
Butera & Andrews v. IBM – Employer not liable for intentional hacking by unknown IBM employee

Butera & Andrews v. International Business Machines Corporation, 456 F.Supp.2d 104 (1:06-CV-647, D. of Columbia, Order granting Motion to Dismiss, October 18, 2006).

Plaintiff Butera & Andrews is a law firm that specializes in federal government relations and litigation. It detected unauthorized intrusions into its computer systems in November of 2005. Security consultants tracked the intrusion to an IP address belonging to Defendant IBM, specifically its Durham, North Carolina facility. Later denial-of-service attacks were also traced to this facility. Plaintiff then sued IBM and the unknown “John Doe” IBM employee who allegedly carried out these attacks under the Computer Fraud & Abuse Act (18 U.S.C. §§ 1030(a)(2) and (a)(5)), the Stored Wire and Electronic Communications Act (18 U.S.C. §§ 2701(a) and 2707(a)), and the Federal Wiretap Act (18 U.S.C.A. §§ 2511(1)(a)-(b)).

Plaintiff’s claims against IBM were based upon a theory of respondeat superior: because IBM’s equipment was used in these attacks by an unknown IBM employee, Plaintiff claimed that IBM was therefore responsible. IBM moved to dismiss the complaint on the ground that the Plaintiff never alleged any *intentional acts* by IBM itself, which is a required element in all of the above-referenced statutes. The Court agreed, dismissing IBM from the case.

In dealing with the respondeat superior argument, the Court noted that an employer is not liable for an employee’s intentional conduct solely due to the employer-employee relationship. A plaintiff has to allege more in order to succeed on such a claim, such as some benefit received by the employer. Since Butera & Andrews could not do that here, it was proper to dismiss the claims against the employer, IBM.

In the alternative, Plaintiff requested expedited discovery from IBM regarding its involvement in the attacks. The Court held that post-complaint discovery was not appropriate; instead, Plaintiff should have requested third-party discovery from IBM before naming it as a party.

A status hearing was to be held on December 20, 2006 regarding the status of Butera & Andrews’ claims against the John Doe defendant.

Cyberlaw Central Commentary:
I agree with the court’s decision. Third-party discovery can be conducted fairly easily, even before filing a complaint under appropriate circumstances. A discovery suit could have been filed requesting the turnover of IBM’s records relating to the specific IP addresses enumerated in the complaint.