COVID-19-Related Cybercrime and the Computer Fraud and Abuse Act featured image

COVID-19-Related Cybercrime and the Computer Fraud and Abuse Act

by John DiGiacomo

Partner

Internet Law

In 1986, Congress enacted the Computer Fraud and Abuse Act (“CFAA”). See 18 U.S.C. § 1030, et seq. The CFAA is one of the major federal statutes that empowers the federal government to seek criminal penalties against hackers and cybercriminals. The statute has also been used to punish employees and others who “misuse” computers to which they have access. Civil parties can also use the CFAA to obtain civil penalties against those who commit computer fraud and misuse.

The CFAA has been a focus of news reports lately for two reasons. First, in April 2020, the United States Department of Justice (“DOJ”) announced a crackdown on computer hacking, cybercrime, fraud, scams and phishing schemes related to COVID-19 pandemic. Reprehensibly, hackers and cybercriminals have been exploiting the pandemic to scam donations and access to technology from businesses, universities, and individuals. During its announcement of its crackdown efforts, the DOJ highlighted examples like of a fake website pretending to be the Red Cross soliciting donations to fight COVID-19 and various fake websites and using look-alike domain names mimicking government websites tricking victims into turning over their bank account information and other personal information.

During the announcement, the DOJ also highlighted its powers under the CFAA and promised vigorous and tenacious prosecution of cybercriminals seeking to take advantage of the COVID-19 crisis. The CFAA makes computer hacking a crime. In particular, the CFAA makes it a crime to intentionally access a computer “without authorization” or by exceeding “authorized access” and, as a result, obtaining “information from any department or agency of the United States.” 18 U.S.C. § 1030(a)(2)(B). Originally, the CFAA only applied to hacking or unauthorized access of government computers, but the Act now applies to what are called “protected computers” which essentially mean all computers that are connected to the internet. Depending on the severity of the violation of the CFAA, the DOJ can seek substantial monetary fines and prison terms from as low as one year to as many as 20 years.

The CFAA has also been in the news lately because the US Supreme Court has agreed to hear an appeal related to a criminal conviction under the CFAA in the case of US v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019). The DOJ has long taken the view that the CFAA can be used to criminally punish employees who abuse their employer’s computer by exceeding the authority granted to them as employees. In Van Buren, the defendant — Nathan Van Buren — was a sergeant with the Police Department in Cumming, Georgia. As a police officer, Van Buren had authorized access to the Department’s computer system for police-related operations. However, Van Buren used the computer system for personal — criminal — business. In exchange for a “loan” by a man interested in a woman he met at a strip club, Van Buren ran a search for a woman’s vehicle license plate number in the police database.

Unfortunately for Van Buren, the whole thing was an FBI sting operation. Van Buren was eventually arrested, charged with violating the CFAA and was convicted. On appeal to the Eleventh Circuit, Van Buren argued that the CFAA did not apply to situations, like his, where an employee violates an employer’s use-of-computer policies.

On this particular legal point, there is a split among the Federal Circuit Courts of Appeal. Like the First, Fifth and Seventh Circuits, the Eleventh Circuit agrees with the DOJ that the CFAA criminalizes using data for unauthorized purposes even if accessing the data was otherwise authorized. That is what Van Buren did. As a police officer, he was authorized to access license plate related information. However, he was not authorized to personally use that information and, obviously, not authorized to give the information to another in exchange for a “loan.”

By contrast, three Circuit Courts — the Second, Fourth, and Ninth Circuits — disagree with the DOJ’s interpretation. Those Circuits interpret the CFAA to only criminalize access to data that the employee was not authorized to access (regardless of what the data was ultimately used for). These Circuits are concerned about potential overreach and about criminalizing common employee behaviors. Imagine that a workplace provides work email addresses and the email-use policy states that the email addresses can only be used for company business. If an employee uses the email for personal business, under the broad interpretation of the FCAA, that employee has committed a crime.

The US Supreme Court is expected to hear arguments on the Van Buren case later this year. We, here at Revision Legal will be following the case with interest.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

2025 Changes to Trademark Fees

2025 Changes to Trademark Fees

Trademark

There are some significant changes coming to the United States Patent and Trademark Office (USPTO) that will affect trademark filings beginning January 18, 2025. These changes include the introduction of the Trademark Center, new fees, and revised application requirements. Here is an overview of the key changes: The USPTO will retire the TEAS system, which […]

Read more about 2025 Changes to Trademark Fees

Automated Decision-Making Technology: California Releases Proposed Regulations

Automated Decision-Making Technology: California Releases Proposed Regulations

Internet Law

In today’s competitive e-commerce landscape, automated decision-making technology is becoming more and more important. From personalized product recommendations to targeted advertising and streamlined logistics, these systems help ecommerce businesses adapt and grow. But new regulations are on the horizon, and these changes could reshape the way e-commerce businesses use automation. The California Privacy Protection Agency […]

Read more about Automated Decision-Making Technology: California Releases Proposed Regulations

FTC Adopts Final “Click to Cancel Rule”

FTC Adopts Final “Click to Cancel Rule”

Internet Law

The Federal Trade Commission (FTC) has issued final amendments to its trade regulation rule concerning negative option plans, also known as the “click to cancel rule.” This rule aims to address widespread deceptive practices that prohibit customers from cancelling services in the same manner in which they signed up. Here’s a detailed summary of the […]

Read more about FTC Adopts Final “Click to Cancel Rule”

Put Revision Legal on your side