S.C. State and Federal Courts Construe Aging Federal Computer Crime Statutes
The infamous Willie Sutton reportedly was once asked why he robbed banks. His simple answer: "That's where the money is." Likewise, in an information age, the information that forms the basis for legal disputes is increasingly stored on computers.
The South Carolina Court of Appeals recently considered a claim under the federal Stored Communications Act (SCA), found at Title II of the Electronic Communications Privacy Act (ECPA). And the 4th Circuit Court of Appeals reviewed a decision of the United States District Court for the District of South Carolina considering the reach of the Computer Fraud and Abuse Act (CFAA).
It is not surprising that litigants seek to take advantage of the civil liability provisions of these computer crime statutes when their adversaries obtain, transmit, and share electronically stored information. The challenge for courts construing these laws is that both of them were enacted in 1986, before the Internet and email (as we know these services) even existed.
Jennings v. Jennings- Storage Ain't What it Used to Be, But it is Still Storage
In Jennings v. Jennings, a divorce action, Broome (Mrs. Jennings' daughter-in-law) accessed Mr. Jennings' personal Yahoo account from her personal computer and printed out a number of emails between Mr. Jennings and a paramour. Mr. Jennings alleged that Broome violated Section 2701(a) of the SCA by obtaining access without authorization to "electronic communication" (email) while in "electronic storage" (on Yahoo's servers).
By way of (admittedly broad brush) background, Congress enacted the SCA because of the challenges to 4th Amendment protections presented by an online world: "the statute creates a set of Fourth Amendment-like privacy protections by statute, regulating the relationship between government investigators and service providers in possession of users' private information." Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 GEO. WASH L.REV. 1208 (2004).
The Court of Appeals considered the conclusions of the trial court that the emails were not in "electronic storage" or stored "for purposes of backup protection" under 18 U.S.C. Section 2510(17), and reversed the lower court.
Section 2510(17) (of the Wiretap Act and applicable to the SCA) defines "electronic storage" as:
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.
(A) is not applicable in this case because the emails had been opened, and so the Court turned to (B). (It may occur to the reader that the definition is a little strange if you were trying to apply it to your Google or other "webmail" account. It makes a little more sense in the context of the email delivery system employed when the SCA was passed, "which required multiple service providers to store communications briefly before forwarding them on to the next destination or while awaiting download by a recipient." William J. Robison, Free at What Cost? Cloud Computing Privacy Under the Stored Communications Act, 98 Geo. L.J. 1195 (2010). Also, recall using a modem to briefly connect to CompuServe or Prodigy, download emails, and then disconnect.)
The emails were stored by an ECS. The trial court concluded that Mr. Jennings was not an Electronic Communication Service (ECS) under the SCA. The Court of Appeals refined the issue, pointing out that Mr. Jennings may not have been an ECS, but Yahoo undoubtedly is, and the emails were stored on Yahoo's servers. (Interestingly, the Court of Appeals pointed out that if Broome had accessed the emails from Jennings' hard drive, the SCA would not apply).
The emails were stored "for purposes of backup protection." The Respondents pointed out (sensibly) that because Mr. Jennings did not claim he saved the emails anywhere else, the Yahoo server was not "backup" storage for any other storage medium. In other words, "backup" cannot exist without something that is being backed up. The Court of Appeals disagreed, echoing the rationale of the 9th Circuit Court of Appeals in Theofel v. Farey-Jones, and reasoning that Yahoo provided "backup protection" because the previously opened emails were stored on Yahoo's servers, and Mr. Jennings could continue to access them if necessary. (For a little different take, see U.S. v. Weaver).
WEC Carolina Energy Solutions: These Employees Aren't Hackers
In WEC Carolina Energy Solutions v. Miller, Mr. Miller left WEC and went to work for a competitor. WEC alleged that Miller's download of WEC's proprietary information (before he resigned), was "without authorization" or "exceed[ed] authorized access" in violation of WEC's policies and therefore various subsections within Section 1030 of CFAA.
Both District Judge Cameron M. Currie and the 4th Circuit concluded that WEC's policies regulated use of that information (e.g. dissemination to third parties), but not access to that information (the mere download of documents). Also following the approach of the 9th Circuit Court of Appeals, (and contrary to the rationale of the 7th Circuit), the 4th Circuit interprets these terms "literally and narrowly," for application only "to situations where an individual accesses a computer or information on a computer without permission." The 4th Circuit's narrow reading was based in part on the fact that the CFAA "remains primarily a criminal statute designed to combat hacking."
Under the 4th Circuit's rationale, an employee accesses a computer "without authorization" when he "gains admission to a computer without approval," and "exceeds authorized access" when he has approval to access a computer, but uses access to get or change information outside his approved access. Because "access" is the touchstone and not "use," Miller's alleged dissemination of proprietary information could not fall within the ambit of the CFAA. (The Court was quick to point out that nine state-law causes of action offered potential relief to WEC).
Takeaways
Understanding the origin of these statutes, as well as their principal governmental and criminal focus, may be useful in pleading or defending claims based on them.
The South Carolina Court of Appeals recently considered a claim under the federal Stored Communications Act (SCA), found at Title II of the Electronic Communications Privacy Act (ECPA). And the 4th Circuit Court of Appeals reviewed a decision of the United States District Court for the District of South Carolina considering the reach of the Computer Fraud and Abuse Act (CFAA).
It is not surprising that litigants seek to take advantage of the civil liability provisions of these computer crime statutes when their adversaries obtain, transmit, and share electronically stored information. The challenge for courts construing these laws is that both of them were enacted in 1986, before the Internet and email (as we know these services) even existed.
Jennings v. Jennings- Storage Ain't What it Used to Be, But it is Still Storage
In Jennings v. Jennings, a divorce action, Broome (Mrs. Jennings' daughter-in-law) accessed Mr. Jennings' personal Yahoo account from her personal computer and printed out a number of emails between Mr. Jennings and a paramour. Mr. Jennings alleged that Broome violated Section 2701(a) of the SCA by obtaining access without authorization to "electronic communication" (email) while in "electronic storage" (on Yahoo's servers).
By way of (admittedly broad brush) background, Congress enacted the SCA because of the challenges to 4th Amendment protections presented by an online world: "the statute creates a set of Fourth Amendment-like privacy protections by statute, regulating the relationship between government investigators and service providers in possession of users' private information." Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 GEO. WASH L.REV. 1208 (2004).
The Court of Appeals considered the conclusions of the trial court that the emails were not in "electronic storage" or stored "for purposes of backup protection" under 18 U.S.C. Section 2510(17), and reversed the lower court.
Section 2510(17) (of the Wiretap Act and applicable to the SCA) defines "electronic storage" as:
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.
(A) is not applicable in this case because the emails had been opened, and so the Court turned to (B). (It may occur to the reader that the definition is a little strange if you were trying to apply it to your Google or other "webmail" account. It makes a little more sense in the context of the email delivery system employed when the SCA was passed, "which required multiple service providers to store communications briefly before forwarding them on to the next destination or while awaiting download by a recipient." William J. Robison, Free at What Cost? Cloud Computing Privacy Under the Stored Communications Act, 98 Geo. L.J. 1195 (2010). Also, recall using a modem to briefly connect to CompuServe or Prodigy, download emails, and then disconnect.)
The emails were stored by an ECS. The trial court concluded that Mr. Jennings was not an Electronic Communication Service (ECS) under the SCA. The Court of Appeals refined the issue, pointing out that Mr. Jennings may not have been an ECS, but Yahoo undoubtedly is, and the emails were stored on Yahoo's servers. (Interestingly, the Court of Appeals pointed out that if Broome had accessed the emails from Jennings' hard drive, the SCA would not apply).
The emails were stored "for purposes of backup protection." The Respondents pointed out (sensibly) that because Mr. Jennings did not claim he saved the emails anywhere else, the Yahoo server was not "backup" storage for any other storage medium. In other words, "backup" cannot exist without something that is being backed up. The Court of Appeals disagreed, echoing the rationale of the 9th Circuit Court of Appeals in Theofel v. Farey-Jones, and reasoning that Yahoo provided "backup protection" because the previously opened emails were stored on Yahoo's servers, and Mr. Jennings could continue to access them if necessary. (For a little different take, see U.S. v. Weaver).
WEC Carolina Energy Solutions: These Employees Aren't Hackers
In WEC Carolina Energy Solutions v. Miller, Mr. Miller left WEC and went to work for a competitor. WEC alleged that Miller's download of WEC's proprietary information (before he resigned), was "without authorization" or "exceed[ed] authorized access" in violation of WEC's policies and therefore various subsections within Section 1030 of CFAA.
Both District Judge Cameron M. Currie and the 4th Circuit concluded that WEC's policies regulated use of that information (e.g. dissemination to third parties), but not access to that information (the mere download of documents). Also following the approach of the 9th Circuit Court of Appeals, (and contrary to the rationale of the 7th Circuit), the 4th Circuit interprets these terms "literally and narrowly," for application only "to situations where an individual accesses a computer or information on a computer without permission." The 4th Circuit's narrow reading was based in part on the fact that the CFAA "remains primarily a criminal statute designed to combat hacking."
Under the 4th Circuit's rationale, an employee accesses a computer "without authorization" when he "gains admission to a computer without approval," and "exceeds authorized access" when he has approval to access a computer, but uses access to get or change information outside his approved access. Because "access" is the touchstone and not "use," Miller's alleged dissemination of proprietary information could not fall within the ambit of the CFAA. (The Court was quick to point out that nine state-law causes of action offered potential relief to WEC).
Takeaways
Understanding the origin of these statutes, as well as their principal governmental and criminal focus, may be useful in pleading or defending claims based on them.
