Civil Actions for the Misappropriation of
Electronic Data: The Missouri and
Federal Computer Tampering Acts
I.
INTRODUCTION
Virtually every business in
America uses computers. And
many companies allow their employees
access to their computer systems remotely
through Citrix, virtual private networks,
or otherwise from home or offsite computers. In fact, many companies provide
their employees with laptop computers
or PDAs to facilitate employees’ ability
to access and utilize company data. As
a result, businesses are understandably
concerned about safeguarding against the
unauthorized access or misappropriation
of their company’s data or systems.
The issue of whether an employee improperly accessed, altered, copied or downloaded computer data often arises when
an employee’s employment is terminated.
This concern is particularly heightened
when an employee accepts employment
with a competitor or starts a competing
business. In such a situation, the former
employer may request that its information services department or a third-party
computer forensics expert examine the
hard drive of the departing employee’s
computer to determine if any computer
data has been improperly accessed or taken
from the employer’s computer system. If
it appears that there has been improper access, both federal and Missouri computer
tampering statutes may provide businesses
with remedies. The primary purpose of
this article is to discuss these statutes, the
remedies they provide, and other possible
causes of action for the improper access
or misappropriation of data.
II. CIVIL ACTION UNDER THE FEDERAL COMPUTER FRAUD AND ABUSE
ACT (CFAA)
William M. Corrigan, Jr.1
Jeffrey L. Schultz1
Although originally only a criminal
statute, the Computer Fraud and Abuse Act
(CFAA) now provides for both criminal
and civil remedies.3 The CFAA allows
“person[s] who suffer damage or loss by
reason of” computer fraud to file civil lawsuits seeking “compensatory damages,”
“injunctive relief,” and “other equitable
relief.”4 The CFAA requires that any “civil
action for a violation” must be brought
“within 2 years of the date of the act complained of or the date of the discovery of
the damage.”5 Importantly, the CFAA can
provide a plaintiff with a basis for federal
question jurisdiction, allowing a plaintiff
to bring its claims in federal court.
A. Conduct Prohibited by the CFAA
Among other things, § 1030(a)6 of the
CFAA prohibits the following conduct:
(1) “[I]ntentionally access[ing]
a computer without authorization
or [by] exceeding authorized
access” and thereby obtaining
“information from any protected
computer”;7 or
(2) “[K]nowingly and with
the intent to defraud, access[ing]
a protected computer without
authorization, or exceed[ing]
1 Mr. Corrigan is a partner at Armstrong Teasdale LLP in St. Louis. He is a past president of The Missouri Bar. Corrigan is listed in Best Lawyers in America. The
authors extend their thanks to Callan F. Yeoman for the research and drafting assistance he provided for this article while participating in Armstrong Teasdale LLP’s summer associate program.
2 Mr. Schultz is an associate at Armstrong Teasdale LLP in St. Louis. Schultz is engaged in the practice of business litigation, with significant experience in trade secret,
non-compete, unfair competition and intellectual property matters.
3 Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, 108 Stat. 1796 (1994).
4 18 U.S.C. § 1030(g).
5 Id.
6 It should be noted that Pub.L. No. 110-326, 122 Stat. 3560, which became effective September 26, 2008, amended certain language and renumbered various sections of the CFAA.
7 18 U.S.C. § 1030(a) and (a)(2)(C). Prior to Pub. L. No. 110-326, 18 U.S.C. § 1030(a)(2)(C) required that the conduct “involved an interstate or foreign communication.”
Journal of The Missouri Bar • July-August 2009 • Page 172
authorized access,” thereby
“further[ing] the intended fraud
and obtain[ing] anything of
value” greater “than $5,000 in
any 1-year period”;8 or
(3) “[K]nowingly causing
the transmission of a program,
information, code or command,
and as a result of such conduct,
intentionally caus[ing] damage
without authorization, to a protected computer[.]”9
A “protected computer” under the CFAA
is any computer “which is used in or affecting interstate or foreign commerce or
communication.”10 With the widespread
use of email and the internet, this encompasses virtually all computers.
B. Establishing a Civil Action Under
the CFAA
The CFAA provides a civil action to
“[a]ny person who suffers damage or
loss” as a result of conduct prohibited
by the CFAA.11 Although the statute uses
the conjunction “or,” courts disagree as
to whether either damage or loss alone is
sufficient to state a civil claim under the
CFAA, or whether both are required.12
Although the legislative history indicates
that both are required, some courts have
found otherwise.13 Federal courts in Missouri have not resolved this dispute.14
Thus, the safest practice is to allege both
damage and loss when pleading a claim
for violation of the CFAA.
The CFAA defines “damage” as “any
impairment to the integrity or availability of data, a program, a system, or
information.”15 In addition, the CFAA
defines “loss” as “any reasonable cost to
any victim, including the cost of responding
to an offense, conducting a damage assessment, and restoring the data, program,
system, or information to its condition
prior to the offense, and any revenue
lost, cost incurred, or other consequential
damages incurred because of interruption
of service.”16
The damage and/or loss resulting from
the defendant’s conduct must also include
one of the following elements under 18
U.S.C. § 1030(c)(4)(A)(i) in order for a
civil action to exist under the CFAA:17
u “[L]oss to 1 or more persons during
any 1-year period … aggregating at
least $5,000 in value;”18
u “[T]he modification or impairment,
or potential modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or
more individuals;”19
u “[P]hysical injury to any person;”20
u “[A] threat to public health or
safety;”21 or
u “[D]amage affecting a computer
[system] used by or for an entity of
the United States Government in
furtherance of the administration of
justice, national defense, or national
security[.]”22
The first element – loss during one year
aggregating at least $5,000 – is the element
most likely to be present in a civil action
for damages under the CFAA. Damages
recoverable for a violation involving only
the first element “are limited to economic
damages,” which “precludes damages for
death, personal injury, mental distress, and
the like.”23
C. What Constitutes Unauthorized
Access or Access Exceeding Authorization?
As noted in subsection A, above,
violations of the CFAA generally require
that the defendant access the plaintiff’s
computers either “without authorization”
or that the defendant “exceeds authorized
access.”24 The CFAA does not define the
term “without authorization.” However,
it does provide a definition for the term
“exceeds authorized access.” According to
the CFAA, “the term ‘exceeds authorized
access’ means to access a computer with
authorization and to use such access to
obtain or alter information in the computer
that the accesser is not entitled so to obtain
or alter.”25
Significantly, federal courts are not in
agreement regarding whether an employee
accesses a computer either “without authorization” or “exceeds authorized access”
when an employee accesses an employer’s
computer data that he or she is otherwise
permitted to access before terminating his
or her employment and subsequently uses
that information to benefit a competitor.26
Some courts hold that an employee loses
his right to access his employer’s computer
once he decides to gather or use informa-
8 18 U.S.C. § 1030(a)(4).
9 18 U.S.C. § 1030(a)(5)(A).
10 18 U.S.C. § 1030(e)(2)(B).
11 18 U.S.C. § 1030(g).
12 Lasco Foods, Inc. v. Hall & Shaw Sales, Marketing, & Consulting, LLC, 600 F.Supp.2d 1045, 1050 (E.D. Mo. 2009).
13 Id.
14 Id.; see also H & R Block E. Enters., Inc. v. J & M Sec., LLC, No. 05-1056-CV-W-DW, 2006 WL 1128744 (W.D. Mo. Apr. 24, 2006) (plaintiff alleged both damages and loss and the court did not discuss whether either damages or loss alone would have been sufficient).
15 18 U.S.C. § 1030(e)(8).
16 18 U.S.C. § 1030(e)(11).
17 18 U.S.C. § 1030(g); P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, L.L.C., 428 F.3d 504, 512 (3rd Cir. 2005).
18 18 U.S.C. § 1030(c)(4)(A)(i)(I).
19 18 U.S.C. § 1030(c)(4)(A)(i)(II).
20 18 U.S.C. § 1030(c)(4)(A)(i)(III).
21 18 U.S.C. § 1030(c)(4)(A)(i)(IV).
22 18 U.S.C. §§ 1030(c)(4)(A)(i)(V).
23 Creative Computing v. Getloaded.com, L.L.C., 386 F.3d 930, 935 (9th Cir. 2004); 18 U.S.C. § 1030(g).
24 18 U.S.C. §§ 1030(a)(2), 1030(a)(4), 1030(a)(5)(A), 1030(a)(5)(B) and (C); Lasco Foods, at 1053; Condux Int’l, Inc. v. Haugum, Civil No. 08-4824, slip.op., 2008
WL 5244818, at *3 (D. Minn. Dec. 15, 2008). It should be noted, however, that 18 U.S.C. § 1030(a)(5)(A) is predicated on unauthorized damage, not unauthorized access. See Condux Int’l, Inc., 2008 WL 5244818, at * 6.
25 18 U.S.C. § 1030(e)(6).
Journal of The Missouri Bar • July-August 2009 • Page 173
tion for an improper purpose. These courts
generally reason that any access after this
point is without authorization or in excess
of authorized access under the statute,
even if the employee is still employed in
a position that would otherwise allow him
to access the computer.27 Other federal
district courts have determined that what
an employee does, or intends to do, with
information accessed on a computer is
irrelevant under the statute so long as the
employee remained within the employee’s
authorized access when the employee
obtained the information. These courts
generally reason that the CFAA is meant
to regulate whether access was authorized,
not whether the use (or misuse) of the information accessed was authorized.28
The Seventh Circuit Court of Appeals,
in International Airport Centers, L.L.C. v.
Citrin, concluded that an employee acted
without authorization when, while still employed by plaintiff but after deciding that
he was going to quit and pursue interests
adverse to plaintiff, he accessed plaintiff’s
computer to destroy files.29 The Citrin
court noted that the difference between
“exceeded authorized access” and “without
authorization” is “paper thin.”30 The court
reasoned that the employee’s breach of the
duty of loyalty terminated his authority to
access his employer’s computer, regardless
of the fact that he was still employed at
the time he accessed the computer. Thus,
accessing the computer for an improper
purpose was without authorization.31
Under somewhat similar circumstances,
the U.S. District Court for the District of
Connecticut in Modis, Inc. v. Bardelli used
different reasoning than the Citrin court to
conclude that a plaintiff properly pleaded
that the defendant, a former employee
of plaintiff, “exceeded her authorized
access.”32 The plaintiff claimed that the
defendant had obtained and used information from plaintiff’s database for the benefit
of defendant’s new employer.33 Defendant
claimed that she was authorized as an employee of plaintiff to access the database
at issue.34 Unlike in Citrin, the defendant
had agreed in an employment agreement
“to refrain from taking or reproducing or
allowing to be taken or reproduced any
[plaintiff’s] Property except in furtherance
of [plaintiff’s] Business.”35 The court held
that plaintiff sufficiently pleaded that the
defendant exceeded her authorized access
when she used her access for the purpose
of misappropriating plaintiff’s confidential
information because under the agreement
her access “was limited to access ‘in furtherance of [plaintiff’s] Business.’”36
Contrary to the results in Citrin and
Bardelli, some federal courts have reached
entirely different conclusions in cases with
similar facts, holding that the CFAA is not
implicated by the misuse or misappropriation of information that a defendant was
permitted to access while employed by the
plaintiff. For example, in Shamrock Foods
Co. v. Gast, the U.S. District Court for the
District of Arizona held that the defendant
did not access plaintiff’s information
without authorization or in a manner
that exceeded authorization when, while
still employed by plaintiff, the defendant
emailed plaintiff’s information to himself
and provided it to his new employer.37
The Shamrock Foods court adopted a narrow reading of the CFAA’s authorization
requirement, reasoning that the CFAA
is intended to prevent the unauthorized
accessing of information stored on a computer, not the subsequent use or misuse of
the information after it has been properly
accessed by an authorized user.38
Recently, two district courts within the
Eighth Circuit have agreed with the narrower reading of the CFAA. In Condux
International, Inc. v. Haugum, the U.S.
District Court for the District of Minnesota held that the plaintiff’s allegations
that defendant, plaintiff’s former vice
president, downloaded data for use in
a competing business and attempted to
delete evidence of his download while
he was still employed by plaintiff were
insufficient to establish that the defendant
acted without authorization or exceeded
his authorized access.39 The defendant had
been given access to plaintiff’s computer
system and confidential information while
he was plaintiff’s vice president.40 The
court agreed with the line of cases holding that “the CFAA is implicated only by
the unauthorized access, obtainment, or
alteration of information, not the misuse or
misappropriation of information obtained
with permission.”41 The Condux court reasoned that this view is consistent with the
plain language of the CFAA, the legislative
history of the CFAA, and the principles of
statutory construction.42
Likewise, the U.S. District Court for
26 See Condux Int’l, Inc., 2008 WL 5244818, at * 4 (observing that “courts have split on the question of whether an employee with an improper purpose may be held
civilly liable under the CFAA for accessing computer information that he is otherwise permitted to access within the scope of his employment,” and collecting cases on
both sides of the split); Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962, 964-965 (D.Ariz. 2008) (observing that there is a split and collecting cases).
27 See, e.g., Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); see also Condux Int’l, Inc., 2008 WL 5244818, at * 4 (collecting cases).
28 See, e.g., Condux Int’l, Inc., 2008 WL 5244818, at * 4-*5; Shamrock Foods Co. v. Gast, 535 F. Supp.2d 962, 965 (D. Ariz. 2008).
29 Citrin, 440 F.3d at 420.
30 Id.
31 Id.
32 Modis, Inc. v. Bardelli, 531 F. Supp.2d 314, 318 (D. Conn. 2008).
33 Id. at 316.
34 Id. at 319.
35 Id.
36 Id.
37 Shamrock Foods Co., 535 F. Supp.2d at 963, 968.
38 Id. at 965-967.
39 Condux, Int’l, Inc., 2008 WL 5244818, at *1, *8.
40 Id. at *1, *4.
41 Id. at * 4.
42 Id. at * 4-*5.
Journal of The Missouri Bar • July-August 2009 • Page 174
the Eastern District of Missouri, in Lasco
Foods, Inc. v. Hall & Shaw Sales, Marketing, & Consulting, LLC, dismissed a purported CFAA claim that was based on the
misuse or misappropriation of information
by former employees.43 In Lasco Foods,
two former employees of plaintiff allegedly
downloaded or copied information and deleted information from plaintiff’s computer
prior to leaving plaintiff’s employment to
form a competing business.44 The Lasco
Foods court dismissed the CFAA claim on
the grounds that plaintiff failed to properly
allege the defendants accessed plaintiff’s
information without authorization.45 In
support of its decision, the Lasco Foods
court cited Condux for the proposition
that “where the ‘heart of the dispute’ was
‘not the access of the confidential business information but rather the alleged
subsequent misuse or misappropriation of
that information,’ plaintiff failed to state a
claim under CFAA.”46
In some instances, the former employee
may try to access the former employer’s
proprietary information after his employment has been terminated. There appears
to be no dispute that these cases reflect the
type of trespassing and hacking that the
CFAA is intended to prevent. For example,
in EF Cultural Travel BV v. Explorica,
Inc., the First Circuit determined that the
use of a computer software program by a
competitor to glean prices from plaintiff’s
website, in order to allow systematic
undercutting of those prices, “exceeded
authorized access” within the meaning of
the CFAA.47 The competitor employed a
number of plaintiff’s former employees,
at least one of whom had signed a con-
fidentiality agreement with plaintiff and
used his technical knowledge of plaintiff’s
website and his knowledge of plaintiff’s
proprietary codes to help develop the software program for his new employer.48 The
court concluded that this action exceeded
authorized access.49
It is important to note that the circumstances constituting “unauthorized access”
for purposes of the CFAA are not limited
only to those in which an employee or
former employee accesses computer data
belonging to a former employer. For example, in America Online, Inc. v. LCGM,
Inc., the court determined that customers of America Online exceeded their
authorized access when they maintained
e-mail accounts with America Online for
the purpose of using “extractor software
programs” in chat rooms to harvest e-mail
addresses of other AOL customers in order
to send bulk e-mails to those customers.50
The court reasoned that the harvesting of
other e-mail addresses exceeded authorized
access because such activity was not allowed by AOL’s terms of service that were
provided to customers.51
A plaintiff is not required to go so far as
to provide expert testimony that shows that
a protected computer was accessed without
authorization and something of value was
taken.52 In the absence of expert testimony,
testimony from others who, for example,
witnessed the printing of information or
provided passwords, may be sufficient
to allow a jury to reasonably find that a
computer was accessed in violation of the
CFAA.53 The evidence for a CFAA claim,
however, must consist of more than an “attenuated series of inferences-on-inferences
based on circumstantial evidence.”54 For
example, one court determined that there
was insufficient evidence to support a
claim that plaintiffs’ former joint venturer
had accessed plaintiffs’ computers where
the evidence before the court was merely
circumstantial, based on the former joint
venturer’s “undisputed physical access to
the plaintiffs’ computers” and the “frequent
crashing and malfunctioning of plaintiffs’
computers (resulting in [a] loss of data).”55
In that case, the plaintiffs presented no
evidence “to demonstrate either unauthorized access in general or any access by the
[venturer] leading to destruction of [the
developer’s] software or hardware.”56 The
court found “the utter lack of any expert
opinion evidence supporting the [plaintiffs’] speculative assertions” was fatal to
plaintiffs’ case.57
While an expert may not be required,
the better course is to have a retained or
non-retained computer forensics expert
explain the analysis of the computer system
that was performed to determine that the
system was accessed and whether data was
misappropriated.
D. What Constitutes Intent for
§ 1030(a)(2)(C) and Intent to Defraud for
§ 1030(a)(4)?
The CFAA, § 1030(a)(2)(C), requires
that the defendant intentionally access the
plaintiff’s computer system. Normally,
whether the defendant acted intentionally
will not be a contested issue. One case
held that the intent element for 18 U.S.C.
§ 103(a)(2)(C) was sufficiently pleaded
when plaintiffs’ alleged that a “web site
operator intentionally placed ‘cookies’
43 Lasco Foods, 600 F.Supp.2d at 1053.
44 Id. at 1053.
45 Id. It should be noted that the plaintiff in Lasco Foods did not respond to defendants’ argument that plaintiff failed to properly allege that defendants accessed
information without authorization as required under the CFAA. Id. at n.6
46 Id.
47 EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
48 Id. at 580-583.
49 Id. at 583-584.
50 America Online Inc. v. LCGM, Inc., 46 F. Supp.2d 444, 448 (E.D. Va. 1998).
51 Id. at 450.
52 Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., No. 2:06-cv-2879-GEB-KJM, 2008 WL 2441067, 556 F. Supp.2d 1122, 1132-1133 (E.D. Cal.
June 13, 2008).
53 Id. at 1132.
54 Expert Bus. Sys., LLC v. BI4CE, Inc., 411 F. Supp.2d 601, 605 (D. Md. 2006).
55 Id. at 506.
56 Id.
57 Id. at 605-606.
Journal of The Missouri Bar • July-August 2009 • Page 175
on visiting users’ computers for [the]
purpose of monitoring [the plaintiffs’]
web activity.”58
Under § 1030(a)(4), the defendant must
have an intent to defraud. The intent to defraud requirement simply requires that the
defendant have intended some wrongdoing
and does not require proof of common law
fraud.59 In Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., the
court held that a jury could reasonably
infer that the defendants had accessed
their employer’s computer with the intent
to defraud because the evidence showed
that a patient list owned by the former
employer was intentionally accessed by
the defendants who were employees of
the plaintiff, the list was never again seen
in the office, and the patients on the list
began using the competitor’s company
after the defendant employees terminated
their employment.60 The court concluded
this evidence was sufficient for the jury
to establish that the defendant employees
had engaged in wrongdoing by accessing
the list.61
E. The $5,000 Loss Requirement - 18
U.S.C. § 1030(c)(4)(A)(i)(I)
As noted above, the most likely element
under § 1030(c)(4)(A)(i)(I) to be alleged
in order to bring a civil action under the
CFAA is the requirement of “loss to 1 or
more persons … aggregating at least $5,000
in value.”62 The term “loss” is defined
in the CFAA to include “any reasonable
cost to any victim, including the cost of
responding to an offense, conducting a
damage assessment, and restoring the
data, program, system, or information
to its condition prior to the offense, and
any revenue lost, cost incurred, or other
consequential damages incurred because
of interruption of service.”63
The U.S. District Court for the Western
District of Missouri has been lenient in
its analysis of whether a plaintiff has sufficiently pleaded the requisite $5,000 loss
under the statute. In H & R Block Eastern
Enterprises, Inc. v. J & M Securities, LLC,
the court held that a plaintiff sufficiently
alleged damages and losses of at least
$5,000 when the complaint simply stated
that “[a]s a result of defendants’ unauthorized, intentional access of [plaintiff’s]
protected computer system, [plaintiff] has
suffered damages and a loss of no less than
$5,000.00, including but not limited to its
costs to respond to this offense.”64 The court
noted, however, that it would consider
“[p]ersuasive authority narrowly construing compensable losses under the CFAA .
. . when the facts are developed.”65
Similar to the analysis in H&R Block,
some courts also have held that plaintiffs
sufficiently allege damages when they
claim loss due to a former employee giving
confidential and proprietary information
to competitors.66 For example, the U.S.
District Court for the District of Kansas,
in Resource Center for Independent Living,
Inc. v. Ability Resources, Inc., held that the
plaintiff made a valid claim when it alleged loss of “confidential and proprietary
information for the benefit of [defendants’]
competing enterprise.”67
Other courts, however, have focused on
the language in the CFAA requiring that
the loss be incurred “because of interruption of service.”68 The U.S. District Court
for the Eastern District of Missouri, in
Lasco Foods, Inc. v. Hall & Shaw Sales,
Marketing, & Consulting, LLC, expressly
stated that under the CFAA a loss must
result from an interruption in service.69 In
Lasco Foods, plaintiff alleged that defendants retained plaintiff’s computers and
electronic information and deleted some
of plaintiff’s information. Plaintiff further
alleged that there was a 108-day gap in
time between when plaintiff demanded the
return of the computers and when plaintiff
actually returned the computers. The court
found this was sufficient to allege a loss
from interruption of service.70 In addition,
plaintiff had to hire a computer expert to
review defendants’ computers when they
were returned to determine what information was deleted. The cost of these
investigations also constituted a loss from
interruption of service.71
III. MISSOURI COMPUTER TAMPERING STATUTES
A. Overview
Similar to the CFAA, Missouri statutes
provide that a civil lawsuit may be brought
against individuals who tamper with
computer data, computer equipment, or
the users of computers. Like the CFAA,
the Missouri computer tampering statutes
(MCTS) contain both criminal and civil
provisions. The criminal provisions are set
forth in §§ 569.095, 569.097, and 569.099,
RSMo.; the civil provision is set forth in
§ 537.525, RSMo.
58 Cookies are electronic files that online companies sometimes implant on a user’s computer when the user visits a website. Cookies collect information about the
user. In re Intuit Privacy Litigation, 138 F. Supp.2d 1272, 1274 (C.D. Cal. 2001).
59 Hanger Prosthetics & Orthotics, Inc. v. Capstone Orthopedic, Inc., No. 2:06-cv-2879-GEB-KJM, 2008 WL 2441067, 556 F. Supp.2d 1122, 1131 (E.D. Cal. June
13, 2008).
60 Id. at 1132.
61 Id.
62 18 U.S.C. §§ 1030(c)(4)(A)(i)(I) and 1030(g).
63 18 U.S.C. § 1030(e)(11).
64 See H & R Block Eastern Enterprises, Inc., 2006 WL 1128744, at *2, *4.
65 Id. at *4.
66 Resource Ctr. for Independent Living, Inc. v. Ability Resources, Inc., 534 F. Supp.2d 1204, 1211 and 1211 n.30 (D. Kan. 2008) (collecting cases from other courts
holding that allegations of loss of confidential and proprietary information for the benefit of a competing enterprise are sufficient to state a cause of action under the
CFAA and defeat a motion to dismiss).
67 Id. at 1211.
68 See American Family Mut. Ins. Co. v. Rickman, 554 F. Supp.2d 766, 771 (N.D. Ohio 2008); Cenveo Corp. v. CelumSolutions Software GMBH & Co. KG, 504 F.
Supp.2d 574, 581 n.6 (D. Minn. 2007) (disagreeing with H&R Block, 2006 WL 1128744 and similar cases and dismissing CFAA claim that did not allege interruption in
service).
69 Lasco Foods, 600 F.Supp.2d at 1046.
70 Id. at 1053.
71 Id.
Journal of The Missouri Bar • July-August 2009 • Page 176
B. Statutory Scheme
Section 537.525, RSMo,. establishes
a civil action for compensatory damages
to the owner (or lessee) of a computer
system, network, program, service, or data
against any person who violates §§ 569.095
(tampering with computer data), 569.097
(tampering with computer equipment), and
569.099 (tampering with computer users).
“[C]ompensatory damages includ[e] any
expenditures reasonably and necessarily
incurred by the owner or lessee to verify
that a computer system, … network, …
program, … service, or data was not altered,
damaged, or deleted by the access.”72 In
addition, “the court may award attorney’s
fees to a prevailing plaintiff.”73
Similar to the CFAA, tampering with
computer data, equipment or users under
the MCTS must be done knowingly, and
either without authorization or without
reasonable grounds to believe one has
authorization.
1. Tampering with Computer Data
Section 569.095, tampering with computer data, provides:
1. A person commits the crime
of tampering with computer data
if he knowingly and without authorization or without reasonable
grounds to believe that he has
such authorization:
(1) Modifies or destroys data
or programs residing or existing
internal to a computer, computer
system, or computer network;
or
(2) Modifies or destroys
data or programs or supporting documentation residing or
existing external to a computer,
computer system, or computer
network; or
(3) Discloses or takes data,
programs, or supporting documentation, residing or existing
internal or external to a computer,
computer system, or computer
network; or
(4) Discloses or takes a password, identifying code, personal
identification number, or other
confidential information about
a computer system or network
that is intended to or does control
access to the computer system or
network;
(5) Accesses a computer, a
computer system, or a computer
network, and intentionally examines information about another
person;
(6) Receives, retains, uses, or
discloses any data he knows or
believes was obtained in violation
of this subsection.
2. Tampering with Computer Equipment
Section 569.097, tampering with computer equipment, provides:
1. A person commits the crime
of tampering with computer
equipment if he knowingly and
without authorization or without
reasonable grounds to believe that
he has such authorization:
(1) Modifies, destroys, daages,
or takes equipment or data storage
devices used or intended to be
used in a computer, computer system, or computer network; or
(2) Modifies, destroys, damages, or takes any computer,
computer system, or computer
network.
3. Tampering with Computer Users
Section 569.099, tampering with computer users, provides:
1. A person commits the crime
of tampering with computer users if he knowingly and without
authorization or without reasonable grounds to believe that he
has such authorization:
(1) Accesses or causes to be
accessed any computer, computer
system, or computer network; or
(2) Denies or causes the denial
of computer system services to an
authorized user of such computer
system services, which, in whole
or in part, is owned by, under
contract to, or operated for, or
on behalf of, or in conjunction
with another.
C. Case Law
Case law addressing civil actions
brought pursuant to the MCTS is sparse.
In Chrysler Corporation v. Carey, Chrysler
filed suit “against two attorneys who
formerly worked at a law firm that represented Chrysler in defending various
class action lawsuits involving alleged
defects in certain Chrysler vehicles.”74
“After leaving the [law] firm, the two attorneys formed their own firm and agreed
to serve as plaintiff’s counsel in a … class
action against Chrysler.”75 “Before their
departure” from their previous law firm,
the attorneys took “copies of various
pleadings and memoranda.”76 Some of the
documents taken by one of the attorneys
were copied from the law firm’s computer
system.77 Chrysler sued the former attorneys on a number of theories, including
tampering with computer data in violation
of the MCTS.
The attorneys admitted that they did not
have express authority to take the documents at issue, but “they claim[ed] that they
‘reasonably believed’ that neither Chrysler
nor [the law firm] would object to their
doing so.”78 One of the attorneys testified
that a number of lawyers left the law firm
while he was employed there, “and every
lawyer [that he] knew at the firm maintained a form file, … considered it their
personal property, and took it with them
when” leaving the firm.79 The Chrysler
court denied the parties’ cross-motions
for summary judgment, concluding that
there was a question of fact as to whether
the attorneys had “reasonable grounds to
believe” that the removal of the documents
from the law firm’s computer system was
authorized.80
72 Section 537.525(1), RSMo (2008).
73 Section 537.525(2), RSMo (2008). It is also important to note that violation of these statutes may constitute a misdemeanor or felony. A discussion of the criminal
exposure for violating these statutes is beyond the scope of this article.
74 Chrysler Corp. v. Carey, 5 F. Supp.2d 1023, 1025 (E.D. Mo. 1998).
75 Id. at 1025.
76 Id. at 1027.
77 Id.
78 Id. at 1035
79 Id. at 1036.
80 Id.; § 569.095(1), RSMo (2008).
Journal of The Missouri Bar • July-August 2009 • Page 177
In Pony Computer, Inc. v. Equus Computer Systems of Missouri, Inc., two former
employees of the plaintiff had limited access to plaintiff’s computer files, “including customer invoices, shipping records,
receiving records, credit records, and …
warranty records.”81 The plaintiff sued the
two former employees and their current
employer, a competitor, alleging a number
of tort theories, including a claim under
the MCTS.82 The plaintiff claimed that the
former employees disclosed confidential
information while accessing the computer
network in the course of their employment.
In opposition to a summary judgment motion filed by the former employees, the
plaintiff filed affidavits from its president
and its St. Louis branch manager stating
that the former employees disclosed confidential information. The district court
granted summary judgment in favor of the
former employees on the MCTS count.
In affirming the judgment,83 the Eighth
Circuit noted that the two affidavits were
“conclusory, failing to enumerate specific
evidence of any disclosure.”84 Because
there was “no independent evidence [of
disclosure], other than the petitioner’s
unsubstantiated allegations[,]” the court
concluded that summary judgment was
appropriate.85
Like the CFAA, proof of the offense of
tampering with computer data or computer
equipment under the MCTS may involve
testimony from a computer forensics expert
because the method of accessing, modifying, or otherwise tampering with the data
will sometimes be beyond the knowledge
or understanding of any lay witnesses.
IV. BREACH OF DUTY OF LOYALTY
If a business learns through a forensic examination of a former employee’s
computer that the former employee misappropriated data to begin, or work for,
a competing business, then the business,
under an appropriate set of facts, also may
have a cause of action against the former
employee for a breach of the common law
duty of loyalty.
Under Missouri law, all employees owe
their employers a duty of loyalty.86 The
Supreme Court of Missouri, in Scanwell
Freight Express STL, Inc. v. Chan, confirmed that every employee owes his or
her employer a duty of loyalty.87 “[T]he
most common manifestation of the duty of
loyalty… is that an employee has a duty
not to compete with his or her employer
[during his or her employment] concerning
the subject matter of the employment.”88
Therefore, although employees “may plan
and prepare for their competing enterprises
while still employed,” a breach of the duty
of loyalty “arises when [an] employee goes
beyond the mere planning and preparation
and actually engages in direct competition,
which, by definition, is to gain advantage
over a competitor.”89
In Scanwell, the ex-employee gave one
of Scanwell’s competitors confidential
information about Scanwell’s operations
and customers while still employed.90
Further, while still employed by Scanwell,
the ex-employee secured Scanwell’s office
lease for its competitor.91 The Court held
that Scanwell made a submissible case
for breach of the duty of loyalty because
the ex-employee clearly went beyond
mere planning and preparation to compete when she actually gave confidential
client information to a competitor and
secured her employer’s office lease for
the same competitor, all while working
for Scanwell.92
V. THE MISSOURI UNIFORM TRADE
SECRETS ACT
In some cases the Missouri Uniform
Trade Secrets Act (MUTSA) also may
provide a remedy for the unauthorized taking or disclosure of computer data.93 The
MUTSA provides a civil action for compensatory damages, punitive damages, and
injunctive relief if the owner of the information can show: (1) that the information is
a trade secret; and (2) actual or threatened
misappropriation of the information. For
an in-depth explanation of the MUTSA,
the protections afforded by the MUTSA,
and the remedies available to the owner of
misappropriated trade secret information,
see Trade Secret Litigation – An Overview,
63 JOURNAL OF THE MISSOURI BAR.94
VI. CONCLUSION
The civil remedies under the CFAA
give businesses a useful tool for protecting
their electronically stored information
both from outsiders who break into their
networks and employees who use their
access to misappropriate their employer’s
sensitive information. A plaintiff must
show: (1) that the offender’s access was
either without authorization or exceeded
authorized access; (2) that information
was gained via intentional conduct that
involved an interstate communication
or that the offender was knowingly
intending and furthering a fraud; and
(3) that the offender’s actions caused
damage and a loss in excess of $5,000.
In Missouri, the MCTS, the common law
duty of loyalty owed by an employee to
his or her employer, and the MUTSA
provide businesses with additional
tools for protecting their electronically
stored information. When filing a claim
relating to misappropriation or misuse
of electronically stored information,
Missouri businesses should analyze all
of these causes of action as part of their
claim.
81 Pony Computer, Inc. v. Equus Computer Sys. of Mo., Inc., 162 F.3d 991 (8th Cir. 1998).
82 Id. at 994.
83 Id. at 997.
84 Id. at 997.
85 Id.
86 Nat’l Rejectors, Inc. v. Trieman, 409 S.W.2d 1, 41 (Mo. banc 1966); see also RESTATEMENT (SECOND) OF AGENCY, §§ 396 & 393, cmt. e (1958).
87 Scanwell Freight Express STL, Inc. v. Chan, 162 S.W.3d 477, 479 (Mo. banc 2005).
88 Id. (citing RESTATEMENT (SECOND) OF AGENCY, § 393, cmt. e (1958)).
89 Id. (citing RESTATEMENT (SECOND) OF AGENCY, § 393, cmt. e (1958)). The Court observed that a jury instruction for breach of the duty of loyalty must set out that:
(1) “an employee must not … act contrary to the employer’s interest; (2)” an employee may plan, prepare, and agree with others to compete with the current employer
upon termination; and (3) an employee may not “go beyond mere planning and preparation and act in direct competition with the employer” while still employed by the
employer. Id. at 481.
90 Id. at 480.
91 Id.
92 Id.
93 Sections 417.450-417.467, RSMo (2008).
94 William M. Corrigan, Jr. & Jeffrey L. Schultz, Trade Secret Litigation—An Overview, 63 J. MO. BAR 234 (2007).
Journal of The Missouri Bar • July-August 2009 • Page 178