Judge Rejects Expert's Hacking Suit Against Law Firms

A prominent expert witness for plaintiffs in products liability cases has lost his bid to hold two law firms liable for allegedly hacking into his password-protected Web site and using the contents against him in litigation.

A federal judge in Washington, D.C., threw out the lawsuit filed against Keller & Heckman and Jones Day by David Egilman, an associate professor at Brown University who has testified for plaintiffs in asbestos and other toxic-tort cases.

Egilman claimed the defendants violated two federal statutes — the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act — by accessing his Web site via a username and password he had given to a third party. Although the username and password were valid, Egilman said the defendants did not have authorization to use them.

The complaint filed in the U.S. District Court for the District of Columbia also included counts for misappropriation of confidential information in violation of the laws of the District of Columbia, Texas and Massachusetts.

Besides the two District of Columbia law firms, Egilman's complaint names as a defendant Douglas J. Behr, a Keller & Heckman partner. According to the complaint, the defendants represented companies named in litigation in Texas over vinyl chloride monomer exposure and in Colorado involving beryllium exposure. Egilman had been retained as an expert witness for the plaintiffs in those cases.

Egilman says he strengthened the Web site's password protection in response to a court order in the Colorado litigation, but the defendants still were able to access the site by obtaining a username and password from a third party who had permission to access the site.

The defendants allegedly downloaded materials from the site and used them to impeach Egilman's credibility in both lawsuits and to convince the Colorado judge to sanction him for violating the court order.

The District Court granted the defendants' motion to dismiss the complaint.

First, it found the Computer Fraud and Abuse Act claim time-barred because it was filed after the law's two-year limitations period. The allegedly improper Web site access occurred in June 2001, but Egilman did not file suit until May 2004, the court said.

Next, the court said Egilman could not prove any violations of the Digital Millennium Copyright Act. The law prohibits, among other things, the "circumvention" of technological measures that protect access to copyrighted works, such as the articles and other protected works Egilman claims were on his Web site. But the court concluded that simply using a valid username and password — even without the site owner's permission — does not constitute circumvention.

Circumvention requires some action, such as descrambling, decrypting, bypassing or deactivating a technological protection measure, the District Court said, citing the only other on-point case it could find: I.M.S. Inquiry Management Systems Ltd. v. Berkshire Information Systems Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004).

Finally, the court declined to exercise supplemental jurisdiction over the state law claims.