Can a software vendor assert a Computer Fraud and Abuse Act (“CFAA,” 18 U.S.C. § 1030) claim against a third-party end-user for unauthorized access to the vendor’s licensed software operating on the vendor’s client’s computers? In other words, does the vendor have a viable CFAA claim if it does not own the accessed computers, but access nonetheless violates the terms of the vendor’s software license agreement? The cases discussed in this article show that such a claim might stand provided that the client did not authorize the access. This question is of import to software vendors who stand to lose revenue from the unauthorized use of their licensed products. This problem is especially significant when the licensed software is used by third-parties, as in the case of an Internet application accessible to a broad public for a fee, as this first case illustrates.
Fidlar Technologies licensed a software program (the “Laredo” program) to enable public access to local governmental records via Internet, including access to land ownership records. Fidlar Techs. v. LPS Real Estate Data Solutions, Inc., No. 4:13-cv-4021-SLD-JAG, 2013 WL 5973938, at *1 (C.D. Ill. Nov. 8, 2013); see also Complaint, Dkt. No. 1, at 1–2.1 Fidlar licensed Laredo to various county governments, some of which hosted Laredo on their servers. In other cases, Fidlar hosted and maintained Laredo on its own servers on behalf of the counties. In all cases, end-users paid a base subscription fee and a per-page fee when they printed records retrieved from the land ownership databases.
LPS was a company that aggregated and resold real estate property data. LPS purchased licenses to use Laredo to access real estate records in some 81 counties. LPS reverse-engineered the access protocol to Laredo’s database and periodically web-harvested the contents of the counties’ databases allegedly without either Fidlar’s or the counties’ knowledge or consent. LPS paid the Laredo subscription fees, but skirted paying the per-page printing fees thanks to its custom-built interface.
Fidlar sued LPS for violating the CFAA, among other causes of action. But Fidlar only alleged lost-revenue damages for unauthorized access to its own servers, presumably because Fidlar was not contractually entitled to any of the printing fees on its clients’ computers. Had Fidlar been entitled to a fraction of these fees, could it have alleged unauthorized access to its software on the counties’ computers and thus claimed additional lost-revenue damages?
The question of whether a CFAA claim can stand when the plaintiff does not own or control the accessed computer was addressed in Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004). In Theofel, the defendants obtained access to some of the plaintiffs’ emails that were originally stored on a third-party Internet Service Provider’s servers. The plaintiffs alleged a CFAA claim, among other causes of action. The district court dismissed the CFAA claim “on the theory that the Act does not apply to unauthorized access of a third-party’s computer.”2
The Ninth Circuit Court of Appeals reversed, holding that “[t]he district court erred by reading an ownership or control requirement into the Act.” As the Court noted, the CFAA’s civil remedy extends to “‘[a]ny personwho suffers damage or loss by reason of a violation of this section.’”3 The Court added:
[T]he word “any” has an expansive meaning, that is, “one or some indiscriminately of whatever kind.” Nothing in the provision’s language supports the district court’s restriction. Individuals other than the computer’s owner may be proximately harmed by unauthorized access, particularly if they have rights to data stored on it.4
Theofel clearly holds that a plaintiff can asserts a CFAA claim for wrongful computer access even if the plaintiff does not own the accessed computer. But of course a CFAA claim will stand only if access is unauthorized by the party that owns or controls the computers, as the next two cases illustrate.
In SecureInfo Corp. v. Telos Corp., one of the defendants (“Berman”) licensed SecureInfo’s software under false pretenses to analyze its functionality and compare it with the other defendants’ own competing product, in violation of the software license agreement. 387 F. Supp. 2d 593, 600–01 (E.D. Va. 2008) (mem. op.). Berman installed the software on his server and granted access to the other defendants. SecureInfo sued alleging numerous causes of action, including a claim under the CFAA. The court held that SecureInfo had failed to allege that access to the defendants’ server was unauthorized or exceed authorized access, and dismissed the CFAA claim. The court added that, in any event, Berman “explicitly allowed” the other defendants to access his server. The court rejected SecureInfo’s implicit attempt to have the court “hold that every breach of a computer software license agreement allows the licensing party to recover damages against a non-party to the software license under the CFAA.”5
Another district court reached the same result in Océ N. Am., Inc. v. MCS Servs., Inc., 748 F. Supp. 2d 481 (D. Md. 2010) (mem. op.). Océ alleged that MCS misappropriated and used Océ’s service tool software packages, which Océ developed to service its line of high-capacity printers. MCS competed with Océ for the sale and maintenance of used and refurbished Océ printers. Océ sued MCS alleging various causes of action, including a claim under the CFAA for unauthorized access to the laptops that held Océ’s software and to the printers themselves. The court granted defendants’ motion to dismiss as to the CFAA claim. The court found that Océ’s complaint did not allege that access to the laptops and printers in question was unauthorized. Moreover, most of the laptops and printers belonged to the defendants and Océ did not allege that anyone with the requisite authority denied access to the defendants. The court stressed that “Theofel does not vitiate . . . the need for the access to the computers to be unauthorized by whoever controlled such access.”6
The take-away from these cases is that a vendor that licenses its software to clients for use by third-parties, as in Fidlar, should ensure there is a requirement in its license agreements directing its clients to adopt specific access and use restrictions into the clients’ end-user agreements. The vendor might then narrowly define what constitutes “authorized access” in the license agreement, and by extension the end-user terms, to increase the chances that the vendor can assert CFAA claims against third-party end-users who violate those terms.
But narrowly defining the terms of access applicable to end-users through flow-down restrictions will not be enough. Vendors must also anticipate how unauthorized access will meet the damage and loss elements of a CFAA claim.7 No civil CFAA claim stands in the absence of these important elements.
In addition, and as SecureInfo and Océ demonstrate, the CFAA offers software vendors little recourse when unscrupulous clients use licensed software (or inappropriately allow end-users to use the licensed software) installed on the clients’ computers in violation of the vendor’s license agreements. The element of a CFAA claim that requires that access be unauthorized, or in excess of unauthorized access, is unlikely to be met when clients control this access. Plaintiffs’ recourse in these cases lies in traditional breach of contract and common law tort claims, e.g., trade secret theft, and breach of license and confidentiality agreements.