CFAA Hacking case example

In a Virginia computer forensics case, the court had the opportunity to examine the standard to determine whether to grant a preliminary injunction in the case.  In order to prove that a website was hacked, computer forensics techniques are frequently applied.  This post explains the standard that the court used for granting a preliminary injunction under the Computer Fraud and Abuse Act.  This was Physicians Interactive v. Lathiam,

The CFAA, although a criminal statute, provides for a private right of action. See 18 U.S.C. s 1030(g). A violation of Subsection (a)(2)(C) of the CFAA occurs whenever a person: intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains-… (C) information from any protected computer if the conduct involved an interstate or foreign communication. 18 U.S.C. s 1030(a)(2)(C).

A violation of 18 U.S.C. s 1030(a)(4) occurs whenever a person: knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value … 18 U.S.C. s 1030(a)(2)(C). In YourNetDating, Inc. v. Mitchell, 88 F.Supp.2d 870 (N.D.Ill.2000), the Northern District of Illinois held that the plaintiff had shown a likelihood of success on the merits of its CFAA claim when defendant was alleged to have hacked into its computer file server. In EF Cultural Travel BV v. Explorica, Inc ., 274 F.3d 577  (1st Cir.2001), the First Circuit held that the competitor’s use of a “scraper” computer software program to systematically and rapidly glean prices from a tour company’s website, in order to allow systematic undercutting of those prices,
“exceeded authorized access” within the meaning of the CFAA.

A violation of 18 U.S.C. s 1030(a)(5) occurs whenever a person “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage.” 18 U.S.C. s 1030(a)(5)(A)(iii). The damage, or loss, must aggregate to at least $5,000 within a one-year period. 18 U.S.C. s 1030(a)(5)( (i).  There was probable cause to demonstrate that a defendant's information technology employee directed two computer attacks against its website and computer file server. Plaintiff traced the first alleged attack to a website owned by defendant.  Plaintiff traced the third alleged attack to an IP address assigned to an employee of defendant.  Another attack was designed to obtain technical information about the workings and security vulnerabilities of its website. It used a “software robot” to obtain proprietary information from Plaintiff. Both alleged attacks, at this stage of the pleadings, appear more likely than not to fit within the definition of 18 U.S.C. s 1030(a)(4). These attacks were an unauthorized entry into the website. The activity was geared towards copying confidential data. The end result was the loss of something of value-a significant amount of its confidential customer list information.

Given this scenario, the preliminary injunction was granted.

Blog tags