The opinion of the court was delivered by: Steven J. McAuliffe United States District Judge
Defendants move the court to reconsider its earlier order denying the parties' cross-motions for summary judgment on plaintiff's claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the "CFAA"). See Order of March 30, 2012 (document no. 138). The motion is granted in part and denied in part. And, for the reasons discussed, judgment as a matter of law shall be entered in favor of defendants Cheryl Moore and Glenn Littell on count one of the hospital's amended complaint. In all other respects, defendants' motion for reconsideration is denied.
That portion of the CFAA currently at issue provides as follows: "Whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer" shall be exposed to both criminal penalties and civil liability. 18 U.S.C. § 1030(a)(2)(C) (emphasis supplied). See also 18 U.S.C. § 1030(g). In their motion for reconsideration, defendants ask the court to resolve a legal question previously identified, but not fully briefed: Whether violating an employer's computer use policy - as opposed to circumventing its computer access restrictions - gives rise to liability under that provision of the CFAA. Defendants urge a narrow construction of the statutory language that would impose liability only when one circumvents computer access restrictions.
Defendants' argument invokes the Ninth Circuit's recent en banc decision in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), in which the court held that, "the phrase 'exceeds authorized access' in the CFAA does not extend to violations of use restrictions." Id. at 863. Rather, the court concluded that "the plain language of the CFAA targets the unauthorized procurement or alteration of information, not its misuse or misappropriation." Id. (citation and internal punctuation omitted). See also Orbit One Communications, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010) ("The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper 'access' of computer information.
It does not prohibit misuse or misappropriation. . . . [T]he statute as a whole indicates Congress's intent to prohibit access of a computer without authorization, not an employee's misuse of information that he or she was entitled to access or obtain.").
In other words, the Court of Appeals for the Ninth Circuit concluded that the CFAA does not address the situation in which someone "has unrestricted physical access to a computer, but is limited in the use to which he can put the information." Nosal, 676 F.3d at 857. And, one "exceeds authorized access" under the CFAA if he or she is "authorized to access only certain data or files but accesses unauthorized data or files - what is colloquially known as 'hacking.'" Id.*fn1
Defendants say they are entitled to summary judgment on the hospital's CFAA claims because they allege only a violation of the hospital's computer "use policy," rather than any circumvention of its computer "access restrictions." The hospital objects, arguing that Nosal was wrongly decided, is not binding precedent in this district, and is inconsistent with existing First Circuit precedent. Moreover, says the hospital, its CFAA claim in count one is based (at least in part) on alleged violations of "access restrictions," not simply "use restrictions."
Initially, it is worth noting that defendants take the position that "In order to sustain a claim under the CFAA, [the hospital] must show that the Defendants exceeded their authorized access. . . Each count fails because the Defendants were entitled to access all of the files copied, taken, and deleted." Defendants' Memorandum (document no. 139-1) at 4. That is not entirely correct. Count two of the amended complaint alleges that defendants violated 18 U.S.C. § 1030(a)(5)(A), by intentionally causing damage, without authorization, to a hospital computer. Contrary to defendants' suggestion, that count does not contain an "exceeds authorized access" element. See, e.g., Grant Mfg. & Alloying, Inc. v. McIlvain, 2011 WL 4467767, 8 (E.D.Pa. 2011) ("Unlike the other CFAA provisions [plaintiff] invokes, § 1030(a)(5)(A) does not require access of a protected computer without authorization or in excess of authorized access."); Farmers Bank & Trust, N.A. v. Witthuhn, 2011 WL 4857926, 6 (D.Kan. 2011) ("Unlike subsection (a)(5)(C), this section creates liability for knowingly causing transmission of something that causes damage without authorization, as compared to damage that is the result of access without authorization."). And, count three of the amended complaint simply alleges that the three individually named defendants conspired to violate sections (a)(2) and (a)(5)(A). See 18 U.S.C. § 1030(b). Only count one of the amended complaint requires the hospital to prove that defendants accessed a hospital computer "without authorization" or that they "exceed[ed] authorized access." Accordingly, the court will restrict its analysis to that particular count.
Mirroring the language of the CFAA, count one of the amended complaint alleges that "Defendants intentionally accessed computers without authorization or exceeded authorized access, and thereby obtained information from a protected computer." Amended Complaint (document no. 68) at para. 82. But, in elaborating on that claim, the hospital says:
Count I [of the amended complaint] alleges the Defendants violated [18 U.S.C. § 1030(a)(2)(C)] because, without the prior authorization and approval of the WDH Information Systems Department and in violation of the IM-09, they connected removable storage devices or external hardware to hospital computers and obtained or altered information from WDH computers owned by WDH that they were not entitled to obtain or alter.
Plaintiff's Motion for Summary Judgment (document no. 81-1) at 13 (emphasis supplied). Additionally, the amended complaint alleges that Dr. Thomas Moore circumvented access restrictions on two hospital computers (known as "PY001" and the "HP Laptop") by using his wife's password to view, copy, and delete ...