service.’” The court cited other cases holding that the type of damage that Congress meant to relieve with the private cause of action in the CFAA was the type resulting from a hacker-type attack. The court held that “a violation of the CFAA must cause an interruption of service in order for lost revenue to constitute as a qualifying ‘loss’ under the statute because, otherwise, the language of ‘because of interruption of service’ in the definition of ‘loss’ would be inoperative and violate a rule of statutory interpretation.”
A recent and interesting case involving unauthorized access to a database with a CFAA claim was Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D. Ohio). There, Mitsubishi hired Snap-On to build a searchable online database for use by its dealers. Snap-On used printed parts catalogs and photos to put together a database for Mitsubishi and hosted the database on its servers. The license agreement between Snap-On and Mitsubishi made Mitsubishi responsible for assigning and securing the usernames and passwords and for ensuring their use only by dealers and their agents. Snap-On’s agreement governing the use of the database had terms, similar to those CoStar used on its website, that limited use to authorized users.
Then Mitsubishi decided to change service providers from Snap-On to its competitor O’Neil & Associates. When Snap-On offered to give Mitsubishi the database it had created for Mitsubishi for an additional fee, Mitsubishi balked. It hired O’Neil & Associates to scrape the Snap-On database. However, the scraping crashed Snap-On’s server on at least two occasions and impaired server condition and quality. Snap-On spent 200 hours diagnosing the issue. Snap-On also blocked the IP addresses that O’Neil & Associates used to access the website, only for O’Neil to use different IP addresses in its next attempt. The court held that Snap-On had pleaded enough facts to survive the motion for summary judgment on the CFAA claim. O’Neil did not contest Snap-On’s loss under the CFAA.
Though both CoStar and Snap-On had their databases accessed by unauthorized users using legitimate usernames and passwords, the use of CoStar’s database did not rise to the level that allowed Snap-On to succeed in the motion for summary judgment. Snap-On demonstrated service interruption with its servers crashing, traffic escalating, and long hours of diagnostics. However, CoStar only experienced about 260 unauthorized logins over a 43-month period with no apparent effect on service quality. Though there are a great number of CFAA cases touching on both the “loss” and “unauthorized” aspects of a CFAA claim, based on these two cases, courts are more likely to be persuaded by the “losses” that Snap-On demonstrated in its CFAA claim than by CoStar’s “losses.”
The case is CoStar Realty Information, Inc. v. Field, 8:08-cv-00663-AW (D. Md. Aug. 23, 2010).
You may read more about Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D. Ohio) and other cases involving the dangers of outsourcing without having proper controls in place by Venkat Balasubramani and Eric Goldman at Eric Goldman’s blog.
You may read more about the issues concerning personal jurisdiction that were previously litigated in CoStar Realty Information, Inc. v. Field, 612 F. Supp. 2d 660 (D. Md. 2009) from Evan Brown.