Tsibouris & Associates Home | Practice Areas | Attorneys | Contact | Publications | Clients | Blog Home

Wednesday, September 29, 2010

Court Upholds Website Terms of Use But Loss Does Not Satisfy the CFAA

By Mehmet Munur

A district court in Maryland recently upheld a real estate company’s website terms of use, but held that the unauthorized use by the defendants and the lost revenue from this unauthorized access did not satisfy “loss” as defined by the Computer Fraud and Abuse Act.  The case demonstrates how important drafting accurate Terms of Use, obtaining click-through assent, and keeping track of each login via logs can be for the enforcement of website terms of use.

CoStar provides commercial real estate information through its website.  The website includes a database with photographs of real property and enables its users to find property for sale or rent.  The photographs are taken by CoStar’s field researchers and CoStar registers the photos for copyright protection.  CoStar enters into a License Agreement and charges users a subscription fee.  Users are then issued usernames and passwords to access the website.  CoStar logs the logins for each username using IP addresses.  The login prompt states “Login/Use Subject to Terms” underneath the fields for username and password.  This prompt also includes a functioning link to CoStar’s Terms of Use.

The Terms of Use prohibit the sharing of login information with other users.  It also prohibits unauthorized users from accessing the website.  The Terms of Use also define an authorized user as “an individual (a) employed by a CoStar Client or an Independent Contractor (as defined below) of a CoStar Client at a site identified in the License Agreement, and (b) who is specified in the License Agreement as a user of a specific Passcode-Protected Product.”  In addition to the login prompt, CoStar also required its users to accept the Terms of Use when they logged into the site for the first time and at periodic intervals throughout the license term.

Mark Field, who was doing business as Alliance Valuation Group, entered into a license agreement with CoStar in 2002.  The License Agreement named Brad Christensen, who was part owner and president of Pathfinder Mortgage Company, as an employee of Alliance Valuation Group and an authorized user.  In 2005, CoStar realized that Brad Christensen was no longer affiliated with Alliance Valuation Group and terminated his account.

CoStar alleged in its complaint, based on its logs, that Mark Field shared his username and password with Brad Christensen and Pathfinder Mortgage Company through 2008.  In fact, CoStar alleges that Pathfinder Mortgage Company’s IP addresses were recorded over 60 times accessing CoStar’s database.  At least two occasions, CoStar’s logs showed that Field’s username and password were used simultaneously by the IP addresses generally associated with Pathfinder Mortgage Company and Alliance Valuation Group.  Finally, CoStar alleges that Alliance Valuation Group also listed others as authorized users under its agreement with CoStar, who in return listed yet other people as authorized users for a fee.  All told, CoStar alleged that it had at least 200 unauthorized accesses to its website over a 43-month period.

CoStar brought actions for copyright infringement, breach of contract, and violation of the Computer Fraud and Abuse Act against Field, Alliance Valuation Group, Christensen, Pathfinder Mortgage Company, and others.  Parties filed for summary judgment against one another, amongst other motions.  CoStar succeeded in its motion for summary judgment in the breach of contract, copyright infringement, and fraud claims, but failed in its CFAA claim.

The court found that Pathfinder and all non-licensed parties were bound by the Terms of Use and relied on Motise v. America Online, 346 F. Supp. 2d 563 (S.D.N.Y. 2004).  Motise involved the use of an AOL account by two different members of the family, one of whom signed up for the account and was given notice of the terms and the other who used the account but did not receive notice.  The Motise court, much like this court, held that the parties had received derivate notice.  Furthermore, the court found that defendants did not provide any evidence to refute CoStar’s logs, which the court found persuasive.  Therefore, Pathfinder was bound by the Terms of Use even though it “may not have affirmatively clicked the ‘agree’ button before entering the database.”  Thus, CoStar won the motion for summary judgment on its behalf.

The court then turned to the CFAA claim and noted that the act offered a private cause of action for those who suffered damage or loss due to a violation of the CFAA.  The act further defines “loss” as “any reasonable cost to the victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service,” which must exceed $5,000.  CoStar argued that the value of the license fees it would have made had the unauthorized access to its website were properly authorized at $300,000.  Here, the court outlined the difference of opinion among different courts regarding the definition of “loss” covered by the CFAA.  The court sided with the approach that only allowed for lost revenue when it “was ‘incurred because of interruption of service.’”  The court cited other cases holding that the type of damage that Congress meant to relieve with the private cause of action in CFAA were the type resulting from a hacker type attack.  The court held that “a violation of the CFAA must cause an interruption of service in order for lost revenue to constitute as a qualifying ‘loss’ under the statute because, otherwise, the language of ‘because of interruption of service’ in the definition of ‘loss’ would be inoperative and violate a rule of statutory interpretation.”

A recent and interesting case involving unauthorized access to a database with a CFAA claim was Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D.  Ohio).  There, Mitsubishi hired Snap-On to build a searchable online database for use by its dealers.  Snap-On used printed parts catalogs and photos to put together a database for Mitsubishi and hosted the database on its servers.  The license agreement between Snap-On and Mitsubishi required that Mitsubishi be responsible for assigning and security of the usernames, passwords, and their use only by dealers and their agents.  Snap-On’s agreement governing the use of the database had terms similar to the terms that CoStar used on its website that limited use to authorized users.

Then Mitsubishi decided to change service providers from Snap-On to its competitor O’Neil & Associates.  When Snap-On offered to give Mitsubishi the database it had created for Mitsubishi for an additional fee, Mitsubishi balked.  It hired O’Neil & Associates to scrape the Snap-On database.  However, the scraping crashed Snap-On’s server on at least two occasions and impaired server condition and quality.  Snap-On spent 200 hours diagnosing the issue.  Snap-On also blocked the IP addresses that O’Neil & Associates used to access the website only to result in O’Neil using different IP addresses in its next attempt.  The court held in the motion for summary judgment that Snap-On had pleaded enough facts to survive the motion for summary judgment in the CFAA claim.  O’Neil did not contest Snap-On’s loss under the CFAA.

Though both CoStar and Snap-On were subject to access of their databases using legitimate usernames and passwords by unauthorized users, CoStar’s database use did not rise to the level that allowed Snap-On to succeed in the motion for summary judgment.  Snap-On demonstrated service interruption with its servers crashing, traffic escalating, and long hours of diagnostics.  However, CoStar only experienced about 260 unauthorized logins over a 43-month period with no apparent effect on service quality.  Though there are a great number of CFAA cases touching on both “loss” and “unauthorized” aspects of CFAA claim, based on these two cases, courts are more likely to be persuaded by “losses” that Snap-On demonstrated in its CFAA claim than CoStar’s “losses.”

Nevertheless, CoStar properly defined “authorized users” in its Terms of Use, obtained a click-through assent on first use, obtained intermittent click-through assent on other occasions, provided notice of the terms in each login, and, most importantly, kept track of each login in its logs.  Website operators must ensure that their websites are built in similar ways (possibly with the addition of obtaining assent to terms at login in addition to notice of terms at login) and evidence is kept and presented in a similar fashion to ensure that their online agreements remain enforceable.

The case is CoStar Realty Information, Inc. v. Field, 8:08-cv-00663-AW (D. Md. Aug. 23 2010).

You may read more about Snap-On v. Business Solutions v. O’Neil & Associates, Inc. No. 509-CV-1547, (Apr. 16, 2010 N.D.  Ohio) and other cases involving the dangers of outsourcing without having proper controls in place by Venkat Balasubramani and Eric Goldman at Eric Goldman’s blog.

You may read more about the issues concerning personal jurisdiction that were previously litigated in CoStar Realty Information, Inc. v. Field, 612 F. Supp. 2d 660 (D. Md. 2009) from Evan Brown.


Post a Comment

Subscribe to Post Comments [Atom]

<< Home