Aleksandr Korzh

Spring 2012


Legal Research: Trouble Online


Analysis of CFAA Unauthorized Access Requirement (18 U.S.C. §§ 1030)


The CFAA provides that the following actions are prohibited:

Subsection 2: (1) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtain... (c) information from any protected computer.


Subsection 4: (1) knowingly and with intent to defraud; (2) accesses a protected computer without authorization; (3) by means of such conduct furthers the intended fraud and obtains anything of value; (4) the object of fraud and thing obtained consists of more than the use of the computer and the value of such use is more than $5,000 in any 1-year period.

18 U.S.C. § 1030.  Under the CFAA, the standard for unauthorized access is articulated in the statute as “without authorization, or exceeds authorized access.”  (emphasis added) 18 U.S.C. 1030(a).  “[A] violation for `exceeding authorized access' occurs where initial access is permitted but the access of certain information is not permitted.”  Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008).  In the civil context, subsection (g) provides for compensatory damages (limited to economic damages) and injunctive or other equitable relief.

            In LVRC Holdings LCC v. Brekka, the court analyzed the term “without authorization” in the context of an employee who had access to a computer system.  581 F.3d 1127 (9th Cir. 2009).  There, the employee was found to have authorization during his employment to access the company computer and the specific information.  Therefore, his access was found to have been with authorization.  The court also explained that a breach of loyalty to an employer also does not lead to the conclusion that access was without or exceeding authorization.

            In Theofel v. Farey-Jones, a “patently unlawful” subpoena was used to gain access to e-mails on an internet service provider’s systems.  359 F. 3d 1066 (9th Cir. 2004).  The court held that the ECPA, discussed further below, applied to these communications.  The court also held that access to these e-mails was unauthorized for purposes of the CFAA explaining that access based on the deceptive subpoena could not have been authorized.


Analysis of ECPA (18 U.S.C. § 2701)

An action under the ECPA may be brought for (1) Intentional interception of contents of electronic communications; or (2) intentional use, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection.  18 U.S.C. § 2511.  Furthermore, § 2515 provides that any communication intercepted in violation of the act cannot be used in any trial, hearing or other proceeding.  Under § 2520, civil damages may be recovered including injunctive and other equitable relief, damages computed under subsection (c), attorneys’ fees, and punitive damages.  Damages under subsection (c) are the greater of the sum of actual damages suffered by the plaintiff and any profits made by the violators as a result of the violation; or statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000.


Analysis of Cal. Pen. Code § 502(c)

California Penal Code section 502(c) may be violated the following ways relevant to the present case:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.


(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.


(3) Knowingly and without permission uses or causes to be used computer services.


(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.


(5) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

Cal. Pen. Code § 502(c).  Subsection (e)(1) requires that a civil plaintiff suffer damage or loss as a result of a violation of subsection (c).  Under subsection (e), injunctive, compensatory, other equitable relief, attorneys’ fees, and punitive or exemplary damages (for oppression, fraud, or malice) are available.  Compensatory damages include any expenditure reasonably and necessarily incurred by the owner/lessee of the computer system to verify that the computer system/data was not altered, damaged, or deleted by the access.  Under Cal. Pen. Code § 502(c), the standard for a violation is “knowingly” access “without permission.”  If the access to the information would fall under the scope of the employment, then QMS would not be liable under § 502(c) even if the purpose was for something other than the purpose of the employment.  See Chrisman v. City of Los Angeles, 65 Cal. Rptr. 3d 701, 705-7 (8th Dist. 2007).  “A person acts within the scope of his or her employment when he or she performs acts which are reasonably necessary to the performance of his or her work assignment.” Cal. Pen. Code § 502(h)(1).


Trespass to Chattels in Internet Context

Common law trespass to chattels as applied to unauthorized computer system access requires (1) unauthorized system use and (2) measureable loss to computer system resources.  Intel v. Hamidi, 1 Cal. Rptr. 3d 32, 36 (2003).  Damages include injunctive relief as well as compensatory damages for the measurable loss to computer system resources.


From Wikipedia found at

Hamidi was a former engineer at Intel's Automotive Group when September 1990, he was injured in a car accident while returning from a business trip on behalf of Intel.[2] He returned to work for 18 months until his worsening physical condition caused him to take a medical leave on January 27, 1992 at the advice of Intel's doctors.[3] He remained on medical leave until he was fired on April 17, 1995 for failing to return to work after the medical leave.[4]

After termination, Hamidi formed a support group for former and current employees of Intel: Associated X-Employees of Intel (AXE-Intel), later renamed Former And Current Employees of Intel (FACE-Intel).[5] Over a 21-Month period, Hamidi sent six waves of e-mails to Intel employees on behalf of the organization.[6] The e-mails were critical of Intel's employment practices and encouraged employees to become involved in FACE-Intel. Each e-mail stated that the recipient could notify the sender to remove them from the mailing list, and Hamidi stopped sending e-mails to those who requested.[7]

Although some of the e-mails were blocked by Intel's internal filters, Hamidi succeeded in evading blocking efforts by using different sending computers. In March, 1998 Intel demanded that Hamidi and FACE-Intel stop sending e-mails, but he sent another mass e-mail in September, 1998. Intel sued Hamidi and FACE-Intel pleading cause of action for trespass to chattel and nuisance seeking damages and an injunction against further messages. Intel later dismissed its nuisance claim and waived the demand for damages. The trial court granted Intel's request for summary judgment and set a permanent injunction against Hamidi and FACE-Intel from sending unsolicited e-mails to the company.[8] Hamidi appealed the decision, and with one justice dissenting, the appellate court found that Intel "showed he was disrupting its business by using its property and therefore is entitled to injunctive relief based on a theory of trespass to chattels."