Civil Computer Fraud and Abuse Act, ECPA award, attorneys fees, affirmed – Fourth Circuit

Tech Systems, Inc. v. Pyles. Unpublished opinion. Pyles argued that the district court erred in, among other things, denying her motion as to violations of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030 (2012) and the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2701 (2012). The Fourth Circuit disageed.

The CFAA criminalizes many nefarious actions involving computers including the distribution of malicious code, DDoS attacks and the like. But, it also allows a civil action where a violation has caused losses to one or more persons aggregating at least $5,000 in any one-year period. The Act also bars:

intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing] . . . information from any protected computer . . . [or] intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss

18 U.S.C. § 1030(a)(2)(C); 18 U.S.C. § 1030(a)(5)(C).

Likewise, the ECPA prohibits accessing an electronic communication without authorization or in excess of authorization.

While it’s not discussed in the appellate opinion, Pyles’ acts were pretty severe. The district court gives some background:

An internal investigation revealed that someone (a) compromised the secure server room at Tech Systems’s offices and physically disconnected many of the components and (b) accessed the finance server and changed the BIOS boot-up information and altered the start-up sequence so that the server would not load properly. TSI investigated the matter and later concluded that Ms. Pyles sabotaged the servers, an act that disrupted the company’s computer systems. . . . After her termination, Ms. Pyles forwarded emails containing TSI’s confidential information to other employees, vendors, and customers that she received in her role as HR Manager.

(Citation omitted)

Pyles tried to argue that the CFAA did not apply to her actions because the company gave her full access to the computer system.  But…

Pyles accessed both the main computer network and financial servers without authorization or in excess of her authority. Additionally, upon termination of her employment, Pyles accessed her corporate email account and company-issued Blackberry without authorization.

Pyles also argued that she didn’t violate the ECPA because she had permission to access the system, and that she did not exceed that permission.

Here, although Pyles was permitted to use TSI’s email to carry out her duties as human resources manager, she was not authorized to access the server through which the email functioned in the manner she did here. Additionally, her authorization to access the Blackberry terminated with her employment. Thus, there was sufficient evidence for a reasonable jury to have found in TSI’s favor.

Additionally, Pyles appealed the district court’s award of $342,819.55 in attorneys’ fees to TSI. The district court awarded those fees pursuant to the Virginia Computer Crimes Act, the ECPA and common law. Because Pyles never contended that the district court fundamentally or even plainly erred, and instead raised this argument for the first time on appeal, The Fourth Circuit affirmed the award.