
Civil Actions Under the Computer Fraud and Abuse Act

by John DiGiacomo

Partner

Internet Lawyer

The Computer Fraud and Abuse Act (CFAA), codified as 18 U.S.C. § 1030, provides for civil actions arising out of various cyber infractions. The CFAA prohibits: (1) the unauthorized accessing (2) of a “protected” computer (3) with the intent to either (a) obtain information, (b) further a fraud, or (c) damage the computer or its data.[1] Computers used in interstate commerce are included under “protected” computers, and thus nearly all computers are protected under the Act.[2] As long as plaintiffs meet the qualifying loss of $5,000, defendants can be forced to pay compensatory, injunctive, or other equitable damages.[3] The claim must be filed within two years of the discovery of the damage.[4]

Unauthorized Access of a Protected Computer

Under the CFAA, a plaintiff can bring a claim against anyone[5] who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.”[6] A “protected computer” means a computer used either exclusively by a financial institution or US agency, or a computer “which is used in or affecting interstate or foreign commerce or communication.”[7] The interstate commerce provision places almost every computer under the jurisdiction of the Act.

Much of the litigation over unauthorized access involves employees who either exceeded the authorization granted by their employment,[8] or accessed their employer’s computer after termination of their employment.[9] Employees who access their employer’s computers, even if authorized, may violate the CFAA if such access breaches their duty of loyalty[10] or is coupled with bad intent.[11] Once an employee leaves and begins to work for another entity, the employee is presumed to no longer be an authorized user of his ex-employer’s computer.[12]

However, determining an employee’s level of authorized access can be tricky. For instance, if a company does not have procedures in place to regulate the use of company computers, uses of those computers leading to damages most likely do not violate the Act.[13] Also, the timeline of employment is important—an employee authorized to access information within the scope of his employment during his employment, even if he misuses the information, will not violate the CFAA.[14] Even sending the information to a competitor may be acceptable if the employee is not explicitly un-authorized and is currently employed.[15]

Beyond employment, the issue is clearer. If one is not authorized to use a computer, they fall under the Act. This includes hackers,[16] spammers,[17] and business competitors.[18] Finally, one does not need to physically access a computer to fall under the Act. Transmissions of damaging “packets”[19] and use of third-party computers to access websites have been held to violate the CFAA.[20]

Intent to Damage

The CFAA requires intent by the unauthorized user to either (a) obtain information, (b) further a fraud, or (c) damage the computer or its data.[21] In order to bring a civil suit, a plaintiff must show at least $5,000 in actual damages.[22] Obtaining information and furtherance of a fraud are not viable civil claims in and of themselves under the Act, but they are criminalized in the Act and could potentially lead to the damages required of a civil action.[23]

Obtain Information

Obtaining information under the CFAA is broadly defined. However, the language “anything of value” has limited it somewhat.[24] Suits concerning confidential information will generally meet the value requirement.[25] Of course, plaintiffs must be able to prove something of value was used and/or taken.[26]

Further a Fraud

Fraud in the CFAA is not like common law fraud.[27] CFAA fraud has been defined as “wrongful action” as opposed to fraud in the common law sense.[28] For one, it does not require actual knowledge of fraudulent activity—constructive knowledge has been held to be enough.[29] In general, a showing of “unlawful access” is enough to establish CFAA fraud.[30]

Loss of Data or Damage to Computer

Damage is defined in the Act as “a loss aggregating at least $5,000 in value during any one year period, modification or potential modification of medical diagnosis or treatment, physical injury to any person, or threatened public health or safety.”[31] In the civil context, the $5,000 damage floor is the most commonly claimed damage, but its application remains unclear. The losses cannot be too attenuated to fall under the Act, with even lost revenue due to stolen trade secrets being refused as damages.[32] Generally though, courts will consider costs lost due to the interruption of service, and costs to repair the system itself, as qualifying individualized damages.[33] Alleged damages do not need to be monetary, but harm to the “integrity of the system” may not be enough for monetary relief.[34] Also, an inconvenience or burden is not enough to establish damages.[35] There is some debate amongst courts whether or not costs associated with investigating and preventing computer fraud constitute damages under the Act.[36]

Remedies

A court can award successful plaintiffs compensatory damages, injunctive relief, and other equitable relief.[37] However, a plaintiff claiming a “loss aggregating at least $5,000” can only receive monetary damages.[38] The statute of limitation of two years begins to run when the damage resulting from the alleged unauthorized access is discovered.[39]

 

[1] Gregory C. Cook & Will Hill Tankersley Jr., A Practitioners Guide to the Computer Fraud and Abuse Act: Finally A Cause of Action for “Anything Wrong” (Over $5,000), Balch & Bingham LLP, available at http://www.balch.com/files/Publication/01d78bb1-08f4-4a25-8cf5-c5200c4834a7/Presentation/PublicationAttachment/981f7964-3af6-434a-ba24-050ba913390a/A_Practitioner’s_Guide-GCOOKWHT.pdf

[2] Id. See also, Cont’l Grp., Inc. v. KW Prop. Mgmt., LLC, 622 F. Supp. 2d 1357 (S.D. Fla. 2009) (holding that a computer based in Florida that enabled its owner to do business outside of Florida fell under the Act).

[3] See 18 U.S.C. § 1030(g).

[4] Id.

[5] Person, institution, legal entity, etc. See Id. at § 1030(e).

[6] Id. at § 1030(a)(2). This section also includes obtainment of information relating to a financial institution or US agency, though those computers also fall under the “protected computer” catch all.

[7] Id. at § 1030(e).

[8] See e.g., US Bioservices Corp. v. Lugo, 595 F.Supp.2d 1189 (D. Kan. 2009) (employees’ accessing of reports that were outside scope of their duties, and e-mailing of confidential information to their personal accounts, constituted “exceeding authorized access” under the Act).

[9] See e.g., International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (C.A.7 (Ill.) 2006) (employee allegedly caused the “transmission” of a program resulting in damage to a protected computer, and “intentionally accessed” the computer “without authorization,” or “exceeding authorization” by allegedly installing a secure-erasure program on his employer’s computer; the program caused permanent deletion of employer’s files, and employee’s authorized access to the computer terminated when he quit his employment in violation of his employment contract and resolved to destroy the files).

[10] See NCMIC Finance Corp. v. Artino, 638 F.Supp.2d 1042 (S.D. Iowa 2009) (company VP acted “without authorization” or “exceeded authorized access” when he accessed confidential and proprietary business information from his employer’s computer that he had permission to access, but then used that information in a manner in breach of his duty of loyalty).

[11] See Penrose Computer Marketgroup, Inc. v. Camin, 682 F.Supp.2d 202 (N.D.N.Y.2010).

[12] See Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000).

[13] See e.g., Dresser-Rand Co. v. Jones, 957 F.Supp.2d 610 (E.D.Pa. 2013) (even if manager departing from energy company had deleted company files from his laptop prior to his resignation, such conduct did not violate the Act since manager had acted with authorization and the company had no restrictions forbidding employees from deleting files from their company-issued laptops).

[14] See Amphenol Corp. v. Paul, WL 272337 (D. Conn. 2014).

[15] See University Sports Pub. Co. v. Playmakers Media Co., 725 F.Supp.2d 378 (S.D.N.Y. 2010) (systems administrator who was authorized to access advertising company’s database of customer leads and historical sales data did not exceed his authorized access by obtaining confidential data and sending it to company’s former employee and current competitor where he was authorized to access, and thereby obtain, all information on the database, and even though copying or downloading information may not have been within the scope of his typical duties, his authorization was not limited so as to prevent him from doing so).

[16] See YourNetDating LLC v. Mitchell, 88 F.Supp.2d 870 (N.D.Ill, 2000) (former employee of website violated the CFAA when he hacked into plaintiff’s website and created a “blind link” to a different site).

[17] There is no consensus on whether or not spamming constitutes unauthorized access. Compare America Online, Inc. v. National Health Care Discount, Inc., 121 F.Supp.2d 1255 (N.D. Iowa 2000) (AOL user who obtained other email addresses and spammed other users was held to have authorized access as an AOL user under the Act); with America Online, Inc. v. LCGM, Inc., 46 F.Supp.2d 444 (E.D. Va. 1998) (AOL user who also spammed other users was held to be unauthorized because he violated the “Terms of Service” and “Rules of the Road” agreements AOL provided and thus lost his authorized access), and America Online, Inc. v. Prime Data Sys., Inc., 1998 U.S. Dist. LEXIS 20226 (E.D. Va.) (AOL was awarded over $100,000 in compensatory damages due to spam messages sent to its users).

[18] See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (C.A.1 Mass. 2001) (competitor’s use of “scraper” computer software program to systematically and rapidly glean prices from tour company’s website, in order to allow systematic undercutting of those prices, “exceeded authorized access” under the CFAA).

[19] See Fink v. Time Warner Cable, 810 F.Supp.2d 633 (S.D.N.Y.2011) (internet service provider accessed plaintiff’s computers by knowingly transmitting “reset” packets to plaintiff’s computers to impede or prevent peer-to-peer receipts, which satisfied the access element required to state a claim under CFAA).

[20] See eBay Inc. v. Digital Point Solutions, Inc., 608 F.Supp.2d 1156 (N.D. Cal. 2009).

[21] 18 U.S.C. § 1030.

[22] Id. The language of the statute technically only allows civil suits for certain cases, of which fraud and obtaining information are not listed. However, those acts can lead to the damages requirement of the civil suit section and are thus worth studying.

[23] The Act limits civil suits to: (I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; (II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; (III) physical injury to any person; (IV) a threat to public health or safety; (V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security. Id.

[24] Id. at § 1030(a)(4).

[25] See e.g., NCMIC Finance Corp. v. Artino, S.D.Iowa 2009, 638 F.Supp.2d 1042 (company VP obtained “something of value,” when he accessed company’s customer spreadsheet, e-mailed it from his work e-mail account to his personal e-mail account without authorization, and used the customer spreadsheet for his own personal gain and against company’s financial interests).

[26] See e.g., P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC., 428 F.3d 504 (C.A.3 (N.J.) 2005) (former employees’ alleged improper access to their former employer’s protected computer system did not violate the CFAA absent evidence as to what, if any, information was actually viewed, let alone taken).

[27] eBay Inc. v. Digital Point Solutions, Inc., 608 F.Supp.2d 1156 (N.D.Cal.2009) (fraud under the CFAA only requires a showing of unlawful access; there is no need to plead the elements of common law fraud to state a claim under the Act).

[28] Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D.Wash. 2000).

[29] See Multiven, Inc. v. Cisco Systems, Inc., 725 F.Supp.2d 887 (N.D.Cal. 2010) (former employee acted with “intent to defraud” when he accessed former employer’s computer network with knowledge of former employer’s policy prohibiting such access by non-employees; even if former employee genuinely believed that employee gave him authorization for a limited purpose on one occasion, there was no evidence that former employee had any reason to believe that having employee’s login and password gave him unlimited authorization to access former employer’s secure website at will).

[30] eBay, 608 F.Supp.2d 1156.

[31] 18 U.S.C. § 1030(e)(8). The statute also defines damage as: affecting interstate commerce by “trafficking” in computer password, Id. at § 1030(a)(6); and transmitting a threat to damage a protected computer, Id. at § 1030(a)(7).

[32] See Andritz, Inc. v. Southern Maintenance Contractor, LLC, 626 F.Supp.2d 1264 (M.D.Ga. 2009).

[33] See Steve Gordon, Using the Computer Fraud and Abuse Act to Remedy Misappropriation of Information by a Defecting Employee, Holland & Knight, available at http://www.hklaw.com/files/Publication/232f3c1e-d093-4235-a20f-99c4ff6ccafa/Presentation/PublicationAttachment/8621ec62-dc7f-4cdb-8be1-a073d74a3be2/SteveGordon2.pdf.

[34] See NetApp, Inc. v. Nimble Storage, Inc., 2014 WL 1903639 (N.D.Cal.) (storage company did not plead any damage in plausible detail, only alleging harm to integrity of its data, programs, and computer system). This is confusing because the statute, which focuses on criminalizing the conduct, does ban harming the “integrity of the system.” 18 U.S.C. § 1030(e)(8). However, the civil jurisdiction that the statute enables still requires a base amount of $5,000 in damages. Id. at § 1030(g).

[35] See e.g., Czech v. Wall Street on Demand, Inc., 674 F.Supp.2d 1102 (D. Minn. 2009) (cell phone owner’s claims that unwanted text messages consumed her cell phone’s limited resources and interrupted its functioning were too generalized and abstract to sufficiently allege that sender of unwanted text messages intentionally caused damage to her cell phone; owner did not claim that, as a result of receiving sender’s text messages, she was unable to make or receive a single phone call or send or receive a single text message).

[36] Compare Multiven, Inc. v. Cisco Systems, Inc., 725 F.Supp.2d 887 (N.D.Cal. 2010) (costs associated with investigating intrusions into a computer network and taking subsequent remedial measures were “losses” within the meaning of CFAA); with Jarosch v. American Family Mut. Ins. Co., 837 F.Supp.2d 980 (E.D. Wis. 2011) (insurance company’s alleged loss of $25,071.00 from investigating and preventing future taking of its customer information was not “loss” that would give rise to civil cause of action under the Act). See also Global Policy Partners, LLC v. Yessin, 686 F.Supp.2d 642 (E.D. Va. 2010) (lost revenue allegedly resulting from wife’s investigation and response to husband’s alleged accessing and intercepting wife’s business e-mail account without authorization during process of dissolving marriage and business relationship was not qualifying “loss” where wife’s assertion that she spent 50 hours investigating and responding to husband’s alleged CFAA violations was unsupported and contradicted by other evidence, and was too vague to show that tasks she performed were reasonably necessary to restore or resecure the system).

[37] 18 U.S.C. § 1030(g).

[38] Id.

[39] Id.
