Earlier this month, the US District Court for District of Maryland denied a partial motion for summary judgment in a case filed by Infotek Corporation against Mr. Dwight Preston, a former employee. See Infotek Corp v. Preston, No. CCB-18-1386, 2022 WL 4121414 (D. Md. Sep. 9, 2022).
The court concluded, in an opinion by District Judge Catherine Blake, that questions of fact remained as to whether Infotek’s costs were “reasonably necessary” to remediate Preston’s unauthorized access under the Computer Fraud & Abuse Act (CFAA).
In so doing, the court offered valuable guidance for technology companies and other employers pursuing similar claims against ex-employees.
At Infotek, Preston served as chief financial officer for nearly a decade. In 2015, Preston’s wife began working for Infotek, as well. During Preston’s tenure, Infotek’s owner, Ms. Jacky McComber, gave Preston her credentials for an internal bookkeeping program, known as Unanet, to run certain reports for her. In March 2017, Preston resigned, and Infotek revoked his Unanet account; however, Preston continued to access Unanet through McComber’s account. After Infotek fired Preston’s wife in June 2017, Preston used McComber’s account to give existing employees extra paid time off and edit Intofek’s billing rates on several contracts. Two months later, in August 2017, an anonymous whistleblower filed a complaint alleging that McComber fraudulently billed the National Security Agency (NSA) under one of Infotek’s contracts, and the NSA Inspector General commenced an investigation. Shortly thereafter, Infotek retained outside counsel and digital forensics experts to assist the company.
After discovering Preston’s activities, Infotek commenced suit in May 2018, alleging claims under the CFAA, Lanham Act, Maryland Uniform Trade Secrets Act, Defend Trade Secrets Act, and, under Maryland law, for trespass to chattels, as well as tortious interference with business and economic relations. In February 2021, a federal grand jury indicted McComber for submitting false claims and making false statements. Five months later, in July 2021, Preston signed a non-prosecution agreement with federal prosecutors, in which he admitted to accessing Unanet without authorization. Infotek moved for partial summary judgment on the CFAA claim, emphasizing Preston’s admission in the non-prosecution agreement.
The court observed that one alleging a CFAA claim must show that the intrusion resulted in a loss of at least $5,000, and that the costs incurred to remedy the loss were “reasonably necessary and causally related to the CFAA violations.” Here, the Court held that Infotek had not shown, beyond a genuine dispute of material fact, whether the costs incurred in retaining outside counsel and digital forensics experts were “reasonably necessary to restore or resecure the Unanet system after Mr. Preston’s intrusion” or, rather, were in fact “to develop a defense for Ms. McComber against criminal charges.” “Whether the looming specter of the NSA probe pushed Infotek to increase its expenses beyond what was reasonably necessary,” the court concluded, “is a factual question best suited for a jury, not summary judgment.” Of note, the court added: “Victims of CFAA violations may neither make a mountain out of a molehill when investigating intrusions, nor use summary judgment to rubberstamp expenses toward the jurisdictional loss threshold.”
Although the case and all of Infotek’s claims remain pending, the court’s opinion drives home a few key practice reminders for technology companies and other employers. From an information security standpoint, individuals should not share account credentials; but if necessary, they should change their passwords after doing so; or, at the bare minimum, they should change their passwords after an employee with access has left.
From a legal standpoint, there are two important points to remember. First, employers should carefully document the services performed by outside counsel and other vendors, and the cost of those services. This is especially true when dealing with parallel investigations. Second, employers in litigation cannot overlook the element of loss, harm, or damages for CFAA claims. It is not enough to show wrongful conduct, standing alone — an employer must connect that conduct to an actual loss, harm, or damage.