Practice Area

Computer Fraud and Abuse Act (CFAA)

Share
Photo of man and woman hacking computers and the internet. Pittsburgh, Pennsylvania Computer Fraud and Abuse Act (CFAA) Lawyers | CFAA | Attorneys

The Computer Fraud and Abuse Act is a Federal Statute that has roots going back to 1984, with many amendments having been made by congress as technology and data have become incredibly sophisticated and the scope and number of hacking and other computer related bad acts have grown exponentially. It was created to be a crimes and criminal procedure statute, but has expanded to include a civil remedy provision meaning that any person or business that suffers damages due to the type of computer espionage prohibited by this statute, may bring a civil lawsuit against the perpetrator for money damages. Houston Harbaugh IP and Tech Attorneys handle CFAA civil lawsuits. Pittsburgh, Pennsylvania Computer Fraud and Abuse Act (CFAA) Lawyers | CFAA | Attorneys

Civil Lawsuit Remedy Allowed under CFAA

The CFAA states that one who suffers loss may bring a civil action for money damages and injunction:

  • (g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

The civil remedy provisions require that the civil action may only be brought if the offending conduct includes one of the factors set forth in section (c)(4)(A)(i):

  • (i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
  • (I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
  • (II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
  • (III) physical injury to any person;
  • (IV) a threat to public health or safety;
  • (V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
  • (VI) damage affecting 10 or more protected computers during any 1-year period.

Illegal Conduct Per CFAA

With its origin as a criminal statute, the CFAA proscribes (makes criminal or subject to the statute) a number of computer related offenses including, inter alia;

  • 1) Unauthorized Access to Obtain Information (18 U.S.C. § 1030(a)(2)): This section criminalizes accessing a computer without authorization or exceeding authorized access to obtain information from any protected computer.
  • 2) Computer Espionage (18 U.S.C. § 1030(a)(1)): It is a federal crime to knowingly access a computer without authorization or to exceed authorized access with the intent to obtain classified information that could harm national security.
  • 3) Transmitting a Virus or Damaging a Computer (18 U.S.C. § 1030(a)(5)): This provision makes it illegal to knowingly transmit a program, information, code, or command, and as a result, cause damage to a protected computer.
  • 4) Trafficking in Passwords (18 U.S.C. § 1030(a)(6)): The Act prohibits trafficking in computer passwords if it affects interstate or foreign commerce or is done with the intent to defraud.
  • 5) Extortion Involving Computers (18 U.S.C. § 1030(a)(7)): This section addresses the act of threatening to damage a protected computer or to obtain information through extortion.

Several words and phrases in the CFAA require focus on their definitions, which are set forth in the statute. The CFAA defines “damage” to mean “Any impairment to the integrity or availability of data, a program, a system, or information”.  The CFAA defines “loss” to mean, “Any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

U.S. Supreme Court Addressed Certain CFAA Provisions

The United States Supreme Court building in Washington, D.C. Pittsburgh, Pennsylvania Computer Fraud and Abuse Act (CFAA) Lawyers | CFAA | Attorneys

The Supreme Court, in a 6-3 decision which was issued on June 3, 2021, reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds authorized access” under the Computer Fraud and Abuse Act of 1986 (CFAA)Section 1030(a)(2).

Van Buren v. United States, No. 19-783, 593 U.S. ___ (June 3, 2021).

Specifically, the Court ruled that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as certain files, folders, or databases – that are off limits to them. However, post-VanBuren, the CFAA does not prohibit accessing data for a purpose other than the purpose for which the user was permitted access in the first place. Nonetheless, the CFAA remains a seemingly underused and underappreciated tool in the arsenal of IP and technology lawyers in the fight against trade secret and confidential business information theft and destruction. With the Supreme Court weighing in, perhaps the CFAA will grow in prominence and use.

Van Buren involved a Georgia Police Sergeant, Nathan Van Buren (“Van Buren”), who used his patrol car computer to access a law enforcement database to retrieve information about a particular license plate number in exchange for money, rather than for a law enforcement purpose. He was charged criminally under the CFAA and convicted. Van Buren appealed to the Eleventh Circuit, which affirmed, and the Supreme Court then Reversed and Remanded the Decision, ruling that the CFAA does not criminalize the use of areas of a database that the bad actor has authorization to access.

In a civil context, this provision of the CFAA is regularly pled in cases involving former employees accessing proprietary data from their work computers immediately before leaving their company to join a competitor. This decision suggests that the Court is approaching CFAA violation cases with an overarching question of “did one have authorized access, or not?” Meaning, the intent of the bad actor has little weight in determining liability or culpability under the CFAA; rather, the determination focuses on whether or not the areas of the computer which were accessed were restricted to the individual, regardless of intent.

The Court also weighed in on what the limitations of “exceeding authorized access” are. In Van Buren, the Government contended that “exceeds authorized access” meant “exceed[ed] his authorized access to the law enforcement database when he obtained license-plate information for personal purposes.” Van Buren, 141 S.Ct. 1648 at 1649. The Court was unmoved, ruling that this interpretation was inconsistent with the language of the statute and would leave to an exorbitant amount of criminal charges and employees who use their work email for personal matters being subject to liability. Id. Moreover, the Court reasoned that the Government’s approach would “inject arbitrariness into the assessment of criminal [and civil] liability” because whether the conduct violated the CFAA would be subject to how an employer phrased the policy which was violated (i.e. as a “use” restriction or an “access” restriction).

Thus, the Supreme Court has ruled that one “exceeds authorized access” only when one obtains information located in particular areas of the computer that the individual does not have authorized access to.

Pittsburgh, Pennsylvania Computer Fraud and Abuse Act (CFAA) Lawyer | CFAA | Attorney