On October 10, 2017, the U.S. Supreme Court denied a petition for writ of certiorari challenging the Ninth Circuit’s holding that Power Ventures, Inc. had violated the Computer Fraud and Abuse Act (“CFAA”) by accessing Facebook user accounts.
Power provided a platform whereby its members could access their various social media accounts in one place. Power received authorization from Facebook users for this service after sending them messages through the social media platform. Facebook responded by sending Power a cease-and-desist letter demanding that Power immediately stop its access of Facebook computers. Power nevertheless continued, evading Facebook’s attempts to block it.
Facebook filed a lawsuit in federal court in 2008 alleging that Power had used Facebook trademarks to send upwards of 60,000 spam messages to Facebook users to deceive them into thinking the messages were from Facebook, then stored and saved user account information outside the reach and protection of Facebook.
In 2013, the U.S. District Court for the Northern District of California awarded Facebook a permanent injunction against Power and $3 million in damages due to Power’s spam messages and its access to Facebook users’ accounts under both the CFAA and the Controlling the Assault of Non‑Solicited Pornography and Marketing Act, or CAN‑SPAM. In 2016, the Ninth Circuit partially overturned the district court’s order, holding that Power had violated the CFAA but not CAN‑SPAM. According to the Ninth Circuit, the basis for CFAA liability was Power’s actions taken after Facebook sent its cease-and-desist letter, at which point the social media giant had expressly revoked Power’s access to its computers.
In light of the U.S. Supreme Court’s refusal to review the Ninth Circuit’s decision, companies will need to consider the Ninth Circuit’s view of the scope of the CFAA as compared to how the other Circuits have interpreted it. Actions taking place within the jurisdiction of the Ninth Circuit may not lead to a cognizable action under the CFAA when that same conduct would lead to a viable claim in another Circuit. Moreover, as it concerns companies whose data stored on their systems can be accessed by third parties, those companies may want to ensure that their response to unauthorized access of systems by outsiders are clear and immediate if they want to preserve a claim under the CFAA.