A split of opinions on the scope of authorization for accessing a computer that is needed to avoid violation of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030 was examined in Phillips Medical v. GIS (U.S. Dist. Of Puerto Rico) Aug. 2016, in which Magistrate Judge Bruce McGiverin adopted an inclusive view of the entities whose authorization is needed under 18 U.S.C. § 1030(a)(2).
Phillips Medical Systems Puerto Rico, Inc. (“Phillips”) had sued GIS Partners Corp. and its founders (“GIS”) for allegedly violating the CFAA and asked the court for preliminary injunctive relief. Phillips-PR sells and services MRI machines (which qualify as “computers” under CFAA) which have, embedded in them, Phillips-PR proprietary information used for servicing the machines. GIS was founded by former Phillips service employees to offer service to those customers in competition with Phillips. A key basis of Phillips’ claim was that the GIS were gaining access to, and using, the Phillips information on customers’ MRI machines by means of access codes given to them by Phillips for use only during their employment with Phillips, and that by doing so as competitors of Phillips they were exceeding their authorization to access that information. GIS argued that the customer’s authorization was all that they needed.
Magistrate Judge Bruce McGiverin recognized a split on the interpretation of “authorization” and that his recommendation on Phillips’ request for an injunction could be determined by which interpretation he followed. The split arises from the fact that the owner of a computer is rarely the owner of the software on the computer, but rather is merely a licensee, and some courts have decided that as long as the owner of the computer grants a service provider access to a computer, that authorization will protect the service provider from violating CFAA even as to third party software on the computer (e.g., Oce N. Am., Inc. v MCS Servs., Inc, 748 F.Supp. 2d 482(D.Md 2010) (owner authorization is sufficient)). Other courts adopt a more nuanced approach, viewing third party software providers as having authorization rights regarding their software installed on computers owned by customers (e.g., Workgroup Tech. Partners, Inc. v. Anthem, Inc., No. 2:15-CV-00002-JAW, 2016 WL 424960, at *24 (D. Me. Feb. 3, 2016).
MJ McGiverin adopted the view the GIS needed authorization from Phillips as well as from the owner of the MRI machines to legally access the Phillips information on the owner’s machines, and recommended that the requested injunction be granted.
For general background information on the CFAA, a U.S. Department of Justice manual on the CFAA can be found HERE.