The Computer Fraud and Abuse Act
by Alicia Brown Oliver
If your business uses computers to transmit information internally or over the internet, or if your business maintains a website, you should be aware of the Computer Fraud and Abuse Act ("CFAA"). Congress originally enacted the CFAA (codified at 18 U.S.C. § 1030) in 1984 as a criminal statute to punish and prevent computer piracy by outside hackers. Congress has continually broadened the CFAA over the past two decades and it now provides aggrieved parties a civil cause of action against violators. Section (g), added in 1994, provides a private right of action under the CFAA for compensatory damages, injunctive and other equitable relief if the plaintiff has suffered "damage" or "loss" of at least $5000.00 to a "protected computer". The CFAA defines "protected computer" broadly as any computer used in interstate or foreign commerce or communication. The most common situation where the CFAA is implicated is when an outsider hacks into your business's computer system to steal or destroy data. There is also some law imposing liability on insiders (e.g., employees) for the same behavior.
The primary substantive sections used to prosecute these civil suits are sections 1030(a)(2)(C), (a)(4) and (a)(5)(A). Section (a)(2)(C) provides that a defendant violates the CFAA when he:
Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –
information from any protected computer if the conduct involved an interstate or foreign communication.
Section (a)(2) originally applied primarily to "privacy protection" because it related only to information on the computer systems of consumer reporting agencies and financial institutions. This section has been broadened substantially over the years and is now interpreted by courts to cover "information held on private computers" and potentially an employee's computer theft of his employer's trade secrets.
Section (a)(4) provides for liability when a person
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value. . .
Section (a)(5)(A) provides for liability when a person
(i) knowingly causes the transmission of a program, information code or command, and as a result of such conduct intentionally causes damage without authorization to a protected computer; or
(ii) intentionally accesses a protected computer site without authorization, and as a result of such conduct, causes damage, or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct causes damage. . .
These sections squarely address hacking behavior. The key to liability is whether the hacker's conduct "exceeds authorized access" or is "without authorization". The term "exceeds authorized access" is defined in the CFAA as access to a computer with authorization and use of such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter. Congress chose, however, not to define the term "without authorization" and courts have struggled to come up with a workable definition.
By far the biggest controversy exists when the plaintiff uses a violation of its website's "Terms and Conditions" to invoke the CFAA. The courts have not given a definitive answer on whether this conduct "exceeds authorized access" or is "without authorization". For example, one court found that the use of "extraction" or "robot" software by a member of an internet service provider to harvest other members' addresses in violation of the internet provider's service agreement was "without authorization". However, another court questioned whether violation of the same internet provider's service agreement would be "without authorization". There is no clear answer on this question. Even so, a clear set of "Terms and Conditions" defining the behavior allowed in connection with your website may strengthen your case against a hacker. In addition, internal policies regulating employee use of computer systems and data can help prevent damage by an insider to your data.
If you would like more information about the Computer Fraud and Abuse Act, please contact a member of our Intellectual Property Group.