Wednesday, August 27, 2008

What Employers Need to Know about the Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA), 18 USC 1030, is a federal criminal statute that prohibits certain conduct involving unauthorized access to protected computers. (A protected computer is, for the purposes of this article, any computer used in interstate commerce – so all computers that have internet access are automatically “protected.”) What many people don’t realize is that the CFAA provides criminal penalties for unauthorized access to computers, similar to a trespass or burglary law, and that the statute permits any person who suffers “damage” or “loss” by reason of a violation of the CFAA to maintain a civil action against the violator to obtain compensatory damages and injunctive or other equitable relief. Those terms are quoted because they have a hypertechnical meaning under the CFAA.

This statute is particularly useful to companies that have had their protected computers compromised by outside or inside sources. In general, the CFAA is implicated in three types of conduct related to a “protected” computer: unauthorized access of information, exceeding authorized access, and causing “damage.” Some of the violations under the CFAA require that someone has suffered “loss” of $5,000 or more – where “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. As you might expect, showing “loss” of $5,000 or more is usually not too hard – often merely responding to a security breach will exceed this cost.

The language is deceptively complex. For example, in the absence of unauthorized access or exceeding authorized access, damage must be proven; however, suffering $5,000 or more in “loss” will not automatically constitute damage. While in most cases an employee would violate the CFAA if they gained unauthorized access to a protected computer, courts are struggling with the more typical employment scenario – one where an employee actually has authorized access, obtains information that they are legally entitled to obtain, and then later misuses that information in violation of some obligation they owe to their employer. There is a split in the cases on this issue. Some courts (at this writing the 1st and 7th Circuits) have concluded that an employee may be deemed to have exceeded his authorization or to have acted without authorization when he retrieves confidential or proprietary information from his employer's computers that he has permission to access, but then uses that information in a manner that is inconsistent with the employer's interests or in a manner that violates a contractual obligation.

Other courts have criticized this rationale, holding that the CFAA targets the unauthorized procurement or alteration of information, not its misuse.

In cases where an employee has not gained unauthorized access, or exceeded authorized access, the issue is merely whether the employee caused damages and the employer suffered $5,000 or more in loss. In this context “damage” means any impairment to the integrity or availability of data, a program, a system, or information. This sounds easier to resolve than it is. For example, some courts have held that making copies of files is not a “damage” but other courts have held that copying a secure file to an unsecure location is a “damage” because now such data is easier to obtain. Thus, in those courts that adopt this view, one way an employee could cause “damage” would be to access confidential files on his/her work computer and then e-mail them to an unsecure personal e-mail account (like Yahoo® or Gmail®) or copy them to an unsecure media storage device (like an external hard drive).

If one of your employees has engaged in behavior similar to that described in this article and you would like to pursue action under the CFAA, you should contact an attorney.

Michael D. Oliver and Mitchell J. Rothenberg
Oliver@bowie-jensen.com
Rothenberg@bowie-jensen.com
