Thursday, March 25, 2010

Computer Fraud and Abuse Act

Computer Fraud and Abuse Act

In recent employers in recent years have increasingly been using the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) to sue employees and former employees who make wrongful use of the employer’s computer system. Employers have been able to successfully hold employees and former employees liable under the CFAA for actions such as retaining or wrongfully accessing the employer’s computer systems or electronic documents without proper authorization.

Originally designed to punish hackers, particularly those who attack computers used for compelling federal interests (e.g., computers used by the federal government, large financial institutions, etc.), the CFAA establishes civil liability for anyone who “[k]nowingly and with the intent to defraud, accesses a protected computer without authorization, or defraud, or exceeds authorized access, and by means of such conduct furthers the intended fraud ended or obtains anything of value.” 18 U.S.C. § 1030(a)(4).

A current CFAA hot topic is a recently developed circuit split as to whether the
Act should be interpreted broadly or narrowly when an employer claims a former employee has acted “without authorization” or has “exceeded authorization” in accessing computer-stored information prior to termination of employment.

The narrower view, which has garnered significant support, is illustrated by the 9th Circuit’s holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), where the Court rejected the employer’s argument that an employee accesses electronic documents without “authorization” when the employee acts contrary to the employer employer’s interest or in breach of the employee’s fiduciary obligation of loyalty to the employer. Rather, where the employee’s actions are consistent with the access previously granted to him as an employee, the Court held that the employee acts with proper “authorization” within the meaning of the Act.

The broader view, which has proven thus far to be the minority view, is illustrated by the 7th Circuit’s decision in Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), where the Court held that an employee can be found to have accessed a computer “without authorization” whenever he does so in breach of his duty of loyalty to the company.

Other recent CFAA developments are:

United States v. Drew, 2009 U.S. Dist. LEXIS 85780 (C.D. Cal.
Aug. 28, 2009) (dismissing a misdemeanor criminal complaint brought against an individual under the Act based upon the conscious violation of a website’s terms of service, as basing a misdemeanor violation on such conduct violated the constitutional “void-for-vagueness” doctrine).

Patrick Patterson Custom Homes, Inc. v. Bach, 586 F Supp.2d 1026 (N.D. Ill. 2008) (opinion discusses whether the defendant “knowingly cause[d] the transmission of a program, information, code or command, and as a result of such conduct intentionally cause[d] damage without authorization, to a protected computer”).

United States v. Middleton, 231 F.3d 1207 (9th Cir. 2000) (upholding a criminal conviction for violation of the Act in the form of intentionally causing damage to a “protected computer” without authorization).

Chas. S. Winner, Inc. v. Polistina, 2007 U.S. Dist. LEXIS 40741 (D.N.J. June 4, 2007) (dismissing for lack of federal subject matter jurisdiction because the plaintiffs failed to allege facts that show that they suffer they suffered a “loss” as defined under the Act).

Spangler, Jennings & Dougherty, P.C. v. Mysliwy, 2006 U.S. Dist. LEXIS 39602 (N.D. Ind. 2006) (denying plaintiff’s motion for summary judgment on its claim under the Act, because the plaintiff failed to provide any proof that it had been damaged by the defendant’s alleged violation of the Act).

Pearl Invs. LLC v. Standard I/O, Inc., 257 F. Supp. 2d 326, 2003 U.S. Dist. LEXIS 6890 (D. Me. 2003) (magistrate judge recommends that defendants be granted summary judgment as to plaintiff’s claim under the act, as the plaintiff showed no cognizable evidence that defendant’s alleged conduct damaged plaintiff’s computer system in any quantifiable amount).

Tyco Int’l Inc. v. Does, 2003 U.S. Dist. LEXIS 11800 (S.D.N.Y. July 11, 2003) (discussing compensatory damages under the Act for plaintiff’s costs associated with assessing the damage to its computer system and restoring its system after plaintiff’s attack).

For more information on this law see:

David Johnson, “Update on CFAA Circuit Split: District Courts in 8th Circuit Adopt Minority
View, Permitting Claims Where Defendant Exceeds His Authority to Access Computer”,
November 16, 2009, available here.

David Conforto, “Employees Beware: Computer Fraud & Abuse May Restrict Ability to
Retain Documents”, November 5, 2009, available here.

Amy E. Bivins, “Attorneys Advise Employers to Revisit Data Misuse Policies After Brekka
Ruling”, November 4, 2009, available at here.

Kenneth J. Vanko, “Two Views of the Computer Fraud and Abuse Act (Brekka and Pullen),
October 30, 2009, available at here.

Robert B. Milligan and Carolyn E. Sieve, “Establishing CFAA Violations by Former
Employees”, October 27, 2009, available at here.

David Johnson, “LVRC v. Brekka: 9th Circuit Decision Creates Circuit Split on Whether
CFAA Applies to an Employee Who Misuses His Authority to Access His Employer’s
Computer Files”, October 1, 2009, available at here.

Lori Bauman, “Ninth Circuit Narrowly Interprets Computer Fraud and Abuse Act”,
September 24, 2009, available at here.

David Johnson, “ES&H v. Allied Safety: Court Sidesteps Split in Authority over Whether
CFAA Applies to an Employee Who Misuses His Authority to Access His Employer’s
Computer Files”, September 24, 2009, available here.

Amy E. Bivens, “Brekka Case Shows Need for Comprehensive Strategy to Shield Data
from Insider Misuse”, September 20, 2009, available here.

Roy Ginsburg, “When Workers Steal Data to Use at New Jobs”, August 5, 2009, available here.

No comments: