Over the past three years, as public  Web sites have become a business’s interface with the public, the federal  Computer Fraud and Abuse Act  (CFAA), 18, U.S.C. 1030, et. seq., has emerged as a potent civil remedy to protect valu­able competitive business information that is accessible through these Web sites. This article will examine this newly developed legal prece­dent and the proactive steps businesses should implement to take advantage of the CFAA.

Primarily a federal criminal statute, the CFAA provides for “a civil action against the violator to obtain compensatory damages and injunctive relief.” 18 U.S.C. 1030(g). The crit­ical element to proving a violation of the statute, which contains a number of civil caus­es of action, is the unauthorized access to a “protected computer,” which includes a compa­ny Web site. 18 U.S.C.  1030(e)(2)(B).

The CFAA defines “unauthorized access” to mean “information in the computer that the accessor is not entitled so to obtain.” 18 U.S.C. 1030(e)(6). The information protected by the CFAA need only be valuable, not trade secret or copyright protected or even confidential. As the 1st U.S. Circuit Court of Appeals recog­nized in United States v. Czubinski, 106 F.3d 1069, 1078 (1st Cir. 1997), “[t]he value of information [protected by the CFAA] is rela­tive to one’s needs and objectives.” 

A competitor who hacks “into the code...used to operate” a Web site or uses a stolen password to obtain valuable information is unquestionably in violation of those portions of the statute that outlaw theft of computer data (18 U.S.C. 1030(a)(2)(C), 1030(a)(4), Creative Computing v. Getloaded.Com LLC, 386 F.3d 930, 932 (9th Cir. 2004)) and trafficking in passwords. 18 U.S.C. 1030(a)(6). Compet­itors, however, have discovered a myriad of ways to retrieve valuable information from public Web sites, but few companies have insti­tuted appropriate protections.

A CFAA violation requires ‘unauthorized’ access

For example, in Business Information Systems v. Professional Governmental Research & Solutions Inc., 2003 WL 23960534 (W.D. Va. 2003), the litigants were “in the business of making scanned county land records available to sub­scribers of their respective websites.” Id. at *1. The defendant’s president subscribed to the plaintiff’s Web site “with his personal Visa card and was provided with an assigned username and password.” Thereafter, the defendant used that password and username to provide its cus­tomers with content from Business Information Systems’ (BIS) Web site.

The court found no violation of the CFAA because the defendants’ access and use of BIS’ data was not “unauthorized”—“BIS placed no restrictions on its users as to how they could make use of the information that they retrieved from BIS’s website or on whether they could allow another person to use their username and password to access BIS’s website.” Id. at *7. The court emphasized that “if BIS wanted to restrict its users in their abilities to make unfet­tered use of the records they were accessing, then it could have done so easily through its terms and conditions of usage.” Id.

The plaintiff in I.M.S. Inquiry Management Sys. Ltd. v. Berkshire Information Sys. Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004), imposed such terms upon Web site users. The court upheld I.M.S.’ claim for unauthorized access under the CFAA because the defendant competitor had gained access to I.M.S.’ Web site by obtaining “a user identification and password issued to a third party, thereby knowingly inducing that third party to breach an agreement it had with I.M.S.” Id. at 523.

There is no requirement, however, that a contractual relationship exist between the user and Web site owner for terms of use to be effec­tive in delineating unauthorized access under the CFAA. In Register.com v. Verio Inc., 126 F. Supp. 2d 238, 245 (S.D.N.Y. 2000), affirmed on other grounds, 356 F.3d 393 (2d Cir. 2004), the data at issue were customer contact listings for domain names registered by Register.com.

As an accredited domain name registrar, Register.com is required to permit online access to names and contact information for its cus­tomers “to provide necessary information in the event of domain-name disputes, such as those arising from cybersquatting or trademark infringement.” Id. at 242. The database is set up to “allow the user to collect registrant con­tact information for one domain name at a time by entering the domain name into the provided search engine.”

The defendant Verio, a direct competitor of Register.com, built “an automated software pro­gram or ‘robot’ ” and periodically downloaded all of Register.com’s customer information, so that the defendant could solicit those customers for the same Internet services offered by Register.com. Id. at 243. The robot’s automatic downloading allowed Verio to contact Register.com’s customers “within the first several days after their registration,” when they were most likely primed and ready to purchase the related services. Id. at 243. Verio conceded that “it had violated Register.com’s posted restric­tion on the use of...[the] data for direct mail and telephone marketing purposes.” Id. at 245. Accordingly, the court granted Register.com an injunction based on the CFAA, finding that Verio’s access to the data and its use of that data was “unauthorized.”

A Web site’s terms of use also governed the scope of authorized use by a third party who tried to take commercial advantage of the Web site in Southwest Airlines Co. v. Farechase Inc., 318 F. Supp. 2d 435 (N.D. Texas 2004). Southwest Airlines, “developed and maintains the website Southwest.com, from which it ‘provides propri­etary fare, route, and schedule information to its actual and potential customers in an interactive format.’” Id. at 437. The defendant Farechase licenses software that was used by a third party to “access, search, and obtain data from South-west.com by ‘sending out a robot, spider, or other automated scraping device across the Internet’” for the purpose of allowing “corporate travelers to search for airline fares, as well as various features designed for corporate travel.” Id. at 437.

In denying Farechase’s motion to dismiss, the court found that Southwest had sufficient­ly alleged “unauthorized access” based on the terms of use that appeared on its Web site that “prohibited the use of ‘any deep-link, page-scrape, robot, spider or other automatic device, program, algorithm or methodology which does the same things.’ ” Id. at 439. While agreeing with Farechase “that the Use Agreement is not a contract,” the court found that the use agreement that was “accessible from all pages on the website” made it clear that Farechase’s software was not authorized to be used on Southwest’s Web site. Id. at 439.

Also, in both Southwest and Register.com, the courts found that the lack of authorization exist­ed by virtue of direct notice to both defendants that their access was unauthorized. Southwest did so prior to filing suit, and in Register.com, the court found that Verio was not authorized to use the automatic robot to mine data because “it is clear since at least from the date this lawsuit was filed that Register.com does not consent to Verio’s use of a search robot, and Verio is on notice that its search robot is unwelcome.” Register.com, 126 F. Supp. 2d at 249.

Former employees may not violate confidentiality pacts

Terms of use are not the only way to establish unauthorized conduct on a public Web site. In EF Cultural Travel BV v. Explorica Inc., 274 F. 3d. 577 (1st Cir. 2001) the former president and other high-ranking employees of EF Cultural Travel (EF) used a specially designed scraper tool to download automatically through the company’s public Web site all of EF’s 154,293 prices for high school tours (which could ordinarily be taken off the Web site only several prices at a time). Id. at 580, n.3. The defendants used these prices systematically to undercut EF’s prices for their new competing business, Explorica.

The 1st Circuit upheld the district court’s injunction, finding “excessive” unauthorized access “based on the confidentiality agreement between” EF and the former employee who orchestrated the download. Id. at 582. The court found that this former employee had “provided Explorica proprietary information about the structure of the website and the tour codes” which made it possible to develop the scraper program. The court further found that “if proven, Explorica’s wholesale use of EF’s travel codes to facilitate gathering EF’s prices from its website reeks of use—and, indeed, abuse—of proprietary information that goes beyond any authorized use of EF’s Web site.” Id. at 583.

In a later decision relating to co­defendant Zefer Corp., the 1st Circuit recognized that “[a] lack of authorization could be estab­lished by an explicit statement on the website restricting access” including prohibiting “the use of scrapers.” EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62 (1st Cir. 2003). Such restrictions are enforceable because the CFAA “is primarily a statute imposing limits on access and enhanc­ing control by information providers.” Thus, the “website provider can easily spell out explicitly what is forbidden.” Id at 63.

For Web site owners who want to take advantage of the remedies afforded by the CFAA to protect themselves from competitors using their information, the lessons are straightforward:

  • Terms of use should be displayed conspic­uously on the Web site and incorporated into agreements with Web site users.
  • Written notice should immediately be sent to anyone suspected of violating the terms of use.
  • Confidentiality agreements should be required of all employees familiar with the inner workings of the Web site.
  • Passwords should be changed regularly to prevent former employees from using passwords to access company data through the Web site.

This article is reprinted with permission from the February 14, 2005 edition of the NATIONAL LAW JOURNAL. © 2005 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited. For information, contact American Lawyer Media, Reprint Department at 800-888-8300 x6111. #005-02-05-0013