The
Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030,
continues to receive some uneven treatment by the courts. In
Yoder & Frey Auctioneers, Inc. v. Equipmentfacts, LLC, No. 3:10 CV 1590, slip op. (N.D. Ohio Apr. 8, 2013), the United States District Court for the Northern District of Ohio ruled that a private claim under the CFAA could proceed even though the harm it alleged did not seem to flow directly from unauthorized access.
Background
The plaintiffs, Yoder & Frey, an equipment auctioneer, and RealTimeBid.Com (RTB), an online auction service provider, are business partners. They alleged that Equipmentfacts, defendant and one-time auction service provider to Yoder & Frey, accessed the company’s new RTB-provided auction portal, first with an old administrative account and then with the “stolen” account of a long-time Yoder & Frey customer. According to the complaint, Equipmentfacts used both of these accounts to post defamatory, negative statements on the auction portal’s built-in message board, and then used the latter to post “false bids” for items up for auction--eventually winning eighteen items for a total of $1,171,074, which it has not paid.
Equipmentfacts disputed the underlying facts, but also moved for summary judgment on the CFAA claim, arguing that the CFAA does not encompass the type of damage alleged, because the harm was not due to the unauthorized access, and on the alleged facts did not even occur until the winning bidder refused to pay. Its argument focused on the disconnect between the alleged unauthorized access and the accrual of harm, arguing that “damages not flowing from an interruption of service are not recoverable under the CFAA.” The court, however, was unimpressed, and focused on the type of harm alleged rather than its nexus to the alleged unauthorized activity. It found that “interruption of service” could be found even when the website and bidding software performed as designed.
Finding "loss" under the CFAA
Civil plaintiffs under the CFAA must plead “loss” of at least $5,000 (or one of a few other narrow requirements, inapplicable here). 18 U.S.C. § 1030(g); 18 U.S.C. § 1030(c)(4)(A)(i)(I). “Loss” is statutorily defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). The court analyzed the language and the legislative history of this provision to conclude that the CFAA claim could withstand summary judgment:
“Whether the alleged action left the system inoperable is too narrow a reading of the statute. An auction's high bidder, by definition, denies the other bidders the right to purchase that item at their bid price. . . . Fake bids deny the entire sale to both the auctioneer and the other bidders; particularly so when the auctioneer cannot discover the falsity of the high bid until the sale is long over. Depriving a business of potential sales is a loss contemplated by the CFAA. E.g., United States v. Schuster, 467 F.3d 614, 617 (7th Cir. 2006) (Affirming a restitution finding that the defendant was liable for the victim's loss of business productivity because he caused a computer attack that rendered the victim's system less available to customers)” (emphasis added).
While few would quarrel with the argument that
some lost sales revenue is contemplated by the CFAA (e.g., sales lost during an outage caused by unauthorized access), the court’s analysis broadly implies that any sales revenue lost by an online portal is sufficient to show “loss” under the CFAA. Moreover, it seems to stray from its own citation. In
Schuster (a criminal CFAA case that included restitution), the defendant conceded that his actions had impaired the availability of a system to other customers’ and the owner’s detriment, but here Equipmentfacts’ alleged unauthorized access to the bidding portal did not
directly cause any harm. As its brief in support of its motion for summary judgment points out, the system remained functional throughout the alleged episode: RTB, in fact, conceded in deposition that there was no interruption in the availability or the integrity of the auction portal’s technical services whatsoever:
Q: So bidders could still place bids at the auction on your technology platform?
A: Yes.
Q: Even though there was someone allegedly placing false bids?
A: Correct.
. . .
Q: And the only thing that went wrong was that someone submitted a bid for which they had no intention of paying, right?
A: Yeah.
Now, this line of questioning by the defense attorney is slightly misleading, because the plaintiffs did not “only” allege that a bid was submitted by someone who never intended to pay; they also alleged that the false bid was submitted using the “stolen identity” of a long-time Yoder & Frey customer, and that Yoder & Frey approved each bidder before allowing them to participate in the auction. These facts might tie the alleged unauthorized access sufficiently closely to the “loss” required by the CFAA, but the court’s analysis does not
follow this line of reasoning. Instead, it glosses over the distinction between
placing a false bid in an online auction and
using a stolen identity to participate in an online auction. The argument that a CFAA claim may be made on allegations of bidding online without intending to pay seems much more tenuous than the argument that a CFAA claim may be made on allegations of using a false identity to participate in an online auction, whether that bidder intended to pay for the items or not. The former claim, based on “false bids,” seems to be nothing more than a fraudulent, electronically concluded contract, which almost certainly falls outside the CFAA. Making such a claim based on falsely assuming the identity of a trusted customer seems much more like the type of conduct to which the CFAA was intended to apply. In a very confusing opinion, however, the court fails to distinguish these two very different issues.
Instead, its analysis seems to rely on its
previous finding that the “[d]efendant’s alleged intentional disruption of even a portion of the online auction through surreptitiously submitted false bids interrupted the service of that site.” This portion of analysis considers false bids and bids submitted by means of a false identity (“surreptitiously submitted”) together, but the rest of that opinion seems to indicate that the court’s thinking hewed closer to the more tenuous false-bids analysis: “While the online auction was not totally thwarted, a number of individual online transactions were. As such, the auction website did not provide service to either Plaintiffs or the buyers and sellers in the auction while Defendants allegedly submitted false winning bids.” This line of inquiry requires the court to find that the bidding portal “did not provide service” even though it functioned exactly as designed, without any degradation or impairment of any of its functions.
This broad reading of the CFAA seems to extend “interruption of service” to include any thwarted commercial service--potentially, any electronically but fraudulently concluded contract. While it is possible that the authors of the CFAA contemplated such broad meaning, and, as the court points out, left “interruption of service” undefined, it is unclear why Congress would have intended to allow plaintiffs alleging fraudulent creation of contract to access CFAA remedies if the relevant contract was concluded electronically. And although construction of the CFAA has sometimes been controversial, this decision stands out for eschewing a
narrow reading of CFAA liability (more
here and
here). If the court (and the plaintiff) had focused on illustrating the nexus between the alleged use of a stolen identity, which was trusted by the plaintiffs (and therefore approved as a bidder), and the lost commissions, it could have avoided muddying the waters with its analysis of “interruption of service.” As written, however, the opinion is unclear as to why this auctioneer’s harm had a sufficient nexus to any unauthorized access to warrant CFAA liability.
In addition to the CFAA claim, the complaint included claims based on common law fraud, common law trespass to chattels, and breach of contract. All of them survived the motion to dismiss. It will be interesting to see whether the parties settle, and if not, whether Yoder & Frey and its new service provider RTB can make the CFAA claim stick at trial.
--Brad Edmondson
