The Computer Fraud and Abuse Act (CFAA) remains the primary statute used to prosecute hackers. While the CFAA is still primarily a criminal statute, Congress amended it in 1994 to provide a private cause of action if a violation causes “loss” or “damage” as those terms are defined in the CFAA.
Civil liability under the CFAA. To establish a civil violation of the CFAA under § 1030(g), a plaintiff must prove by a preponderance of the evidence: (1) that the plaintiff suffered “damage or loss” as a result of a violation; and (2) the elements of a particular substantive CFAA offense under § 1030(a). The conduct also must involve: (1) at least $5,000 loss, (2) modification of a medical exam or diagnosis, (3) physical injury to any person, (4) a threat to public health or safety, or (5) damage affecting ten or more protected computers.
The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” It includes clearly destructive behavior, such as using a virus or a worm or deleting data, but it also may include less obviously intrusive conduct, such as flooding an e-mail account with spam. Courts are split on whether mere copying constitutes damage, with the majority position that it does not.
The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” In general, there are two categories of statutory loss: expenses incurred and revenue lost because of a service disruption. Importantly, it does not include litigation expenses, lost potential business opportunities, or damage to reputation.
CFAA violation. Most civil violations involve computer trespass by those who are not authorized users or who exceed authorized use. More specifically, in the most frequently used provision, § 1030(a)(2) creates civil liability for whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” The term “obtaining information” includes merely reviewing information online without downloading or copying it. The statute thus provides two ways of improperly accessing a protected computer: (1) obtaining access without authorization, and (2) obtaining access with authorization but then exceeding the authorized access.
The CFAA does not define “access,” and it has been subject to various interpretations. Federal and state courts have differentiated between defining access as a virtual activity versus a physical world concept. With regard to the latter, the issue is not whether the defendant gains a virtual entrance into the computer but whether the communication is transmitted through the computer and is, therefore, making use of that computer, even if the sender might not perceive the interaction as access. On the other hand, the virtual reality approach focuses on whether the user has passed through a password protection to find information inside.
There is an even greater divide between what it means to access a computer “without authorization” versus “in excess of authorization.” The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
The statute does not define “without authorization,” despite the fact that “exceeds authorized access” is explicitly defined in the CFAA. In the civil arena, the issue of the meaning of “exceeds authorized access” has arisen most frequently where an employee is authorized in the first instance to access certain information, but then uses that information for an improper purpose.
The First, Fifth, Seventh, and Eleventh Circuits have adopted a broad construction of the statute, concluding that unauthorized access encompasses adverse use of accessed information. Under the broad approach, wherever an employee breaches a duty of loyalty or a contractual obligation, or otherwise acquires an adverse interest to the employer, the employee’s authorization to access information stored on an employer’s computer terminates, and all subsequent access is unauthorized or exceeds the scope of authorization, whether or not access is still technologically enabled.
By contrast, the Second, Fourth, and Ninth Circuits have expressly adopted a narrower approach, holding that the CFAA does not reach the mere misuse of employer information or violations of terms of service. The split focuses on employees who are authorized to access their employer’s computers but use the information they retrieve for an improper purpose.
IP practice pointers. In spite of the uncertainty of the breadth of the CFAA and the inconsistent understanding of the meaning of the terms “without authorization” and “in excess of authorization,” intellectual property litigators should not overlook alleging a violation of the CFAA where, for example, an employee or a third party gained access to the employer’s computer and subsequently misused the information, especially if the venue for the action is within the First, Fifth, Seventh, or Eleventh Circuit, which have adopted a broad construction of the CFAA. This means that § 1030(a)(2) may provide a cause of action even where the information that was misused does not qualify as a trade secret under the Defend Trade Secrets Act of 2016.
It is important for employment agreements in these jurisdictions to clearly delineate the scope of an employee’s authorization regarding the computer system. The agreement should clearly state that the employee’s access of the computer system is limited by the employee’s employment responsibilities, and any use of the computer system that is inconsistent with this understanding or contrary to the interests of the employer is without authorization. Courts have questioned the enforcement of clauses in an employment contract that simply provide that it is corporate policy that computers be used only for business purposes because the definition of a “business purpose” may be vague and unclear. It is suggested that employment agreements explicitly define to the extent possible what it means to access a computer without authorization or in excess of authorization.
Companies within the jurisdiction of the Second, Fourth, and Ninth Circuits are more limited in bringing purported violations of the CFAA. It is clear that where an employee or individual simply violates company policy or terms of service in accessing a computer, the company likely has no redress under the CFAA. However, that does not mean that company policy or an employee agreement should not deal with this issue. It is still important for these documents to carefully describe authorized computer use. Company policy and employment agreements should also make clear that sharing of passwords is prohibited and that leaving the company, whether voluntarily or involuntarily, means that all subsequent access to the company’s computers is terminated.
Finally, employers should provide written notice to departing employees that any and all subsequent access to the companies’ computers shall be deemed without authorization. Conversely, until the scope of the CFAA is clarified, individuals need to know that if they receive a letter informing them not to access a specific website or particular computer, the failure to comply may open them up to civil and criminal liability.
Despite the uncertainty surrounding the scope of the CFAA and the lack of consensus on the meaning of “without authorization” and “in excess of authorization,” the CFAA continues to provide civil litigators with a possible cause of action and a key to federal court that should not be easily discounted. Further, because the law in this area is likely to continue to evolve rapidly, even in the absence of Supreme Court or congressional involvement, it is incumbent on civil litigators to remain abreast of developments.
ABA Section of Intellectual Property Law
This article is an abridged and edited version of one that originally appeared on page 42 of Landslide®, May/June 2017 (9:5).