How a snooping furniture executive may have expanded the CFAA




An ex-furniture company executive was found once again to be in violation of the controversial Computer Fraud and Abuse Act after being caught breaking into and reading his co-workers’ email accounts.

Christopher Carmicle had been an executive at Brown Jordan, a California-based furniture company, for a decade when his relationship with the company’s CEO, Gene Moriarty, rapidly deteriorated. The reason, according to the company’s lawsuit, was simple: Carmicle was effectively stealing $100,000 from the company through deceitful entertainment expenses and having his wife on the payroll.

The breach in trust was followed by a “second chance” and an actual promotion for Carmicle. Carmicle then did the same thing again, but wasn’t fired due to a pending acquisition getting in the way. Carmicle, however, felt that Moriarty never truly trusted him again.

Carmicle admitted that, when the company changed email services, he used the software’s default password — Password1 — to access numerous employees’ email accounts, including the CEO’s, because he suspected that others were lying about him to superiors and engaging in illegal activity. That’s hardly sophisticated hacking, but it still broke the law.

Messily concluding the maelstrom of vicious office politics and paranoia, Carmicle was fired and then sued for spying on everything his co-workers wrote for six months.

Carmicle’s argument was that he did not violate the CFAA because there was no damage to Brown Jordan’s computer system and there was no “interruption of service.” CFAA civil actions require showing a loss of at least $5,000 as a result of the offense. Brown Jordan claimed losses came in the form of hiring consultants, investigating the breach and conducting surveillance sweeps around their offices. The district court and now the appeals court sided with the company.

Although the defendant argued his deeds didn’t meet the financial threshold required by the CFAA, late last month an appeals court concluded that the company’s subsequent investigation and office surveillance sweep counted as “loss” under the law despite there being no service interruption. Lower courts had been split on the question of loss outside of service interruptions.

“The Eleventh Circuit’s interpretation, however, does not require that the plaintiff is even aware of the offense at or around the time it occurs,” Carol Thetford Montgomery, a lawyer at Butler Snow, wrote. “Merely learning of an unauthorized access, and attempting to understand how it affects the company months down the road is sufficient. This interpretation effectively arms employers, and others, to combat unauthorized computer access, even where they may not have known it occurred.”

The decision, she explained, “signals further expansion of the CFAA.”
