FEBRUARY 23, 2017
115TH CONGRESS 1ST SESSION
To amend title 18, United States Code, to provide a defense to prosecution
for fraud and related activity in connection with computers for persons
defending against unauthorized intrusions into their computers, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
Mr. GRAVES of Georgia introduced the following bill; which was referred to the Committee on
To amend title 18, United States Code, to provide a defense
to prosecution for fraud and related activity in connec-
tion with computers for persons defending against unau-
thorized intrusions into their computers, and for other
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘Active Cyber Defense Certainty Act’’.
SEC. 2. EXCLUSION FROM PROSECUTION FOR CERTAIN
COMPUTER CRIMES FOR THOSE TAKING ACTIVE CYBER DEFENSE MEASURES.
Section 1030 of title 18, United States Code, is amended by adding at the end the following:
‘‘(k) CYBER DEFENSE MEASURES NOT A VIOLATION
.—It is a defense to a prosecution under this section that the conduct constituting the offense was an active cyber defense measure.
.—In this subsection—
‘‘(A) the term ‘victim’ means an entity that is a victim of a persistent unauthorized intrusion of the individual entity’s computer;
‘‘(B) the term ‘active cyber defense measure’—
‘‘(i) means any measure—
‘‘(I) undertaken by, or at the direction of, a victim; and
‘‘(II) consisting of accessing without authorization the computer of the attacker to the victim’ own network to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network; but
‘‘(ii) does not include conduct that—
‘‘(I) destroys the information stored on a computers of another;
‘‘(II) causes physical injury to another person; or
‘‘(III) creates a threat to the public health or safety; and
‘‘(C) the term ‘attacker’ means a person or an entity that is the source of the persistent un-authorized intrusion into the victim’s computer.’’.
1. Computer Fraud and Abuse Act Storage Ctrs., Inc. v. Safeguard Self Storage, Inc.,
119 F. Supp. 2d 1121, 1125
(W.D. Wash. 2000);
Ervin & Smith Advertising and Public Relations, Inc. v. Ervin, 2009 WL 249998 (D. Neb. 2009). Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party.
See, e.g.,Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files);
ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).
The Citrin/Shurgard line of cases has been criticized by courts adopting the view that, under the CFAA, an authorized user of a computer cannot access the computer “without authorization” unless and until the authorization is revoked. Most significantly, the Ninth Circuit recently rejected Citrin’s interpretation of “without authorization” and found that, under the plain language of the CFAA, a user’s authorization to access a computer depends on the actions of the authorizing party and not on the user’s duty of loyalty.
See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133-34 (9th Cir. 2009) (“It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’”). The court also suggested that Citrin’s reading of the CFAA is inconsistent with the rule of lenity, which requires courts to construe any ambiguity in a criminal statute against the government. Id.at 1134-35. The court then held that “a person uses a computer ‘without authorization’ . . . when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” Id.at 1135.
Several district courts have also recently moved away from the Citrin/Shurgard view that a user can lose authorization to access a computer by F.3d 418 (7th Cir. 2006) (“Plaintiffs do not assert that Citrin accessed a computer without authorization.”). After analyzing the § 1030(a)(5)(A)(i) claim that plaintiff actually alleged, the Seventh Circuit then opined that the defendant had also violated § 1030(a)(5)(A)(ii) (now § 1030(a)(5)(B)), which did require that the defendant access a computer without authorization.
See Citrin, 440 F.3d at 420. The court appears to have been discussing this hypothetical §1030(a)(5)(A)(ii) claim when it stated that an employee could lose authorization to access his employer’s computer by breaching a duty of loyalty to the employer.
Prosecuting Computer Crimes breaching a duty of loyalty to the authorizing party.
See, e.g., Bell Aerospace Services, Inc. v. U.S. Aero Services, Inc., 690 F. Supp. 2d 1267 (M.D. Ala. 2010);
U.S. Bioservices v. Lugo, 595 F. Supp. 2d 1189 (D. Kan. 2009);
Losco Foods v. Hall & Shaw Sales, 600 F. Supp. 2d 1045 (E.D. Mo. 2009);
Bro-Tech Corp. v. Thermax, Inc., 651 F. Supp. 2d 378, 407-08 (E.D. Pa. 2009);
Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 964-967 (D. Ariz. 2008);
Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1342 (N.D. Ga. 2007);
B&B Microscopes v. Armogida, 532 F. Supp. 2d 744, 758 (W.D. Pa. 2007);
Lockheed Martin Corp. v. Speed, 2006 WL 2683058, at *4 (M.D. Fla. 2006). These courts, like the Ninth Circuit, generally hold that an authorized computer user can never access the computer “without authorization” unless and until the authorization is rescinded.
See, e.g., Shamrock Foods, 535 F. Supp. 2d at 967 (“[A] violation for accessing ‘without authorization’ occurs only where initial access is not permitted.”).
Based on this recent case law, courts appear increasingly likely to reject the idea that a defendant accessed a computer “without authorization” in insider cases—cases where the defendant had some current authorization to access the computer. Accordingly, prosecutors should think carefully before charging such defendants with violations that require the defendants to access a computer “without authorization” and instead consider bringing charges under those subsections that require proof that the defendant exceeded authorized access.
Exceeding Authorized Access Several provisions of the CFAA impose criminal liability on a defendant who, among other things, “exceeds authorized access” when accessing a computer.
See 18 U.S.C. §§ 1030(a)(1), (a)(2), & (a)(4). The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
18 U.S.C. §1030(e)(6). Accordingly, to prove that someone has “exceeded authorized access,” prosecutors should be prepared to present evidence showing (a) how the person’s authority to obtain or alter information on the computer was limited, rather than absolute, and (b) how the person exceeded those limitations in obtaining or altering information.
It is relatively easy to prove that a defendant had only limited authority to access a computer in cases where the defendant’s access was limited by “Viewing material on a computer screen constitutes ‘obtaining’ information under the CFAA.”
Healthcare Advocates, Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627, 648 (E.D. Pa. 2007) (citing legislative history for CFAA).
1. Computer Fraud and Abuse Act restrictions that were memorialized in writing, such as terms of service, a computer access policy, a website notice, or an employment agreement or similar contract.
See, e.g.EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (website notices); Cont’l Group, Inc. v. KW Prop. Mgmt., LLC, 622 F.
Supp. 2d 1357, 1372 (S.D. Fla. 2009) (computer access policies); United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (website terms of service); Modis, Inc. v. Bardelli, 531 F. Supp. 2d 314, 319 (D. Conn. 2008) (employment agreement);
Hewlett-Packard Co. v. Byd:Sign, Inc., 2007 WL 275476, at *13 (E.D. Tex. 2007) (confidentiality agreement); Am. Online, Inc. v. Nat’l Health Care Discount, Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa 2001) (email terms of service). In addition, password protection is an implicit (and technological) limit on access for otherwise authorized users who are not given the password.
See EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003). However, courts have split on the question of whether limits on authorized access can be reasonably inferred from the circumstances in cases where no explicit or implicit restrictions on access existed.
Compare EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003) (rejecting “reasonable expectations” test for lack of authorization), with United States v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007) (“Courts have . . . typically analyzed the scope of a user’s authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user.”).
The most commonly litigated issue about “exceeding authorized access” in reported opinions is whether a particular defendant exceeded authorized access by accessing the computer for an improper purpose. Although United States v. Drew confirms that the government may rely on a website’s terms of service to establish that a website user exceeded her authorization to access the site, the district court also held in that case that the CFAA is unconstitutionally vague to the extent that it permits a defendant to be charged with a misdemeanor violation of § 1030(a)(2)(C) based on a conscious violation of a website’s terms of service. 259 F.R.D. 449, 464 (C.D. Cal. 2009) (“[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law ‘that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].’”).
Note that one author argues that the law would be better off if all “unauthorized access” cases were based only on code-based restrictions, arguing that “contract-based” restrictions are harder to define. Orin S. Kerr, “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes,” 78 N.Y.U. L. Rev. 1596 (2003). However, this proposal would essentially read “exceeding authorized access” out of the statute, which the author generally acknowledges. Id.at 1662-63.
Prosecuting Computer Crimes issues are difficult to untangle, but this argument generally arises in one of three contexts: (1) the authorizing party has expressly prohibited the defendant from accessing the computer for the improper purpose; (2) the authorizing party has expressly prohibited the defendant from using the authorizing party’s data for the improper purpose but did not condition the defendant’s computer access on compliance with this prohibition; and (3) the authorizing party did not expressly prohibit the defendant from using its data for the improper purpose, but the defendant was acting against the authorizing party’s interests.
The first category of cases is the least controversial. Because the authorizing party explicitly imposed a purpose-based limitation on the defendant’s computer access, a defendant exceeds authorized access when he accesses the computer for an expressly forbidden purpose.
See, e.g., United States v. John, 597 F.3d 263, 272 (5th Cir. 2010) (“Access to a computer and data that can be obtained from that access may be exceeded if the purposes for which the access has been given are exceeded.”);
Cont’l Group, Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp. 2d 1357, 1372 (S.D. Fla. 2009) (computer access policies stated that computers were provided “for business use” and were “to be used solely for the [authorizing party’s] purposes”); United States v. Salum, 257 Fed.
Appx. 225, 227 (11th Cir. 2007) (officers could access NCIC system only for official business of criminal justice agency);
Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238, 242-43, 248 (S.D.N.Y. 2000), aff’d, 356 F.3d 393 (2d Cir. 2004) (in order to submit query to website, users must agree not to use responsive data for direct marketing activities);
United States v. Czubinski, 106 F.3d 1069, 1071 (1st Cir. 1997) (“[IRS] employees may not use any Service computer system for other than official purposes.”). It may be more difficult to prove that a defendant exceeded authorized access in the second category of cases. In these cases, the authorizing party has expressly prohibited the defendant from using the authorizing party’s data for certain purposes, but it did not condition the defendant’s computer access on compliance with this prohibition. For example, the defendant might have signed a confidentiality agreement in which he agreed not to use the authorizing party’s information for personal gain, but the agreement did not specifically prohibit the defendant from accessing the authorizing party’s computer for that purpose. In essence, the authorizing party has explicitly limited the defendant’s authorization to use information that he might find on the computer, but it has not imposed the same purpose-based limitations on the defendant’s authorization to obtain or alter that information. The CFAA
1. Computer Fraud and Abuse Act provides that a defendant “exceeds authorized access” when he “obtain[s] or alter[s] information in the computer that [he] is not entitled so to obtain or alter,” 18 U.S.C. § 1030(e)(6), but it does not discuss using the information in an unauthorized way. Because of this statutory language, several courts have concluded that defendants did not “exceed authorized access” when they were permitted to obtain certain information from the computers, but then used that information for a specifically forbidden purpose.
See, e.g. Brett Senior & Assocs, P.C. v. Fitzgerald, 2007 WL 2043377, at *4 (E.D. Pa. 2007) (defendant permissibly copied data from computer but then allegedly used data in a way that violated his employment contract); Int’l Ass’n of Machinists and Aerospace
Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 498-99 (D. Md. 2005) (defendant was authorized to access data on proprietary website but then violated agreement not to use the data for certain purposes). However, at least one circuit has upheld an “exceeding authorized access” claim in this context.
See EF Cultural Travel BV v. Explorica, 274 F.3d 577, 582-83 (1st Cir. 2001) (defendant exceeded authorized access by disclosing computer data in violation of confidentiality agreement).
The third and final category of “improper purposes” cases is arguably the most controversial. In these cases, the defendant accessed the computer within the limits of his authorization but used the computer for a purpose that was contrary to the implicit interests or intent of the authorizing party.
The case law is divided on whether these facts are sufficient to establish that the defendant exceeded authorized access. Some courts have concluded that the improper purpose, without more, establishes that the defendant exceeded authorized access.
See, e.g., Motorola, Inc. v. Lemko Corp. 609 F. Supp. 2d 760, 767 (N.D. Ill. 2009) (“Allegations that an employee e-mailed and downloaded confidential information for an improper purpose are sufficient to state a claim that the employee exceeded her authorization.”). These cases typically rely on the reasoning set forth in Citrin, 440 F.3d at 420-21, which is discussed in more detail in the previous subsection.
However, a number of recent civil cases have rejected the idea that users can exceed authorized access within the meaning of section 1030(e)(6) when they access information that they are authorized to access, even if their access is motivated by an implicitly improper purpose.
See, e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1135 n.7 (9th Cir. 2009) (stating in dicta that defendant does not “exceed authorized access” under the CFAA when he
breaches a duty of loyalty to authorizing party); Bell Aerospace Services, Inc. v.
Prosecuting Computer Crimes
U.S. Aero Services, Inc. 690 F. Supp. 2d 1267 (M.D. Ala. 2010); Orbit One Communications, Inc. v. Numerex Corp., 652 F. Supp. 2d 373 (S.D.N.Y. 2010);
National City Bank v. Republic Mortgage Home Loans, 2010 WL 959925 (W.D. Wash. 2010);
RedMedPar, Inc. v. Allparts Medical, LLC, 683 F. Supp. 2d 605
(M.D. Tenn. 2010); U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d 1189, 1192 (D. Kan. 2009) (collecting cases);
Jet One Group, Inc. v. Halcyon Jet Holdings, Inc., 2009 WL 2524864, at *5-6 (E.D.N.Y. 2009);
Brett Senior & Assocs, P.C. v. Fitzgerald, 2007 WL 2043377, at *4 (E.D. Pa. 2007).
B. Obtaining National Security Information:
18 U.S.C. §1030(a)(1)
The infrequently-used section 1030(a)(1) punishes the act of obtaining national security information without or in excess of authorization and then willfully providing or attempting to provide the information to an unauthorized recipient, or willfully retaining the information.
Any steps in investigating or indicting a case under section 1030(a)(1) require the prior approval of the National Security Division of the Department of Justice, through the Counterespionage Section. See USAM 9-90.020. Please contact them at (202) 514-1187.
Title 18, United States Code, Section 1030(a)(1) provides:
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or 1030(a)(1) Summary (Felony)
1. Knowingly access computer without or in excess of authorization
2. Obtain national security information
3. Reason to believe the information could injure the U.S. or benefit a foreign nation, willful communication, delivery, transmission (or attempt) OR willful retention of the information
1. Computer Fraud and Abuse Act to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it . . .shall be punished as provided in subsection (c) of this section.
1. Knowingly Access a Computer Without or In Excess of Authorization
A violation of this section requires proof that the defendant knowingly accessed a computer without authorization or in excess of authorization. This covers both completely unauthorized individuals who intrude into a computer containing national security information as well as insiders with limited privileges who manage to access portions of a computer or computer network to which they have not been granted access. The scope of authorization will depend upon the facts of each case. However, it is worth noting that computers and computer networks containing national security information will normally be classified and incorporate security safeguards and access controls of their own, which should facilitate proving this element.
Please see page 5 for the discussion of access and authorization.
2. Obtain National Security Information.
A violation of this section requires that the information obtained is national security information, meaning information “that has been determined by the United States Government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph 14. of section 11 of the Atomic Energy Act of 1954.” An example of national security information used in section 1030(a)(1) would be classified information obtained from a Department of Defense computer or restricted data obtained from a Department of Energy computer. Prosecuting Computer Crimes.
3. Information Could Injure the United States or Benefit a Foreign Nation. A violation of this section requires proof that the defendant had reason to believe that the national security information so obtained could be used to the injury of the United States or to the advantage of any foreign nation. The fact that the national security information is classified or restricted, along with proof of the defendant’s knowledge of that fact, should be sufficient to establish this element of the offense.
4. Willful Communication, Delivery, Transmission, or Retention A violation of this section requires proof that the defendant willfully communicated, delivered, or transmitted the national security information, attempted to do so, or willfully retained the information instead of delivering it to the intended recipient. This element could be proven through evidence showing that the defendant did any of the following:
(a) communicated, delivered, or transmitted national security information, or caused it to be communicated, delivered, or transmitted, to any person not entitled to receive it; (b) attempted to communicate, deliver, or transmit national security information, or attempted to cause it to be communicated, delivered, or transmitted to any person not entitled to receive it; or (c) willfully retained national security information and failed to deliver it to an officer or employee of the United States who is entitled to receive it in the course of their official duties.
5. Penalties Convictions under this section are felonies punishable by a fine, imprisonment for not more than ten years, or both. 18 U.S.C. §1030(c)(1)(A). A violation that occurs after another conviction under section 1030 is punishable by a fine, imprisonment for not more than twenty years, or both. 18 U.S.C. §1030(c)(1)(B). 6.
Relation to Other Statutes Section 1030(a)(1) was originally enacted in 1984 and was substantially amended in 1996. As originally enacted, section 1030(a)(1) provided that anyone who knowingly accessed a computer without authorization or in excess of authorization and obtained classified information “with the intent or reason to believe that such information so obtained is to be used to the injury of the 1. Computer Fraud and Abuse Act 15 United States, or to the advantage of any foreign nation” was subject to a fine or imprisonment for not more than ten years for a first offense. This scienter element mirrored that of 18 U.S.C. §794(a), the statute that prohibits gathering or delivering defense information to aid a foreign government. Section 794(a), however, provides for life imprisonment, whereas section 1030(a)(1) is only a ten-year felony. Based on that distinction, Congress amended section 1030(a)(1) in 1996 to track more closely the language of 18 U.S.C. §793(e), which also provides a maximum penalty of ten years imprisonment for obtaining from any source certain information connected with the national defense and thereafter communicating or attempting to communicate it in an unauthorized manner.
Violations of this subsection are charged quite rarely. The reason for this lack of prosecution may well be the close similarities between sections1030(a)(1) and 793(e). In situations where both statutes are applicable, prosecutors may tend towards using section 793(e), for which guidance and precedent are more prevalent.
Although sections 793(e) and 1030(a)(1) overlap, the two statutes do not reach exactly the same conduct. Section 1030(a)(1) requires proof that the individual knowingly accessed a computer without or in excess of authority and thereby obtained national security information, and subsequently performed some unauthorized communication or other improper act with that data. In this way, it focuses not only on the possession of, control over, or subsequent transmission of the information (as section 793(e) does), but also focuses on the improper use of a computer to obtain the information itself. Existing espionage laws such as section 793(e) provide solid grounds for the prosecution of individuals who attempt to peddle governmental secrets to foreign governments. However, when a person, without authorization or in excess of authorized access, deliberately accesses a computer, obtains national security information, and seeks to transmit or communicate that information to any prohibited person, prosecutors should consider charging a violation section 1030(a)(1) in addition to considering charging a violation of section 793(e).
One other issue to note is that section 808 of the USA PATRIOT Act added section 1030(a)(1) to the list of crimes in that are considered “Federal Crime[s] of Terrorism” under 18 U.S.C. §2332b(g)(5)(B). This addition affects prosecutions under section 1030(a)(1) in three ways. First, because offenses listed under section 2332b(g)(5)(B) are now incorporated into 18 16
Prosecuting Computer Crimes: U.S.C. §3286, the statute of limitation for subsection (a)(1) is extended to eight years and is eliminated for offenses that result in, or create a foreseeable risk of, death or serious bodily injury to another person. Second, the term of supervised release after imprisonment for any offense listed under section 2332b(g)(5)(B) that results in, or creates a foreseeable risk of, death or serious bodily injury to another person, can be any term of years or life. 18 U.S.C. §3583. Formerly, the maximum term of supervised release for any violation of section 1030 was five years. Third, the USA PATRIOT Act added the offenses listed in section 2332b(g)(5)(B) to 18 U.S.C. §1961(1), making them predicate offenses for prosecutions under the Racketeer Influenced and Corrupt Organizations (RICO) statute. As a result, any “RICO enterprise” (which may include terrorist groups) that violates section 1030(a)(1) (or section 1030(a)(5)(A)) can now be prosecuted under the RICO statute.
C. Accessing a Computer and Obtaining Information: 18 U.S.C. §1030(a)(2)
The distinct but overlapping crimes established by the three subsections of section 1030(a)(2) punish the unauthorized access of different types of information and computers. Violations of this section are misdemeanors unless aggravating factors exist. Title 18, United States Code, Section 1030(a)(2) provides:
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of 1030(a)(2) Summary (Misd.)
1. Intentionally access a computer
2. Without or in excess of authorization
3. Obtain information
4. From financial records of financial institution or consumer reporting agency OR the U.S. government OR a protected computer (Felony)
5. Committed for commercial advantage or private financial gain OR committed in furtherance of any criminal or tortious act OR the value of the information obtained exceeds $5,000
The Computer Fraud and Abuse Act, also known as the CFAA, is the federal anti-hacking statute that prohibits unauthorized access to computers and networks.
In 1984, the world was just emerging from its digital Dark Age. CompuServe, the world’s first commercial email provider, was still trying to interest users in its fledgling service, and computer viruses and worms were still largely the stuff of engineering-school pranks. But even through the foggy haze of the internet’s early days, lawmakers saw clearly the importance that computers and computer crime would have on society. That’s when Congress enacted the Computer Fraud and Abuse Act, also known as the CFAA. The federal anti-hacking statute prohibits unauthorized access to computers and networks and was enacted to expand existing criminal laws to address a growing concern about computer crimes. But lawmakers wrote the law so poorly that creative prosecutors have been abusing it ever since.
The law, which went into effect in 1986, was passed just in time to be used to convict Robert Morris, Jr., the son of an NSA computer security worker, who unleashed the world’s first computer worm in 1988. Since then, it has been wielded thousands of times to convict high-profile hackers and low-level criminals alike. But as computer crimes have expanded and increased, so have prosecutors’ use and interpretation of the law, stretching it far beyond what it was originally intended to cover. And in 1994 the law moved beyond criminal matters with an amendment that allowed civil actions to be brought under the statute as well. This opened the way for corporations to bring lawsuits for unauthorized access against workers who steal company secrets.
Calls for reform
There have been many calls over the years to reform the CFAA, due to the overzealous nature of prosecutors who have used it—some would say abused it—to charge conduct that critics say does not constitute a true computer crime.
One case in particular was the prosecution of Lori Drew, a then-49-year-old mother who was charged in 2008 for using a fake MySpace profile to cyberbully a teenage girl. Drew was charged with conspiring with her daughter and her daughter’s friend to create the fake MySpace page of a boy in order to draw 13-year-old Megan Meier into an online friendship with the nonexistent boy, then humiliate her. Meier committed suicide, resulting in a public outcry to punish Drew for cyberbullying. But because there was no federal statute against cyberbullying at the time, federal prosecutors adopted a novel interpretation of the CFAA. They charged Drew with “unauthorized access” to MySpace’s computers for creating a fake MySpace account in violation of the web site’s terms of service. The web site’s user agreement required registrants to provide factual information about themselves when opening an account and to refrain from using information obtained from MySpace services to harass other people.
The prosecution turned what would normally have been a civil matter—breaching a contract—into a criminal matter. The case, if successful, would have potentially made a felon out of anyone who violated the terms of service of any website. Fortunately, although a jury convicted Drew (on lesser misdemeanor charges), the judge overturned the conviction on grounds that the government’s interpretation of the CFAA was “constitutionally vague” and overreached the bounds of the law.
Another case involving misuse of the statute also occurred in 2008 when three MIT students were barred from giving a presentation at the Def Con hacker conference. The students had found flaws in the electronic ticketing system used by the Massachusetts Bay Transportation Authority that would have allowed anyone to obtain free rides. The MBTA sought and obtained a temporary restraining order to bar the students from speaking about the flaws. In granting the temporary gag order, the judge invoked the CFAA, saying that information the students planned to present would provide others with the means to hack the system. The judge’s words implied that simply talking about hacking was the same as actual hacking. The ruling was publicly criticized, however, as an unconstitutional prior restraint of speech, and when the MBTA subsequently sought a court order to make the restraining order permanent, another judge rejected the request, ruling in part that the CFAA does not apply to speech and therefore had no relevance to the case.
A high-profile suicide
The most concerted effort to revise the CFAA came after a U.S. attorney used it to launch a heavy-handed prosecution against internet activist Aaron Swartz for what many considered a minor infraction. Swartz, who helped develop the RSS standard and was a cofounder of the advocacy group Demand Progress, was indicted after he gained entry to a closet at MIT and allegedly connected a laptop to the university’s network to download millions of academic papers that were distributed by the JSTOR subscription service. Swartz was accused of repeatedly spoofing the MAC address of his computer to bypass a block MIT had placed on the address he used. Although JSTOR did not pursue a complaint, the Justice Department pushed forward with prosecuting Swartz. U.S. Attorney Carmen Ortiz insisted that “stealing is stealing” and that authorities were just upholding the law.
Swartz, in despair over his pending trial and the prospect of a felony conviction, committed suicide in 2013. In response to the tragedy, two lawmakers proposed a long-overdue amendment to the law that would help prevent prosecutors from overreaching in their use of it. The amendment, referred to as Aaron’s Law, was introduced months after Swartz’s death by Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Oregon). The amendment would exclude breaches of terms of service and user agreements from the law and also narrow the definition of unauthorized access to make a clear distinction between criminal hacking activity and simple acts that exceed authorized access on a minor level. Instead, the amendment proposes to define unauthorized access as “circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering” information on a protected computer. The amendment also would make it clear that the act of circumvention would not include a user simply changing his MAC or IP address to gain access to a system.
“Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other Internet users from outsized liability for everyday activity,” Lofgren wrote on Reddit when she announced the changes. The amendment, however, has withered in Congress and has so far failed to gather the support it needs to get passed.
“This reform only captured the attention of a small group of people. It’s not an issue that resonates with the public—at least yet,” Orin Kerr, professor of law at George Washington University Law School, told Forbes recently.
Some have attributed the amendment’s failure to lobbying on the part of corporations who use it to bring civil suits for theft of corporate secrets and don’t want to see it changed. Others say the problem is its association with Swartz, a figure some members of Congress don’t find sympathetic. Regardless, many say that reform of the CFAA is inevitable; it’s just a question of which case will finally force it to occur.
By Kim Zetter
U.S. Code › Title 18 › Part I › Chapter 47 › § 1030
18 U.S. Code § 1030 – Fraud and related activity in connection with computers
Current through Pub. L. 114-38. (See Public Laws for the current Congress.)
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n)  of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States; 
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any—
(A) threat to cause damage to a protected computer;
(B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(C) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
shall be punished as provided in subsection (c) of this section.
(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if—
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000; and
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(A) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 5 years, or both, in the case of—
(i) an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety;
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security; or
(VI) damage affecting 10 or more protected computers during any 1-year period; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subclauses (I) through (VI) of subparagraph (A)(i); or
(ii) an attempt to commit an offense punishable under this subparagraph;
(C) except as provided in subparagraphs (E) and (F), a fine under this title, imprisonment for not more than 20 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subparagraphs (A) or (B) of subsection (a)(5) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(D) a fine under this title, imprisonment for not more than 10 years, or both, in the case of—
(i) an offense or an attempt to commit an offense under subsection (a)(5)(C) that occurs after a conviction for another offense under this section; or
(ii) an attempt to commit an offense punishable under this subparagraph;
(E) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for not more than 20 years, or both;
(F) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title, imprisonment for any term of years or for life, or both; or
(G) a fine under this title, imprisonment for not more than 1 year, or both, for—
(i) any other offense under subsection (a)(5); or
(ii) an attempt to commit an offense punishable under this subparagraph.
(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.
(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section—
(1) the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
(3) the term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
(4) the term “financial institution” means—
(A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) 1 of the Federal Reserve Act;
(5) the term “financial record” means information derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution;
(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
(7) the term “department of the United States” means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5;
(8) the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;
(9) the term “government entity” includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;
(10) the term “conviction” shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(12) the term “person” means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses  (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).
(1) The court, in imposing sentence on any person convicted of a violation of this section, or convicted of conspiracy to violate this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States—
(A) such person’s interest in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and
(B) any property, real or personal, constituting or derived from, any proceeds that such person obtained, directly or indirectly, as a result of such violation.
(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.
(j) For purposes of subsection (i), the following shall be subject to forfeiture to the United States and no property right shall exist in them:
(1) Any personal property used or intended to be used to commit or to facilitate the commission of any violation of this section, or a conspiracy to violate this section.
(2) Any property, real or personal, which constitutes or is derived from proceeds traceable to any violation of this section, or a conspiracy to violate this section 
(Added Pub. L. 98–473, title II, § 2102(a), Oct. 12, 1984, 98 Stat. 2190; amended Pub. L. 99–474, § 2, Oct. 16, 1986, 100 Stat. 1213; Pub. L. 100–690, title VII, § 7065, Nov. 18, 1988, 102 Stat. 4404; Pub. L. 101–73, title IX, § 962(a)(5), Aug. 9, 1989, 103 Stat. 502; Pub. L. 101–647, title XII, § 1205(e), title XXV, § 2597(j), title XXXV, § 3533, Nov. 29, 1990, 104 Stat. 4831, 4910, 4925; Pub. L. 103–322, title XXIX, § 290001(b)–(f), Sept. 13, 1994, 108 Stat. 2097–2099; Pub. L. 104–294, title II, § 201, title VI, § 604(b)(36), Oct. 11, 1996, 110 Stat. 3491, 3508; Pub. L. 107–56, title V, § 506(a), title VIII, § 814(a)–(e), Oct. 26, 2001, 115 Stat. 366, 382–384; Pub. L. 107–273, div. B, title IV, §§ 4002(b)(1), (12), 4005(a)(3), (d)(3), Nov. 2, 2002, 116 Stat. 1807, 1808, 1812, 1813; Pub. L. 107–296, title II, § 225(g), Nov. 25, 2002, 116 Stat. 2158; Pub. L. 110–326, title II, §§ 203, 204(a), 205–208, Sept. 26, 2008, 122 Stat. 3561, 3563.)
 See References in Text note below.
 So in original. The period probably should be a semicolon.
 So in original. Probably should be followed by “or”.
 So in original. The comma probably should not appear.
 So in original. Probably should be “subclause”.
 So in original. Probably should be followed by a period.
Provided below are example cases of federal prosecutions including CFAA violations charges. The case entries include links to additional materials from the case and resources related to the case. Also, the Department of Justice has published its own manual on “Prosecuting Computer Crimes” that is available online here.
U.S. v. Andrew Auernheimer, No. 13-1816 (3rd Cir. Apr. 11, 2014)
When Apple released the iPad, customers were required to purchase a contract with AT&T and register their accounts on a website controlled by AT&T using their email addresses. When testing AT&T’s security system, Andrew “Weev” Auernheimer discovered a flaw. He was able to gather the email addresses of their customers. When Weev notified AT&T that these personal emails were accessible and that AT&T customers were vulnerable, AT&T took no action. In response, he alerted the press to the security flaw and publicized some of the email addresses in redacted form. He did not possess, nor had access to, any other personally identifiable information or passwords of the customers.
AT&T responded by alerting the federal government, who then prosecuted Weev for violating the Computer Fraud & Abuse Act (CFAA). In order to enhance the potential punishment from a misdemeanor to a felony, the government claimed that the CFAA violation occurred in furtherance of a violation of New Jersey’s computer crime statute, even though no conduct occurred in New Jersey. This is known as “stacking” offenses, when the federal government reaches to a state statute to ramp up the charges, even though the state and federal statute cover the same conduct.
After a jury trial, Weev was convicted and sentenced to 41 months in federal prison and to pay $73,000 in restitution. NACDL filed an amicus brief in support of his appeal to the Third Circuit, urging the court to take a narrow approach to the CFAA and limit the prosecutorial power of the government, which is available here. Holding that venue was not proper in the District of New Jersey, the Third Circuit vacated Weev’s conviction (opinion).
U.S. v. Matthew Keys, No. 2:13-cr-00082 (E.D. Cal. 2013)
On March 14, 2013, Matthew Keys, a former Reuters Social Media Editor, was indicted on multiple counts of CFAA violations for allegedly providing hackers with usernames and passwords for Tribune Company websites in late 2010 after he was fired from his job at a Tribune-owned company. The government alleges this conduct was part of a conspiracy to make unauthorized changes to Tribune websites and to damage Tribune computers. The indictment charges three criminal violations of the CFAA, including conspiracy to cause damage to a protected computer, transmission of a malicious code and attempted transmission of a malicious code. These charges carry up to 25 years in prison and a fine up to $750,000. Keys rejected a plea deal and went to trial. After an 8-day jury trial, Keys was found guilty of three counts of violating the CFAA. On April 13, 2016, he was sentenced to 24 months of imprisonment, 24 months of supervised release, and restitution in the amount of $249,956. His appeal is currently pending before the Ninth Circuit.
U.S. v. Aaron Swartz, Crim. No. 1:11-cr-10260 (D. Mass. 2012)
Aaron Swartz, a computer programmer, entrepreneur and activist, was federally indicted on multiple counts of wire fraud and CFAA violations, including unlawfully obtaining information from a protected computer and recklessly damaging a protected computer. The charges stemmed from Swartz’ alleged effort to download approximately 4.8 million articles from JSTOR, which is a not-for-profit digital library, using the MIT network. Anyone on the MIT campus could access MIT’s computer network and, as a result, JSTOR, but JSTOR’s terms of service limited the amount of articles that could be downloaded at a time. Swartz wrote a script that instructed his computer to download JSTOR articles continuously and, when this violation was detected and requests from his computer were denied, Swartz spoofed his computer’s address to trick the JSTOR servers.
Swartz was first indicted in November 2011, but federal prosecutors filed a superseding indictment in September 2012 that added nine more felony counts, increasing Swartz’s maximum criminal exposure to 50 years of imprisonment and $1 million in criminal fines. According to Swartz’s attorney Elliot Peters, the prosecutors offered Swartz a plea deal in which he would pled guilty to 13 felonies in exchange for a four or six month sentence. The prosecutors also stated that they would seek a seven year sentence should Swartz exercise his constitutional right to a trial. The government took this hard-line position despite the fact that the “victims” MIT and JSTOR declined to pursue civil litigation. In fact, JSTOR actually informed the prosecutors that it did not want to press charges. Tragically, under the weight of the prosecution and potential prison sentence, Swartz committed suicide on January 11, 2013. After his death, the federal prosecutors dropped the charges.
For analysis of the Swartz prosecution, see Professor Orin Kerr’s two-part session here and here, posts from the Electronic Frontier Foundation here and here, and a two-part post from Jennifer Granick at the Center for Democracy and Technology here and here.
U.S. v. Sergey Aleynikov, No. 11-1126 (2d Cir. Apr. 11, 2012)
A computer programmer, Aleynikov allegedly stole proprietary computer source from his former employer (Goldman Sachs) and transferred it to his new employer. He was charged with violating the Economic Espionage Act (EEA), the National Stolen Property Act (NSPA), and the CFAA. Prior to trial, the U.S. District Court dismissed Count Three, the CFAA charge, on the ground that Aleynikov was authorized to access the Goldman computer and did not exceed the scope of authorization. Specifically, the court ruled that authorized use of a computer in a manner that misappropriates information is not an offense under the CFAA. A jury then convicted Aleynikov on the remaining counts and he appealed.
The Second Circuit reversed Aleynikov’s conviction on both counts (opinion). On count one, the court held that the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA. The court similarly reasoned that the theft of source code relating to the high frequency trading system is not an offense under the EEA. Shortly after the Second Circuit vacated Aleynikov’s conviction, the Manhattan District Attorney’s Office initiated a prosecution against him based on state criminal law.
U.S. v. David Nosal, No. 10-10038 (9th Cir. Apr. 10, 2012)
The prosecution of David Nosal revolved around his enlistment of former colleagues to use their log-in credentials to download certain information from company computers in order to assist him in starting a new, competing business. These colleagues were authorized to access this information, but disclosing it violated company policy. The government charged Nosal with twenty counts, including trade secret theft, mail fraud, conspiracy, and violations of the CFAA. Following a motion to dismiss, the U.S. District Court dismissed the CFAA counts on the ground that the definition of “exceeds authorized access” does not incorporate corporate policies governing use of information. The government appealed and the Ninth Circuit agreed (opinion).
The Ninth Circuit reasoned that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. The court cited the rule of lenity, as well as basic common sense, for reaching this conclusion. Specifically, the court reasoned that a narrower interpretation is appropriate since the CFAA is an anti-hacking statute and Congress dealt with misappropriation of trade secrets in another part of the federal code. As the colleagues had permission to access the company databases and obtain the information, their conduct could not be “without authorization” nor could it “exceed authorized access.” The Ninth Circuit affirmed the dismissal of the CFAA counts and the government proceeded to prosecute and convict Nosal on the remaining counts.
U.S. v. Elaine Cioni, No. 09-4321 (4th Cir. Apr. 20, 2011)
The Cioni case involved a federal criminal statute that has two overlapping misdemeanor criminal offenses that prohibit hacking into email accounts. Ordinarily, first offenses under the Computer Fraud and Abuse Act and the Stored Communications Act are misdemeanors, unless committed, among other things, in furtherance of another crime. In Cioni, the government attempted stacking the misdemeanors to obtain a felony conviction. Cioni was convicted of multiple counts and appealed her conviction to the Fourth Circuit.
In an amicus brief, NACDL argued that Cioni’s CFAA offense, unauthorized access to stored email, was not committed “in furtherance of” an SCA violation, because both convictions were based on the same conduct. The government’s attempt to count the same conduct as both an underlying misdemeanor and as the basis for a felony conviction violates the Double Jeopardy Clause. The Fourth Circuit agreed (opinion), holding that the CFAA charges had been improperly elevated to felony offenses and sent the case back to the district court to reduce the convictions to misdemeanors.
U.S. v. Lori Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009)
The prosecution of Lori Drew, sometimes referred to as the “MySpace Suicide Case,” took place following the tragic suicide of a 13-year old girl. Drew and others set-up a fictitious account on the social media website MySpace in order to target this girl. Such conducted violated the MySpace terms of service and, when the conduct ultimately resulted in the girl’s suicide, federal prosecutors responded by charging Drew with multiple violations of the CFAA and conspiracy. Following a jury trial, Drew was acquitted of all counts but for one misdemeanor violation of the CFAA.
The U.S. District Court set aside the jury’s guilty verdict in an opinion rejecting the government’s position that violating a website’s terms of service can constitution a federal offense. The judge reasoned that reading the statute in such a manner would deprive individuals of actual notice and be an overwhelmingly overbroad enactment that converts a multitude of otherwise innocent internet users into federal criminals.
JULY 12TH: Internet-wide day of action to save Net Neutrality.
The FCC wants to destroy net neutrality and give big cable companies control over what we see and do online. If they get their way, they’ll allow widespread throttling, blocking, censorship, and extra fees. On July 12th, the Internet will come together to stop them.
Net neutrality is the basic principle that protects our free speech on the Internet.
“Title II” of the Communications Act is what provides the legal foundation for net neutrality and prevents Internet Service Providers like Comcast, Verizon, and AT&T from slowing down and blocking websites, or charging apps and sites extra fees to reach an audience (which they then pass along to consumers.)
Greetings, Citizens of the World, We are Anonymous.
On July 12th, 2017, internet users worldwide will gather in the streets to protest draconian cyber monitoring and control. Since as early as 2014 the issue of Net Neutrality became a major issue in public and political debates worldwide. HBO political talk-show host, John Oliver has brought this issue to the forefront of the minds of activists and in doing so has given the cause a voice we can not allow to be silenced.
Over-reaching political leaders and their allies in classified international agencies are moving faster than ever in the history of cyber dictatorship, to censor and manipulate the usage and access granted to any user on the internet. They do this not only for themselves but for the financial gain of their supporting industries. Data brokering and Federal Surveillance are but two of many terrifyingly specific methods of manipulating the content citizens of the world are allowed to access and edit. This level of observation and control is unprecedented and is a complete affront to freedom and guidelines set forth in the Universal Declaration of Human Rights.
When our Internet Service Providers have a monopoly on our access to unbiased and uncensored information and their motivation becomes financial, free and open information becomes a casuality. The ability to choose which services and sources you wish to employ becomes a thing of the past. As a result, a dystopian state in which governments and corporations control what you think, do and buy is rapidly becoming the future.
At the of the time of this video’s release there are confirmed acts of civil disobedience planned in many major cities across the United States. There are boots coordinating on the ground in Ottawa and London, ready to mobilize and fight for your rights as free people. This is not enough. Any individual, regardless of nationality, regardless of internet usage who accesses the internet for any purpose needs to educate themselves on what we as citizens stand to lose when net neutrality is in jeopardy.
We are calling on activists and citizens of the world alike in every city of every nation to step up and rally together in the face of surveillence and censorship of the one free and open resource to information we have. Inform your friends, your family, your coworkers.
There is no act of defiance too small or too risky.
The free internet must be defended at all costs. Information needs to be free and accessible to all, not dictated by the whim of cable company lobbyists or controlled by petty financial desires.
Join Anonymous on July 12th around the world to protest the censoring of the internet by the acts of net neutrality and government surveillance. Fill the streets with your presence and drown the FCC comment board with your voice. Write letters and make phone calls to politicians. Tell then why they must change course, and do so with passion.
We are Anonymous.
We are legion.
We do not forgive.
We do not forget.
Collaborate and register your protest – This is a battle for the future of the internet
Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a ruling that threatens to transform a law against computer break-ins into a mechanism for criminalizing password sharing and policing Internet use.
In an amicus brief filed with today, EFF urged the court to weigh in on a case in which an individual was charged with violating the Computer Fraud and Abuse Act (CFAA), a law intended to criminalize breaking into computers to access or alter data. Under the CFAA, it’s illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization. But the law doesn’t tell us what “without authorization” means.
Some courts have recognized that the CFAA must be interpreted narrowly to stay true to Congress’s intent of targeting crooks breaking into and stealing data from computers. These courts agreed that the CFAA mustn’t be used against, say, employees checking sports scores at work in violation of rules restricting Internet use at work to company business, or against people who shared their Facebook passwords, in violation of Facebook’s terms of service rules.
But other courts—including the U.S. Court of Appeals for the Ninth Circuit in its 2016 U.S. v. Nosal decision—have broadly interpreted the statute to cover using a computer in a way that violates corporate policies, preferences, and expectations. In the case, David Nosal, an ex-employee of the Korn/Ferry executive recruiting firm, was charged with violating the CFAA after other ex-employees acting on his behalf accessed Korn/Ferry’s proprietary database using legitimate credentials of a current company employee. The current employee knew of and authorized the use of her credentials, which was against Korn/Ferry’s computer policies. The Ninth Circuit found that in using the shared password, Nosal accessed the database “without authorization.” The court said that implicit in the definition of “authorization” is the proposition that authorization can come only from a computer owner—here, Korn/Ferry—not an employee with legitimate access credentials.
There is nothing in the CFAA, or even in the dictionary, that defines “authorization” to mean only permission from a computer owner. The Ninth Circuit imported a corporate ban on password sharing into its definition of “without authorization.”
“This ruling threatens to turn millions of ordinary computer users into criminals,” said EFF Staff Attorney Jamie Williams. “Innocuous conduct such as logging into a friend’s social media account or logging into a spouse’s bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a CFAA prosecution. This takes the CFAA far beyond the law’s original purpose of putting individuals who break into computers behind bars.”
“EFF has long advocated for reforming the CFAA, which overzealous prosecutors have exploited in troubling ways,” said Williams. “The Supreme Court can do its part by reviewing the Ninth Circuit’s troubling decision and giving “authorization” an appropriately narrow definition, specifically clarifying that password sharing is not—and was never intended to be—a crime.”
For EFF’s brief:
For more on this case:
Jamie Lee Williams
United States v. David Nosal
Terms Of (Ab)Use
Computer Fraud And Abuse Act Reform
After the tragic death of programmer and Internet activist Aaron Swartz, EFF calls to reform the infamously problematic Computer Fraud and Abuse Act (CFAA). In June 2013, Aaron’s Law, a bipartisan bill to make common sense changes to the CFAA was introduced by Reps. Lofgren and Sensenbrenner. You can help right now by emailing your Senator and Representative to reform the draconian computer crime law. The CFAA is the federal anti-hacking law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what “without authorization” actually means. The statute does attempt to define “exceeds authorized access,” but the meaning of that phrase has been subject to considerable dispute. While the CFAA is primarily a criminal law intended to reduce the instances of malicious hacking, a 1994 amendment to the bill allows for civil actions to be brought under the statute.
Fix computer crime law.
Creative prosecutors have taken advantage of this confusion to bring criminal charges that aren’t really about hacking a computer, but instead target other behavior prosecutors dislike. For example, in cases like United States v. Drew and United States v. Nosal the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation. This shouldn’t be the case. Compounding this problem is the CFAA’s disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient “authorization” can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government’s case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were “unauthorized” access claims. EFF is championing reforms to the CFAA. These suggestions expand on Zoe Lofgren’s terrific draft bill known as Aaron’s Law. We will expand on this and address other flaws of the CFAA, as well.
Part 1: No Prison Time For Violating Terms of Service
Part 2: Protect Tinkerers, Security Researchers, Innovators, and Privacy Seekers
Part 3: The Punishment Should Fit the Crime
Specific Reasons to Improve the CFAA
The CFAA Hampers Security Research
The CFAA Stifles Innovation
The CFAA Must Allow for Anonymity and Privacy
Initial Suggestions for improving Aaron’s Law
Introduction Blog Post
Additional Suggestions for improving the Penalty Scheme
Introduction Blog Post
Explanation of Proposal
Chart of Penalties Reform After Proposed Language
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, was originally enacted in 1984 as a criminal statute to deter hackers and protect data on federal computers. Over time, the scope of the CFAA evolved to include a private right of action for any person who suffers damage or loss because of a violation of the CFAA. Not surprisingly, employers have increasingly taken advantage of the CFAA’s civil remedies to obtain both injunctive and monetary relief against employees, making the federal statute a potent weapon against employees, especially in the context of noncompete and trade secrets litigation. This article examines the CFAA and suggests strategies that an employee can consider when fighting against a CFAA lawsuit.
Elements of a CFAA Claim
To establish a civil action against an employee under the CFAA, an employer must prove that the employee: (1) “knowingly and with the intent to defraud,” (2) accessed a “protected computer,” (3) “without authorization,” and as a result (4) caused a damage or loss of at least $5,000.1 This analysis focuses primarily on the last two elements and the extent to which a former employee has damaged or compromised the integrity of the employer’s computer system.
An employer does not have a cause of action under the CFAA if the alleged misconduct does not involve conduct prohibited by the act. Violations include but are not limited to:
1. damage to a protected computer that results in a loss of at least $5,000;
2. the impairment of a medical examination, diagnosis, treatment or care of an individual;
3. physical injury to a person; and
4. threats to public health or safety.
A. What Is a “Protected Computer” Under the CFAA?
A “protected computer” is defined broadly to include any computer that is “used in interstate or foreign commerce or communication.”2 This includes any computer connected to the internet.3
B. Did the Employee Have Authorization to Access the Protected Computer?
The key element to any CFAA claim is the employee’s unauthorized access to the employer’s computer system. Accordingly, an employer does not have a cause of action under the CFAA if access to the part of the employer’s computer system that the employee allegedly accessed was never revoked.4
The line blurs, however, when an employee planning to leave her job and while still employed and still authorized to use her employer’s computer system, uses that system for purposes adverse to the employer’s interest, for example, if the employee gathers and disseminates information for competitive purposes. Some courts have addressed this issue by treating such conduct as “exceeding authorized access,” while others have ruled that an employee’s authorization to access ends the moment he or she acts contrary to the employer’s interest, thereby rendering the conduct as one “without authorization.”5 Still others have determined that such conduct is outside the scope of the act.6 A review of recent case law reveals the various conclusions that courts have reached in analyzing this particular element of the CFAA.
In International Airport Centers, LLC v. Citrin, the Seventh Circuit ruled in favor of a real estate agency on its claims for violations of the CFAA.7 In Citrin, the employee deleted files from his company-issued laptop and installed a secure-erasure program making it impossible for the agency to recover any of the deleted information.8 According to the employee, there was no basis for the CFAA claim because he was “authorized” to access his computer at the time he deleted the files.9 The Seventh Circuit rejected this argument, finding that “[an employee’s] breach of his duty of loyalty [in deleting relevant files] terminate[s] his agency relationship. . .and with it his authority to access the [company] laptop.”10 The Seventh Circuit concluded that an employee’s authorized access terminates when the employee’s mental state changes from loyal employee to disloyal competitor and the employee accesses his employer’s computer for an unauthorized purpose, i.e., to defraud or cause harm to the former employer.11
Other courts, however, have considered and emphatically rejected the agency law notion of authorization applied in Citrin. For example, in International Ass’n of Machinists & Aerospace Workers v. Werner-Masuda,12 the court held that the employer could not state a claim for relief under the CFAA because “[the employee’s] access had not been revoked.”13 According to the Werner-Masuda court, Congress intended for the statute to apply to outside computer hackers and not to disloyal employees who access their employer’s computer system on behalf of the employer’s competitor.14 Further, the court concluded that the CFAA expressly prohibits “unauthorized access” and not “unauthorized disclosure” of information.15 A Texas court reached a similar result in Bridal Expo Inc. v. Van Florestein16 when it concluded that defendants, former employees of the bridal exposition company Bridal Expo, did not copy information from the company’s computers “without authorization” even though one of the former employees admitted to downloading Bridal Expo’s database and later, used the downloaded information for improper purposes.17 According to the court, “if Congress wanted to reach all wrong doers who access information that they will use to the detriment of their employers, it could have omitted the limiting words on authorization altogether.”18 Thus, finding that the former employees had signed no confidentiality agreement with Bridal Expo or any other
agreement restricting their access to the files they had been working with at their jobs at Bridal Expo, the court denied the CFAA claim.19
In the most recent case to tackle this issue, LVRC Holdings LLC v. Brekka,20 the Ninth Circuit also rejected the agency law notion of authorization applied in Citrin. In Brekka, the Ninth Circuit held that a marketing consultant did not violate the CFAA because he did not access the employer’s computer “without authorization” when he allegedly e-mailed his employer’s documents to himself and to his wife to further his own competing business.21 In reaching its decision, the Ninth Circuit concluded that “[n]o language in the CFAA supports the argument that authorization to use a computer ceases when an employee resolves to use the computer contrary to the employer’s interest.”22 Instead, “[an employee] uses a computer ‘without authorization’ when the person has not received permission to use the computer for any purpose . . . or when the employer has rescinded permission to access the computer and the [employee] uses the computer anyway.”23 The Brekka court also held an employee remains authorized to use the protected computer even when an agreement subjects the employee’s access to certain limitations and the employee violates these limitations.
While many courts have sided with the Werner-Masuda court, the scope of the term “authorization” remains unresolved.25 Even so, courts are more likely to dismiss a CFAA claim where an employee’s counsel can prove that the alleged “access” was harmless, was not for an improper purpose, or that the employee accessed the former employer’s computer system for legitimate, work-related reasons.26 Moreover, a court is less likely to consider a CFAA claim against an employee where the employee’s unauthorized conduct did not produce “anything of value.”27
C. What Constitutes Loss or Damage for a Viable CFAA Claim?
To be actionable, a CFAA claim must also allege that the employee’s wrongful conduct resulted in a $5,000 damage or loss to the employer. Failure of proof on this element is “fatal” to a CFAA cause of action. 28 Thus, employees should always try to challenge an employer’s complaint by arguing that his or her conduct did not result in a “loss” to the employer.
1. “Loss” Under the CFAA.
In determining what constitutes a “loss” under the CFAA, courts have consistently interpreted “loss” to mean expenses related to restoring computer data, fixing actual damages to a computer system and modifying a computer system to preclude further data transfer.29 Courts disagree, however, on whether consequential damages, such as loss in the value of trade secrets or competitive advantage constitute a “loss” under the CFAA.30
In Civic Center Motors Ltd. v. Mason Street Import Cars Ltd.,31 for example, a New York court held that lost profits and wasted investments are not compensable losses under the CFAA.32 In Civic Center, a car dealership brought a CFAA claim against its competitor, seeking compensation for their “now wasted investment” in a customer database and lost profits resulting from its competitor’s unfair competitive edge.33 The court refused to recognize Civic Center’s claims, concluding that “losses under the CFAA are compensable only when they are the result from damage to, or inoperability of, the accessed computer system.”34 Finding that the former employees’ access to the dealership’s web-based database did not affect the integrity of the database’s information, the court dismissed the CFAA claim.35
The court in Nexans Wires S.A. v. Sark-USA Inc.,36 reiterated the court’s position in Civic Center when it rejected an employer’s CFAA claim seeking reimbursement for the cost of flying two executives from Germany to New York to meet and discuss the consequences of their competitor’s gain in competitive edge from their use of unlawfully gained information.37 In reaching its decision, the court pointed to the fact that the executives’ trip and subsequent meetings were unrelated to “investigating or remedying damage to a computer,” and therefore, fell outside the definition of a recoverable “loss” under the statute.38 According to the court, “[g]eneral non-computer costs incurred in investigating the violation [are] too far outside of the scope of the [CFAA].”39 Other courts, however, have taken a broader view, suggesting that items such as misappropriated property, loss of goodwill, and investigative costs can be used to establish the “loss” requirement of a civil CFAA action.40
In EF Cultural Travel BV v. Explorica Inc.,41 for example, the First Circuit held that the CFAA covered more than the losses directly attributed to the actual physical damage of a computer’s hard drive.42 Here, a tour company sued its competitor under the CFAA for allegedly using a “scraper” software program to glean prices from its website.43 The company claimed that it sustained a compensable loss because it had to pay consultants to assess the effect of Explorica’s interference with its website.44 In response, Explorica argued that it could not be liable under the CFAA because “their actions neither caused any physical damage nor placed any stress on EF’s website.”45The court rejected Explorica’s arguments, holding that “a general understanding of the word ‘loss’ would fairly encompass a loss of business, goodwill, and the cost of diagnostic measures” that a company takes to
access the damage to its computer system.46 According to the court, any losses stemming from an employee’s unauthorized conduct are recoverable, so long as it results in a loss of at least $5,000.47
2. “Damage” Under the CFAA.
Under the statute, “damage” includes any “impairment to the integrity or availability of data, a program, a system or information.”48 Some courts have ruled that the misappropriation of trade secrets does not constitute damages under the CFAA.49 Others have ruled that the “damage” requirement can be satisfied when the misappropriation is coupled with other harm.50 Finally, there is authority that establishes the proposition that the misappropriation of trade secrets or confidential information alone is sufficient to establish the $5,000 jurisdictional threshold.
In Shurgard Storage Centers Inc. v. Safeguard Self-Storage Inc.,52 for example, the court held that even though the plaintiff’s data was not physically erased or changed, the misappropriation of the trade secrets constituted an impairment to the integrity of the data in question and thus, fell within the definition of damage.53 The majority of courts, however, have held that the misappropriation of trade secrets does not constitute damages under the CFAA.54 According to one court, the absence of evidence that a computer network was damaged in any quantifiable amount by the alleged unauthorized access of the network precludes recovery under the CFAA.55 Under this standard, a court likely will grant a motion to dismiss in a CFAA case where there is evidence that the misappropriated data remains intact on the employer’s computer or the employer fails to plead impairment to the integrity or availability of data, a program, a system, or information.56 Indeed, more courts are requiring employers to show computer related losses, impairment of the original data, or a complete lack of permitted access.57
The lesson to be gleaned from these cases is that each case will turn on its own facts and the determination of whether the employer has sufficiently pleaded “damage” or “loss” will, among other things, be determined by the jurisdiction overseeing the case.
II. General Tips for Avoiding CFAA Claims
The computer equipment provided by an employer does not belong to an employee. Thus, an employee should return all computerized information to the employer upon departure and refrain from deleting or transferring any information from the company’s computer system to a personal disk or e-mail without the company’s express consent.
III. General Tips for Defending Against CFAA Claims
A. Challenge Reliability of Employer’s Investigation.
An employee should consider attacking the quality and reliability of the former employer’s investigation into the employee’s “access” by demonstrating that the former employer’s methods for collecting evidence was unreliable or defective.58
B. Challenge Any Injunctions That Are Broad or Contrary to Public Policy.
Injunctions are an extraordinary remedy, which in the context of CFAA litigation can stifle competition and punish employees who may have inadvertently retained the former employer’s documents. Accordingly, an employee should object to the entry of an injunction that is considerably broader than that which could ordinarily be obtained under a trade secrets or unfair competition theory.
C. Argue That There Was No Practice, Procedure or Policy Prohibiting “Improper” Access or Use of the Company’s Documents.
In the absence of a promulgated policy or practice prohibiting employees from the “improper” access or use of an employer’s confidential information, a court likely will not find an employee’s allegedly improper access of company documents to be in violation of the CFAA.59
In Brekka, the Ninth Circuit held that an employer could not maintain its CFAA claim against a former employee accused of e-mailing company documents to his personal e-mail account because the employer could not establish that the former employee accessed its computer system “in excess of authorization” or “without authorization.”60 In reaching its decision, the court pointed to the fact that the employer failed to provide notice or employee guidelines distinguishing the proper and authorized use of employer information from the improper and unauthorized use of the company information in question.61 According to the Ninth Circuit, because Section 1030 is primarily a criminal statute and creates criminal liability for violators of the statute, the rule of lenity, which is rooted in considerations of notice, applies.62 Thus, “no citizen should be held accountable for a violation of a statute whose commands are uncertain, or subjected to punishment that is not clearly prescribed.”63 In short, a court will likely not recognize a CFAA claim where an employee “would have no reason to know that making personal use of the company computer . . . would constitute a criminal violation of the CFAA.”64
D. Assert the “Unclean Hands” Defense.
To challenge an employer’s CFAA claims, an employee can rely on the “unclean hands” doctrine. According to this doctrine, “he who asks equity must do equity, and he who comes into equity must come with clean hands.”65 In the context of CFAA litigation, this doctrine provides that “one who has acted in bad faith . . . or [has] been guilty of fraud, injustice or unfairness will appeal in vain to a court of conscience.”66 Thus, a court may not recognize a CFAA claim where there is evidence demonstrating that the employer engaged in wrongful or inequitable conduct with respect to the matter in litigation, i.e., the employer deleted all data that evidenced its retaliatory intent in filing the CFAA action.67
In sum, an employee faced with a lawsuit for violations of the CFAA has options to challenge the CFAA action, including the rule of lenity. Like lawsuits to enforce noncompetition provisions, CFAA actions are typically accompanied by a motion for a preliminary injunction or a motion for a temporary restraining order, which can put an employee out of work. Thus, it is critical quickly to assess and apply options available to the employee to gain the upper hand in the litigation and to avoid costs and being put on the defensive.
1 18 U.S.C. § 1030(a)(4); see also Pacific Aerospace & Elecs. Inc. v. Taylor, 285 F. Supp. 2d 1188, 1195 (E.D. Wash. 2003).
2 18 U.S.C. § 1030(e)(2)(B).
3 See Cont’l Group Inc. v. KW Prop. Mgmt. LLC, 622 F. Supp. 2d 1357, 1370 (S.D. Fla. 2009) (court held that connection to internet is “affecting interstate commerce or communication” and thus, computers connected to internet are protected under CFAA).
4 See LVRC Holdings v. Brekka, 581 F.3d 1127, 29 IER Cases 1153 (9th Cir. 2009); 2009 WL 2928952 (court held that employee uses computer “without authorization” when person has not received permission “to use computer for any purpose . . . or when the employer has rescinded permission to access the computer and the [employee] uses the computer anyway”).
5 Int’l Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006); 4 WLR 329, 3/17/06, (court held that “authorized access” ends when employee breaches his duty of loyalty);Patrick Patterson Custom Homes Inc. v. Bach, 586 F. Supp. 2d 1026, 1034-35 (N.D. Ill. 2008) (court held that employer stated administrative assistant exceeded her authority by installing data shredding software causing permanent deletion of financial records on company’s computer).
6 See B & B Microscopes v. Armogida, 532 F. Supp. 2d 744 (W.D. Pa. 2007) (court held that because CFAA delineates between authorized and unauthorized access, reading of statute that once employee begins violating duty of loyalty to his employer any authorized access is withdrawn, would render the CFAA’s distinction meaningless); see also Lockheed Martin Corp. v. Speed, No. 6:05-CV-1580-ORL-31, 2009 WL 2683058, at *4 (M.D. Fla. Aug. 1, 2006) (court refused to recognize CFAA claim where employer permitted its employees, as a function of their respective positions, to access the precise information at issue on ground that “Congress chose not to reach. . . those [employees] with access authorization.”); Black & Decker Inc. v. Smith, No. 07-1201, 2008 WL 3850825, at *3 (W.D. Tenn. Aug. 13, 2008) (court concluded that “the [CFAA] targets the unauthorized procurement or alteration of information, not its misuse.”).
7 Citrin, 440 F.3d at 421.
8 Id. at 419.
9 Id. at 421.
10 Id. at 420-21.
11 Id. at 421.
12 Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479 (D. Md. 2005).
13 Id. at 499.
14 Id. at 498.
15 Id. at 499.
16 Bridal Expo Inc. v. Van Florestein, No. 4:08-CV-03777, 2009 WL 255862 (S.D. Tex. 2009).
17 Bridal Expo, 2009 WL 255862, at *11.
18 Id. at *10.
19 Id. at *11.
20 581 F.3d 1127, 29 IER Cases 1153, 2009 WL 2928952 (9th Cir. 2009).
21 Brekka, at *6-7.
22 Id. at *5.
23 Id. at *7; see also Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) (employee’s acquisition of employer’s confidential information prior to resigning for new position with employer’s competitor was not “without authorization” or in matter that “exceeded authorized access” where employee was permitted to view specific files he allegedly e-mailed himself).
24 Brekka, at *5 (“It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.”).
25 Compare Brekka, at *5 (former employee who e-mailed sensitive company documents that he accessed with permission to his personal computer did not exceed his authorized access, even if he planned to use those documents to furtherhis own business objectives) and Jet One Group Inc. v. Halcyon Jet Holdings, No. 08cv3980, 2009 WL 2524864, *5-6 (E.D.N.Y. Aug. 14 2009) (dismissing complaint claiming that defendants, who were permitted to access client lists in question in normal course of business even when defendants later used those client lists to compete against plaintiff) with Int’l Airport, 440 F.3d at 420 (employee’s misappropriation of confidential information violated his duty of loyalty, thereby “terminating his agency relationship . . . and with it his authority to access the laptop”) and Calyon, No. 07 Civ. 2241, 2007 WL 2618658 at *1 (holding that employees who copied their employer’s proprietary electronic documents before their termination must have known doing so was “in contravention of the wishes and interests of the employer” and therefore exceeded the scope of their authorized access).
26 Hecht v. Components Int’l Inc., 867 N.Y.S.2d 889 (2008) (court granted summary judgment dismissing CFAA counter claim where employee’s access to company’s e-mail server was “standard” suggesting that “sensitive information was not reached”); Lockheed Martin, 2006 WL 2683058, at *8 (“The copying of information from a computer onto a CD or PDA is a relatively common function that typically does not, by itself, cause permanent deletion of the original computer files. In the absence of an allegation of permanent deletion or removal, the Court will not create one.”); Resdev LLC v. Lot Builder Ass’n Inc., No. 6:04-CV-1374ORL31DAB, 2005 WL 1924743, at *4-5 (M.D. Fla. 2005) (Court held that to have “damage” under the CFAA, there must be “some diminution in the completeness or useability of the data or information on a computer system.” Determination of whether damage exists hinges on physical change in data, program, system, or information).
27 United States v. Czubinkski, 106 F.3d 1069, 1070 (1st Cir. 1997) (employee of IRS did not violate CFAA even though he knowingly disregarded IRS confidential information rules by performing searches outside scope of his contract representative duties to satisfy his own curiosity about tax information of friends, political rivals, and acquaintances, because there was no evidence that he printed out, recorded, or used information he read to obtain “anything of value”); see also P.C. Yonkers Inc. v. Celebrations the Party & Seasonal Superstore LLC., 428 F.3d 504, 505 (3rd Cir. 2005); In re America Online Inc., 168 F. Supp. 2d 1359, 1360 (S.D. Fla. 2001).
28 Pearl Investments LLC v. Standard I/O Inc., 257 F. Supp. 2d 326, 349 (D. Me. 2003).
29 See Lasco Foods Inc. v. Hall & Shaw Sales, Marketing & Consulting LLC, No. 4:08CV01683, 2009 WL 151687, at *5 (E.D. Mo. 2009) (“[c]ourts have consistently interpreted loss. . . to mean a cost of investigating or remedying damage to a computer, or a cost incurred because the computer’s service was interrupted.”); Forge Indus. Staffing Inc. v. De La Fuente, No. 06 C 3848, 2006 WL 2982139, at *6-*7 (N.D. Ill. 2006) (loss includes cost of hiring forensic computer expert to recover destroyed data in addition to actual damages to computer system); see also Matter of Doubleclick Inc. Privacy Litigation, 154 F. Supp. 2d 497, 521 (S.D.N.Y. 2001) (court noted that “Congress intended the term ‘loss’ to target remedial expenses borne by victims that could not properly be considered direct damage caused by a computer hacker.”); 18 U.S.C. § 1030(e)(11) (loss is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred or other consequential damages incurred because of interruption of service.”).
30 Compare Garelli Wong & Associates Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008) (court ruled that copying or misappropriation of trade secret through use of computer does not, on its own, constitute “damage” under CFAA) with HUB Group, Inc. v. Clancy, No. Civ. A. 05-2046, 2006 WL 208684, at *3-4 (E.D. Pa. 2006) (employee exceeded scope of his authorization into former employer’s database when he took information to use as TTS employee) and Caylon, No. 07 Civ. 2241, 2007 WL 2618658 at*1 (S.D.N.Y. Sept. 5, 2007) (holding that employees who copied their employer’s proprietary electronic documents before their termination must have known doing so was “in contravention of the wishes and interests of the employer” and therefore exceeded scope of their authorized access). 31 Civic Ctr. Motors Ltd. v. Mason St. Import Cars Ltd., 387 F. Supp. 2d 378 (S.D.N.Y. 2005).
32 Id.at 381.
33 Id. at 382.
34 Id. at 381.
36 Nexans Wires S.A. v. Sark-USA Inc., 319 F. Supp. 2d 468 (S.D.N.Y. 2004).
37 Id. at 476.
38 Id. at 473.
39 Id. at 476.
40 Cont’l Group Inc. v. KW Prop. Mgmt. LLC, 622 F. Supp. 2d 1357, 1370 (S.D. Fla. 2009); Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (9th Cir. 2004).
41 EF Cultural Travel BV EF v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).
42 Id. at 585.
43 Id. at 579.
44 Id. at 580.
45 Id. at 584.
46 Id.; see also Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004) (court held that loss of business and business goodwill are economic damages under CFAA).
47 Explorica, 274 F.3d at 585 (court held that $20,000 that EF spent to determine whether its website had been compromised met $5,000 threshold for loss or damage under CFAA).
48 18 U.S.C. § 1030(e)(8).
49 See, e.g., Garelli Wong & Assocs. Inc. v. Nichols, 551 F. Supp. 2d 704 (N.D. Ill. 2008) (court ruled that copying or misappropriation of trade secret through use of computer alone does not constitute “damage” under CFAA); Lockheed Martin, 2006 WL 2683058, at *4 (copying of confidential data does not constitute “damage” under the CFAA); Resdev, 2005 WL 1924743, at *5 n.3 (noting that “damage” contemplates “some diminution in the completeness or useability of data or information on a computer system.”); Davis v. Afilias Ltd., 293 F. Supp. 2d 1265 (M.D. Fla. 2003) (registry operator was not entitled to summary judgment on its counterclaim that employee that individual violated CFAA by using authorization codes to register domain names because World Intellectual Property Organization gave individual authorization codes to register his names, which individual did through his registrar, there was no evidence that individual directly accessed registry operator’s computer system to register domain names in question, and although it was discovered that codes were given to individual in error, individual could not be held simply on basis that he used codes to register domain names).
50 Black & Decker, 568 F. Supp. 2d at 937 (W.D. Tenn. 2008) (misappropriating a trade secret coupled with other harm to the data constitutes “damage” under CFAA).
51 See e.g., Four Seasons Hotel & Resorts BV v. Consorcio Barr SA, 267 F. Supp. 2d 1268, 1324 (S.D. Fla. 2003).
52 Shurgard Storage Centers Inc. v. Safeguard Self Storage, 119 F. Supp. 2d 1121, 1126-27 (W.D. Wash. 2000).
53 Id.; see also 18 USC § 1030(e)(8)(A) (2000).
54 Id. at 710; see also Andritz v. S. Maint. Corp, 626 F. Supp. 2d 1264 (M.D. Ga. 2009); Sam’s Wines & Liquors Inc. v. Hartig, No. 08 C 570, 2008 WL 4394962, at *3 (N.D. Ill. Sept. 24, 2008).
55 See Pearl Investments LLC v. Standard I/O Inc., 257 F.Supp. 2d 326, 349 (D. Me. 2003) (lack of evidence that computer network was damaged in any quantifiable amount by alleged unauthorized access by custom software company and its owners precluded developer’s recovery under CFAA).
56 See, e.g., Garelli, 551 F. Supp. 2d at 710 (court concluded that plaintiff failed to sufficiently plead damage under CFAA because misappropriation alone did not show “impairment to the integrity or availability of data, a program, a system, or information.”); Hartig, 2008 WL 4394962, at *4 (court granted employee’s 12(b)(6) motion to dismiss where employer failed to properly plead damage, i.e., impairment to integrity or availability of data, program, system, or information on its computer).
57 See, e.g., Condux Int’l v. Haugum, No. 08-4824, 2008 WL 5244818, at *8 (D. Minn. 2008) (concludes that plain language of statute requires “some alteration of or diminution to the integrity, stability, or accessibility of the computer data itself” to be damage under CFAA); P.C. Yonkers, 428 F.2d at 513 (franchisees were not entitled to preliminary injunction where they demonstrated that former employee of their franchisor accessed computer system and did not show any information was taken; absent something more than mere access, franchisees could not succeed on their claim).
58 Brekka, 2009 WL 2928952, at *8 (CFAA claim against employee failed because of contradictory evidence between the employer’s own witness and expert evidence).
59 Id. at *6.
60 Id. at *1.
61 Id. at *6.
62 Id. at *6
63 Id. at *6 (quoting United States v. Santos, 128 S. Ct. 2020, 2025 (2008)).
65 Albert v. Albert, 38 Va. App. 284, 299 (2002) (citing Walker v. Henderson, 151 Va. 913, 927-28 (1928)).
66 Matter of Garfinkle, 672 F.2d 1340, 1346, n. 7 (11th Cir. 1982) (quoting Peninsula Land Co. v. Howard, 6 So. 2d 384, 389 (Fla. 1941)).
67 Cont’l Group Inc., 622 F. Supp. 2d at 1377.