In a case that vividly demonstrates how employers are vulnerable to insider cyber attacks, a recent federal court decision out of the Southern District of Ohio addressed the scope of federal statutes designed to address such activity. In Freedom Banc Mortgage Services, Inc. v. O'Harra, the plaintiff's complaint alleged that an employee began remotely downloading software programs on 27 of the employer's computers and five servers. Through these programs, O'Harra, with the assistance of others, allegedly was able to access the employer's employees' email accounts, deleted hundreds of email from these accounts, uninstalled the employer's security camera, deleted pictures that the camera had recorded, and monitored employee Blackberry usage, among other activities. As a result of these unauthorized intrusions into the plaintiff's computer system, the plaintiff's computers began to operate slowly and eventually, 22 computers and three servers became inoperable. The plaintiff alleged that it lost business, productivity, and revenue as a result of the damages to its computers and, in December 2010, ceased business operations.
Freedom Banc filed its complaint against O'Harra and her alleged accomplices alleging violations of the federal Computer Fraud and Abuse Act ("CFAA"), the Stored Communications Act ("SCA") and state law tort claims of trespass to chattels, conversion and conspiracy. In response, the defendants moved for dismissal. With respect to the CFAA count of the Complaint, the court rejected each of O'Harra's arguments that attacked the statute's applicability. First, O'Harra argued that the computers at issue were not "protected computers" within the meaning of the CFAA, but the Court concluded, as have virtually all courts that have addressed this issue, that any computer that is connected to the Internet is "protected" for purposes of invoking the CFAA. Next, O'Harra argued that for the CFAA to apply, the plaintiff must allege damages of at least $5,000 caused by a single unauthorized intrusion into a protected computer. Again, the Court had little difficulty rejecting this argument and found that the plaintiff's alleged damages of at least $5000 in the aggregate was sufficient to invoke the CFAA's protection.
The Court also permitted the plaintiff's state law tort claims to proceed. The Court concluded that the plaintiff's complaint sufficiently pleaded a trespass to chattels claim by alleging that O'Harra deprived plaintiff of the use of its computers and impaired those computers as to their condition and value. Similarly, plaintiff's complaint also alleged a cause of action for conversion by alleging that O'Harra downloaded software programs onto plaintiff's computers that gave them "complete access to and control over” plaintiff's email accounts and security camera, among other things, and by alleging that the defendants deleted hundreds of email messages from plaintiff's email accounts, deleted photographs from plaintiff's security camera, and continued to access and initiate contact with plaintiff's computers until they were ultimately rendered inoperable. Finally, the Court upheld the conspiracy count of the complaint based on the allegations that O'Harra conspired with her co-defendants in a "malicious combination" to gain unauthorized access to the plaintiff's computer systems.
The Court, however, agreed with O'Harra that the SCA claim was subject to dismissal on technical grounds. Specifically, the SCA makes it an offense to intentionally access without access or in excess of one's authorization a "facility through which an electronic communication service is provided" and thereby obtain, alter, or prevent authorized access to a wire or electronic communications "while it is in electronic storage in such system." Cutting to the chase and avoiding the heavy technology jargon, let's just say that the Court concluded that information stored on an individual's hard drive, such as images, personal information, and emails that he or she has downloaded is not "electronic storage" as defined by the SCA. As a result, the Court concluded that the "facilities" that the SCA is designed to protect are not computers that enable the use of an electronic communication service, such as an individual's personal computer or laptop, but instead the facilities that are operated by the electronic services providers themselves.
This case highlights the fact that the federal statutes available to employers to protect them from unauthorized access to their computer systems are confusing, in serious need of updating and subject to hypertechnical analyses. Don't lose track of basic state law remedies that may, as they did here, come to the rescue. Ultimately, however, the best protection for employers always will be to take the necessary security steps to prevent these kinds of cyber attacks in the first place.