Last week, Reuters, ran a piece on how the Computer Fraud and Abuse Act (CFAA) may take center stage in legal circles over the coming months. Specifically, the Justice Department has until August 8th to decide whether or not they want to request a U.S. Supreme Court review of a long-running, controversial employment case, in which the CFAA figures prominently.
The CFAA In Ten Seconds
Ratified 28-years ago – when most homes still didn’t have a personal computer – officials passed the Computer Fraud and Abuse Act. Its intended goal was to develop a law to punish hackers. But lately it’s being used to prosecute employees who download sensitive data.
A multi-section bill, the CFAA covers a lot of ground, but perhaps the most controversial line is the explanation of what constitutes illegality, that being: “intentionally access[ing] a computer without authorization or exceed[ing] authorized access.”
The Curious Case of David Nosal & The Dismissal of CFAA Charges
Take the David Nosal case, for example. Gleaning from reports, he and a few colleagues allegedly pulled what sounds like the modern-day equivalent of the Sterling, Cooper, Draper, Pryce midnight pack-up when making moves to open their own company. Irate over the situation, in 2008, their former boss filed lawsuits against all the alleged conspirators. Some accepted the charges and their resultant fate, but David Nosal decided to fight the charges – which included a CFAA count.
After extensive litigation and court appearances, the appeals court, in a 9 to 2 ruling, dismissed the charges related to the CFAA.
The Justice Department Ain’t Happy About the Dismissal
Over the past six years, approximately 1,050 CFAA-related cases (half federal, half civil) have been filed. But lawmakers and law enforcement agencies want to see that number go up in the future. Ostensibly to extend their sphere of influence, the U.S. Justice Department is keen to use the CFAA when prosecuting.
So would a lot of corporations.
Oracle is so invested in the measure that they filed a brief in support of the Justice Department that argued trespass doctrines are rooted in common law standards and should therefore be applicable when defining the scope of the CFAA. They argued that “Among [common law standards] is the concept of restricted authorization: a person commits trespass not only when he or she enters property or a portion of it when told not to; a person commits trespass also when he or she has authorization to enter for some purposes but enters for different ones.”
If the Justice Department does seek a SCOTUS review, and it doesn’t end up in the department’s favor, they risk losing one of their most effective “bullets.” If they win, however, it could theoretically usher in a new “Minitru-esque” era where logging onto Facebook or Twitter, or engaging in a little digital retail therapy at work, could land you in a lot of – possibly criminal — trouble.
Proposed Amendments to The CFAA
In an effort to satisfy the Justice Department’s wishes to make ample use of the CFAA, there has been talk of amending the arguably antiquated act to protect the average employee who may dabble in a little Internet activity during, say, their lunch hour. Specifically, officials are knocking around ways to exclude harmless violations from being prosecuted under the bill (i.e., social network users signing up using a pseudonym).
The Computer Fraud and Abuse Act has been widely interpreted in various courts. If you have a legal issue involving the CFAA, contact us today to explore your options. Our Internet lawyers are well-versed in all things CFAA-related and can help you work out the ideal solution.
Web entrepreneurs beware. If you think coming up with an idea, developing a business plan and then launching it on the Web was hard, try alleging a civil loss under the Computer Fraud and Abuse Act in a business case. Cheat codes for Xbox are easier to understand!
Case in point, here is the exact language from U.S. Code Title 18, Part 1, Chapter 47, §1030 of the Computer Fraud and Abuse Act (CFAA) covering Fraud and Related Activity in Connection with Computers, “A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages.” Whew, I’m tired just reading it!
So what is this all about? There are many way to suffer loss as a web entrepreneur. Violations of CFAA are particularly insidious because they are difficult to qualify and must satisfy a jurisdiction prerequisite before you can file a claim. First, you need to know what constitutes a violation. A violation occurs when someone accesses one of your computers without authorization or exceeds their authorized access to wrongfully alter, delete, or transmit information with the intent to harm or gain a competitive business advantage. Most claims filed involve company insiders or former employees who leave “parting” gifts.
Next, let’s define what a “loss” under the CFAA is. It is not the theft of intellectual property, no matter how valuable. Nor is it gaining access to personal information or privacy invasion. To file a civil claim under the CFAA, the loss must involve a direct cost that is greater than $5000. An easy way to qualify a loss is to capture the cost of investigating, litigating and finally remediating the computer or computers where the violation occurred. An even easier way is to hire an Internet lawyer. Why?
An Internet lawyer can best coordinate, lead and manage the myriad of moving parts necessary to establish your case. In some instances, a computer forensics team must be hired to quarantine the affected computers, gather evidence and, if necessary, restore deleted media. All evidence must be accurately recorded and itemized for petitioning and court filing. The cost of lost labor from your employees must be cataloged and captured. And, finally somebody has to do the actual “lawyering”. These expenditures often are enough to meet the $5000 loss requirement to file a civil claim under the CFAA.
As I was saying, being a web entrepreneur is tough enough without the added cost of restoring computer equipment that’s been used in a violation. But, an Internet lawyer can make it as easy as… Y, Up, Right, Down, X, Left Trigger, White.