Georgia Court of Appeals Discusses Damages Recoverable Under Georgia Computer Systems Protection Act

Posted by Neal F. Weinrich on

In the digital age, unfair competition cases between employers and employees often involve computer misconduct and claims under the federal and state statutes that regulate such misconduct.  One such statute is the Georgia Computer Systems Protection Act, O.C.G.A. § 16-9-90 et. seq. (“GCSPA”).  See also, generally, DuCom v. State, 288 Ga. App. 555, 654 S.E.2d 670 (2007) (finding that employee’s downloading of company data on the day she left the company and after she had formed an intent to compete was without authority within the meaning of the GCSPA).

There is not a lot of case law interpreting the GCSPA.  While a recent case involving the GCSPA does not involve allegations of unfair competition, the case does shed light on the damages potentially recoverable under the GCSPA in an employer/employee dispute.   Ware v. American Recovery Solution Services, Inc., 2013 WL 5542794 (Ga. App. October 9, 2013).  

The plaintiff, American Recovery Solution Services, Inc. (“ARSS”), is a collection agency.  ARSS entered into a written agreement with Christopher Ware whereby ARSS hired him to work as an independent contractor to design, develop and implement software for ARSS.  The agreement specified a date for the delivery of the software and the underlying source code to ARSS.  The parties agreed on a payment schedule and how change requests would be dealt with.  The parties’ written agreement provided that the software and code belonged to ARSS.  Ware first developed software that allowed ARSS’ employees to access the company’s database using a web-based platform.  After the program software was completed, he installed it on ARSS’s system.  The parties then discussed him developing a faster program based on Windows.  He began developing the second application. 

The parties subsequently had disagreements regarding their payment schedule and the status of the second project.  Ware’s harsh reaction in the midst of these disagreements gave rise to the lawsuit.  Specifically, Ware logged into ARSS’s server using the log-in name and password of ARSS’ Chief Financial Officer.  Ware then disabled ARSS’ ability to log into the system.  As a result, ARSS could not access the database of the 36,000 accounts in the system, and the company had to temporarily operate manually.  Ware emailed the company’s owners to demand his fee before he would allow them access to the application and database.

The company hired a software expert who restored access to the server and files.  Around the same time, Ware also again logged in using the CFO’s credentials and supposedly restored the application.  However, when employees tried to log in, they only had access to a previous version of the program which did not include a substantial amount of records that had been inputted into the newer version. 

ARSS filed a lawsuit against Ware and alleged that he committed computer theft and computer trespass in violation of the GSCPA.  ARSS also sought injunctive relief, and the trial court entered an order restraining Ware from accessing ARSS’s servers, ordering him to remedy any problems caused by his past acts, and requiring him to give ARSS the source code and documentation for all versions of the software. 

The case proceeded to a bench trial.  At the trial, the court found Ware had committed computer trespass as defined by O.C.G.A. section 16-9-93(b).  The court awarded ARSS $22,000 in lost profits, $15,000 to reimburse the fees ARSS had paid Ware, $15,000 for repairs, $17,875 in attorney’s fees and $350.00 in punitive damages. 

On appeal, Ware challenged the trial court’s finding that he had committed the offense of computer trespass.  Ware argued that he did not access ARSS’s server “without authority” because he owned the software that he had tampered with.  The Court of Appeals rejected this argument as irrelevant, noting that the GSCPA “only requires the intruder use a computer or a network knowing he was without authority and either temporarily or permanently removed data and interfere with the use of a computer program or cause a computer program to malfunction.”  Based on ARSS’s CFO’s testimony that he had not authorized Ware to disable an administrative login or alter the program and based on the fact that Ware’s actions shut down the company and hampered its ability to operate while its hired substitute experts attempted to diagnose and restore the application, the Court of Appeals found that the trial court was authorized to conclude that Ware committed computer trespass. 

Ware also challenged the trial court’s damages award.  Under O.C.G.A. § 16-9-93(g)(1) and (3), any person whose property or person is injured by reason of a violation of any provision of the GCSPA may recover for any damages sustained and the cost of suit.  The statute provides that “damages” includes lost profits and victim expenditure, as well as any additional civil remedy otherwise allowed by law.  Reviewing the damages awarded to ARSS, the Court found the $15,000 awarded to ARSS to reimburse it for what it had paid to Ware was improper, as ARSS was not entitled to a refund of money paid to him for his past services for which ARSS had received the benefit of the parties’ bargain.  The Court thus reversed that portion of the award.  The Court also reversed the trial court’s award of attorney’s fees, finding that the trial court had failed to make proper findings and conclusions as to the statutory basis for the fees award.

Ware thus further confirms that the GSCPA is a viable remedy for computer fraud and misconduct, although the remedies available thereunder are not without limit.