Pierre Grosdidier 2017-03-28 21:11:26
Asserting Texas Harmful Access by Computer Act claims in intraspousal data breaches. Data breach claims can arise in family law cases when an estranged spouse accesses his or her soon-to-be ex’s email account or cellphone without the person’s knowledge or consent. The motive is usually to try to expose infidelity or to get a step-up in a divorce or custody proceeding, or both. Plaintiff’s counsel might be tempted to assert Stored Communications Act, or SCA, (18 U.S.C. §§ 2701–2712) and Computer Fraud and Abuse Act, or CFAA, (18 U.S.C. § 1030) claims in these cases, if only because of the statutes’ general reputation as strong remedies, especially the CFAA.1 The statutory language’s complexity and the caselaw’s fragmentation invite caution, however. These claims also create an awkward venue conundrum for the plaintiff. A federal judge might view them as a sideshow to what is substantively a divorce-related dispute that belongs in state court. And a state judge might not be the best-equipped arbiter of these highly technical federal claims. As discussed later, the few relevant family law cases on record illustrate the difficulty of alleging SCA and claims against snooping spouses. This article argues that Texas’ Harmful Access by Computer Act, or HACA, (Tex. Civ. Prac. & Rem. Code Ch. 143) provides a better cause of action for victims of these intraspousal data beaches. THE STORED COMMUNICATIONS ACT Congress enacted the SCA in 1986 to protect the privacy of electronic communications such as email, a service then newly offered to the public.2 Electronic communications, not computers, are the statute’s focal point. In a family dispute context, these communications are typically one spouse’s emails or phone text messages. But whether a SCA claim stands depends on whether the communications are in “electronic storage” as that term is defined in the statute and, in turn, on how courts construe the statutory definition.3 The law protects unopened or unread emails stored on servers before they are delivered to and opened by their recipients because they are in storage.4 A civil cause of action stands where the defendant accessed unopened emails on a server, such as on a Yahoo! or Apple webmail. But the SCA does not protect the contents of hand-held devices and home computers, including emails.5 No SCA claim exists against a spouse who rummages through the other spouse’s cellphone, tablet, or personal computer, including downloaded and locally stored emails because these emails are not in storage. In Morgan v. Preston, the plaintiff alleged that his spouse surreptitiously installed monitoring software on his personal computer.6 The court dismissed Morgan’s SCA claim because his “personal computer [wa]s not covered by the SCA.” The status of opened emails left on a server remains unclear, some courts have held that they are protected, and others have not. In Jennings v. Jennings, a cheated-on spouse and her daughter-in-law guessed the password and accessed the husband’s Yahoo! email account.7 The daughter-in-law alleged that she only accessed opened emails.8 The court dismissed the plaintiff’s SCA claim because it held that the SCA did not protect these opened emails because they were no longer in storage. In Bailey v. Bailey, on similar facts, the court held that the “plain language of the statutes seems to” bring them under the SCA’s protection, and it denied the defendant’s motion for summary judgment.9 SCA claims require a careful analysis of the facts and the applicable caselaw to assess their viability. In the absence of clear applicable precedent, dismissal motion practice is almost unavoidable in light of this split in court opinions. THE COMPUTER FRAUD AND ABUSE ACT The CFAA is a broadly worded criminal statute that protects computers, including computers that are “used in … interstate … commerce or communication.”10 All internet-connected computers—both home computers and hand-held devices— are CFAA-protected.11 But a CFAA civil claim in a family law context sports a high $5,000 loss threshold.12 Absent bona fide pecuniary harm (e.g., to a family business), a family law plaintiff will struggle to meet this requirement and a CFAA claim will likely fail. In Global Policy Partners, LLC v. Yessin, two separating spouses and business partners litigated the husband’s surreptitious access of the wife’s emails.13 The court dismissed the plaintiffs’ CFAA claims because it found that their qualified loss allegations only reached $2,283.07, short of the statutory threshold.14 In Morgan v. Preston, under similar facts, the court dismissed the CFAA claims because Morgan provided no “factual allegations in support of his claim that he lost at least $5,000” as a result of Preston’s alleged conduct.15 These two cases confirm that, in general, mere unconsented access to a spouse’s cellphone, email, or computer will not support a CFAA claim absent a summary-judgment-proof $5,000 loss. Here again, courts construe the term “loss” differently and plaintiff’s counsel must review the applicable caselaw to assess a CFAA claim’s viability.16 THE HARMFUL ACCESS BY COMPUTER ACT In contrast to the SCA and the CFAA, the Texas HACA is a plainly worded statute that creates a civil cause of action for a “person who is injured or whose property has been injured” by knowing or intentional violations of Texas Penal Code Chapter 33, Computer Crimes.17 The injured party is entitled to actual damages and reasonable attorneys’ fees and costs.18 Texas Penal Code Chapter 33, states broadly that whereby [a] person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.19 “Access” means to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system.20 The statute does not define the term “approach.” Construing the term by its dictionary definition could potentially criminalize merely standing next to a protected computer. More likely and applying the ejusdem generis doctrine, the term probably means any attempt to log on to or to “ping” a computer. No caselaw sheds light on this issue. But the inclusion of the term “approach” illustrates Chapter 33’s breadth and strength. Civil litigants will find the HACA simpler to wield than either the SCA or the CFAA, yet no less powerful. It is not bridled by the SCA’s narrow and technical “communications” language, or by the CFAA’s $5,000 loss threshold. Mere injury to the person, or the person’s property, suffices for a claim. Moreover, the statute narrowly defines “effective consent,” an issue that is the source of much litigation under the CFAA. In particular, “[c]onsent is not effective if … used for a purpose other than that for which the consent was given.”21 Yet, for all its potential strength as a civil litigation tool, the HACA has remarkably little civil caselaw history. Recently, a Texas court of appeals issued the first published decision in a case where plaintiffs asserted a HACA claim against a former snooping spouse. In Miller v. Talley Dunn Gallery, LLC, Miller accessed his soon-to-be ex-wife Dunn’s cellphone, took screen shots of text messages between Dunn and another man, and examined the phone’s log.22 Dunn and her eponymous art gallery eventually sued Miller asking for injunctive relief and alleging, inter alia, a HACA claim. As to the latter, the court held that (1) a cellphone qualified as a computer under the Texas Penal Code § 33.01(4) and (2) Miller accessed the phone within Chapter 33’s meaning when he retrieved the phone’s log and text messages. The court also rejected Miller’s claim that he had effective consent to access the phone because it was community property. The phone belonged to Dunn, she used it “on a daily basis,” and “it was the only way to reach her.” She had the right to password protect the phone, and Miller used her sleeping state as an opportunity to access the phone. The court held that Dunn had a greater right of access to the phone and it sustained the district court’s injunctive relief order as to the information Miller obtained in violation of the HACA. Miller is not the first time the Court of Appeals in Dallas has narrowly construed the term “effective consent,” in accordance with its plain statutory definition. In Institutional Sec. Corp. v. Hood, the plaintiff, a securities broker/dealer, sued its former vice president Hood after he retained copies of the corporation’s computer files and tried to woo its clients to his new employer.23 The court held that “[t]he download of data from the computer system without ISC’s consent could constitute a violation of section 33.02(a) of the Penal Code,” and it affirmed, in part, the district court’s temporary injunction.24 In other words, Hood’s unfettered access to the company’s computer system did not imply that he enjoyed its consent to download client information for his personal benefit or “for a purpose other than that for which the consent was given.” Under this logic, a spouse’s occasional and consented use of the other spouse’s personal computer to, say, check weather or traffic conditions, would not authorize the spouse to rummage through the computer. NOTES 1) Both the SCA and the CFAA offer civil remedies. 18 U.S.C. §§ 2707(a) (SCA), 1030(g) (CFAA). Of course, victims can also assert tort claims such as invasion of privacy or intentional infliction of emotional distress. 2) See Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending it, 72 George Washington Law Review 1208 (2004). 3) 18 U.S.C. § 2510(17). For a more complete discussion, see Pierre Grosdidier, Privacy Liability for Data Breach and Remedies, State Bar of Texas, Family Law & Technology, Chap. 16, Dec. 8-9, 2016. 4) Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457, 461-63 (5th Cir. 1994). 5) Garcia v. City of Laredo, Tex., 702 F.3d 788, 790, 792 (5th Cir. 2012), cert. denied, 133 S.Ct. 2859, 186 L.Ed.2d 911 (2013). 6) No. 3:13-00403, 2013 WL 5963563, at *6 (M.D. Tenn. Nov. 7, 2013) (mem. op.). 7) 736 S.E.2d 243 (S.C. 2012). 8) Jennings v. Jennings, 697 S.E.2d 671, 673 (S.C. App. 2010). 9) No. 07-11672, 2008 WL 324156, at *6 (E.D. Mich. Feb. 6, 2008). 10) 18 U.S.C. § 1030(e)(2)(B). 11) See United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012) (the CFAA’s “broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent.”) (emphasis in original); United States v. Kramer, 631 F.3d 900, 902-03 (8th Cir. 2011) (“The language of 18 U.S.C. § 1030(e)(1) is exceedingly broad … we conclude that cellular phones are not excluded by this language.”). 12) 18 U.S.C. § 1030(c)(4)(A)(i)(I), (g). 13) 686 F. Supp. 2d 642 (E.D. Va. 2010) (mem. op.). 14) Id. at 654. 15) 2013 WL 5963563, at *4. 16) See, generally, Grosdidier, supra note 3. 17) Tex. Civ. Prac. & Rem. §143.001(a). 18) Id. § 143.002. 19) Tex. Pen. Code § 33.02(a). 20) Id. § 33.01(1). 21) Id. § 33.01(12). 22) No. 05-15-00444-CV, 2016 WL 836775, at **1, 11 (Tex. App.—Dallas Mar. 3, 2016, no pet.). 23) 390 S.W.3d 680, 684 (Tex. App.—Dallas 2012, no pet.). 24) Id. at 684. PIERRE GROSDIDIER is an associate of Haynes and Boone in its business litigation practice group in Houston. He specializes in complex commercial litigation, especially disputes with construction, engineering, or software elements and has litigated cases involving software copyrights, CFAA claims, and an SCA claim. Prior to practicing law, Grosdidier worked in the process control industry. He holds a Ph.D. from Caltech and a J.D. from the University of Texas School of Law. He is certified in construction law by the Texas Board of Legal Specialization and is an inactive registered professional engineer in Texas.
Published by State Bar of Texas. View All Articles.
This page can be found at http://mydigimag.rrd.com/article/Digital+Divorce/2748438/387761/article.html.