On Monday, April 20th, the Supreme Court accepted cert in Van Burien v. United States to (hopefully) resolve a longstanding circuit split regarding the Computer Fraud and Abuse Act (or CFAA): Does an individual exceed authorized access when he or she accesses a computer contrary to a policy or agreement limiting access (i.e., accessing a computer for a purpose beyond those permitted by the company). READ MORE
Marc represents clients in federal and state courts at the trial and appellate levels with a particular focus on class actions, multi-district litigation, and mass joinders. Recently, Marc played a lead role in securing denial of class certification and affirmance by the Ninth Circuit Court of Appeals in an employment discrimination suit against Microsoft. He also successfully secured dismissal of several foreign defendants in a class action before a MDL Court in Louisiana involving allegedly defective drywall. Marc currently represents the NCAA in concussion and injury-related cases throughout the country, Marathon Oil Corporation in nationwide climate change litigation, Johnson & Johnson in talc-related litigation across the country, Sanei International Ltd. in an international contract and unjust enrichment dispute, DomainTools in a contract and Computer Fraud and Abuse Act dispute concerning terms of service for accessing WHOIS registrant data, and Global Linguist Solutions in a 29-plaintiff, mass joinder False Claims Act case. In addition, in response to the Covid-19 pandemic, Marc is actively assisting clients in strategizing around litigation arising out of the health crisis.
Marc served as a law clerk to Judge Betty B. Fletcher of the U.S. Court of Appeals for the Ninth Circuit. Prior to joining Orrick, Marc worked as an appellate and post-conviction attorney for the Equal Justice Initiative. In that capacity, he engaged in trial level and appellate representation of clients in both state and federal court, including two cases that were briefed and argued before the United States Supreme Court.
Posts by: Marc Shapiro
On July 5, 2016, the Ninth Circuit Court of Appeals issued its highly anticipated decision in the most recent chapter of United States v. Nosal, holding that an individual acts “without authorization” as used in the Computer Fraud and Abuse Act (“CFAA”) when, after his/her own access has been revoked, the individual utilizes legitimate log‑in information of another to access company databases. This decision has important consequences for organizations as they consider how to implement policy and technical controls on user access to ensure they are protected against unauthorized access under the CFAA.
On December 3, the Second Circuit Court of Appeals became the most recent entrant into the circuit conflict on the question of when and under what circumstances an employee’s use of a computer to gain access to unauthorized information constitutes a violation of the Computer Fraud and Abuse Act. Over a dissent, the Court held that an employee cannot be convicted of violating the CFAA when he uses a database, to which he has been granted access, in a manner that is prohibited by company policy. With the Second Circuit joining the Fourth and Ninth Circuits in the minority on the issue, the answer continues to turn on the jurisdiction in which the suit was brought. Employers should take note because the decision reinforces the need to consider carefully whether and how to limit employee access to sensitive company information within its network—e.g., by use of written policy or technical access restrictions—and how those protections will play out in court if an employee takes company information for use in future employment.
Yesterday, the United States Supreme Court granted certiorari in Spokeo, Inc. v. Robins, to consider a question critical to the viability of data breach class actions: standing. Since the Court’s most recent standing decision in Clapper v. Amnesty Int’l USA, a majority of lower courts have dismissed data breach claims for failing to satisfy Article III’s injury-in-fact requirement; however, a growing chorus of lower courts have sanctioned such actions. As the Supreme Court prepares to wrestle with that split of authority during oral argument this fall, it will be tasked with deciding whether a plaintiff’s allegations concerning violations of statutory rights under the Federal Credit Reporting Act (“FCRA”) are sufficient to establish standing irrespective of any tangible injury. The ramifications of that determination are deeply significant, as the decision may either open or close the floodgates to data breach litigation throughout the country.