Monday, June 8, 2009

Competitor Raids Company's Computer Data: Passwords Are Not Trade Secrets

Your company operates a website that provides data to paid subscribers that access your website through individual passwords. Your database is so successful that one of your former clients, which is also in a similar business, offers to buy it. But you decline. Around the same time you fire your marketing director. But you think your company is protected from being injured by that employee because he is subject to a non-compete and non-disclosure agreement.

Readers of this blog, by now, know where this story is going.

You then discover that your former client--now competitor--hired your former marketing director to compete against your company, despite his non-compete agreement. Then one of your long-time clients informs you that it is switching to your competitor's services.

Suspicious, you begin to investigate and discover that for the last four years, your database had been accessed 735 times from an IP address traced to your competitor's home city. And your competitor seems to have accessed your database by using the passwords assigned to your long-time client that switched to your competitor.

What do you do?

In State Analysis, Inc. d/b/a Statescape v. American Financial Services, Assoc., et al., found here, the plaintiff, Statescape, brought suit in the U.S. District Court for the Eastern District of Virginia, asserting claims arising out of facts like those described above. Statecape filed suit against: 1) its former client -- who set-up a competing business (the "Competitor"); 2) its former client that allegedly provided its password to the competitor ("Former Client"); and 3) its former employee.

The defendants moved to dismiss many of StateScape's claims. Several of the court's findings are noteworthy because they involve unfair business practices claims.

Computer Fraud and Abuse Act ("CFAA")

"18 U.S.C. Sec. 1030 (a) (2) prohibits 'intentially access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer . . ."

"Exceeds authorized access" is explicitly defined as 'to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.'"

Having recited the provisions, the court discussed the split between courts, some of which have limited the applicability of the CFAA to "computer hackers" who access computers without authorization. Those courts "reject[] attempts to apply the CFAA to cases where the defendants are not alleged to have 'broken into' the system but to have abused the privileges of a license." "Other courts have held that the CFAA does apply to authorized users who use programs in an unauthorized way, including employees who obtain and use proprietary information in violation of a duty of loyalty, and licensees who breach an agreement restricting their use of the software." (Internal citations omitted).

The court then found that the plaintiff stated a claim against its competitor for accessing "StateScape's website using usernames and passwords that did not belong to it. StateScape has pled that under the terms of their contract, only clients were authorized to use StateScape's subscription services, and that [the Competitor] was not so authorized. [The Competitor] therefore acted 'without authorization.'"

But the court found that StateScape did not state a claim against its Former Client because the Former Company "never went beyond the areas that StateScape authorized [it] to access." And the court did not have to resolve the case split because StateScape only reserved the right to terminate the Former Client's contract instead of having the contract automatically terminate if the Former Client breached the contract. Thus, the Former Client was never without authorization.

We have recently written about the applicability of the Computer Fraud and Abuse Act to departing employees who access their employer's computer data after they intend to join a competitor, which can be found here.

Electronic Communications Privacy Act ("ECPA")

The ECPA forbids "intentionally access[] without authorization a facility through which an electronic communication service is provided, or intentionally exceed[] an authorization to access that facility; and thereby obtain[], alter[], or prevent[] authorized access to a wire or electronic communication while it is in electronic storage."

The court found that "StateScape has stated a claim against [the Competitor] by alleging that [the Competitor], without any authorization from StateScape, accessed the password-protected areas of StateScape's site."

StateScape's claim against its Former Client, however, was dismissed under one of the ECPA's exceptions because the Former Client was "contractually entitled to see all of the information it is alleged to have accessed."

Virginia Computer Crimes Act

The court's opinion is also noteworthy because it held that StateScape's Virginia Computer Crimes Act claim was preempted by the federal Copyright Act. The claim was preempted since "software is within the subject matter of copyright" and, based on the alleged facts, the claims were not "'qualitatively' different from the Copyright Act claims."

Trespass

StateScape's claim for trespass to chattels is "based on the allegation that [the Former Client] accessed password-protected areas of StateScape's website without authorization. A trespass to chattels occurs 'when one party intentionally uses or intermeddles with personal property in rightful possession of another without authorization' and 'if the chattel is impaired as to its condition, quality, or value.'" (Internal citations omitted.)

The Former Client argued that no "impairment" was alleged. But the court found the impairment criterion was satisfied: "given that StateScape charges fees for its passwords, the value of StateScape's possessory interest in its computer network is diminished if unauthorized users access its password-protected areas."

Misappropriation of Trade Secrets

StateScape alleged that the Former Client's "sharing of its passwords for StateScape's database with [the Competitor]" violated the Virginia Uniform Trade Secrets Act ("VUTSA"). The defendants attacked the VUTSA claim, arguing that "passwords lack 'independent economic value,' but are instead a security mechanism designed to control access to information, and therefore are not trade secrets."

The court first reviewed the definition of a "trade secret" under the VUTSA: "'Trade secret' means information, including but not limited to, a formula, pattern, compilation, program, device, method, technique or process, that: 1. Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and 2. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy."

"Although the passwords at issue clearly have economic value given that they are integral to accessing StateScape’s database, they have no independent economic value in the way a formula or a customer list might have. Where a plaintiff has not alleged that its passwords are the product of any special formula or algorithm that it developed, the passwords are not trade secrets."

Blog Conclusion

This case is another spin on the types of unfair business practices that can arise in today's electronic world. Many companies make their money by providing password-protected data on their websites. Protecting that data through security features and, if needed, litigation is critical. But, on a positive note, this case again demonstrates that unfair business practices can often be unmasked by tracing electronic footprints.

No comments: