The Computer Fraud and Abuse Act Will Need To Wait Another Day In New York’s Commercial Division
Justice Shirley Kornreich recently issued one of the few New York state court decisions that address the Computer Fraud and Abuse Act (“CFAA”). Spec Simple, Inc. v. Designer Pages Online LLC, No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017). The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer. Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA. Id. at *4 (citing 18 U.S.C. § 1030(g)). As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.
Spec Simple operates computer databases that are used by architectural, interior design, engineering, facility management, and furniture professionals. Id. at *1. According to Spec Simple, its databases provide companies with a competitive advantage in the marketplace and are the result of twenty years of innovation. Id. at *1. Spec Simple’s technology is similar to Westlaw, LexisNexis, and Bloomberg Law, and allows users to search reference materials that are useful to design professionals. Id. at *1-2. In addition to its searching functionality, Spec Simple allows users to access a proprietary email system that allows users to email librarians who can run more complex searches and obtain price quotes, product specifications, and schedule meetings with vendors. Id. at *2.
Defendant FXFOWLE, an architectural firm, began subscribing to the Spec Simple databases in 2009. FXFOWLE also has an ownership interest in DPO, the other defendant in the action. Id. DPO is a competitor of Spec Simple. Id.
The Alleged Unauthorized Access
In its amended complaint, Spec Simple alleges that FXFOWLE provided DPO with its password to Spec Simple’s database. According to the amended complaint, DPO conducted thousands of searches over the course of the day and “downloaded for its own benefit large portions of Spec Simple’s Virtual Library and/or information or emails stored in Spec Simple’s Email System.” Id. at *3. Spec Simple further alleges that DPO used this information to lure away Spec Simple clients. Id. at *3.
Spec Simple asserted claims for violation of the CFAA. Importantly, Spec Simple did not allege any damages, including to its computer systems, other than competitive injury. FXFOWLE and DPO moved to dismiss the CFAA claim, among others. The Court granted FXFOWLE and DPO’s motion.
Discussion of the CFAA Claim
In resolving defendants’ motion to dismiss, Justice Kornreich cited to Ninth Circuit precedent holding that “illicitly accessing a competitor’s website to facilitate unfair competition may indeed be a CFAA violation.” Id. at *4 (citing United States v. Nosal (Nosal I), 676 F.3d 854, 863 (9th Cir. 2012)). The Court noted that the Ninth Circuit has further held that the CFAA can be violated by providing passwords to, among other individuals or entities, “competitors.” Id. (citing United States v. Nosal (Nosal II), 844 F.3d 1024, 1037 (9th Cir. 2016)). Justice Kornreich also acknowledged that there is significant disagreement regarding whether merely accessing the database of a competitor and performing searches is sufficient to show that the unauthorized access was for the purpose of unfair competition. Id. *5 (citing LivePerson, Inc. v. 24/7 Customer, Inc., 83 F. Supp. 3d 501, 512 (S.D.N.Y. 2015)).
Nevertheless, Justice Kornreich did not need to reach that question. As the Court explained, to state a claim under the CFAA, a plaintiff must allege damages in excess of $5,000. Id. Under the statute, loss is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages because of interruption of service.” Id. (citing 18 U.S.C. § 1030(e)(11)). The statute further defines “damages” as “means any impairment to the integrity or availability of data, a program, a system, or information.” Id. (citing 18 U.S.C. § 1030(e)(8)). Accordingly, the Court determined that damages for unfair competition injury were not sufficient to satisfy the statutory elements of a claim. As such, the Court dismissed the CFAA claims given that Spec Simple failed to allege any injury beyond unfair competition.