This post summarizes a recent ruling by the United States Court of Appeals for the Sixth Circuit that allowed an employer to state a valid claim for damages to its computer system caused by a labor union’s organized phone and email attack. Specifically, the Sixth Circuit held that the impairment to the employer’s computers caused by an orchestrated “onslaught” of calls and emails was sufficient to support a claim by the employer against the union under the Computer Fraud and Abuse Act (the “CFAA”), 18 U.S.C. § 1030. (The CFAA permits criminal and civil actions for computer fraud involving improper transmission of data and improper access to computers.)
This decision is good for employers because it makes clear that they do have a remedy for impaired computer function caused by a coordinated phone and email attack. Although the facts of this case involve a cyber attack organized by a union, the Sixth Circuit’s reasoning would apply equally to competitors, disgruntled former employees, and others who might try to harass a company by hammering it with an avalanche of calls or emails.
The case (which can be accessed through the link at the end of this post) is Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., Case Nos. 09-2245 and 10-1673 (August 2, 2011). The case arose from a phone and email attack organized by a union against the employer in response to the employer’s firing of an employee. The union retaliated against the employer by, among other things, asking its members to “fight back” against the employer by sending “thousands” of emails to three specific executives of the employer. The union even went so far as to hire a paid dialing service to assist in the attack on the employer's phones. When the union refused to stop its campaign in response to a request from the employer’s lawyers, the employer sued the union, including a claim for damages under the CFAA to compensate the employer for the impaired functioning of its computers due to the union’s attack. Specifically, the employer sued the union under 18 U.S.C. § 1030(a)(5)(A), which makes it illegal to knowingly transmit information that damages a computer.
The union then moved to dismiss the employer’s CFAA claim by arguing that the employer had: (1) failed to show statutorily required damages from the phone and email attack, and (2) failed to show that the union had intended to damage the employer’s computers. Because the trial court agreed and dismissed the employer’s CFAA claim, the employer appealed which resulted in the Sixth Circuit’s decision that is the subject of this post.
- Sixth Circuit Held That Impaired Functioning of a Computer System in Response to a Phone or Email Attack Qualified as Damages under the CFAA.
On appeal, the Sixth Circuit reversed the trial court’s ruling and held that the interference caused to the employer’s phone and email operations was sufficient to qualify as damages for its CFAA claim. Specifically, the Sixth Circuit looked to both the CFAA’s statutory language as well as the ordinary meaning of those words to find damages according to a “diminished-ability concept” that had been used by other courts. Specifically, the Sixth Circuit explained as follows:
To understand “damage,” we consult both the statutory text and ordinary usage. Under the CFAA, “any impairment to the integrity or availability of data, a program, a system, or information” qualifies as “damage.” [18 U.S.C. §] 1030(e)(8). Because the statute includes no definition for three key terms—“impairment,” “integrity,” and “availability”—we look to the ordinary meanings of these words. . . . “Impairment” means a “deterioration”or an “injurious lessening or weakening.” 7 Oxford English Dictionary 696 (2d ed.1989) . . . . The definition of “integrity” includes an “uncorrupted condition,” an “original perfect state,” and “soundness.” Id. . . . And “availability” is the “capability of being employed or made use of.” 1 OED . . . Applying these ordinary usages, we conclude that a transmission that weakens a sound computer system—or, similarly, one that diminishes a plaintiff’s ability to use data or a system—causes damage.
- Sixth Circuit Held That Acting with the “Conscious Purpose of Causing Damage” Is Sufficient to Satisfy the Knowledge and Intent Requirements of the CFAA.
As with the damages issue described above, the Sixth Circuit also looked to both statutory terms and ordinary meaning to find insufficient proof of any intent by the union to damage the employer’s computers:
The transmission subsection prohibits causing damage “intentionally.” 18 U.S.C. § 1030(a)(5)(A). We turn, again, to ordinary usage because the CFAA does not define the term. To act “intentionally” commonly means to act “on purpose”—i.e., with a purpose or objective. 7 OED . . . . The Third Circuit, for example, sustained a CFAA transmission conviction where the jury instructions provided that “[a] person acts intentionally when what happens was the defendant’s conscious objective.” . . . Thus, to satisfy its pleading burden, [the employer] must allege that [the union] acted with the conscious purpose of causing damage (in a statutory sense) to [the employer’s] computer system . . . .
(For those interested, a copy of the decision is linked here: Download Pulte Homes Case.)