Litigators and in-house counsel: get to know CFAA civil actions, Part 2

In April 2012, the 9th U.S. Circuit Court of Appeals, sitting en banc, offered a strict rule concerning the application of the CFAA in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). Litigators - especially those working with web-based companies - and in-house counsel at such companies should be aware of Nosal and its progeny. With a working knowledge of these cases, both outside and inside counsel will better understand CFAA claims and how such claims integrate with other possible claims associated with content scraping.

In Nosal, the government charged the defendant (Nosal) under the CFAA. The government alleged that Nosal aided his former coworkers at an executive search firm to use their log-in credentials to access the company's confidential computer database, extract source lists, names, and contact information from the database, and provide Nosal with the confidential information. The search firm had a policy forbidding the disclosure of confidential information even though Nosal's former coworkers were authorized to access the information. Thus, the government charged that Nosal had aided and abetted his former coworkers in "exceed[ing their] authorized access with the intent to defraud." (Internal quotations omitted).

Although the Nosal court addressed a criminal CFAA charge, the court's definition of "unauthorized access" applies equally to civil actions and TOS violations. Following 9th Circuit precedent in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the court held that the phrase "exceeds authorized access" does not cover violations of use restrictions, but rather the application covers only violations of access restrictions. Specifically, the court voiced concern that reading the CFAA to cover use restrictions "would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute" criminalizing - and allowing civil action against - minor violations of computer use policies as outlined by employer-employee agreements and even TOS. In limiting "exceeds authorized access" to access restrictions and not use restrictions, the 9th Circuit rejected the arguments of both the 5th Circuit and 11th Circuit interpreting exceeding use restrictions to fall within the definition of "exceeds authorized access."

At first blush, the Nosal holding's limitation of "exceeds authorized access" to access restrictions and not use restrictions would seem to eliminate any CFAA liability a TOS could create for its users regarding limiting use of a website or web service. One post-Nosal decision, however, provides a Nosal-compliant means for creating CFAA liability through a TOS and dispels this initial concern. Judge Edward M. Chen of the Northern District of California held in Weingand v. Harland Financial Solutions, Inc., No. C-11-3109 EMC, 2012 WL 2327660 (N.D. Cal. June 19, 2012), that, "although Nosal clearly precluded applying the CFAA to violating restrictions on use, it did not preclude applying the CFAA to rules regarding access." Under this rationale, Judge Chen proved willing to allow a contract limiting certain access to information to create a viable CFAA liability upon violation of the contract.

In Weingand, a former employee was given access to a computer owned by the company for the purpose of recovering "personal files" after termination; instead, the former employee accessed and copied additional company files unrelated to the former employee's "personal files" but crucial to the business. The court found such access violated the verbal authorization granted to the former employee for limited access to the files on the company's computer. Moreover, the court denied the former employee's suggestion that he could not have exceeded access because he had not violated any "code" authorization (such as bypassing a password or security measure). To that end, the court held that "the fact that Nosal uses the word 'authorization' interchangeably with 'permission,' suggests that one need not engage in such rigorous technological measures to block someone from accessing files in order to limit their 'authorization.'"

Read outside of the employment context, Weingand suggests that the question of CFAA liability turns on the language of the contract, or TOS, and whether limitations are framed as use restrictions or as access restrictions. If framed as a use restriction, violation of that term will not create liability, but if framed as an access restriction, violation of that term would create CFAA liability. For example, consider a TOS that restricts a user from accessing a website with a crawler bot or a website that implements the industry standard robots.txt file instructing robots not to cache the website. Under such a TOS and robots.txt structure, a user implementing a crawler bot to "content scrape" the website would have to improperly purpose the bot to ignore the robots.txt thus exceeding access and not use. Should a website block a specific bot for an access violation only to have the bot's creator rename the bot to continue the scrapping, such efforts will certainly strengthen a CFAA civil action by clearly substantiating the violating party's knowledge that it was "exceeding access." This substantiation is not necessary to establish CFAA liability, but it importantly restricts the violating party from alleging that it was unaware of its access violation and arguing against the TOS consent gained by a browsewrap or clickwrap agreement.

Importantly, the Weingand decision paired with the Nosal holding provides legal support for entities operating websites to proceed with CFAA, and state-equivalent Section 502, claims against parties attempting to "scrape" their website if the TOS effectively limits access such that it is breached by a "content scraping" bot.

The availability of CFAA and Section 502 claims against "content scrapers" benefits web-based clients in three key ways. First, both actions favor an award of attorney fees for successful actions. Second, the new case law eliminates inquiry into the intent of the use by a violator, which historically proved difficult to predict and problematic to establish (thus leading to the Nosal holding). Finally, availability of private civil action under the CFAA and Section 502 permits web-based clients, with adequate TOS, to recover for "content scraping" resulting in unfair competition or unjust enrichment even where copyright infringement allegations are unavailable.

Notably, the availability of CFAA and Section 502 claims provide important liability coverage in relation to other potential claims. First, copyright claims often are not available for web-based clients due to the functional and database nature of such websites. Moreover, unless the client registers its website's copyright in time, attorney fees may be unavailable even if a copyright claim can be brought. Second, trespass to chattels claims require a proving of physical harm to computer servers, see Intel v. Hamidi, 30 Cal. 4th 1342 (2003), that content scraping, though burdensome on servers, does not present. Third, the availability of a CFAA claim in particular benefits plaintiffs by permitting them to file suit in federal court thus offering an otherwise unavailable federal judicial forum for related trade secret, trademark, breach of contract and unfair competition claims.

Based on this analysis, a recommended best practice for web-based companies fearful of the inability to pursue legal recourse against a "content scraping" party would be to implement a strongly written TOS that limits access to its website from caching bots rather than attempting, ineffectively, to limit use. Under Nosal, this appears to be the only avenue for web-based companies invested in incurring CFAA liability upon their TOS-violating users. However, litigators and clients should be weary of such clever contracting. A court could potentially view such contracting limiting access as merely a workaround to actually limit use such that permitting liability would defeat the purpose of the CFAA post-Nosal and render that ruling at least partially impotent.