
Carfax’s computer crimes case proceeds

Nick Hurston//April 4, 2022//

A data company that housed its servers in Virginia found out the hard way that neglecting to rescind a user’s prior authorization will bar federal civil liability for that user’s access to its server without, or in excess of, authority.

In Carfax, Inc. v. Accu-Trade, LLC, et al. (VLW 022-3-116), the Eastern District of Virginia was tasked with answering when exactly a computer system’s “gates” close and transform formerly authorized use into actionable conduct.

Judge Alston agreed with Accu-Trade’s argument that plaintiff Carfax failed to allege it affirmatively revoked server access for Accu-Trade, and dismissed the Computer Fraud and Abuse Act, or CFAA, claim.

However, Alston found the allegations were sufficient to establish personal jurisdiction over the foreign defendants in Virginia, and Carfax may proceed under the Virginia Computer Crimes Act, or VCCA.

Negotiations open the gates

Carfax manages vehicle history information and owns the QuickVIN® tool, which allows users to search vehicle identification numbers, or VINs, to access vehicle information with only a license plate number and state.  Although organized in Pennsylvania, Carfax maintains its headquarters and servers in Virginia.

Accu-Trade LLC — which is part of R. Hollenshead Auto Sales & Leasing, Inc. — is a “valuation platform for auto dealers in calculating offers for potential trade-in vehicles.” Hollenshead visited Carfax’s Virginia offices in August 2016 to discuss “a potential data sharing agreement” with Accu-Trade.

In May 2018, Carfax gave Accu-Trade a “QV test account for the limited purpose of testing [it] to ensure it could be integrated into [their] valuation platform.” Accu-Trade later provided Carfax a “test set of data” to test in their systems.

After frequent negotiations, Carfax sent Accu-Trade a “standard, unexecuted Data Transfer and License Agreement” with a Virginia choice-of-law provision. On Nov. 3, 2018, Accu-Trade informed Carfax they would stop using the QV tool and would not enter into a data-sharing agreement.

But Carfax soon learned that Accu-Trade had continued to use the QV tool.

Confrontation

Carfax confronted Accu-Trade’s CFO, who immediately signed and returned the proposed licensing contract.  Carfax never executed it.

Accu-Trade confirmed to Carfax that it continued using the QV tool and also resold the tool and its associated data to at least one third party “who then allowed access to approximately 100 of its regular customers.”

According to Carfax, Accu-Trade users accessed the QV tool and its associated data without authorization roughly 112,534 times.

Carfax claimed the defendants violated the CFAA and the VCCA, and committed fraud, unjust enrichment, conversion and trespass to chattels.

The defendants moved to dismiss for lack of personal jurisdiction and for failure to state valid claims under the CFAA and VCCA.

Virginia was the focal point

Virginia’s long-arm statute authorizes personal jurisdiction over a party who causes tortious injury in the Commonwealth by an act or omission, which includes “using a computer or […] network located in the Commonwealth,” said Alston.

The judge found Carfax’s pleadings “paint[ed] a clear picture that Accu-Trade and Hollenshead worked in concert[.]”

The defendants argued the pleadings failed to establish sufficient minimum contacts to satisfy due process for personal jurisdiction in Virginia.  The 4th U.S. Circuit Court of Appeals uses a three-pronged test for minimum contacts: (1) whether a defendant’s activities constitute purposeful availment; (2) whether the claims arose out of those activities; and (3) reasonableness.

Alston said the Fourth Circuit uses the effects test to determine purposeful availment for internet tort cases. Allegations must show that the defendant’s conduct was an intentional tort aimed at the forum and the plaintiff felt the brunt of it in the forum.

The analysis “turns on the defendant’s ‘contacts with the forum state itself, not … with the persons who reside there [and they] must convey a rhyme and reason such that the ‘defendant’s conduct connects it to the forum in a meaningful way’ rather than be ‘random, fortuitous, or attenuated.”

Alston credited the allegation that defendants’ purposeful misappropriation of the QV tool for pecuniary gain was an intentional tort.

The judge also concluded that the brunt of the defendants’ actions was aimed at — and felt in — Virginia.

“At each stage of communication between the parties, Plaintiff headlined Virginia within the negotiations as ‘the focal point both of the story and of the harm suffered,’” the judge wrote.

Citing the contract with a Virginia choice of law, Alston found the defendants “should reasonably anticipate being haled into court there.”

The location of Carfax’s server was probative of whether defendants directed their conduct at Virginia, even if they “did not know the precise location of the server,” he added.

‘Gates-up-or-down’

The CFAA, which has been characterized by the Fourth Circuit as “primarily a criminal statute designed to combat hacking,” provides a private right of action.

Last year’s U.S. Supreme Court holding in Van Buren v. United States settled a circuit split among interpretations of the CFAA. In that case, Van Buren acted with an improper purpose. However, because he had been granted access to the database at the time, the court limited its ruling to whether he exceeded his authorized access.

Using a “gates-up-or-down inquiry,” the Van Buren court held that one “exceeds authorized access […] when he accesses a computer with authorization but then obtains information located in particular areas of the computer — such as files, folders, or databases — that are off limits to him.”

Because the CFAA doesn’t define “without authorization,” the Fourth Circuit interpreted it to describe when a person “accesses a computer without permission.” Alston noted the concept “remains a matter of debate.”

Although Carfax admitted it could not state a claim on an “exceeds authorized access” theory, it argued that defendants’ access was “without authorization” after they ended negotiations.

But the defendants maintained that the CFAA is meant to target hackers and “technological harms,” that liability requires a showing of unauthorized access, and that lenity requires narrow construction of the CFAA.

Focusing on whether “the gates to the QV tool ever re-erected,” Alston considered whether the analysis “turned only on technological (or ‘code-based’) limitations on access, or instead also looks to limits contained in contracts or policies.”

The Fourth Circuit adopted the Ninth Circuit’s narrow view that “the CFAA fails to provide a remedy for misappropriation of trade secrets or violation of a use policy where authorization has not been rescinded,” Alston noted.

“In doing so, the Court expressed its unwillingness to ‘contravene Congress’ intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy,” the judge added.

Cases from the Ninth Circuit and other courts have further narrowed “without authorization” to require express revocation, according to Alston.

Therefore, Carfax’s failure to affirmatively revoke defendants’ access to the QV tool after negotiations ended was fatal to its CFAA claim.

Virginia Computer Crimes Act

The VCCA prohibits unauthorized use of a computer or network with the intent to obtain property or services by false pretenses, embezzlement, larceny or conversion.

Alston found the VCCA made “crystal clear that if an actor at least ‘reasonably should know that he has no right’ to certain information, that actor may be subject to liability.”

Refusing to apply the rule of lenity, Alston pointed out that the VCCA predated the CFAA by two years and no cases have interpreted “without authorization” under the two statutes in the same manner. As such, the VCCA claim survived dismissal.

“Here, the Complaint provides sufficient allegations for this Court to reasonably infer that Defendants, at minimum, should have known that they forfeited the right to continue to use the QV tool at the time they actively ended negotiations,” he wrote. “That allegation meets the definition of ‘without authority’ under the VCCA, which is separate and apart from the ‘without authorization’ language used in the CFAA.”
