Unauthorized Email Access by High-Level Manager, While Employed, Violates Computer Fraud and Abuse Act (CFAA)

The Eleventh Circuit Court of Appeals held that a high-level manager with an “honorary” title of president violated the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, when, while employed by a furniture manufacturer, he accessed other employees’ email accounts without authorization using a generic password (“password1”). The court further held that the cost of investigation alone was enough to meet the $5,000 damage threshold of the CFAA, and that the statute did not require damage to the electronic data or an interruption of data services due to the manager’s actions. Brown Jordan Int’l Inc. v. Carmicle, Case No. 16-11350 (11th Cir. Jan. 25, 2017).

Defendant Carmicle had an honorary title of president, but he was only a national manager, an employee of Plaintiff Brown Jordan. Brown Jordan permitted Carmicle to use the title as a “customer facing accommodation.” Carmicle had a profit interest in one of the several Brown Jordan companies and had an Executive Employment Agreement with Brown Jordan. Prior to his termination, Brown Jordan began a transition from one email service to another. To assist in that transition, Brown Jordan’s Chief Information Officer provided a generic password, Password1, to Brown Jordan employees and instructed each to test his or her new email account. This generic password was never deactivated.

The Brown Jordan companies hired an investment firm that recommended either restructuring the companies or spinning off certain corporate entities. Apparently in secret, Brown Jordan’s CFO, who was Carmicle’s boss, along with several other officers of Brown Jordan, developed a plan for a management buyout (an “MBO”) of Brown Jordan.

Carmicle discovered the MBO plan by accessing emails of these Brown Jordan officers with the generic password “Password1” and he wrote a letter asserting potential shareholder fraud to the Board of Directors. Brown Jordan hired a third party to investigate these allegations and discovered the unauthorized email access by Carmicle. Brown Jordan then hired a computer forensic team to investigate the extent of Carmicle’s access and related misadventures with laptops, etc.

After his termination, Brown Jordan brought suit alleging that Carmicle violated the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and the Stored Communications Act (SCA), 18 U.S.C. § 2701. At summary judgment, the District Court ruled in favor of Brown Jordan on the CFAA and the SCA claims. After an 11-day bench trial, the trial court ruled against Carmicle on his counterclaim for wrongful discharge and breach of an employment agreement.

Carmicle testified that he was suspicious that a subordinate employee he considered difficult to manage was communicating directly with Moriarty, and that both were lying to Carmicle about a personnel issue. This prompted Carmicle to use the generic password to access their accounts and read their emails. From there, Carmicle’s behavior began to snowball. Carmicle repeatedly accessed the email accounts of other employees, including his superiors, with the generic password and used his personal iPad to take screenshots of hundreds of emails over the next six months. Along the way, Carmicle learned about the MBO and the other corporate re-structuring models.  Carmicle also learned that Brown Jordan’s CFO was scrutinizing his entertainment expenses (then in excess of $100,000) which years earlier had been the subject of a reprimand by the CFO.  When the Board of Directors met in February 2014, they decided that Carmicle’s employment should be terminated.

Carmicle tried to take his personal laptop from his office, but Brown Jordan refused this request unless Carmicle could prove that he bought it with his personal funds. At home, Carmicle then attempted to lock the laptop but inadvertently locked another Brown Jordan employee’s laptop. During discovery, Brown Jordan requested that Carmicle turn over his iPad, but Carmicle claimed he lost the device.

Carmicle appealed the District Court’s conclusion that he violated the CFAA, claiming that Brown Jordan suffered no loss as defined in the CFAA because he caused no damage to Brown Jordan’s computer system and there was no “interruption of service.” Brown Jordan claimed its payments to the computer forensic consultant were a CFAA loss. The forensic consultant was hired to assess how Carmicle accessed the emails. Also, Brown Jordan hired a firm to sweep the office building for audio and video surveillance devices. Based on these payments, the District Court found Brown Jordan sustained a “loss” within the meaning of the CFAA and awarded Brown Jordan damages.

Carmicle asserted that Brown Jordan’s expenses did not qualify as a “loss” under the CFAA’s definition, arguing that: (1) Brown Jordan’s loss did not stem from an “interruption of service”; and (2) Brown Jordan admitted there was no damage to its computers and it paid no money to remedy such damage. He also specifically argued that the fee Brown Jordan paid to the forensic consultants was unnecessary and that the fee Brown Jordan paid to sweep its building for surveillance did not relate to Brown Jordan’s computers and was not a compensable loss under the CFAA.

Per the CFAA, “Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer” violates the CFAA. 18 U.S.C. § 1030(a)(2)(C). “A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i).” 18 U.S.C. § 1030(g). Subclause (I), applicable to the instant case, permits an action only if the plaintiff incurs a minimum “loss” of $5,000 as a result of the defendant’s violation of the CFAA. 18 U.S.C. § 1030(c)(4)(A)(i)(I). The CFAA provides that:
“the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offenses, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. § 1030(e)(11).

Two Circuit Courts of Appeal have interpreted the definition of “loss” as set forth in 18 U.S.C. § 1030(e)(11) to include the cost of responding to the offense, irrespective of whether there was an interruption of service. See Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC, 774 F.3d 1065, 1073-74 (6th Cir. 2014); A.V. ex rel. Vanderhye v. iParadigms, LLC, 562 F.3d 630, 646 (4th Cir. 2009).  Although no Court of Appeals has interpreted the statute to require an interruption of service in all cases, a more narrow view followed by some district courts requires that any loss under the CFAA be the result of an “interruption of service.” See, e.g., Cont’l Grp., Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp. 2d 1357, 1371 (S.D. Fla. 2009).

The 11th Circuit agreed with the Fourth and Sixth Circuits. “The plain language of the statutory definition includes two separate types of loss: (1) reasonable costs incurred in connection with such activities as responding to a violation, assessing the damage done, and restoring the affected data, program, system, or information to its condition prior to the violation; and (2) any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. See 18 U.S.C. § 1030(e)(11). The statute is written in the disjunctive, making the first type of loss independent of an interruption of service. Yoder, 774 F.3d at 1073. Contrary to the assertion of the court in Continental Group, this interpretation does not reduce ‘interruption of service’ to surplusage. See Cont’l Grp., 622 F. Supp. 2d at 1371. ‘Loss’ includes the direct costs of responding to the violation in the first portion of the definition, and consequential damages resulting from interruption of service in the second. Thus, under a plain reading of the statute, Brown Jordan’s loss from Carmicle’s violation of the CFAA does not need to be related to an interruption of service in order to be compensable.”

In a footnote, the 11th Circuit stated that Carmicle contended that there can be no loss under the CFAA unless it relates to fixing damage to a computer or network.  “However, the definition of loss includes ‘any reasonable cost to any victim, including the cost of responding to an offense . . . .’ 18 U.S.C. § 1030(e)(11) (emphasis added). The reasonable cost of responding to the offense — in this case, the unauthorized email access — is not limited to damage to a computer or network.”

As for the alleged violation of the Stored Communications Act (SCA), 18 U.S.C. § 2701, the district court determined that Carmicle violated the SCA when he accessed other employees’ emails without authorization. Carmicle contended he did not violate the SCA because the emails he accessed were not held in “electronic storage” as that term is defined by the SCA and because his email access was authorized.

The SCA provides that anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided; or . . . intentionally exceeds an authorization to access that facility; and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system” is liable. 18 U.S.C. § 2701(a); see also Vista Mktg., LLC v. Burkett, 812 F.3d 954, 962 (11th Cir. 2016).

On appeal, Carmicle contended that the emails he accessed were not in “electronic storage” as that term is defined by the SCA because the emails had already been opened by their intended recipients at the time he accessed them.  Carmicle argued that there was no evidence that he accessed unopened emails.

The Appeals Court ruled that Carmicle had waived or had failed to advance this “unopened-versus-opened-email” issue in his summary judgment papers or at trial. Further, the Appeals Court refused to address this “unopened-versus-opened-email” SCA issue, stating that “[w]e noted that ‘much debate’ surrounded the issue. . . . Once again, as in Vista Marketing, we will not ‘wade into the discussion’ of this complicated issue, but for a different reason. See Vista Mktg., 812 F.3d at 963. Here, Carmicle did not fairly present the unopened-versus-opened-email issue to the district court.”

Carmicle also contended that he did not violate the SCA because his email access was authorized. He argued that he was senior management and had the right to access all email. Brown Jordan’s company policy stated that:

“[E]mployees at [Brown Jordan] should have no expectation of privacy while using company-owned or company-leased equipment. Information passing through or stored on [Brown Jordan] equipment can and will be monitored. Employees should also understand that [Brown Jordan] has the right to monitor and review Internet use and e-mail communications sent or received by employees. Access to another employee’s e-mail and internet usage is controlled by senior management. No IT staff person is authorized to give out passwords to users other than the account holder without the permission of senior management. Managers and employees who need access for legitimate [Brown Jordan] purposes to another employee’s e-mail must request such access from a member of corporate senior management.”

Carmicle contended that because he was a member of “senior management” he was not required to request access from a member of corporate senior management.  The District Court, in its summary judgment ruling, determined it would be “unreasonable to interpret the Computer and Internet Policy as authorizing [Carmicle] to exploit a generic password — which by happenstance permitted Carmicle to access others’ email accounts without requesting such access through appropriate and otherwise necessary channels — solely on suspicion of dishonesty concerning the content of communications between others, without any reason to suspect wrongful or illegal conduct prior to doing so.” The Appeals Court agreed with the District Court that Carmicle’s email access was unauthorized.

The Appeals Court also discussed the meaning and scope of “facility” used in the SCA.  “The language of the SCA requires intentionally accessing without (or exceeding) authorization ‘a facility through which an electronic communication service is provided.’ 18 U.S.C. § 2701(a) (emphasis added). The SCA does not define ‘facility,’ see Garcia v. City of Laredo, 702 F.3d 788, 792 (5th Cir. 2012); however, the Oxford English Dictionary definition of ‘facility’ includes ‘the physical means or equipment for doing something,’ Oxford English Dictionary Online [].   ‘Electronic communication service’ is defined as ‘any service which provides users thereof the ability to send or receive wire or electronic communications.’ 18 U.S.C. § 2510(15).”
