9/15. The U.S. Court of Appeals (9thCir) issued its opinion [19 pages in PDF] in LVRC v. Brekka, a civil case involving Section 1030 and unauthorized access to a protected computer system. The Court of Appeals affirmed the summary judgment of the District Court for a former employee of a company that accused him of unauthorized access both during and after his employment.

This opinion addresses in detail the meaning of the statute's phrases "without authorization" and "exceeds authorized access". Notably, this Court declined to follow the shaky reasoning of Judge Posner's 7th Circuit opinion in International Airport Centers v. Citrin. See, 440 F.3d 418, and story titled "7th Circuit Applies Computer Hacking Statute to Use of Trace Removers on Employee Laptops" in TLJ Daily E-Mail Alert No. 1,418, July 26, 2006.

Background. Christopher Brekka worked for LVRC Holdings LLC in a position that related to web and e-mail marketing. LVRC provided him with a computer at work. His job entailed using it. Brekka and LVRC had no employment contract or agreement that covered his use and access to LVRC's computer system. LVRC had no relevant company policy. Brekka lived in Florida, and computed to Nevada to work. He sent e-mail copies of company documents to himself in connection with performing his job responsibilities.

After he left his employment, LVRC filed a complaint against Brekka, his consulting businesses, and others alleging various state law claims, and violation of 18 U.S.C. §§ 1030(a)(2) & (4) in connection with his sending e-mail while employed by LVRC, and accessing the companies restricted access web site after his departure.

The District Court granted summary judgment to Brekka on the Section 1030 claims, and declined to exercise jurisdiction over the state law claims. LVRC brought the present appeal.

Statute. The Computer Fraud and Abuse Act (CFAA), which is codified at 18 U.S.C. § 1030, is the main federal computer hacking criminal statute. It contains numerous criminal bans related to unauthorized accessing of computers to steal information or cause damage.

In addition, some of the bans can also give rise to civil liability. Subsection 1030(g) provides, in part, that "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). ..."

Subsection 1030(a)(2) provides that "(a) Whoever ... (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... (C) information from any protected computer if the conduct involved an interstate or foreign communication;

Subsection 1030(a)(4) provides that "(a) Whoever ... (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;"

The five types of conduct listed in subsection 1030(a)(5)(B) are as follows:

"(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;"

Court of Appeals. The Court affirmed the judgment of the District Court.

First, as to the allegation of post employment access, the Court held that LVRC presented insufficient evidence to survive a motion for summary judgment. Basically, it offered evidence that someone using Brekka's username logged into the LVRC web site. However, the evidence also showed that this information was on Brekka's computer when he left the company, and any subsequent user of that computer could have logged on with Brekka's information.

Second, the Court held that the allegation that Brekka acted "without authorization" or exceeded "authorized access" during his employment fail. It wrote that he was an employee, given a computer, and expected to use it, which he did.

LVRC relied upon the unfortunate 2006 opinion [7 pages in PDF] of the U.S. Court of Appeals (7thCir) in Citrin, a post-employment dispute involving Section 1030(a)(5) and an employee's use of a trace remover tools on the laptop assigned by his employer.

In Citrin the 7th Circuit held that an employee acted without authorization, in the absence of any violation of a contract or policy, or instructions, based upon obscure principles of agency law. However, the Court of Appeals in the present case wrote that "We are unpersuaded by this interpretation" of "without authorization".

The Court wrote in the present opinion that "No language in the CFAA supports LVRC's argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer's interest. Rather, the definition of ``exceeds authorized access´´ in § 1030(e)(6) indicates that Congress did not intend to include such an implicit limitation in the word ``authorization.´´"

In other words, the Court wrote, "for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer's decision to allow or to terminate an employee's authorization to access a computer that determines whether the employee is with or ``without authorization.´´"

In continued, "According to LVRC, Citrin supports its argument that the CFAA incorporates an additional limitation in the word “authorization,” such that an employee can lose authorization to use a company computer when the employee resolves to act contrary to the employer's interest. In Citrin, the court held that an employee's authorization to access a computer ended for purposes of § 1030(a)(5) when the employee violated his duty of loyalty to his employer. The employee had decided to start a competing business in violation of his employment contract and erased all data from his work laptop computer before quitting his job."

The Court wrote that were it to accept the reasoning in Citrin, Brekka would have acted "without authorization". But, it rejected Citrin, because it does not comport with the language of Section 1030, and because Section 1030 is primarily a criminal statute, and courts should not interpret "criminal statutes in surprising and novel ways that impose unexpected burdens on defendants".

The Court of Appeals held that "a person uses a computer ``without authorization´´ under §§ 1030(a)(2) and (4) when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway". (Parentheses in original.)

The case is LVRC Holdings LLC v. Christopher Brekka, et al., U.S. Court of Appeals for the 9th Circuit, App. Ct. No. 07-17116, an appeal from the U.S. District Court for the District of Nevada, D.C. No. CV-05-01026-KJD, Judge Kent Dawson presiding. Judge Sandra Ikuta wrote the opinion of the Court of Appeals, in which Judges Margaret McKeown and James Selna (USCD/CDCal) joined.

9/15. The U.S. Court of Appeals (4thCir) issued its opinion [38 pages in PDF] in SEC v. Pirate Investor, a Section 10b civil securities fraud case. The Court of Appeals affirmed the judgment of the District Court against Pirate Investor.

In so doing, the Court of Appeals rejected the argument of numerous amicus curiae news media publishers, including Forbes, Hearst, and Tribune, that upholding this interpretation of Section 10b chills constitutionally protected free speech by publishers of financial news and commentary.

This case may further illustrate that the Securities and Exchange Commission (SEC) balances its inability to perform the major tasks with which it is charged by the Congress, such as preventing people like Bernard Madoff from conducting large scale investment fraud, by aggressively interpreting its statutory authority in a manner that threatens activities, such as those of financial news publishers, that do not frustrate the policy goals of the Congress.

Pirate publishes investment newsletters, and offers an e-mail service. It sent a bulk e-mail message titled "Super Insider Tip E-mail" to about 800,000 recipients. This message provided some detailed information about a company, but did not disclose the name of the company. The e-mail related, inaccurately, the substance of a telephone conversation with the Director of Investor Relations of the company. Pirate then sold for $1,000 the name of the company. It made over a thousand sales. Its revenue came from the sale of information, not from buying and/or selling securities.

The SEC filed a civil complaint in the U.S. District Court (DMd) against Pirate Investor and others alleging violation of the Section 10b of the Securities Exchange Act of 1934, which is codified at 15 U.S.C. § 78j(b), and rule 10b5 thereunder.

The District Court, following a bench trial, ruled that Pirate violated Section 10b. Pirate brought the present appeal, and major news publishers filed an amicus curiae brief in support.

Section 10b provides, in part, that "It shall be unlawful for any person, directly or indirectly, by the use of any means or instrumentality of interstate commerce or of the mails, or of any facility of any national securities exchange ... To use or employ, in connection with the purchase or sale of any security registered on a national securities exchange ... any manipulative or deceptive device or contrivance in contravention of such rules and regulations as the Commission may prescribe ...", including those that "prohibit fraud".

The Court of Appeals quoted the amicus brief: "As applied in the way the SEC now urges, § 10(b) would not be restricted to the statements of fiduciaries or those who trade in stocks, but would cover all statements about securities by anyone who cared to speak to anyone who cared to listen." (Emphasis in original.)

The Court continued that "The great concern is that publishers of financial news and commentary will face potential liability under § 10(b) and that this will chill publishers' attempts to report on financial matters. The amici, in particular, point out that financial news and commentary is especially important because so many Americans are actively involved in trading in the securities markets and there is a high demand for information about investment opportunities. Appellants and the amici argue that these constitutional concerns require that we interpret § 10(b)'s ``in connection with´´ requirement narrowly, and they suggest that we can do so by recognizing an exception from the coverage of § 10(b) for publishers of nonpersonalized financial news and commentary who do not possess a financial interest in the securities that they discuss." (Emphasis in original.)

The Court of Appeals concluded Pirate violated Section 10b. It explained that "Appellants made misrepresentations of a material fact -- whether an insider had provided the information in the stock tip -- and Appellants did so with the requisite scienter. Moreover, the misrepresentations were ``in connection with´´ securities transactions because securities transactions were necessary to maximize the fraudulent scheme, Appellants made their misrepresentations with the intent that investors would rely on them, and Appellants knew that investors would so rely. This conduct violates § 10(b), and Appellants cannot avoid application of the statute by invoking constitutional concerns because the text and purpose of § 10(b) admit of no exception for ``disinterested publishers.´´"

This case is Securities and Exchange Commission v. Pirate Investor LLC, et al., U.S. Court of Appeals for the 4th Circuit, App. Ct. No. 08-1037, an appeal from the U.S. District Court for the District of Maryland, D.C. No. 1:03-cv-01042-MJG, Judge Marvin Garbis presiding. The Court of Appeals issued a per curiam opinion of Judges Niemeyer and Motz.

Tech Law Journal publishes a free access web site and a subscription e-mail alert. The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year for a single recipient. There are discounts for subscribers with multiple recipients.

Free one month trial subscriptions are available. Also, free subscriptions are available for journalists, federal elected officials, and employees of the Congress, courts, and executive branch. The TLJ web site is free access. However, copies of the TLJ Daily E-Mail Alert are not published in the web site until two months after writing.

For information about subscriptions, see subscription information page.

Tech Law Journal now accepts credit card payments. See, TLJ credit card payments page.

TLJ is published by David Carney
Contact: 202-364-8882.
carney at techlawjournal dot com
P.O. Box 4851, Washington DC, 20008.

Privacy Policy
Notices & Disclaimers
Copyright 1998-2009 David Carney. All rights reserved.

The House will meet at 10:30 AM for morning hour, and at 12:00 NOON for legislative business. It will consider numerous non-technology related items under suspension of the rules. See, Rep. Hoyer's schedule for week of September 14.

RESCHEDULED FOR DECEMBER 1 and 2. The Federal Trade Commission (FTC) will hold the first in a series of workshops titled "Can News Media Survive the Internet Age? Competition, Consumer Protection, and First Amendment Perspectives". See, original FTC release, and notice of postponement.

12:30 - 2:00 PM. The Federal Communications Bar Association's (FCBA) Engineering and Technical Committee will host a brown bag lunch to discuss "upcoming activities and your suggestions for the new 2009-2010 year". For more information, contact Karen Higa at 202-974-5764 or email to khiga at chadbourne dot com. Location: Chadbourne & Parke,1200 New Hampshire Ave., NW.

1:00 PM. The House Judiciary Committee's (HJC) Subcommittee on Commercial and Administrative Law will hold a hearing titled "Mandatory Binding Arbitration -- Is it Fair and Voluntary?". See, notice. See also, HR 1020 [LOC | WW], and S 931 [LOC | WW], both titled the "Arbitration Fairness Act of 2009". Many information and communications technology companies, including wireless communications service providers, include arbitration clauses in consumer contracts. Location: Room 2141, Rayburn Building.

5:00 - 6:00 PM. The Department of Homeland Security's (DHS) Homeland Security Advisory Council (HSAC) will meet by teleconference to review the findings and recommendations of the HSAC's Homeland Security Advisory System Task Force. See, notice in the Federal Register, September 8, 2009, Vol. 74, No. 172, at Pages 46215-46216.

11:59 PM. Deadline to submit to the National Telecommunications and Information Administration (NTIA) all amended budgets in connection with applications for grants under its State Broadband Data and Development Grant Program. See, notice in the Federal Register September 10, 2009, Vol. 74, No. 174, at Pages 46573-46574.

Deadline to submit comments to the Office of the U.S. Trade Representative (OUSTR) regarding the free trade agreement (FTA) between the U.S. and Korea. Representatives of the two nations signed this FTA back on June 30, 2007. Democrats in the Congress have declined to approve it. This FTA includes technology related provisions. See, text of the FTA, and sections regarding telecommunications [17 pages in PDF], electronic commerce [4 pages in PDF], and intellectual property rights [35 pages in PDF]. See, notice in the Federal Register, July 27, 2009, Vol. 74, No. 142, at Page 37084.

12:00 NOON. Deadline to submit comments to the Office of the U.S. Trade Representative (OUSTR) regarding the free trade agreement (FTA) between the U.S. and Columbia. Representatives of the two nations signed this FTA back on November 22, 2006, and amendments on June 28, 2007. Democrats in the Congress have declined to approve it. This FTA includes technology related provisions. See, notice in the Federal Register, July 29, 2009, Vol. 74, No. 144, at Pages 37759-37760.

The House will meet at 10:00 AM for legislative business. It will consider HR 3246 [LOC | WW], the "Advanced Vehicle Technology Act". See, Rep. Hoyer's schedule for week of September 14.

The Senate will meet at 9:30 AM. It will resume consideration of HR 3288 [LOC | WW], the "Transportation, Housing and Urban Development, and Related Agencies Appropriations Act, 2010".

10:00 AM. The Senate Judiciary Committee (SJC) will hold an oversight hearing on the Federal Bureau of Investigation (FBI). FBI Director Robert Mueller will testify. Location: Room 226, Dirksen Building.

10:00 AM. The House Judiciary Committee (HJC) will meet to mark up several bills, including HR 2994 [LOC | WW], the "Satellite Home Viewer Update and Reauthorization Act". It is the first item on the agenda. See, notice. Location: Room 2141, Rayburn Building.

5:30 - 6:30 PM. The DC Bar Association will host an event titled "E-Discovery, Sanctions, and the Bench: Have the Courts Gone Too Far?". The speaker will be John Facciola (U.S. District Court). The price to attend ranges from $15 to $35. Most DC Bar events are not open to the public. See, notice. For more information, call 202-626-3463. Location: DC Bar Conference Center, 1101 K St., NW.

6:00 - 8:00 PM. The Federal Communications Bar Association's (FCBA) Young Lawyers Committee will host an event titled "Happy Hour". For more information, contact Micah Caldwell at mcaldwell at fh-law dot com, Stefanie Desai at szdesai at mintz dot com, or Darren Abernethy at djabernethy at mintz dot com. Location: Elephant & Castle, 900 19th St., NW.

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft NIST IR 7621 [20 pages in PDF] titled "Small Business Information Security: The Fundamentals".

The House will meet at 10:00 AM for legislative business. See, Rep. Hoyer's schedule for week of September 14.

10:00 AM. The Senate Judiciary Committee (SJC) will hold an executive business meeting. The agenda again includes consideration of HR 985 [LOC | WW] and S 448 [LOC | WW], both titled the "Free Flow of Information Act of 2009". These bills have been on many previous agendas. The agenda also includes consideration of the nominations of Paul Fishman to be the U.S. Attorney for the District of New Jersey and Jenny Durkan to be the U.S. Attorney for the Western District of Washington. See, notice. Location: Room 226, Dirksen Building.

10:00 AM. The House Commerce Committee's (HCC) Subcommittee on Communications, Technology and the Internet will hold a hearing titled "Oversight of the Federal Communications Commission". See, notice. Location: Room 2123, Rayburn Building.

2:00 PM. the Senate Judiciary Committee's (SJC) Subcommittee on Crime will hold a hearing on S 1551 [LOC | WW], the "Liability for Aiding and Abetting Securities Violations Act of 2009". See, notice. The bill would address the Supreme Court's 2008 opinion [33 pages in PDF] in Stoneridge Investment Partners v. Scientific-Atlanta, 522 U.S. 148. See also, stories titled "Supreme Court Rules in Stoneridge v. Scientific Atlanta" in TLJ Daily E-Mail Alert No. 1,701, January 16, 2008, "Supreme Court Grants Cert in Stoneridge Investment v. Scientific-Atlanta" in TLJ Daily E-Mail Alert No. 1,557, March 27, 2007, and "Supreme Court to Consider 10b Liability of Stock Issuers' Vendors" in TLJ Daily E-Mail Alert No. 1,625, August 21, 2007. Location: Room 226, Dirksen Building.

6:00 - 9:15 PM. The DC Bar Association will host an event titled "Privacy in Today's Workplace". The speakers will be Gerard Stegmaier (Wilson Sonsoni) and Charles Henter. The price to attend ranges from $89 to $129. Most DC Bar events are not open to the public. This event qualifies for continuing legal education (CLE) credits. See, notice. For more information, call 202-626-3488. Location: DC Bar Conference Center, 1101 K St., NW.

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft SP 800-38 E [7 pages in PDF] titled "Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices".

Rosh Hoshana begins at sundown.

Rep. Hoyer's schedule for week of September 14 states that "no votes are expected in the House".

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft NIST IR 7609 [65 pages in PDF] titled "Cryptographic Key Management Workshop Summary".

Rosh Hoshana.

9:30 AM - 12:00 NOON. The American Enterprise Institute (AEI) will host an event titled "Free Trade Agreements in Asia: Implications for Taiwan and the United States". The first panel is titled "The Taiwan-China ECFA: Implications for Taiwan and the United States". The speakers will be Philip Levy (AEI), Claude Barfield (AEI), Rupert Hammond-Chambers (U.S.-Taiwan Business Council), and Daniel Rosen (Peterson Institute for International Economics). The second panel is titled "Free Trade Proliferation in Asia: Economic and Strategic Implications". The speakers will be Dan Blumenthal (AEI), Ellen Frost (Peterson Institute for International Economics), and Ernest Preeg (Manufacturers Alliance/MAPI). See, notice. Location: AEI, 12th floor, 1150 17th St., NW.

6:00 - 8:15 PM. The Federal Communications Bar Association (FCBA) will host an event titled "Smart Grid 101: What is it and what are the latest policy and regulatory issues facing both government and industry in its implementation?". See, notice. This event qualifies for CLE credits. Prices vary. Location: Dow Lohnes, 1200 New Hampshire Ave., NW.

6:00 - 9:15 PM. The DC Bar Association will host an event titled "From the Ground Up: Fundamentals of Practice Before the D.C. Court of Appeals". The speakers will be Inez Reid, John Fisher, Rosanna Mason, and David Tedhams (all of the U.S. Court of Appeals), and Todd Kim (Office of the Attorney General). The price to attend ranges from $89 to $129. Most DC Bar events are not open to the public. This event qualifies for continuing legal education (CLE) credits. See, notice. For more information, call 202-626-3488. Location: DC Bar Conference Center, 1101 K St., NW.

7:30 - 9:30 PM. The New America Foundation (NAF) will host a lecture by Jonathan Lazar titled "Current Issues in Human-Computer Interaction and Public Policy". See, notice. Location: NAF, Suite 400, 1899 L St., NW.

9:30 AM. The U.S. Court of Appeals (DCCir) will hold oral argument in Cablevision Systems Corporation v. FCC, App. Ct. No. 07-1425. This is a petition for review of the FCC's order extending the exclusivity prohibition. See, FCC's brief [PDF]. Judges Sentelle, Griffith and Kavanaugh will preside. Location: 333 Constitution Ave., NW.

10:00 AM. The Federal Communications Commission's (FCC) Advisory Committee on Diversity for Communications in the Digital Age will meet. See, notice in the Federal Register, August 12, 2009, Vol. 74, No. 154, at Page 40595. Location: FCC, Commission Meeting Room, 445 12th St., SW.

10:30 AM - 12:00 NOON. The Information Technology and Innovation Foundation (ITIF) will host an event to release a study titled "Explaining International Health IT Leadership". The speakers will be Daniel Castro (ITIF), Hannu Hanhijarvi (Finland), and Christina Wanscher (Denmark). See, notice. Location: ITIF, Suite 610, 1101 K St., NW.

11:00 AM. The House Judiciary Committee's (HJC) Subcommittee on the Constitution, Civil Rights and Civil Liberties will hold a hearing titled "USA PATRIOT Act". See, notice. Location: Room 2141, Rayburn Building.

12:30 - 2:00 PM. The Federal Communications Bar Association's (FCBA) International Telecommunications Committee will host a brown bag lunch. Fernando Schulhof will discuss "the Brazilian telecoms market". Register by September 15 with Jennifer Ullman at Jennifer dot ullman at verizon dot com. Location: Verizon, 1300 I St., NW.

6:00 - 9:15 PM. The DC Bar Association will host an event titled "Beginner’s Guide to Publishing Law and Publishing Agreements". The speaker will be Gail Ross (Lichtman Trister & Ross). The price to attend ranges from $89 to $129. Most DC Bar events are not open to the public. This event qualifies for continuing legal education (CLE) credits. See, notice. For more information, call 202-626-3488. Location: DC Bar Conference Center, 1101 K St., NW.

10:00 AM. The Senate Judiciary Committee (SJC) will hold a hearing titled "Reauthorizing the USA PATRIOT Act: Ensuring Liberty and Security". The SJC will webcast this event. See, notice. Location: Room 226, Dirksen Building.

10:00 AM. The U.S. Court of Appeals (FedCir) will hear oral argument in I4i v. Microsoft, App. Ct. No. 2009-1504. This is a patent infringement case involving XML and Microsoft Word. Location: Courtroom 201.

1:00 - 4:00 PM. The U.S.-China Economic and Security Review Commission will hold one of a series of meetings to consider staff drafts of material for its 2009 Annual Report to Congress. See, notice in the Federal Register, August 5, 2009, Vol. 74, No. 149, at Pages 39145-39146. Location: Conference Room 231, Hall of States, 444 North Capitol St., NW.