Connecticut Business Litigation Blog : Connecticut Business Lawyer & Attorney : N. Kane Bennett : Aeton Law Partners LLP : Hartford, Middletown, Glastonbury

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut's computer crime statute.   The statute defines criminal conduct under the following categories:

• Unauthorized access to a computer system
• Theft of computer services
• Interruption of computer services
• Misuse of computer system information
• Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney's fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack with unauthorized access to a computer network.  A common example is a disgruntled employee or vendor with some level of access to the computer network of a business that turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties. 

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can  also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack. 

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Is it David v. Goliath or a patent troll case?  Connecticut based XPRT Ventures, LLC has filed a lawsuit in the U.S. District Court in Delaware (download lawsuit here) against eBay for $3.8 billion dollars over the technology for automating and securing online payment portals. The suit was also filed against eBay's PayPal, Bill Me Later, Shopping.com, and StubHub.

In the suit, XPRT alleges that PayPal and others have used its systems and methods for electronic auction and e-commerce transactions subject to XPRT's six U.S. patents since at least 2002.  XPRT also alleges that eBay received confidential information in 2001 from the inventors and misappropriated information from patent applications assigned to XPRT. XPRT alleges a loss to date of $600 million with expected future losses of $3.2 billion.

The suit is for willful patent infringement, but at its heart is XPRT's allegation that eBay stole XPRT's trade secrets obtained from patent applications to use in eBay's own patent applications and for use by eBay in multiple platforms for PayPal and others.  The complaint states that XPRT passed on confidential information related to its patents to eBay in 2001 with the expectation of compensation should eBay be interested in the technology. The complaint alleges that the confidential information included how eBay could benefit from acquiring PayPal's payment platform.  Instead, eBay allegedly used the information provided in support of its own patent applications and online uses for PayPal and others.

The suit has been summarized and covered by various online media with some support and others criticizing the suit. Read here for the Reuters report on eBay suit and PCWorld's story.  Another good summary is the post today from Rajeev Saxena of Trends Updates. The post includes the following statement from XPRT's Connecticut based counsel, Steven Moore: 

This involves a trade secret theft, along with sheer patent infringement.  It is bad enough to take someone's technology, but it is a bit much to use it in your own patent application. 

Attorney Moore's firm also issued a press release that states, in part:

 In a nutshell, XPRT asserts eBay unfairly stole the idea and method of payment used in eBay's PayPal and similar electronic payment systems.

Techdirt, a technology blog, came out swinging and criticized the suit as "another patent lawsuit against a big company for doing something obvious, filed by a company that appears to exist solely for the purpose of suing a company that actually does stuff."   Mike also includes in his post some additional details about the history of XPRT's trail of patent rejections.  His take is basically that the case is a patent troll stick up suit.    For a good and balanced definition of "troll patent" or "patent troll" read this post form PatentlyO, the nations leading patent law blog.

Erik Sherman, a freelance writer, had a somewhat different take in his blog post.  After a providing a detailed summary of his own investigation and fact finding, Erik wrote that "this is not a simple case of a troll finding an obscure patent that could be stretched to cover an intended target."  He also focused on another case where eBay was alleged to have engaged in similar unethical behavior and the complications potentially created for Meg Whitman (eBay CEO at the time) currently running for California governor.

Thus far, eBay only issued a short statement denying that there is any merit to the suit. What's your take, Patent Trolling or David v. Goliath?

• Email This
• Print
• Comments
• Trackbacks
• Share Link

Previously, I have posted about non-compete agreements and the duty of loyalty for employees.  Many times, businesses do not have written contracts to protect confidential and proprietary information from not only competitors and vendors, but also their own employees.  Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.

Another method for attorneys to seek to protect their clients' confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA).  The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets.   The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage.  There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.

Recently, Peter J. Toren wrote an excellent article in the New York Law Journal  where he detailed methods in which the CFAA might be useful for attorneys to protect client trade secrets and other confidential information.   Peter listed the six factors necessary for proof of damages.  Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization. Peter further provides some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access. 

Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA.  Lee's post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA.  Similar to Peter's article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.

In Connecticut federal courts, the reported cases under CFAA, largely have been unsuccessful for a variety of reasons, many of which Peter's article details.  Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2004)) , while another case was dismissed because the facts were insufficient for unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 2009)).   However, in a recent case, in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, and the CFAA. (Genworth Financial Wealth Mngmt. Inc., v. McMullan). 

The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network.  Of course, there are a series of factors that must be met before liability can be established.  Some of these factors may not apply and eliminate the CFAA as a method of recovery as we have seen in several reported cases.  However, the CFAA should be considered and evaluated in any case involving unauthorized access of confidential information through a computer system as it provides an additional basis for potential recovery.  Also, advanced planning with sound internal policies might provide a business with a better chance of success under the CFAA.

I will do a post soon on another statute, Connecticut's Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.

• Email This
• Print
• Comments
• Trackbacks
• Share Link