October 20, 2020 - Fraud, Litigation

Avoiding Claims Under the Computer Fraud and Abuse Act in Connection with Software and Firmware Updates

A recent ruling in Parziale v. HP, Inc., arising out of the implementation by Hewlett-Packard (“HP”) of a remote firmware update on many models of the company’s printers, highlights the potentially broad application of the Computer Fraud and Abuse Act (“CFAA”). It also serves as a reminder to technology companies that when distributing software and firmware updates, they must be mindful of providing specific advance notice that such updates may impact product or computer performance.

The Computer Fraud and Abuse Act

In 1986, Congress enacted the CFAA, reportedly in response to concerns arising from the Matthew Broderick film War Games, in which a teenage computer hacker accesses a U.S. Defense Department computer, unintentionally starts the launch sequence on the U.S. nuclear arsenal thinking it is a computer game, and comes close to starting World War III. Saving us all from annihilation, Broderick teaches the computer that when it comes to global thermonuclear war, “the only winning move is not to play.”

The CFAA is the primary computer crime law in the United States. Over the years, it has been amended several times and has broad application. The CFAA criminalizes fraud and certain other specified activities in connection with unauthorized access to computers. The CFAA also provides for civil remedies based on the same prohibited conduct.

For instance, a violation of the CFAA may occur when anyone: (i) “intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains . . . information from any protected computer”; (ii) “intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss”; (iii) “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage”; or (iv) “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” Likewise, as claimed in the Parziale v. HP case, a CFAA violation may occur when anyone “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”

A key question in most CFAA cases is whether the defendant acted “without authorization” or “exceed[ed] authorized access.” Notably, the scope of what it means to exceed authorized access is before the Supreme Court this term, with argument in that case scheduled for later this month.

Parziale v. HP, Inc.

In April 2019, HP implemented a remote firmware update on many models of the company’s printers. After the firmware update, certain non-HP ink cartridges stopped working on HP printers.

John Parziale, an owner of two HP printers, could no longer use his printers unless he inserted a genuine HP ink cartridge with an original HP chip. Alleging that the update reduced the value of his printers and rendered the non-HP cartridges he already owned useless, he brought an action seeking to certify a nationwide class action suit against HP. Parziale asserted claims under the CFAA, trespass to chattels, and the Florida Deceptive and Unfair Trade Practices Act (“FDUTPA”).

U.S. District Judge Edward Davila of the U.S. District Court for the Northern District of California granted defendant HP’s motion to dismiss all claims.

First, the judge dismissed Parziale’s CFAA claims. Parziale argued that HP violated Section 1030(a)(5)(A) of the CFAA, which prohibits “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” Parziale, however, expressly alleged in his complaint that he had relied on the packaging and store page. The store page included a warning that stated:

Dynamic security enabled printer. Only intended to be used with cartridges using an HP original chip. Cartridges using a non-HP chip may not work, and those that work today may not work in the future.

The judge agreed with HP that Parziale’s express reliance on the warning on the store page made it clear that any damage caused by the firmware update was not “without authorization.” The judge also rejected Parziale’s contention that even if the warning created authorization for HP to implement the firmware update, the authorization did not extend to disabling printers. The judge pointed out that the warning expressly notified consumers that “[c]artridges using a non-HP chip may not work, and those that work today may not work in the future.”

Second, the judge also dismissed Parziale’s FDUTPA claims. Under the FDUTPA, a consumer claim for damages has three elements: (1) a deceptive act or unfair practice; (2) causation; and (3) actual damages. An act or practice is “unfair” if it causes consumer injury that is: (i) substantial, (ii) not outweighed by any countervailing benefits to consumers or competition, and (iii) one that consumers themselves could not have reasonably avoided.

According to the judge, there was no dispute that Parziale adequately pled a substantial injury. Parziale also adequately alleged that “the harm caused by forcing consumers to purchase more expensive ink cartridges” and by rendering their already purchased non-HP ink cartridges worthless, the harm outweighed any countervailing benefits to consumers. On the third prong, however, the judge found in HP’s favor. This prong tests if consumers have reason to anticipate the impending harm and the means to avoid it. In the judge’s view, the warning on the store page was sufficient to allow a reasonable consumer to anticipate any impending harm caused by a printer becoming incompatible with non-HP cartridges. Because they were put on notice, consumers could simply buy a different printer or not buy non-HP cartridges with potential compatibility issues in the future. In other words, they had the means to avoid any impending injury.

Finally, the judge dismissed Parziale’s trespass to chattels claims. To prevail on a claim for trespass, the plaintiff must establish: (1) defendant intentionally and without authorization interfered with plaintiff’s possessory interest in the computer system; and (2) defendant’s unauthorized use proximately resulted in damage to plaintiff.

Thus, the trespass claim also hinged on whether HP acted “without authorization.” The judge had already found under the CFAA claim section that HP did not act without authorization because Parziale was on notice of HP’s ability to interfere with his printers.

Key Takeaways

In HP’s case, the warning on the store page was quite clear that non-HP cartridges may not continue to work after the update. Given the clear notice to consumers and Parziale’s own express reliance on the notice, Judge Davila did not have much trouble dismissing all of Parziale’s claims. But other cases alleging that software or firmware was updated “without authorization” and caused damage may not be so clear cut. Such cases may necessitate fact-intensive inquiries. Companies that fail to give clear advance notice as to the impact of their updates may find themselves in a weaker position.