Wholesale Scraping of “Public” Data May Be Trade Secret Misappropriation
In what could be prove to be an important decision within the context of scraping of “public” data, in a recent case the Eleventh Circuit reversed a lower court’s dismissal of trade secret claims relating to the scraping of insurance quotes. (Compulife Software, Inc. v. Newman, No. 18-12004 (11th Cir. May 20, 2020)). The appellate court agreed with the lower court that while Compulife’s insurance quote database was a trade secret, manually accessing life insurance quote information from the plaintiff’s publicly web-accessible database would generally not constitute the improper acquisition of trade secret information. However, the court disagreed with the lower court in finding that the use of automated techniques to scrape large portions of the database could constitute “improper means” under state trade secret law. In reversing the lower court’s dismissal of the trade secret claims, the appeals court stressed that “the simple fact that the quotes taken were publicly available does not automatically resolve the question in the defendants’ favor.” Even though there was no definitive ruling in the case – as the appeals court remanded the case for further proceedings – it is certainly one to watch, as there are very few cases where trade secrets claims are plead following instances of data scraping.
In the “typical” website data scraping case, the plaintiff might advance a claim under the Computer Fraud and Abuse Act (CFAA) to remedy “unauthorized access” to a network database, as well as a contract claim for breach of the underlying terms of service. Compulife did not bring a CFAA claim, but did bring a claim under the Florida state computer anti-hacking statute; the claim was dismissed because the state statute protects networks that “can be accessed only by employing a technological access barrier,” which was not present in this case.
The fact pattern of this case is fairly extensive – as the court remarked, “there is nothing easy about this case” and the legal issues are “tangled.” For purposes of this blog post, we will focus on the trade secret issues in the case and not address the copyright or other issues that the case also presents.
Compulife and the defendants are direct competitors in the niche industry of generating life-insurance quotes. Compulife obtains rate tables from insurance companies, but does not own this information, as it is public. It compiles this information into a database in a confidential manner and encrypts the database to prevent reverse engineering. Compulife then licenses access to the database for a fee under various licensing schemes, including allowing licensees to embed a “web quoter” on their websites for customers (which pulls data from a remote server). In addition, Compulife maintains a website at www.term4sale.com that allows visitors to obtain life insurance quotes at no cost.
The defendants hired a third party to scrape data from Compulife’s Term4Sale website. This individual purportedly created a partial copy of Compulife’s database, extracting all the insurance-quote data pertaining to two zip codes. While a human user could permissibly enter query after query into Compulife’s database to generate quotes, the bot entered every possible combination of demographic data, totaling more than 43 million quotes. Compulife alleged that the defendants then used the scraped data as the basis for generating quotes on their own websites. The Term4Sale website did not include a user agreement at the time of the scraping, but one was added afterward.
Compulife claimed that the defendants misappropriated a trade secret by scraping data from its site. (There was also a copyright claim asserted based upon different allegations of access to the database, but as noted above, that is beyond the scope of this post.)
The lower court found that while Compulife’s database was generally protectable as a trade secret, the trade secret claims based on misappropriation of quotes failed because the individual quotes were available to the public and thus did not constitute trade secrets. Thus, the court found that the defendants hadn’t misappropriated any trade secrets.
The appeals court reversed. In summarizing Florida law (i.e., Florida’s version of the Uniform Trade Secrets Act), the court stated that if a defendant knows that his knowledge of a trade secret was acquired using “improper means,” or that he has acquired knowledge of a trade secret “by accident or mistake” and still uses it, such use is actionable misappropriation. Fla. Stat. § 688.002(2)(b). The appeals court rejected the lower court’s reasoning that the publicly-available nature of the insurance quotes negated the trade secret claim:
“Even granting that individual quotes themselves are not entitled to protection as trade secrets, the magistrate judge failed to consider the important possibility that so much of the Transformative Database was taken—in a bit-by-bit fashion—that a protected portion of the trade secret was acquired. The magistrate judge was correct to conclude that the scraped quotes were not individually protectable trade secrets because each is readily available to the public—but that doesn’t in and of itself resolve the question whether, in effect, the database as a whole was misappropriated. Even if quotes aren’t trade secrets, taking enough of them must amount to misappropriation of the underlying secret at some point.”
“We express no opinion as to whether enough of the Transformative Database was taken to amount to an acquisition of the trade secret, nor do we opine as to whether the means were improper such that the acquisition or use of the quotes could amount to misappropriation. We merely clarify that the simple fact that the quotes taken were publicly available does not automatically resolve the question in the defendants’ favor.”
Furthermore, the court reasoned that the nature of scraping itself, even on a publicly available database, may yet constitute an “improper means” to acquire trade secret information under state trade secret law:
“Nor does the fact that the defendants took the quotes from a publicly accessible site automatically mean that the taking was authorized or otherwise proper. Although Compulife has plainly given the world implicit permission to access as many quotes as is humanly possible, a robot can collect more quotes than any human practicably could. So, while manually accessing quotes from Compulife’s database is unlikely ever to constitute improper means, using a bot to collect an otherwise infeasible amount of data may well be….”
The court cited favorably to the 2003 Physicians Interactive case, where the defendants allegedly accessed plaintiff’s website by sending software bots to acquire its customer list, computer code, and confidential data. In that case, a Virginia district court, in finding the plaintiff had shown a likelihood of success on the merits, held that: “There can be no doubt that the use of a computer software robot to hack into a computer system and to take or copy proprietary information is an improper means to obtain a trade secret, and thus is misappropriation under [Virginia law],” rejecting the defendants’ argument that their access to plaintiff’s website was authorized because of plaintiff’s failure to place usage restrictions on its site.
This case potentially offers website publishers a new arrow in the quiver to combat unwanted website scrapers who rely on a “public data” argument to justify scraping. This case also suggests that users of such “public data” should, as part of their diligence on their data sources, probe into the issue of the extent and methods used to extract such “public data” as to whether such scraping potentially constitutes trade secret misappropriation.
We will continue to monitor the Compulife data scraping case closely given the important issues in dispute.