In Part I of this post, we discussed copyright infringement and Digital Millennium Copyright Act (DMCA) claims brought in LivePerson, Inc. v. 24/7 Customer Inc., 2015 U.S. Dist. LEXIS 3688, No. 1:2014cv01559 (S.D.N.Y. Jan. 13, 2015). Now we turn to the Computer Fraud and Abuse Act (CFAA) claim brought in the case, and lessons from pleading deficiencies with respect to the CFAA claim.
The CFAA establishes a private cause of action against a person who “knowingly accessed a computer without authorization or exceeding authorization” resulting in a loss in excess of $5000 (and other injuries not relevant here). To state a claim for the loss of $5000 or more, Plaintiff must plead that Defendant: (1) accessed a “protected computer”; (2) without any authorization or exceeding its authorized access; and (3) caused loss in excess of $5000. 18 U.S.C. § 1030(g) (2012). The ultimate question here was whether Defendant’s access was unauthorized or exceeded its authorization. (Remember that Defendant already had access pursuant to the license agreement.)
There is a circuit split on the issue of when access exceeds authorization; the Second Circuit has not yet ruled on the issue. The First, Fifth, Seventh, and Eleventh Circuits have held that a defendant who misuses information to which he was given access exceeds authorized access. That is, access can be authorized and yet exceeded when information obtained through authorized access is misused. This is termed the “broad” approach. LivePerson at *18-*19. The Fourth and Ninth Circuits have held that misuse of information alone is insufficient. Instead, access cannot have been authorized. This is the “narrow” approach. Id. The Court here adopted the “narrow” approach, noting that a defendant exceeds authorized access when they have permission to certain information but access information for which they lack permission.
Based on this “narrow” approach, the Court held that Plaintiff did not adequately allege that Defendant had exceeded its authorized access. Plaintiff focused mostly in the misuse of data obtained through authorized access, which is only improper under the “broad” approach.
The Court also held that Plaintiff did not adequately plead the economic damages. Plaintiff’s damage allegation was that Defendant “harmed [Plaintiff] financially in an amount well in excess of the diversity jurisdictional threshold of $75,000.” Id. at *22-*23. Plaintiff also alleged that it suffered “disruption of its business relationships and the loss of clients and potential clients, dilution of good will,” and other, unquantified losses. The first damage allegation was not directly focused on the CFAA claim, and the Court held that Plaintiff did not specify if at least $5,000 of the quantified amount was attributable to the CFAA claim, and the second damage allegation did not quantify a loss at all. As such, the Court dismissed the CFAA claim as inadequately pled.