The Computer Fraud and Abuse Act Applied to Proprietary Database License Misuse

Congress enacted the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 et seq., in 1984 to combat hackers and to address federal computer-related offenses. The CFAA prohibits individuals from “intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] … information from any protected computer.” See 18 U.S.C. § 1030(a)(2)(C). A “protected computer” includes a computer “exclusively for the use of a financial institution or the United States Government” or a computer that is “used in or affecting interstate or foreign commerce or communication.” See 18 U.S.C. § 1030(e)(2). The CFAA provides for criminal fines and penalties as well as a private civil right of action to remedy violations. See 18 U.S.C. § 1030(g). Civil remedies are limited to economic damages. Id.

Recently, proprietary database hosts have attempted to expand the CFAA’s scope to assert claims against third parties who have accessed proprietary electronic databases by using the login credentials of an authorized or licensed user. Proprietary databases — like Westlaw, Hoovers, Dun & Bradstreet and LexisNexis — typically grant password-protected access to authorized users, usually under an individual or enterprise license agreement, so that only authorized users may access the hosted data. Such database hosts commonly impose restrictions on licensees’ access to their proprietary electronic databases and typically inform licensed users that user names and passwords (“credentials”) are strictly personal and may not be shared with or disclosed to any third party.

In State Analysis Inc. v. American Financial Servs. Assoc., 621 F. Supp. 2d 309 (E.D. Va. 2009), the court held that a CFAA claim was valid against a third-party user of a licensee’s password, even though the licensee provided the third party with the password. The court emphasized that, notwithstanding the means by which the third party received the password, the third party was still an unauthorized user of the database. The court dismissed the CFAA claim against the authorized licensee because the simple allegation that the licensee had misused the credentials was not sufficient to state a claim under the CFAA. In contrast, in AtPac Inc. v. Aptitude Solutions Inc., No. 2:10-cv-00294-WBS-KJM, 2010 WL 1779901 (E.D. Cal. April 29, 2010), the court held that neither a state government licensee nor its new software vendor could be held liable under the CFAA for accessing a former software vendor’s proprietary database. The state government licensee provided its credentials to a new software vendor for purposes of downloading the state government’s data from the former software vendor. The court determined that the CFAA did not apply to the state government licensee because it was an authorized user and was not improperly accessing the data. The court further determined that the new software vendor likewise had no improper motive in accessing the database and had no prior knowledge or notice of the limitations in the former software vendor’s license agreement.

While most courts have not yet ruled on the limits or scope of the CFAA in similar cases, licensees should take care to understand the terms of the license agreement governing access to the proprietary database, including whether it allows for enterprise use or requires a new password for each authorized user. Licensees should also be mindful that misuse or shared use of credentials could result not only in termination of the license but also in significant civil liability.

Natalie H. Mantell is an Associate on the Gibbons E-Discovery Task Force.