In a highly anticipated decision filed earlier this month, the Ninth Circuit Court of Appeals affirmed the district court’s grant of a preliminary injunction in favor of hiQ, a data analytics company, prohibiting LinkedIn, a professional networking website and competitor, from denying hiQ access to publicly available LinkedIn member profiles. In doing so, the Court clarified the scope of 18 U.S.C. §1030, aka the Computer Fraud and Abuse Act (CFAA).
Certain sections of the CFAA broadly bar “unauthorized access” to “protected computers”—i.e., any computer used in interstate commerce or communication—in order to get something of value. The Court ruled that automated scraping of publicly accessible data likely does not violate the CFAA, which was enacted to prevent computer hacking of private information. Thus, the hiQ ruling may strengthen the defenses of companies, institutions, and others who routinely aggregate and analyze public information.
TIP: While the chances of data aggregators ultimately being held liable under CFAA may have gone down, no doubt such claims and lawsuits will keep on coming. Insurance is key to minimizing this risk. Most cyber insurance policies now cover defense expense as well as the cost of any judgment or settlement arising from allegations of CFAA violations. And for those concerned with being breached, cyber policies typically cover a variety of internal expenses such as forensic investigation, data breach notification costs, the cost of replacing customer credit cards, and crisis management. In either case, be sure to get help reviewing your existing insurance policies for gaps and to maximize coverage.