The Computer Fraud and Abuse Act--A Survey of Recent Cases
I. Introduction
The criminal statutory provisions commonly referred to as the Computer Fraud and Abuse Act (“CFAA”) were first enacted in 1984[i] as a means to prosecute computer crimes related to hacking.[ii] However, the scope of prohibited actions in the CFAA extends well beyond traditional hacking. More generally, the CFAA criminalizes conduct that involves accessing computers without authorization or in excess of authorization, and then the subsequent use of such access to obtain information that causes loss or damage, or defrauds another or the government.[iii] The CFAA also provides a private cause of action for persons who suffer damage or loss as a result of such computer access, and it provides for damages and equitable relief.[iv]
This survey focuses on the most litigated provisions of the CFAA in cases decided between June 1, 2009 and June 1, 2010.
II. Authorization
Many of the cases decided under the CFAA in the last year involved civil causes of action between employers and their erstwhile employees. The fact patterns underlying these civil claims are often quite similar: an employee obtains confidential information from the employer’s computer system while employed, and then uses the information to the employer’s detriment.[v] Upon discovery, the employer asserts a cause of action under the CFAA (and often other claims) against the former employee, alleging that the employee intentionally accessed a computer without authorization or in excess of authorized access, and obtained and used information accessed from the computer.[vi]
However, courts have struggled with the element of “authorization,” which has led to a circuit split. The CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”[vii] However, the CFAA does not define “without authorization,” and courts differ on the meaning and scope of “without authorization,” as well as whether use (or misuse) of information even implicates the CFAA.[viii] Two federal circuits weighed in on these controversial issues last year.
In February 2010, in United States v. John, a criminal case, the U.S. Court of Appeals for the Fifth Circuit resolved an issue related to the statutory interpretation of “exceeds authorized access.”[ix] The court examined whether information obtained by permitted access to a computer system, but used beyond limits placed on the use of such information, falls within the definition of “exceeds authorized access” under the CFAA.[x] In this case, an employee of a financial institution had access to customer account information and passed it along to others, who then incurred fraudulent charges on those customers’ accounts.[xi] The employee was convicted because she exceeded her “authorized access” to a computer system and obtained information from a financial record of a financial institution.[xii] The court held that “the concept of ‘exceeds authorized access’ may include exceeding the purposes for which access is ‘authorized.’”[xiii] Affirming the conviction,[xiv] the court held that the employee’s access to her computer was limited and that she exceeded her authorization when she accessed information for use in a fraudulent scheme, which she knew or should have known was unauthorized.[xv]
In LVRC Holdings LLC v. Brekka, an employee e-mailed confidential documents to his home computer while he was still employed, intending to use the information to compete with the employer after termination.[xvi] The employer brought a CFAA action against the employee, asserting that the employee exceeded his “authorized access” or was “without authorization” at the moment the employee decided to use the computer contrary to the employer’s interest.[xvii] The U.S. Court of Appeals for the Ninth Circuit rejected that argument,[xviii] and held that “without authorization” means “without permission,”[xix] reasoning that to expand the meaning of “without authorization” beyond that would give no effect to “exceeds authorized access” in the CFAA.[xx] Applying its new rule, the court held that the employee had authorization (i.e., permission) to access the computer because his job required him to use the computer.[xxi] The court noted that had the employee accessed the computer after he was terminated from employment, he would have undoubtedly accessed a computer “without authorization.”[xxii]
This decision is in direct contrast to International Airport Centers, L.L.C. v. Citrin, a decision by the U.S. Court of Appeals for the Seventh Circuit in 2006.[xxiii] In that case, the Seventh Circuit held that an employee’s authorization to access an employer’s computers ended at the time the employee breached his duty of loyalty to the employer.[xxiv] The court found that such a breach occurred when the employee decided to erase from his laptop all company data and other incriminating information showing that he started a competing business in violation of his employment agreement.[xxv] Using agency principles, the court held that the employee’s breach of his duty of loyalty terminated his authorization to access the laptop.[xxvi]
There is a similar split among district courts.[xxvii] Courts in Alabama, Florida, Georgia, and Tennessee are in agreement with the Ninth Circuit, holding that “without authorization” means that initial access to the computer was not permitted.[xxviii] Those same courts in Alabama and Tennessee, along with courts in Pennsylvania and Texas, addressed the issue of information misuse, holding that “without authorization” or “exceeds authorized access” does not extend to circumstances involving improper use of information that one was authorized to access.[xxix] All of these courts either dismissed the CFAA claims or granted summary judgment to the defendants, as applicable, because the defendants in each case clearly had permission to access the obtained information.[xxx]
However, two district courts appear to have aligned themselves with the Seventh Circuit in holding that improper use of information was sufficient to allege “without authorization” or “exceeding authorized access.”[xxxi] Each court denied the employee-defendant’s motion to dismiss the employer-plaintiff’s CFAA claim, holding that the employers sufficiently alleged that the employees acted “without authorization” or exceeded their “authorized access” when the employees obtained information that they were authorized to access but later misused.[xxxii]
III. Loss and Damage
Section 1030(g) of the CFAA provides a civil remedy for any person who suffers “damage or loss by reason of a violation” of the CFAA.[xxxiii] The CFAA defines the term “loss” to mean “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”[xxxiv] The CFAA cases in this survey show that district courts have strictly interpreted the meaning of “loss,” refusing to expand the definition beyond the plain language of the statute. For example, some courts held that economic costs and lost revenue unrelated to computer systems did not fall within the CFAA’s definition because such losses were not incurred due to an “interruption of service.”[xxxv] Others held that the cost of examining a defendant’s improper actions and examining other parties’ computers were not losses that related to the investigation or repair of a computer system.[xxxvi]
Additionally, the term “damage” under the CFAA means “any impairment to the integrity or availability of data, a program, a system, or information.”[xxxvii] In the last year, courts treated the definition of “damage” similarly to that of “loss,” refusing to expand the definition beyond the plain language of the statute. For example, courts held that merely copying information from a computer system or utilizing a computer’s resources does not fall within the CFAA’s definition of “damage.”[xxxviii]
IV. Constitutional Challenges
Last year’s criminal cases brought two constitutional challenges to the CFAA under the void-for-vagueness doctrine. In United States v. Drew,[xxxix] the defendant used a fictitious account on the social networking site Myspace.com to befriend and subsequently reject a thirteen-year-old girl who later committed suicide.[xl] The defendant was convicted of misdemeanor violations of the CFAA.[xli] The court found that the defendant’s creation and use of a fictitious MySpace account to impersonate another and commit a tort was in direct violation of the MySpace terms of service.[xlii] The court held that an intentional breach of the MySpace terms of service constituted access to the MySpace computers “without authorization” or in excess of the defendant’s authorization to Myspace.com under the CFAA because a website’s terms of service defines the scope of authorized access to the website.[xliii] However, the court concluded that prosecution and conviction for a CFAA misdemeanor violation based upon the conscious violation of a website’s terms of service was void for vagueness.[xliv] The court held that deficiencies in actual notice and an absence of minimal guidelines to govern law enforcement meant that individuals were not reasonably on notice that a breach of the terms of service could constitute a criminal violation of the CFAA.[xlv] As a result, the court granted the defendant’s motion for judgment of acquittal for the misdemeanor.[xlvi]
In United States v. Powers,[xlvii] a void-for-vagueness challenge arose out of a criminal indictment alleging that the defendant accessed a woman’s e-mail account to which he had previously been given the password.[xlviii] The defendant then forwarded previously sent, partially nude photos of the woman to others.[xlix] The defendant challenged the indictment, asserting that the section prohibiting accessing a computer and obtaining information from the computer “without authorization” or by “exceed[ing] authorized access” is unconstitutionally vague because it does not provide reasonable notice of what conduct is prohibited.[l] The court concluded that the CFAA defines the statutory terms with sufficient particularity to provide adequate notice of prohibited conduct under the statute,[li] and held that the defendant exceeded his “authorized access” when he obtained compromising images from past e-mail messages and sent those images to others.[lii]
V. Conclusion
Regardless of the outcome of the hotly contested issues reported in this survey, business lawyers should consider reexamining company policies that define acceptable uses of business computer systems and company information, and, when necessary, consider whether reliance on the CFAA as a cause of action against rogue employees is justified. Controversy over the parameters of the CFAA can be expected to continue until there is more uniformity and consistency in its interpretation and application.
* Molly Eichten is an attorney with Larkin Hoffman Daly & Lindgren Ltd. in Minneapolis, Minnesota, practicing in the areas of intellectual property law and commercial transactions.
[i] The popular name of “Computer Fraud and Abuse Act” was created in a 1986 amendment to 18 U.S.C. § 1030. See Pub. L. No. 99-474, 100 Stat. 1213 (1986). Section 1030 was initially created by the Comprehensive Crime Control Act of 1984. See Pub. L. No. 98-473, 98 Stat. 1976, 2190 (1984). Section 1030 as a whole is commonly referred to as the Computer Fraud and Abuse Act. See Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1561 n.2 (2010). Therefore, in this survey I refer to 18 U.S.C. § 1030 as the CFAA.
[ii] See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130–31 (9th Cir. September 15, 2009) (citing H.R. Rep. No. 98-894 (1984), reprinted in 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984)).
[iii] 18 U.S.C. § 1030(a)(1)–(7) (2006).
[iv] 18 U.S.C. § 1030(g).
[v] See, e.g., Bell Aerospace Servs., Inc. v. U.S. Aero Servs., Inc., 690 F. Supp. 2d 1267, 1271 (M.D. Ala. 2010); Vurv Tech. LLC v. Kenexa Corp., No. 1:08-cv-3442-WSD, 2009 WL 2171042, at *2 (N.D. Ga. July 20, 2009).
[vi] See, e.g., Consulting Prof’l Res., Inc. v. Concise Techs. LLC, No. 09-1201, 2010 WL 1337723, at *2 (W.D. Pa. Mar. 9, 2010) (magistrate judge’s report and recommendation, which was adopted as the opinion of the court).
[vii] 18 U.S.C. § 1030(e)(6).
[viii] See Vurv Tech., 2009 WL 2171042, at *6 (describing split).
[ix] 597 F.3d 263, 273 (5th Cir. 2010).
[x] Id. at 271.
[xi] Id. at 269.
[xii] Id. at 269–70 (discussing violations of 18 U.S.C. § 1030(a)(2)(A), (C)).
[xiii] Id. at 272.
[xiv] Id. at 289.
[xv] Id. at 272–73.
[xvi] LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1129–30 (9th Cir. 2009).
[xvii] Id. at 1131.
[xx] Id. at 1133.
[xxi] Id. at 1135.
[xxii] Id. at 1136.
[xxiii] 440 F.3d 418 (7th Cir. 2006).
[xxiv] Id. at 420.
[xxv] Id.
[xxvi] Id. at 420–21.
[xxvii] Compare, e.g., Condux Int’l, Inc. v. Haugum, No. 08-4824 ADM/JSM, 2008 WL 5244818, at *6 (D. Minn. Dec. 15, 2008) (holding that claims of misappropriation, as opposed to access, do not fall under the CFAA), with, e.g., Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1124–25 (W.D. Wash. 2000) (holding that the plaintiff properly alleged a claim under the CFAA even though the employees of the defendant had access to the information in question).
[xxviii] ReMedPar, Inc. v. AllParts Med., LLC, 683 F. Supp. 2d 605, 613 (M.D. Tenn. 2010) (citing Black & Decker (US), Inc. v. Smith, 568 F. Supp. 2d 929, 935–36 (W.D. Tenn. 2008)); Bell Aerospace Servs., Inc. v. U.S. Aero Servs., Inc., 690 F. Supp. 2d 1267, 1272 (M.D. Ala. 2010); Mortgage Now, Inc. v. Stone, No. 3:09cv80/MCR/MD, 2009 WL 4262877, at *9 (N.D. Fla. Nov. 24, 2009); Vurv Tech. LLC v. Kenexa Corp., No. 1:08-cv-3442-WSD, 2009 WL 2171042, at *7 (N.D. Ga. July 20, 2009).
[xxix] ReMedPar, 683 F. Supp. 2d at 613 (citing Black & Decker, 568 F. Supp. 2d at 936); Bell Aerospace Servs., 690 F. Supp. 2d at 1272 (“‘Exceeds authorized access’ should not be confused with exceeds authorized use.”); Consulting Prof’l Res., Inc. v. Concise Techs. LLC, No. 09-1201, 2010 WL 1337723, at *2 (W.D. Pa. Mar. 9, 2010) (magistrate judge’s report and recommendation, which was adopted as the opinion of the court); Joe N. Pratt Ins. v. Doane, No. V-07-07, 2009 WL 3157337, at *4 (S.D. Tex. Sept. 25, 2009) (“The mere misuse of information to which a defendant had authorized access is not enough.”).
[xxx] See ReMedPar, 683 F. Supp. 2d at 616 (dismissing claim because it was clear the defendant was authorized to access the plaintiff’s computers); Bell Aerospace Servs., 690 F. Supp. 2d at 1272–73 (granting summary judgment to former employees because employees each had valid permission to access the company’s computers); Consulting Prof’l Res., 2010 WL 1337723, at *8 (dismissing claim because employee had permission to access confidential information on the employer’s computers); Mortgage Now, 2009 WL 4262877, at *9–10 (dismissing claim because employer admitted employees had access to trade secret information while employed); Joe N. Pratt Ins., 2009 WL 3157337, at *4 (granting summary judgment to the defendant because it was undisputed that the defendant had access to information at issue); Vurv Tech., 2009 WL 2171042, at *7 (dismissing claim covering period of employment because employee had access to employer’s computers and information).
[xxxi] Guest-Tek Interactive Entm’t, Inc. v. Pullen, 665 F. Supp. 2d 42, 45–46 (D. Mass. 2009); Lasco Foods, Inc. v. Hall & Shaw Sales, Mktg. & Consulting, LLC, No. 4:08CV01683 JCH, 2009 WL 3523986, at *4 (E.D. Mo. Oct. 26, 2009).
[xxxii] Guest-Tek, 665 F. Supp. 2d at 45–46; Lasco, 2009 WL 3523986, at *4.
[xxxiii] 18 U.S.C. § 1030(g) (2006).
[xxxiv] Id. § 1030(e)(11).
[xxxv] See ReMedPar, 683 F. Supp. 2d at 614 (holding that lost revenue from misappropriation of plaintiff’s trade secrets was not actionable because it was not incurred due to an “interruption of service”); Doyle v. Taylor, No. CV-09-158-RHW, 2010 WL 2163521, at *3 (E.D. Wash. May 24, 2010) (holding that the cost of examining other parties’ computers was not a cost incurred because of an “interruption of service”); TelQuest Int’l Corp. v. Dedicated Bus. Sys., Inc., No. 06-5359 (PGS), 2009 WL 3234226, at *1 (D.N.J. Sept. 30, 2009) (holding that lost revenue resulting from defendant’s unfair business competition was not lost revenue because of an “interruption of service”); ES & H, Inc. v. Allied Safety Consultants, Inc., No. 3:08-cv-323, 2009 WL 2996340, at *4 (E.D. Tenn. Sept. 16, 2009) (holding that lost revenue from misappropriation of plaintiff’s information was not lost revenue because of an “interruption of service”).
[xxxvi] Mintel Int’l Group, Ltd. v. Neergheen, No. 08-cv-3939, 2010 WL 145786, at *10 (N.D. Ill. Jan. 12, 2010) (fees paid to expert who assessed the defendant’s improper actions were not losses that related to the investigation or repair of a computer system); TelQuest Int’l, 2009 WL 3234226, at *2 (costs of hiring computer expert to find evidence of disloyal conduct were not related to discovering or remedying damage to a computer).
[xxxvii] 18 U.S.C. § 1030(e)(8).
[xxxviii] See Volk v. Zeanah, No. 608CV094, 2010 WL 318261, at *3 (S.D. Ga. Jan. 25, 2010) (“[M]ere copying of data does not create a cognizable claim for damage under the CFAA.”); Mintel Int’l Group, 2010 WL 145786, at *10 (copying and e-mailing of employer’s computer files did not impair the integrity or availability of the employer’s computer system); Czech v. Wall St. on Demand, Inc., 674 F. Supp. 2d 1102, 1117–18 (D. Minn. 2009) (refusing to expand the definition of “damage” under the CFAA to include any use or consumption of a device’s finite resources).
[xxxix] 259 F.R.D. 449, 452 (C.D. Cal. 2009).
[xl] Id.
[xli] Id. at 453.
[xlii] Id. at 454.
[xliii] Id. at 461–462.
[xliv] Id. at 464.
[xlv] Id. at 465–67.
[xlvi] Id. at 468.
[xlvii] No. 8:09CR361, 2010 WL 1418172 (D. Neb. Mar. 4, 2010).
[xlviii] Id. at *1.
[xlix] Id.
[l] Id. at *3.
[li] Id. at *4.
[lii] Id.