Scott Moulton and Network Installation Computer Services, Inc. v. VC3
Civ. Act. No. 1:00-CV-434-TWT (N.D. Ga. November 6, 2000)
Court holds that plaintiff's act of conducting an unauthorized port scan and throughput test of defendant's servers does not constitute a violation of either the Georgia Computer Systems Protection Act or the Computer Fraud and Abuse Act. The court further holds that various derogatory statements the parties made about each other do not support actions for defamation, tortious interference with contractual relations, or commercial defamation under the Lanham Act.
Plaintiff and defendant are competitors that are each in the business of installing and servicing computer networks. From August 1998 to December 30, 1999, plaintiff had a continuing service contract to perform computer-related work for the Cherokee County 911 Center. Defendant had a contract to perform computer-related work for the City of Canton, and had set up servers for that purpose.
Plaintiff was hired to set up a router connecting the computer network of the City of Canton Police Department with the Cherokee County 911 Center. Plaintiff allegedly became concerned that this project would jeopardize the security of the Cherokee County 911 server for which it was responsible.
As a result of these concerns, plaintiff, without authorization from either Cherokee County or the Canton Police Department, conducted port scans and throughput tests on defendant's servers. A port scan is a method of checking a computer to see what ports are open by trying to establish a connection to each port on the target computer. A port scan is frequently used to test a computer for possible security weaknesses. A throughput test sends information across a network to test the speed at which a computer processes data.
Defendant detected plaintiff's activities and checked with both the Canton Police Department and Cherokee County to determine if they had authorized the activity. Upon learning that they had not, a meeting was set up, attended by plaintiff, defendant, representatives of the Canton Police Department and Cherokee County, and various law enforcement officials. At this meeting, plaintiff's activities were discussed. After the meeting, Cherokee County terminated its relationship with plaintiff, who was subsequently arrested for a criminal attempt to commit computer trespass against defendant.
This lawsuit followed, in which plaintiff asserted claims against defendant for defamation and tortious interference with business relations, and defendant counterclaimed for defamation, commercial disparagement in violation of the Lanham Act, and violations of the Computer Fraud and Abuse Act ("CFAA") and the Georgia Computer Systems Protection Act ("GCSPA"). The court dismissed all claims on the parties' cross-motions for summary judgment.
Of greatest interest to those following recent developments in Internet Law is the court's determination that plaintiff's activities did not violate either the GCSPA or the CFAA. The GCSPA, O.C.G.A. section 16-6-90 et seq., makes illegal the use of a computer with the intention of:
obstructing, interrupting, or in any way interfering with the use of a computer program or data; or altering, damaging, or in any way causing the malfunction of a computer, computer network or computer program, regardless of how long the alteration, damage or malfunction persists.
Defendant argued that plaintiff's throughput test and port scan slowed down its network and thereby interfered with computers in violation of the GCSPA. However, the court determined that "any slowdown was negligible at best and not noticeable to the company or its customers." Moreover, there was no evidence that plaintiff's activities resulted in any alteration, damage or malfunction of defendant's network. Under these circumstances, the court concluded the plaintiff had not violated the GCSPA.
The court reached a similar conclusion with respect to defendant's claims under the CFAA, 18 U.S.C. Section 1030. This act forbids the "intentional access[ing] [of] a protected computer without authorization, [that] as a result of such conduct, recklessly causes damage." "Damage," in turn, is defined in the CFAA as "any impairment to the integrity or availability of data, a program, a system, or information that causes loss aggregating at least $5000 ... or threatens public health or safety." The court held that defendant's CFAA claim failed because defendant could not prove that it sustained the damage necessary to establish a violation of the Act. The court rejected defendant's argument that the costs it expended in investigating plaintiff's activities constituted damages within the meaning of the statute. Rather, stated the court, the "damage must be an impairment to the integrity and availability of the network." Because the network's integrity was not compromised, and no program or information was ever unavailable as a result of plaintiff's conduct, the requisite damage had not occurred, and defendant's claim failed.
The court also rejected the parties' respective defamation claims. During the course of the various meetings and communications regarding the aforementioned activities, plaintiff described defendant's employees as "stupid" and stated that defendant's network had created a security risk. The court held that these were non-actionable statements of opinion, and not defamatory facts "capable of being proved false." Said the court:
The statement allegedly made by plaintiff Moulton that Defendant's employees were "stupid" falls into this category of nonactionable opinion or hyperbole. ... The remaining statements deal primarily with the security of Defendant's network system. Computer security is also a subject on which reasonable people could differ. A network's security is relative to the risks posed. A network might be secure for one risk, and insecure as to another. ... Plaintiff Moulton's blanket assertions that Defendant's network contained security risks were statements to which reasonable people might differ and that are not capable of being proved true or false.
The court also rejected defendant's claim of commercial disparagement under the Lanham Act. First, the claim failed because plaintiff made no misrepresentation of fact. Rather, plaintiff only made nonactionable statements of opinion. Second, the claim also failed because plaintiff made no statement in connection with commercial advertising or commercial promotion, a prerequisite to such a claim. Said the court: "isolated representations to a single customer do not fit into the idea of 'commercial advertising and promotion' in the marketing context."
The court also dismissed plaintiff's defamation claims against defendant. Plaintiff argued that defendant defamed him "because statements were made against [plaintiff's] trade, office or profession and imputed a criminal act to him." The court rejected this claim, finding that defendant's statements were privileged, either because they were made during the course of a police investigation into the activities in question, or "made with a good faith intent on the part of the speaker to protect his interest in a matter in which it is concerned." This latter privilege applied to defendant's inquiry to determine if plaintiff's port scan was authorized by the Canton Police Department.
Lastly, the court rejected plaintiff's tortious interference claim, both because Cherokee County stated that it was plaintiff's own actions, and not the defendant's statements, that led to its decision to terminate its contract with plaintiff, and because the statements in question were not defamatory, and therefore did not constitute the "improper action or wrongful conduct by the defendant without privilege" necessary to sustain such a claim.