Tech Company’s Motion for Affirmative Summary Judgment Denied
Earlier this month, the US District Court for the District of Maryland denied a partial motion for summary judgment in a case filed by Infotek Corporation against Mr. Dwight Preston, a former employee. See Infotek Corp v. Preston, No. CCB-18-1386, 2022 WL 4121414 (D. Md. 9 September 2022).
The court concluded, in an opinion by District Judge Catherine Blake, that factual issues remained as to whether Infotek’s costs were “reasonably necessary” to remedy Preston’s unauthorized access under the Computer Fraud & Abuse Act (CFAA).
In doing so, the court offered valuable guidance to tech companies and other employers pursuing similar claims against former employees.
At Infotek, Preston served as chief financial officer for nearly a decade. In 2015, Preston’s wife also started working for Infotek. During Preston’s tenure, Infotek owner Mrs. Jacky McComber gave Preston her credentials for an internal accounting program, known as Unanet, to run some reports for her. In March 2017, Preston resigned and Infotek revoked his Unanet account; however, Preston continued to access Unanet through McComber’s account. After Infotek fired Preston’s wife in June 2017, Preston used McComber’s account to grant additional paid time off to existing employees and change Intofek’s billing rates on multiple contracts. Two months later, in August 2017, an anonymous whistleblower filed a lawsuit alleging that McComber fraudulently billed the National Security Agency (NSA) under one of Infotek’s contracts, and the Inspector General of the NSA has opened an investigation. Soon after, Infotek brought in outside attorneys and digital forensics experts to help the company.
After discovering Preston’s activities, Infotek filed suit in May 2018, alleging claims under the CFAA, Lanham Act, Uniform Trade Secrets Act of Maryland, Defense of Secrets Act business and, under Maryland law, for trespass, and tortious interference with business. and economic relations. In February 2021, a federal grand jury indicted McComber for submitting false statements and making false statements. Five months later, in July 2021, Preston signed a non-prosecution agreement with federal prosecutors, in which he admitted to accessing Unanet without permission. Infotek requested partial summary judgment on the CFAA claim, pointing to Preston’s admission to the non-suit agreement.
The court observed that a person alleging a claim against the CFAA must demonstrate that the trespass resulted in a loss of at least $5,000 and that the costs incurred to remedy the loss were “reasonably necessary and causally related to the breaches.” of the CFAA”. Here, the Court held that Infotek had failed to demonstrate, beyond a genuine dispute over a material fact, whether the costs incurred in retaining the services of outside counsel and digital forensics experts were ” reasonably necessary to restore or re-secure the Unanet system after Mr. Preston’s intrusion” or, rather, were in fact “to develop a defense for Ms. McComber against criminal charges”. “Whether the looming specter of the NSA investigation caused Infotek to increase its expenses beyond what was reasonably necessary,” the court concluded, “is a factual question best suited to a jury, not summary judgment”. It should be noted that the court added: “Victims of CFAA violations can neither make a mountain out of a molehill when investigating trespassing nor use summary judgment to rubber stamp spending toward the threshold. skill loss.”
While the case and all of Infotek’s claims remain pending, the court’s notice recalls some key practice reminders for technology companies and other employers. From an information security perspective, individuals should not share account credentials; but if necessary, they should change their passwords after doing so; or, at the bare minimum, they should change their passwords after an employee with access leaves.
From a legal point of view, there are two important points to remember. First, employers should carefully document the services rendered by outside attorneys and other vendors, as well as the cost of those services. This is especially true when it comes to parallel surveys. Second, litigating employers cannot ignore the element of loss, harm, or damages for CFAA claims. It is not enough to demonstrate wrongful conduct, on its own – an employer must connect that conduct to actual loss, harm or damage.